[ https://issues.apache.org/jira/browse/NIFI-3594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981212#comment-15981212 ]
ASF GitHub Bot commented on NIFI-3594: -------------------------------------- Github user markap14 commented on a diff in the pull request: https://github.com/apache/nifi/pull/1686#discussion_r112958054 --- Diff: nifi-commons/nifi-data-provenance-utils/src/main/java/org/apache/nifi/provenance/CryptoUtils.java --- 
@@ -0,0 +1,228 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.provenance;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.security.util.EncryptionMethod;
+import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider;
+import org.apache.nifi.util.NiFiProperties;
+import org.bouncycastle.util.encoders.Hex;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class CryptoUtils {
+ private static final Logger logger = LoggerFactory.getLogger(StaticKeyProvider.class);
+ private static final String STATIC_KEY_PROVIDER_CLASS_NAME = "org.apache.nifi.provenance.StaticKeyProvider";
+ private static final String FILE_BASED_KEY_PROVIDER_CLASS_NAME = "org.apache.nifi.provenance.FileBasedKeyProvider";
+ private static final Pattern HEX_PATTERN = Pattern.compile("(?i)^[0-9a-f]+$");
+
+ public static final int IV_LENGTH = 16;
+
+ public static boolean isUnlimitedStrengthCryptoAvailable() {
+ try {
+ return Cipher.getMaxAllowedKeyLength("AES") > 128;
+ } catch (NoSuchAlgorithmException e) {
+ logger.warn("Tried to determine if unlimited strength crypto is available but the AES algorithm is not available");
+ return false;
+ }
+ }
+
+ /**
+ * Utility method which returns true if the string is null, empty, or entirely whitespace.
+ *
+ * @param src the string to evaluate
+ * @return true if empty
+ */
+ public static boolean isEmpty(String src) {
+ return src == null || src.trim().isEmpty();
+ }
+
+ /**
+ * Concatenates multiple byte[] into a single byte[]. Because it uses a {@link ByteArrayOutputStream}
+ * rather than {@link System#arraycopy(Object, int, Object, int, int)} the performance is much better
+ * with an arbitrary number of input byte[]s.
+ *
+ * @param arrays the component byte[] in order
+ * @return a concatenated byte[]
+ * @throws IOException this should never be thrown
+ */
+ public static byte[] concatByteArrays(byte[]... 
arrays) throws IOException { + ByteArrayOutputStream boas = new ByteArrayOutputStream(); + for (byte[] arr : arrays) { + boas.write(arr); + } + return boas.toByteArray(); + } + + public static boolean isValidKeyProvider(String keyProviderImplementation, String keyProviderLocation, String keyId, String encryptionKeyHex) { + if (STATIC_KEY_PROVIDER_CLASS_NAME.equals(keyProviderImplementation)) { + // Ensure the keyId and key are valid + return keyIsValid(encryptionKeyHex) && StringUtils.isNotEmpty(keyId); + } else if (FILE_BASED_KEY_PROVIDER_CLASS_NAME.equals(keyProviderImplementation)) { + // Ensure the file can be read and the keyId is populated (does not read file to validate) + final File kpf = new File(keyProviderLocation); + return kpf.exists() && kpf.canRead() && StringUtils.isNotEmpty(keyId); + } else { + logger.error("The attempt to validate the key provider failed keyProviderImplementation = " + + keyProviderImplementation + " , keyProviderLocation = " + + keyProviderLocation + " , keyId = " + + keyId + " , encryptedKeyHex = " + + (StringUtils.isNotEmpty(encryptionKeyHex) ? "********" : "")); + + return false; + } + } + + /** + * Returns true if the provided key is valid hex and is the correct length for the current system's JCE policies. + * + * @param encryptionKeyHex the key in hexadecimal + * @return true if this key is valid + */ + public static boolean keyIsValid(String encryptionKeyHex) { + return isHexString(encryptionKeyHex) + && (isUnlimitedStrengthCryptoAvailable() + ? 
Arrays.asList(32, 48, 64).contains(encryptionKeyHex.length()) --- End diff -- This is called a lot - would recommend removing the Arrays.asList(32, 48, 64) and just creating a private static final List or Set, or since there are only 3 possible values, checking them individually > Implement encrypted provenance repository > ----------------------------------------- > > Key: NIFI-3594 > URL: https://issues.apache.org/jira/browse/NIFI-3594 > Project: Apache NiFi > Issue Type: Sub-task > Components: Core Framework > Affects Versions: 1.1.1 > Reporter: Andy LoPresto > Assignee: Andy LoPresto > Labels: encryption, provenance, repository > > I am going to start with the provenance repository, as the new implementation > of {{WriteAheadProvenanceRepository}} has the most recent design decisions > and has not been available in a released version yet, so there should be > minimal backward compatibility concerns. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
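Review bot: In the `FILE_BASED_KEY_PROVIDER_CLASS_NAME` branch of `isValidKeyProvider`, `new File(keyProviderLocation)` throws a NullPointerException when the location is unset, so a misconfigured repository fails with an exception instead of the `false` this validator returns elsewhere, and `kpf.exists()` also accepts a directory. I would guard the branch with `if (StringUtils.isBlank(keyProviderLocation)) { return false; }` before constructing the `File`, and test `kpf.isFile() && kpf.canRead()` in place of `kpf.exists() && kpf.canRead()`. Separately, the class logger is created with `LoggerFactory.getLogger(StaticKeyProvider.class)`, so the validation error logged in the final branch is attributed to the wrong class; `LoggerFactory.getLogger(CryptoUtils.class)` keeps the log trail for key-provider misconfiguration accurate. The quoted hunk ends inside `keyIsValid`, so the rest of that method and of the class is not visible here.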