Increase KDF iteration count in KeyStoreWrapper #107107

Merged
merged 10 commits into from
Apr 8, 2024

Conversation

n1v0lg
Contributor

@n1v0lg n1v0lg commented Apr 4, 2024

This PR increases the KDF iteration count for the keystore password.

Additional context in ES-8063.
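The mechanism this PR relies on, selecting the PBKDF2 iteration count from the keystore's on-disk format version so that keystores written before the increase stay readable, shown as an added Python example; this is not Elasticsearch code. The algorithm (PBKDF2 with HMAC-SHA-512), the legacy count of 10000 and the oldest readable format version 3 are taken from the diff on this page; the new count of 210000, the cutoff version 6, the header layout and the HMAC key-check are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# From the PR diff: PBKDF2 with HMAC-SHA-512, legacy count 10000, oldest readable format 3.
KDF_HASH = "sha512"
LEGACY_KDF_ITERS = 10_000
MIN_FORMAT_VERSION = 3
# Assumed for this example (not shown on the PR page): the new count (a commonly cited
# figure for PBKDF2-HMAC-SHA512) and the first format version written with it.
HIGHER_KDF_ITERS = 210_000
HIGHER_KDF_ITERS_VERSION = 6
CURRENT_FORMAT_VERSION = HIGHER_KDF_ITERS_VERSION
KEY_CHECK_LABEL = b"keystore-key-check"  # constructed verifier input, see open_keystore()


def kdf_iterations_for_version(format_version: int) -> int:
    """Choose the iteration count from the format version stored in the keystore header.
    Older keystores keep the count they were written with, so they stay readable;
    keystores at or above the cutoff version get the higher count."""
    if format_version < MIN_FORMAT_VERSION:
        raise ValueError(f"format version {format_version} is too old to read")
    if format_version < HIGHER_KDF_ITERS_VERSION:
        return LEGACY_KDF_ITERS
    return HIGHER_KDF_ITERS


def derive_key(password: bytes, salt: bytes, format_version: int) -> bytes:
    """PBKDF2-HMAC-SHA512 with the version-appropriate iteration count; 32-byte key."""
    iters = kdf_iterations_for_version(format_version)
    return hashlib.pbkdf2_hmac(KDF_HASH, password, salt, iters, dklen=32)


@dataclass(frozen=True)
class KeystoreHeader:
    """Minimal constructed header: which format (and so which KDF parameters) wrote the
    keystore, the salt, and a key-check tag used to detect a wrong password."""
    format_version: int
    salt: bytes
    key_check: bytes


def _key_check(key: bytes) -> bytes:
    # Tag derived from the key; comparing it tells us the password was right
    # without having to decrypt any payload.
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def create_keystore(password: bytes, format_version: int = CURRENT_FORMAT_VERSION) -> KeystoreHeader:
    salt = os.urandom(16)
    key = derive_key(password, salt, format_version)
    return KeystoreHeader(format_version, salt, _key_check(key))


def open_keystore(header: KeystoreHeader, password: bytes) -> bytes:
    """Re-derive the key with the count implied by the stored version and verify it in
    constant time; a wrong password (or a tampered header) raises instead of yielding a key."""
    key = derive_key(password, header.salt, header.format_version)
    if not hmac.compare_digest(_key_check(key), header.key_check):
        raise ValueError("wrong password or corrupted keystore")
    return key


def upgrade_keystore(header: KeystoreHeader, password: bytes) -> KeystoreHeader:
    """Rewrite an older keystore at the current version so it gets the higher count.
    The password is verified under the old parameters before anything is rewritten."""
    open_keystore(header, password)
    return create_keystore(password, CURRENT_FORMAT_VERSION)


if __name__ == "__main__":
    pw = b"correct horse battery staple"              # constructed sample password
    legacy = create_keystore(pw, format_version=5)    # pretend it predates the increase
    print("legacy keystore iterations:", kdf_iterations_for_version(legacy.format_version))
    open_keystore(legacy, pw)                         # still opens with the old count
    upgraded = upgrade_keystore(legacy, pw)
    print("upgraded keystore iterations:", kdf_iterations_for_version(upgraded.format_version))
```

The header records only the format version, not the iteration count itself, which mirrors the approach implied by the PR's version-gated constant: the count is a function of the version, so an attacker who can edit the header cannot lower the work factor below what that version's code path allows, and every existing keystore keeps opening until it is rewritten at the current version.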

@n1v0lg n1v0lg added >enhancement :Core/Infra/CLI CLI utilities, scripts, and infrastructure labels Apr 4, 2024
@n1v0lg n1v0lg self-assigned this Apr 4, 2024
@@ -114,19 +114,19 @@ public void writeTo(StreamOutput out) throws IOException {

/** The oldest metadata format version that can be read. */
private static final int MIN_FORMAT_VERSION = 3;
/** Legacy versions of the metadata written before the keystore data. */
public static final int V2_VERSION = 2;
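Review bot: `V2_VERSION` on the last line of the hunk is `public`, so removing it is a visible API change rather than a private cleanup, even if nothing in this module uses it; confirm that no other module or test references it before it goes. Since `MIN_FORMAT_VERSION = 3` already excludes v2 data, the only information lost is the Javadoc note that legacy metadata preceded the keystore data, so consider folding that sentence into the Javadoc of `MIN_FORMAT_VERSION`.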
Contributor Author

Unused, so I'm removing it.

@elasticsearchmachine
Collaborator

Hi @n1v0lg, I've created a changelog YAML for you.

@n1v0lg n1v0lg marked this pull request as ready for review April 5, 2024 12:20
@n1v0lg n1v0lg requested a review from a team as a code owner April 5, 2024 12:20
@n1v0lg n1v0lg requested a review from rjernst April 5, 2024 12:21
@elasticsearchmachine
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Apr 5, 2024
@n1v0lg
Contributor Author

n1v0lg commented Apr 5, 2024

@elasticmachine update branch

Member

@rjernst rjernst left a comment

LGTM, one suggestion


/** The algorithm used to derive the cipher key from a password. */
private static final String KDF_ALGO = "PBKDF2WithHmacSHA512";

/** The number of iterations to derive the cipher key, for versions of the keystore preceding the iteration count increase. */
private static final int KDF_ITERS_BEFORE_HIGHER_KDF_ITERATION_COUNT_VERSION = 10000;
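Review bot: `KDF_ITERS_BEFORE_HIGHER_KDF_ITERATION_COUNT_VERSION = 10000` is a compatibility value, not a tunable: changing it later would silently make every keystore written before the increase undecryptable, and the same holds for `KDF_ALGO`. Whether it stays as a field or is inlined into `getKdfIterationCountForVersion`, pin it with a test that opens a fixture keystore written at a pre-increase format version, and keep the Javadoc sentence about "versions of the keystore preceding the iteration count increase" next to the value so the next reader knows it must never be bumped retroactively.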
Member

I would put this inline in getKdfIterationCountForVersion, no need to take up memory forever for it.

@n1v0lg n1v0lg added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label Apr 8, 2024
@elasticsearchmachine elasticsearchmachine merged commit 8830637 into elastic:main Apr 8, 2024
@n1v0lg n1v0lg deleted the iter-count-keystore-wrapper branch April 8, 2024 09:28
n1v0lg added a commit that referenced this pull request Apr 9, 2024
Labels
auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) :Core/Infra/CLI CLI utilities, scripts, and infrastructure >enhancement Team:Core/Infra Meta label for core/infra team v8.14.0
4 participants