From 0d7af4d37e1f1b6dca25ed8edbf8c2cf3f131742 Mon Sep 17 00:00:00 2001
From: Terry Quigley <77437788+terryquigleysas@users.noreply.github.com>
Date: Tue, 23 Apr 2024 15:50:08 +0100
Subject: [PATCH] Replace bouncy castle blake2b (#4275)
Signed-off-by: Terry Quigley
---
 build.gradle | 1 +
 .../opensearch/security/configuration/MaskedField.java | 9 ++++++---
 .../opensearch/security/test/helper/rest/RestHelper.java | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/build.gradle b/build.gradle
index 445a6457b2..ad0a58313f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -580,6 +580,7 @@ dependencies {
 implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
 implementation 'org.ldaptive:ldaptive:1.2.3'
 implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
+ implementation 'com.rfksystems:blake2b:2.0.0'
 //JWT
 implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"
diff --git a/src/main/java/org/opensearch/security/configuration/MaskedField.java b/src/main/java/org/opensearch/security/configuration/MaskedField.java
index 8cb20ccdfe..2636047568 100644
--- a/src/main/java/org/opensearch/security/configuration/MaskedField.java
+++ b/src/main/java/org/opensearch/security/configuration/MaskedField.java
@@ -21,9 +21,10 @@ import com.google.common.base.Splitter; import org.apache.lucene.util.BytesRef; -import org.bouncycastle.crypto.digests.Blake2bDigest; import org.bouncycastle.util.encoders.Hex; + import com.rfksystems.blake2b.Blake2b; + public class MaskedField { private final String name; 
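Review bot: In the build.gradle hunk, the added `implementation 'com.rfksystems:blake2b:2.0.0'` line puts a second BLAKE2b implementation next to `bcprov-jdk18on` without saying why, and its version is an inline literal rather than a `versions.*` entry like the bouncycastle line above it. Since this artifact now computes the masked-field hash, a one-line comment such as `// BLAKE2b for field masking (MaskedField.blake2bHash); replaces BC Blake2bDigest, output must stay byte-identical` would warn the next reader not to drop or bump it casually. If the build keeps dependency-verification metadata or a license/checksum manifest, the new artifact presumably needs an entry there too; the patch does not show one. The `dependencies` block starts and ends outside the hunk.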
@@ -164,10 +165,12 @@ private String customHash(String in) {
 }
 private byte[] blake2bHash(byte[] in) {
- final Blake2bDigest hash = new Blake2bDigest(null, 32, null, defaultSalt);
+ // Salt is passed incorrectly but order of parameters is retained at present to ensure full backwards compatibility
+ // Tracking with https://github.com/opensearch-project/security/issues/4274
+ final Blake2b hash = new Blake2b(null, 32, null, defaultSalt);
 hash.update(in, 0, in.length);
 final byte[] out = new byte[hash.getDigestSize()];
- hash.doFinal(out, 0);
+ hash.digest(out, 0);
 return Hex.encode(out);
 }
diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
index c137591825..1710a93875 100644
--- a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
+++ b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
@@ -397,7 +397,7 @@ public static class HttpResponse {
 public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException {
 super();
 this.inner = inner;
- if (inner.getBody() == null) { // head request does not have a entity
+ if (inner.getBody() == null) { // head request does not have an entity
 this.body = "";
 } else {
 this.body = inner.getBodyText();
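Review bot: In `MaskedField.blake2bHash`, nothing in this commit pins the digest output across the switch from `Blake2bDigest` to `com.rfksystems.blake2b.Blake2b`; the only test file touched gets a comment typo fix. Masked values that were already produced or are compared elsewhere depend on both implementations returning the same bytes for `(null, 32, null, defaultSalt)`. Unless an existing test already asserts the masked output, add a known-answer test that hashes a fixed input with a fixed salt and compares the hex string with a value recorded from the Bouncy Castle implementation. The new comment could also say what is wrong rather than only linking the issue, e.g. `// defaultSalt is passed as the 4th argument (personalization in the Bouncy Castle signature), not the 3rd (salt)`. `defaultSalt` is defined outside the hunk, so its length and origin cannot be checked from here.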