NIFI-7668 Implemented support for additional AEAD property encryption methods #4809

Closed
wants to merge 5 commits into from

@exceptionfactory exceptionfactory commented Feb 5, 2021

Description of PR

NIFI-7668 Implements support for the following additional AEAD property encryption methods:

  • NIFI_BCRYPT_AES_GCM_128
  • NIFI_BCRYPT_AES_GCM_256
  • NIFI_PBKDF2_AES_GCM_128
  • NIFI_PBKDF2_AES_GCM_256
  • NIFI_SCRYPT_AES_GCM_128
  • NIFI_SCRYPT_AES_GCM_256

This PR incorporates the following changes:

  • Added support for PBKDF2 and Scrypt property encryption methods in addition to Argon2
  • Refactored StringEncryptor class to PropertyEncryptor interface with implementations
  • Added PasswordBasedCipherPropertyEncryptor and KeyedCipherPropertyEncryptor
  • Replaced direct instantiation of encryptor with PropertyEncryptorFactory
  • Refactored applicable unit tests to use mocked PropertyEncryptor

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically main)?

  • Is your initial contribution a single, squashed commit? Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not squash or use --force when pushing to allow for clean monitoring of changes.

For code changes:

  • Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
  • Have you written or updated unit tests to verify your changes?
  • Have you verified that the full build is successful on JDK 8?
  • Have you verified that the full build is successful on JDK 11?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
  • If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
  • If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.

@exceptionfactory exceptionfactory left a comment

@Lehel44 Thanks for the feedback on syntax, will make some adjustments based on your feedback. Please feel free to follow up if you have any comments on the substance of the implementation.

Lehel44 commented Feb 14, 2021

@exceptionfactory Thank you for the improvements!

… methods

- Added support for PBKDF2 and Scrypt property encryption methods in addition to Argon2
- Refactored StringEncryptor class to PropertyEncryptor interface with implementations
- Added PasswordBasedCipherPropertyEncryptor and KeyedCipherPropertyEncryptor
- Replaced direct instantiation of encryptor with PropertyEncryptorFactory
- Refactored applicable unit tests to use mocked PropertyEncryptor
import java.util.Arrays;

/**
* Extension of Bcrypt Secure Hasher used for Key Derivation support specified of Derived Key Length
Contributor

"Extension of Bcrypt Secure Hasher used for Key Derivation support. Allows specifying a Derived Key Length."

Contributor Author

Thanks for the correction.

digest = messageDigest.digest(bcryptHash);
} else {
// Truncate bcrypt hash and remove algorithm parameters
byte[] hash = Arrays.copyOfRange(bcryptHash, HASH_START_INDEX, bcryptHash.length);
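Review bot: The inline comment above the `Arrays.copyOfRange` call says algorithm parameters are removed but not what `HASH_START_INDEX` skips or why. Naming the skipped prefix in the comment, and noting that the other branch (`messageDigest.digest(bcryptHash)`) digests the full value including that prefix, would make the difference between the two branches clear to the next reader.
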
Contributor

Why do we truncate the bcrypt hash and what is the relevance of the HASH_START_INDEX=29?

Contributor Author

This approach is migrated from the BcryptCipherProvider. Apparently early versions of the BcryptCipherProvider digested all of the bytes returned from BcryptSecureHasher, however, the value returned includes not only the bcrypt hash itself, but also additional parameters including cost, salt, and version information. The bcrypt page on Wikipedia has a good example of what is returned. In summary, the reason for the flag is to provide backward compatibility, whereas the behavior should only use the actual hash section of what gets returned. Do you think additional details are necessary in the comment on this line of code?

Contributor

Ah okay, so just to confirm, on line 81 we extract only the hash (dropping the hash params), and then on line 85 we return the hash truncated to the specified key length? Makes sense now.

Contributor Author

Yes, exactly as you described.
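
The bcrypt string layout and the two derivation modes discussed in this thread, as an added example that is not code from the PR or from NiFi. The class name, the SHA-512 digest, the sample bcrypt string, and truncation in the legacy mode are assumptions; only the offset of 29 and the two branch behaviours come from the discussion above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class BcryptKeyDerivationSketch {
    // "$2a$" (4) + two-digit cost and "$" (3) + 22-character salt = 29
    private static final int HASH_START_INDEX = 29;
    private static final int ENCODED_LENGTH = 60; // 29 + 31-character hash

    static byte[] deriveKey(final byte[] bcryptHash, final int derivedKeyLength,
                            final boolean legacy) throws NoSuchAlgorithmException {
        if (bcryptHash.length != ENCODED_LENGTH) {
            throw new IllegalArgumentException("Expected a 60-character bcrypt string");
        }
        // Assumption: SHA-512; the excerpt shows only messageDigest.digest(...)
        final MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
        if (derivedKeyLength < 1 || derivedKeyLength > messageDigest.getDigestLength()) {
            throw new IllegalArgumentException("Key length must be 1 to 64 bytes");
        }
        // Legacy: digest version, cost, salt and hash together.
        // Current: digest only the hash characters after the parameters.
        final byte[] input = legacy
                ? bcryptHash
                : Arrays.copyOfRange(bcryptHash, HASH_START_INDEX, bcryptHash.length);
        // Assumption: both modes truncate the digest to the key length in bytes
        return Arrays.copyOf(messageDigest.digest(input), derivedKeyLength);
    }

    static String hex(final byte[] bytes) {
        final StringBuilder builder = new StringBuilder();
        for (final byte b : bytes) {
            builder.append(String.format("%02x", b));
        }
        return builder.toString();
    }

    public static void main(final String[] args) throws NoSuchAlgorithmException {
        // Sample bcrypt string for illustration only, not a value from the PR
        final String encoded = "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW";
        final byte[] bcryptHash = encoded.getBytes(StandardCharsets.US_ASCII);
        System.out.println("parameters: " + encoded.substring(0, HASH_START_INDEX));
        System.out.println("hash:       " + encoded.substring(HASH_START_INDEX));
        System.out.println("current 32: " + hex(deriveKey(bcryptHash, 32, false)));
        System.out.println("legacy  32: " + hex(deriveKey(bcryptHash, 32, true)));
    }
}
```

The two modes produce different keys for the same bcrypt output, which is why values protected under the earlier behaviour need the backward-compatibility flag to remain readable.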

/**
* Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length and Cost Parameters
*
* @param derivedKeyLength Derived Key Length
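Review bot: The Javadoc summary line misspells "Derivation" as "Deriviation", and the `@param derivedKeyLength` description does not say whether the length is in bytes or bits. Suggest correcting the spelling and stating the unit on the `@param` line so callers do not have to read the implementation to find out.
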
Contributor

Derived key length in bytes?

Contributor Author

Yes, derived key length in bytes, will update the documentation to state that explicitly.

*/
@Override
public String encrypt(final String property) {
final byte[] binary = property.getBytes(PROPERTY_CHARSET);
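Review bot: `encrypt` calls `property.getBytes(PROPERTY_CHARSET)` with no visible check that `property` is non-null, so a null argument would surface as a NullPointerException from this line. If null is not a valid input, the Javadoc should say so or the method should reject it with a clear message; the Javadoc could also name the charset applied before encryption, since the same charset has to be used when decoding the decrypted bytes.
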
Contributor

Are NiFi properties always UTF_8 encoded regardless of language?

Contributor Author

That's a good question. This approach preserves the current behavior and makes it more explicit. StringEncryptor previously buried this fact in the encryptKeyed and encryptPBE methods when calling Cipher.doFinal().

@thenatog
Contributor

Other than a few questions, things look great to me.

@exceptionfactory
Contributor Author

> Other than a few questions, things look great to me.

Thanks for the feedback @thenatog! Pushed an update with clarifying comments for the bcrypt key derivation implementation.

@thenatog
Contributor

+1, will merge

@thenatog thenatog closed this in 5608f43 Feb 25, 2021
driesva pushed a commit to driesva/nifi that referenced this pull request Mar 19, 2021
… methods

- Added support for PBKDF2 and Scrypt property encryption methods in addition to Argon2
- Refactored StringEncryptor class to PropertyEncryptor interface with implementations
- Added PasswordBasedCipherPropertyEncryptor and KeyedCipherPropertyEncryptor
- Replaced direct instantiation of encryptor with PropertyEncryptorFactory
- Refactored applicable unit tests to use mocked PropertyEncryptor

NIFI-7668 Consolidated similar methods to CipherPropertyEncryptor

NIFI-7668 Updated AbstractTimeBasedSchedulingAgent with PropertyEncryptor

NIFI-7668 Added support for bcrypt secure hashing algorithm

NIFI-7668 Updated comments to clarify implementation of bcrypt key derivation

Signed-off-by: Nathan Gough <thenatog@gmail.com>

This closes apache#4809.
krisztina-zsihovszki pushed a commit to krisztina-zsihovszki/nifi that referenced this pull request Jun 28, 2022