[ https://issues.apache.org/jira/browse/NIFI-3594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981589#comment-15981589 ]
ASF GitHub Bot commented on NIFI-3594:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1686#discussion_r113014671

    --- Diff: nifi-commons/nifi-data-provenance-utils/src/main/java/org/apache/nifi/provenance/CryptoUtils.java ---
@@ -0,0 +1,228 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.provenance; + +import java.io.BufferedReader; +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileReader; +import java.io.IOException; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; +import java.util.regex.Pattern; +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider; +import org.apache.nifi.util.NiFiProperties; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class CryptoUtils { + private static final Logger logger = LoggerFactory.getLogger(StaticKeyProvider.class); + private static final String STATIC_KEY_PROVIDER_CLASS_NAME = "org.apache.nifi.provenance.StaticKeyProvider"; + private 
static final String FILE_BASED_KEY_PROVIDER_CLASS_NAME = "org.apache.nifi.provenance.FileBasedKeyProvider"; + private static final Pattern HEX_PATTERN = Pattern.compile("(?i)^[0-9a-f]+$"); + + public static final int IV_LENGTH = 16; + + public static boolean isUnlimitedStrengthCryptoAvailable() { + try { + return Cipher.getMaxAllowedKeyLength("AES") > 128; + } catch (NoSuchAlgorithmException e) { + logger.warn("Tried to determine if unlimited strength crypto is available but the AES algorithm is not available"); + return false; + } + } + + /** + * Utility method which returns true if the string is null, empty, or entirely whitespace. + * + * @param src the string to evaluate + * @return true if empty + */ + public static boolean isEmpty(String src) { + return src == null || src.trim().isEmpty(); + } + + /** + * Concatenates multiple byte[] into a single byte[]. Because it uses a {@link ByteArrayOutputStream} + * rather than {@link System#arraycopy(Object, int, Object, int, int)} the performance is much better + * with an arbitrary number of input byte[]s. + * + * @param arrays the component byte[] in order + * @return a concatenated byte[] + * @throws IOException this should never be thrown + */ + public static byte[] concatByteArrays(byte[]... arrays) throws IOException { + ByteArrayOutputStream boas = new ByteArrayOutputStream(); --- End diff --

I was curious about this, so I added an implementation as you described above and compared them. The BAOS is definitely faster for small byte[], but slower for large ones. Interesting.

```java
public static byte[] concatByteArrays(byte[]... arrays) throws IOException {
    int totalByteLength = 0;
    for (byte[] bytes : arrays) {
        totalByteLength += bytes.length;
    }
    byte[] totalBytes = new byte[totalByteLength];
    int currentLength = 0;
    for (byte[] bytes : arrays) {
        System.arraycopy(bytes, 0, totalBytes, currentLength, bytes.length);
        currentLength += bytes.length;
    }
    return totalBytes;
}

public static byte[] concatByteArraysWithBAOS(byte[]... arrays) throws IOException {
    ByteArrayOutputStream boas = new ByteArrayOutputStream();
    for (byte[] arr : arrays) {
        boas.write(arr);
    }
    return boas.toByteArray();
}
```

```
Calculating small/small -- 3 arrays with avg length 11
Ran 100 of small/small (traditional) with a total wall time of 28720012 ns and average run of 195354 ns
Ran 100 of small/small (BAOS) with a total wall time of 6745072 ns and average run of 12300 ns

Calculating small/large -- 2 arrays with avg length 567
Ran 100 of small/large (traditional) with a total wall time of 2712642 ns and average run of 5807 ns
Ran 100 of small/large (BAOS) with a total wall time of 3774826 ns and average run of 11078 ns

Calculating large/small -- 145 arrays with avg length 8
Ran 100 of large/small (traditional) with a total wall time of 5173622 ns and average run of 27214 ns
Ran 100 of large/small (BAOS) with a total wall time of 5120322 ns and average run of 27663 ns

Calculating large/large -- 182 arrays with avg length 534
Ran 100 of large/large (traditional) with a total wall time of 11537912 ns and average run of 83769 ns
Ran 100 of large/large (BAOS) with a total wall time of 65845017 ns and average run of 612915 ns
```

> Implement encrypted provenance repository
> -----------------------------------------
>
>                 Key: NIFI-3594
>                 URL: https://issues.apache.org/jira/browse/NIFI-3594
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Core Framework
>    Affects Versions: 1.1.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: encryption, provenance, repository
>
> I am going to start with the provenance repository, as the new implementation
> of {{WriteAheadProvenanceRepository}} has the most recent design decisions
> and has not been available in a released version yet, so there should be
> minimal backward compatibility concerns.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
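
Review bot: The logger declared at the top of `CryptoUtils` is created with `LoggerFactory.getLogger(StaticKeyProvider.class)`, so the warning in `isUnlimitedStrengthCryptoAvailable()` and every other message from this utility class is recorded under the `StaticKeyProvider` logger name; use `CryptoUtils.class` so that log lines about crypto availability point at the code that emitted them. Separately, the Javadoc on `concatByteArrays` says the `ByteArrayOutputStream` approach performs much better than `System.arraycopy` for an arbitrary number of inputs, while the measurements posted in this comment show it slower in the small/large and large/large cases, so that sentence should be narrowed to what was measured or dropped. `isEmpty(String)` also repeats what the already imported `StringUtils` provides as `StringUtils.isBlank`.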