This is an automated email from the ASF dual-hosted git repository.
dhavalshah9131 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6dede819b RANGER-5239: Decrypt and verify before storing newly
re-encypted key material into DB (#612)
6dede819b is described below
commit 6dede819beb5b376f47d6a63258c81a388e0facd
Author: Vikas Kumar <[email protected]>
AuthorDate: Wed Jul 23 17:23:01 2025 +0530
RANGER-5239: Decrypt and verify before storing newly re-encrypted key
material into DB (#612)
---
.../main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index 30b0ee032..24811ce39 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -308,6 +308,13 @@ public boolean reencryptMKWithFipsAlgo(String mkPassword) {
init();
PBEKeySpec newPbeKeySpec = getPBEParameterSpec(mkPassword,
encrCryptoAlgo);
byte[] masterKeyToDB = encryptKey(oldKeyMaterial,
newPbeKeySpec);
+ byte[] decryptedMaterialWithNewAlgo =
decryptKey(masterKeyToDB, newPbeKeySpec);
+ // This is just a sanity check but important to ensure that
returned key material after re-encryption is same as old MK key material.
+ if
(!Base64.encode(oldKeyMaterial).equals(Base64.encode(decryptedMaterialWithNewAlgo)))
{
+ String errMsg = "After re-encryption, Latest decrypted
MasterKey material is different than original.Aborting the re-encryption, DB is
not updated with new encrypted material.";
+ logger.error(errMsg);
+ throw new RuntimeException(errMsg);
+ }
String encodeMKToDB = Base64.encode(masterKeyToDB);
updateEncryptedMK(paddingString + "," + encodeMKToDB);