You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/11/29 15:46:00 UTC
[jira] [Commented] (OOZIE-3676) Remove all non FIPS compliant encoding algorithms
[ https://issues.apache.org/jira/browse/OOZIE-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640791#comment-17640791 ]
ASF subversion and git services commented on OOZIE-3676:
--------------------------------------------------------
Commit b63ad079b56ab4446c1182cf3863edc4af13fe33 in oozie's branch refs/heads/master from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=oozie.git;h=b63ad079b ]
OOZIE-3676 Remove all non FIPS compliant encoding algorithms (jmakai via dionusos)
> Remove all non FIPS compliant encoding algorithms
> -------------------------------------------------
>
> Key: OOZIE-3676
> URL: https://issues.apache.org/jira/browse/OOZIE-3676
> Project: Oozie
> Issue Type: Task
> Components: core
> Affects Versions: 5.2.1
> Reporter: Janos Makai
> Assignee: Janos Makai
> Priority: Major
> Attachments: OOZIE-3676-001.patch
>
>
> The goal of this Jira is to replace non-FIPS compliant encoding algorithm(s) to FIPS compliant algorithm(s) in Oozie.
> At this moment only `org.apache.oozie.action.hadoop.LauncherHelper#getTag` has non-FIPS compliant algorithm, namely MD-5.
> In scope of this ticket, this algorithm will be changed to FIPS compliant SHA-384.
> ({_}read more about the FIPS compliant algorithms below{_})
> ----
> h2. Using FIPS-Compliant Crypto Libraries
> This should not need much code change. Ensure that when you are performing crypto operations (e.g. generating keys, encrypting/decrypting data, computing hashes, storing/verifying passwords), you are using either OpenSSL or the standard Java crypto API to do so.
> When running in a FIPS environment, the OpenSSL library and Java crypto provider will be replaced with their CryptoComply equivalents. This replacement should be API-compatible.
> h2. Using FIPS-Approved Algorithms
> Only certain algorithms and key sizes are allowed by FIPS.
> Common allowed algorithms are shown below for convenience:
> Symmetric Algorithms
> * AES
> * 3DES
> Public Key Algorithms
> * RSA
> * ElGamal
> Key Agreement Algorithms
> * DH
> * MQV
> * ECDH
> * ECCDH
> * ECMQV
> SSL/TLS
> * TLS 1.0, 1.1, 1.2
> Hash Functions
> * SHA-1 _(avoid this as it is soon to be deprecated)_
> * SHA-224, SHA-256 {_}(avoid these as they are soon to be deprecated){_}, SHA-384, SHA-512
> * SHA3-224, SHA3-256, SHA3-384, SHA3-512
> * SHAKE128, SHAKE256
> Message Authentication
> * AES CCM, CMAC, GMAC
> * HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> * 3DES CMAC
> Password Derivation Functions
> * PBKDF2 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> Random Number Generators
> * HASH DRBG
> * HMAC DRBG
> * CTR DRBG
> Signature Algorithms
> * DSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> * ECDSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> * RSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> Keep in mind that the following common algorithms are *disallowed* and will likely cause a crash if invoked in FIPS mode:
> * MD5: use SHA-384 instead
> * RC4 (also called arcfour): use AES-256 instead
> * SSL: use TLS instead
--
This message was sent by Atlassian Jira
(v8.20.10#820010)