Replace bouncy castle blake2b (opensearch-project#4275)

Signed-off-by: Terry Quigley <terry.quigley@sas.com>
terryquigleysas · Apr 23, 2024 · 0d7af4d · 0d7af4d
1 parent c09fad5
commit 0d7af4d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/build.gradle b/build.gradle
@@ -580,6 +580,7 @@ dependencies {
     implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
+    implementation 'com.rfksystems:blake2b:2.0.0'
 
     //JWT
     implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"

diff --git a/src/main/java/org/opensearch/security/configuration/MaskedField.java b/src/main/java/org/opensearch/security/configuration/MaskedField.java
@@ -21,9 +21,10 @@
 
 import com.google.common.base.Splitter;
 import org.apache.lucene.util.BytesRef;
-import org.bouncycastle.crypto.digests.Blake2bDigest;
 import org.bouncycastle.util.encoders.Hex;
 
+import com.rfksystems.blake2b.Blake2b;
+
 public class MaskedField {
 
     private final String name;
@@ -164,10 +165,12 @@ private String customHash(String in) {
     }
 
     private byte[] blake2bHash(byte[] in) {
-        final Blake2bDigest hash = new Blake2bDigest(null, 32, null, defaultSalt);
+        // Salt is passed incorrectly but order of parameters is retained at present to ensure full backwards compatibility
+        // Tracking with https://github.com/opensearch-project/security/issues/4274
+        final Blake2b hash = new Blake2b(null, 32, null, defaultSalt);
         hash.update(in, 0, in.length);
         final byte[] out = new byte[hash.getDigestSize()];
-        hash.doFinal(out, 0);
+        hash.digest(out, 0);
         return Hex.encode(out);
     }
 

diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
@@ -397,7 +397,7 @@ public static class HttpResponse {
         public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException {
             super();
             this.inner = inner;
-            if (inner.getBody() == null) { // head request does not have a entity
+            if (inner.getBody() == null) { // head request does not have an entity
                 this.body = "";
             } else {
                 this.body = inner.getBodyText();