[
https://issues.apache.org/jira/browse/IMPALA-14038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17979256#comment-17979256
]
ASF subversion and git services commented on IMPALA-14038:
----------------------------------------------------------
Commit eddf075a7af8c5d2e76e9613142260333e3d65b1 in impala's branch
refs/heads/master from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=eddf075a7 ]
IMPALA-14066 (Part 6): Re-applying IMPALA-14038: Pull in KUDU-3663 to handle
certs with RSASSA-PSS
This commit re-applies IMPALA-14038 to the Kudu files after the Kudu
rebase to v1.17.1.
Testing:
- exhaustive tests have passed
The original commit message is below:
The existing KRPC code to determine the hash algorithm for a
certificate does not handle RSASSA-PSS signatures as the hash
algorithm is configurable for RSASSA-PSS. This was addressed
in Kudu with KUDU-3663. That fix uses OpenSSL 1.1.1's
x509_get_signature_info() function, which is able to determine
the hash algorithm even for RSASSA-PSS. This is similar to the
fix that Postgres did in a similar situation. It does not support
RSASSA-PSS on OpenSSL 1.0.2, but it improves the error message
in that case.
Testing:
- Kudu added a unit test that passes
Change-Id: I162efac2d68c2bfb34a5086557182f68670d8c2a
Reviewed-on: http://gerrit.cloudera.org:8080/22923
Reviewed-by: Jason Fehr <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-on: http://gerrit.cloudera.org:8080/23015
Reviewed-by: Daniel Becker <[email protected]>
Tested-by: Daniel Becker <[email protected]>
> RSASSA-PSS Signature Algorithm Not Supported
> --------------------------------------------
>
> Key: IMPALA-14038
> URL: https://issues.apache.org/jira/browse/IMPALA-14038
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 5.0.0
> Reporter: Jason Fehr
> Assignee: Joe McDonnell
> Priority: Critical
> Fix For: Impala 5.0.0
>
>
> If a certificate used in kRPC communication uses the signature algorithm
> RSASSA-PSS, then communication will be blocked with the following error
> reported:
> {noformat}
> negotiation.cc:311] Negotiation complete: Not implemented: Server connection
> negotiation failed: server connection from ****: server certificate has no
> signature digest (hash) algorithm
> {noformat}
> This error is generated in
> [kudu/security/cert.cc|https://github.com/apache/impala/blob/cb496104d98e8cbd87acf25277f2648cffaac42a/be/src/kudu/security/cert.cc#L194].
> The reason the error is thrown is the RSASSA-PSS algorithm does not
> explicitly specify a hash algorithm. Instead, the hash algorithm is defined
> in subfields within the signature block of the certificate.
> For example, most signature algorithms look like this where the hash
> algorithm (SHA384) is included:
> {noformat}
> Signature Algorithm: ecdsa-with-SHA384
> {noformat}
> But, a RSASSA-PSS signature algorithm looks like this (note the hash
> algorithm is now in a subfield):
> {noformat}
> Signature Algorithm: rsassaPss
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0xBC (default)
> {noformat}
> Since the hash algorithm is defined in a subfield, digest_nid is set to 0.
> One possible solution is to use theĀ
> [X509_digest_sig|https://github.com/openssl/openssl/commit/fccf3dcef42f12b0ac2b1ab8979125a2511dc271]
> function from OpenSSL
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
