accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] ctubbsii commented on a change in pull request #318: ACCUMULO-4733 Implement configurable security provider for crypto
Date Thu, 01 Jan 1970 00:00:00 GMT
ctubbsii commented on a change in pull request #318: ACCUMULO-4733 Implement configurable security
provider for crypto
URL: https://github.com/apache/accumulo/pull/318#discussion_r148596928
 
 

 ##########
 File path: core/src/main/java/org/apache/accumulo/core/security/crypto/DefaultCryptoModuleUtils.java
 ##########
 @@ -50,20 +50,23 @@ public static SecureRandom getSecureRandom(String secureRNG, String secureRNGPro
     return secureRandom;
   }
 
-  public static Cipher getCipher(String cipherSuite) {
+  public static Cipher getCipher(String cipherSuite, String securityProvider) {
     Cipher cipher = null;
 
     if (cipherSuite.equals("NullCipher")) {
       cipher = new NullCipher();
     } else {
       try {
-        cipher = Cipher.getInstance(cipherSuite);
+        cipher = Cipher.getInstance(cipherSuite, securityProvider);
 
 Review comment:
   This will override the system-wide prioritized crypto providers for Java set by the system
administrator. This may be okay in some cases, but I don't think this should be the default.
   
   I think that we should set the default value to be null, instead of SunJCE, and if it is
null, then we call the one-parameter version of this method, which respects the system-wide
security settings. The specific provider should only be used if it's not null.
   
   Doing it the way I'm suggesting will be much friendlier on system administrators trying
to ensure their systems are compliant with their organizational requirements. It also makes
more sense if a single crypto doesn't support all of the algorithms the user has specified,
because the default behavior is to search the providers set by the system administrator to
find one that will work for a given algorithm.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message