[Backport 2.x] Replace bouncy castle blake2b (opensearch-project#4284)

Signed-off-by: Terry Quigley <[email protected]>
peternied · Apr 24, 2024 · badea0d · badea0d
1 parent d6c0ba3
commit badea0d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/build.gradle b/build.gradle
@@ -573,6 +573,7 @@ dependencies {
     implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
+    implementation 'com.rfksystems:blake2b:2.0.0'
 
     //JWT
     implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"

diff --git a/src/main/java/org/opensearch/security/configuration/MaskedField.java b/src/main/java/org/opensearch/security/configuration/MaskedField.java
@@ -21,9 +21,10 @@
 
 import com.google.common.base.Splitter;
 import org.apache.lucene.util.BytesRef;
-import org.bouncycastle.crypto.digests.Blake2bDigest;
 import org.bouncycastle.util.encoders.Hex;
 
+import com.rfksystems.blake2b.Blake2b;
+
 public class MaskedField {
 
     private final String name;
@@ -164,10 +165,12 @@ private String customHash(String in) {
     }
 
     private byte[] blake2bHash(byte[] in) {
-        final Blake2bDigest hash = new Blake2bDigest(null, 32, null, defaultSalt);
+        // Salt is passed incorrectly but order of parameters is retained at present to ensure full backwards compatibility
+        // Tracking with https://github.com/opensearch-project/security/issues/4274
+        final Blake2b hash = new Blake2b(null, 32, null, defaultSalt);
         hash.update(in, 0, in.length);
         final byte[] out = new byte[hash.getDigestSize()];
-        hash.doFinal(out, 0);
+        hash.digest(out, 0);
         return Hex.encode(out);
     }
 

diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
@@ -310,7 +310,7 @@ public HttpResponse(CloseableHttpResponse inner) throws IllegalStateException, I
             super();
             this.inner = inner;
             final HttpEntity entity = inner.getEntity();
-            if (entity == null) { // head request does not have a entity
+            if (entity == null) { // head request does not have an entity
                 this.body = "";
             } else {
                 this.body = CharStreams.toString(new InputStreamReader(entity.getContent(), Charsets.UTF_8));