-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
NIFI-7668 Implemented support for additional AEAD property encryption…
… methods - Added support for PBKDF2 and Scrypt property encryption methods in addition to Argon2 - Refactored StringEncryptor class to PropertyEncryptor interface with implementations - Added PasswordBasedCipherPropertyEncryptor and KeyedCipherPropertyEncryptor - Replaced direct instantiation of encryptor with PropertyEncryptorFactory - Refactored applicable unit tests to use mocked PropertyEncryptor NIFI-7668 Consolidated similar methods to CipherPropertyEncryptor NIFI-7668 Updated AbstractTimeBasedSchedulingAgent with PropertyEncryptor NIFI-7668 Added support for bcrypt secure hashing algorithm NIFI-7668 Updated comments to clarify implementation of bcrypt key derivation Signed-off-by: Nathan Gough <thenatog@gmail.com> This closes #4809.
- Loading branch information
1 parent
99fe548
commit 5608f43
Showing
68 changed files
with
1,570 additions
and
1,917 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
95 changes: 95 additions & 0 deletions
95
...s/src/main/java/org/apache/nifi/security/util/crypto/KeyDerivationBcryptSecureHasher.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one or more | ||
| * contributor license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright ownership. | ||
| * The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| * (the "License"); you may not use this file except in compliance with | ||
| * the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.apache.nifi.security.util.crypto; | ||
|
|
||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| import java.security.MessageDigest; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.util.Arrays; | ||
|
|
||
| /** | ||
| * Extension of Bcrypt Secure Hasher used for Key Derivation support. Allows specifying a Derived Key Length in bytes. | ||
| */ | ||
| public class KeyDerivationBcryptSecureHasher extends BcryptSecureHasher { | ||
| private static final Logger LOGGER = LoggerFactory.getLogger(KeyDerivationBcryptSecureHasher.class); | ||
|
|
||
| private static final String DIGEST_ALGORITHM = "SHA-512"; | ||
|
|
||
| private static final int HASH_START_INDEX = 29; | ||
|
|
||
| private final int derivedKeyLength; | ||
|
|
||
| private final boolean digestBcryptHash; | ||
|
|
||
| /** | ||
| * Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length | ||
| * | ||
| * @param derivedKeyLength Derived Key Length in bytes | ||
| */ | ||
| public KeyDerivationBcryptSecureHasher(final int derivedKeyLength) { | ||
| this.derivedKeyLength = derivedKeyLength; | ||
| this.digestBcryptHash = false; | ||
| } | ||
|
|
||
| /** | ||
| * Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length and Cost Parameters | ||
| * | ||
| * @param derivedKeyLength Derived Key Length in bytes | ||
| * @param cost Cost Parameter for calculation | ||
| * @param digestBcryptHash Enable to disable digesting of bcrypt hash to support legacy derivation functions | ||
| */ | ||
| public KeyDerivationBcryptSecureHasher(final int derivedKeyLength, final int cost, final boolean digestBcryptHash) { | ||
| super(cost); | ||
| this.derivedKeyLength = derivedKeyLength; | ||
| this.digestBcryptHash = digestBcryptHash; | ||
| } | ||
|
|
||
| /** | ||
| * Hash raw bytes using provided salt and then leverage SHA-512 to digest the results and truncate to length requested | ||
| * | ||
| * @param input Raw bytes to be hashed | ||
| * @param rawSalt Raw salt bytes to be hashed | ||
| * @return Hash bytes digested using SHA-512 and truncated to derived key length configured | ||
| */ | ||
| @Override | ||
| byte[] hash(final byte[] input, final byte[] rawSalt) { | ||
| final byte[] costSaltBcryptHash = super.hash(input, rawSalt); | ||
|
|
||
| final MessageDigest messageDigest = getMessageDigest(); | ||
| byte[] digest; | ||
| if (digestBcryptHash) { | ||
| LOGGER.warn("Using Legacy Key Derivation on bcrypt hash including cost and salt"); | ||
| digest = messageDigest.digest(costSaltBcryptHash); | ||
| } else { | ||
| // Remove cost and salt from bcrypt function results and retain bcrypt hash | ||
| byte[] hash = Arrays.copyOfRange(costSaltBcryptHash, HASH_START_INDEX, costSaltBcryptHash.length); | ||
| digest = messageDigest.digest(hash); | ||
| } | ||
|
|
||
| return Arrays.copyOf(digest, derivedKeyLength); | ||
| } | ||
|
|
||
| private MessageDigest getMessageDigest() { | ||
| try { | ||
| return MessageDigest.getInstance(DIGEST_ALGORITHM); | ||
| } catch (final NoSuchAlgorithmException e) { | ||
| throw new UnsupportedOperationException(DIGEST_ALGORITHM, e); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.