Uploaded image for project: 'Oozie'
  1. Oozie
  2. OOZIE-3676

Remove all non FIPS compliant encoding algorithms

    XMLWordPrintableJSON

Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Done
    • 5.2.1
    • 5.3.0
    • core
    • None

    Description

      The goal of this Jira is to replace non-FIPS compliant encoding algorithm(s) to FIPS compliant algorithm(s) in Oozie.

      At this moment only `org.apache.oozie.action.hadoop.LauncherHelper#getTag` has non-FIPS compliant algorithm, namely MD-5.
      In scope of this ticket, this algorithm will be changed to FIPS compliant SHA-384.

      (read more about the FIPS compliant algorithms below)

      Using FIPS-Compliant Crypto Libraries

      This should not need much code change. Ensure that when you are performing crypto operations (e.g. generating keys, encrypting/decrypting data, computing hashes, storing/verifying passwords), you are using either OpenSSL or the standard Java crypto API to do so.

      When running in a FIPS environment, the OpenSSL library and Java crypto provider will be replaced with their CryptoComply equivalents. This replacement should be API-compatible.

      Using FIPS-Approved Algorithms

      Only certain algorithms and key sizes are allowed by FIPS. 

      Common allowed algorithms are shown below for convenience:

      Symmetric Algorithms

      • AES
      • 3DES

      Public Key Algorithms

      • RSA
      • ElGamal

      Key Agreement Algorithms

      • DH
      • MQV
      • ECDH
      • ECCDH
      • ECMQV

      SSL/TLS

      • TLS 1.0, 1.1, 1.2

      Hash Functions

      • SHA-1 (avoid this as it is soon to be deprecated)
      • SHA-224, SHA-256 (avoid these as they are soon to be deprecated), SHA-384, SHA-512
      • SHA3-224, SHA3-256, SHA3-384, SHA3-512
      • SHAKE128, SHAKE256

      Message Authentication

      • AES CCM, CMAC, GMAC
      • HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
      • 3DES CMAC

      Password Derivation Functions

      • PBKDF2 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

      Random Number Generators

      • HASH DRBG
      • HMAC DRBG
      • CTR DRBG

      Signature Algorithms

      • DSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
      • ECDSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
      • RSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

      Keep in mind that the following common algorithms are disallowed and will likely cause a crash if invoked in FIPS mode:

      • MD5: use SHA-384 instead
      • RC4 (also called arcfour): use AES-256 instead
      • SSL: use TLS instead

      Attachments

        1. OOZIE-3676-001.patch
          3 kB
          János Makai

        Activity

          People

            jmakai János Makai
            jmakai János Makai
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: