[
https://issues.apache.org/jira/browse/NIFI-3594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981212#comment-15981212
]
ASF GitHub Bot commented on NIFI-3594:
--------------------------------------
Github user markap14 commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1686#discussion_r112958054
--- Diff:
nifi-commons/nifi-data-provenance-utils/src/main/java/org/apache/nifi/provenance/CryptoUtils.java
---
@@ -0,0 +1,228 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.provenance;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.security.util.EncryptionMethod;
+import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider;
+import org.apache.nifi.util.NiFiProperties;
+import org.bouncycastle.util.encoders.Hex;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class CryptoUtils {
+ private static final Logger logger =
LoggerFactory.getLogger(StaticKeyProvider.class);
+ private static final String STATIC_KEY_PROVIDER_CLASS_NAME =
"org.apache.nifi.provenance.StaticKeyProvider";
+ private static final String FILE_BASED_KEY_PROVIDER_CLASS_NAME =
"org.apache.nifi.provenance.FileBasedKeyProvider";
+ private static final Pattern HEX_PATTERN =
Pattern.compile("(?i)^[0-9a-f]+$");
+
+ public static final int IV_LENGTH = 16;
+
+ public static boolean isUnlimitedStrengthCryptoAvailable() {
+ try {
+ return Cipher.getMaxAllowedKeyLength("AES") > 128;
+ } catch (NoSuchAlgorithmException e) {
+ logger.warn("Tried to determine if unlimited strength crypto
is available but the AES algorithm is not available");
+ return false;
+ }
+ }
+
+ /**
+ * Utility method which returns true if the string is null, empty, or
entirely whitespace.
+ *
+ * @param src the string to evaluate
+ * @return true if empty
+ */
+ public static boolean isEmpty(String src) {
+ return src == null || src.trim().isEmpty();
+ }
+
+ /**
+ * Concatenates multiple byte[] into a single byte[]. Because it uses
a {@link ByteArrayOutputStream}
+ * rather than {@link System#arraycopy(Object, int, Object, int, int)}
the performance is much better
+ * with an arbitrary number of input byte[]s.
+ *
+ * @param arrays the component byte[] in order
+ * @return a concatenated byte[]
+ * @throws IOException this should never be thrown
+ */
+ public static byte[] concatByteArrays(byte[]... arrays) throws
IOException {
+ ByteArrayOutputStream boas = new ByteArrayOutputStream();
+ for (byte[] arr : arrays) {
+ boas.write(arr);
+ }
+ return boas.toByteArray();
+ }
+
+ public static boolean isValidKeyProvider(String
keyProviderImplementation, String keyProviderLocation, String keyId, String
encryptionKeyHex) {
+ if
(STATIC_KEY_PROVIDER_CLASS_NAME.equals(keyProviderImplementation)) {
+ // Ensure the keyId and key are valid
+ return keyIsValid(encryptionKeyHex) &&
StringUtils.isNotEmpty(keyId);
+ } else if
(FILE_BASED_KEY_PROVIDER_CLASS_NAME.equals(keyProviderImplementation)) {
+ // Ensure the file can be read and the keyId is populated
(does not read file to validate)
+ final File kpf = new File(keyProviderLocation);
+ return kpf.exists() && kpf.canRead() &&
StringUtils.isNotEmpty(keyId);
+ } else {
+ logger.error("The attempt to validate the key provider failed
keyProviderImplementation = "
+ + keyProviderImplementation + " , keyProviderLocation
= "
+ + keyProviderLocation + " , keyId = "
+ + keyId + " , encryptedKeyHex = "
+ + (StringUtils.isNotEmpty(encryptionKeyHex) ?
"********" : ""));
+
+ return false;
+ }
+ }
+
+ /**
+ * Returns true if the provided key is valid hex and is the correct
length for the current system's JCE policies.
+ *
+ * @param encryptionKeyHex the key in hexadecimal
+ * @return true if this key is valid
+ */
+ public static boolean keyIsValid(String encryptionKeyHex) {
+ return isHexString(encryptionKeyHex)
+ && (isUnlimitedStrengthCryptoAvailable()
+ ? Arrays.asList(32, 48,
64).contains(encryptionKeyHex.length())
--- End diff --
This is called a lot - would recommend removing the Arrays.asList(32, 48,
64) and just creating a private static final List or Set, or since there are
only 3 possible values, checking them individually
> Implement encrypted provenance repository
> -----------------------------------------
>
> Key: NIFI-3594
> URL: https://issues.apache.org/jira/browse/NIFI-3594
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Core Framework
> Affects Versions: 1.1.1
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Labels: encryption, provenance, repository
>
> I am going to start with the provenance repository, as the new implementation
> of {{WriteAheadProvenanceRepository}} has the most recent design decisions
> and has not been available in a released version yet, so there should be
> minimal backward compatibility concerns.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
