Skip to content

RANGER-5388: Actual calculated salt size should be updated into the DB #721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 5, 2025
Merged

RANGER-5388: Actual calculated salt size should be updated into the DB #721

merged 1 commit into from
Nov 5, 2025

Conversation

@vikaskr22
Copy link
Contributor

@vikaskr22 vikaskr22 commented Oct 30, 2025

What changes were proposed in this pull request?

In FIPS enabled env, saltSize is recalculated to be complaint with FIPS algorithm. This new saltSize was being calculated at runtime for MK encryption/decryption but configured saltSize ( or default) was being updated into the DB.

This PR contains code changes to fix this behaviour. With this PR, whatever saltSize calculated and used will be updated into the DB records. It gives clarity on the actual MK metadata and removes dependency to re-calculate the saltSize while decrypting the MK.

Earlier minSaltSize was kept fixed (at least 16 length) for FIPS algorithm, KMS has only one FIPS algorithm right now but with addition of other algorithms, this 16 might not be sufficient for any better/stronger algorithm. So it should be per algorithm. This PR handles this aspect as well.

How was this patch tested?

  • mvn clean install
  • Manual Testing with non-fips env in docker container
  • Manual testing with fips env in docker container. Here I tested fresh installation and upgrade scenario where re-encryption of MK happened from "PBEWithMD5AndDES" to "PBKDF2WithHmacSHA256"
  • Manually verified that DB MK record contains the actual saltSize.

spolavarpau1
spolavarpau1 reviewed Nov 3, 2025
View reviewed changes
Copy link
Contributor

@spolavarpau1 spolavarpau1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comment. Please check

@dhavalshah9131 dhavalshah9131 merged commit 4008d96 into apache:master Nov 5, 2025
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhavalshah9131 dhavalshah9131 dhavalshah9131 approved these changes

@spolavarpau1 spolavarpau1 spolavarpau1 approved these changes

@pradeepagrawal8184 pradeepagrawal8184 Awaiting requested review from pradeepagrawal8184

@dineshkumar-yadav dineshkumar-yadav Awaiting requested review from dineshkumar-yadav

Assignees

@vikaskr22 vikaskr22

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vikaskr22 @dhavalshah9131 @spolavarpau1