Github user ottobackwards commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2980#discussion_r214882758
--- Diff:
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/security/util/crypto/HashAlgorithm.java
---
@@ -0,0 +1,151 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.util.crypto;
+
+import java.util.Arrays;
+import java.util.List;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.builder.ToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringStyle;
+
+/**
+ * Enumeration capturing information about the cryptographic hash
algorithms used in
+ * {@link org.apache.nifi.processors.standard.CalculateAttributeHash} and
+ * {@link org.apache.nifi.processors.standard.HashContent} processors.
+ */
+public enum HashAlgorithm {
+
+ MD2("MD2", 16, "Cryptographically broken due to collisions"),
+ MD5("MD5", 16, "Cryptographically broken due to collisions"),
+ SHA1("SHA-1", 20, "Cryptographically broken due to collisions"),
+ SHA224("SHA-224", 28, "SHA-2 family"),
+ SHA256("SHA-256", 32, "SHA-2 family"),
+ SHA384("SHA-384", 48, "SHA-2 family"),
+ SHA512("SHA-512", 64, "SHA-2 family"),
+ SHA512_224("SHA-512/224", 28, "SHA-2 using SHA-512 with truncated
output"),
+ SHA512_256("SHA-512/256", 32, "SHA-2 using SHA-512 with truncated
output"),
+ SHA3_224("SHA3-224", 28, "Keccak-based SHA3 family"),
+ SHA3_256("SHA3-256", 32, "Keccak-based SHA3 family"),
+ SHA3_384("SHA3-384", 48, "Keccak-based SHA3 family"),
+ SHA3_512("SHA3-512", 64, "Keccak-based SHA3 family"),
+ BLAKE2_160("BLAKE2-160", 20, "Also known as Blake2b"),
+ BLAKE2_256("BLAKE2-256", 32, "Also known as Blake2b"),
+ BLAKE2_384("BLAKE2-384", 48, "Also known as Blake2b"),
+ BLAKE2_512("BLAKE2-512", 64, "Also known as Blake2b");
+
+ private final String name;
+ private final int digestBytesLength;
+ private final String description;
+
+ private static final List<String> BROKEN_ALGORITHMS =
Arrays.asList(MD2.name, MD5.name, SHA1.name);
+
+ HashAlgorithm(String name, int digestBytesLength, String description) {
+ this.name = name;
+ this.digestBytesLength = digestBytesLength;
+ this.description = description;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public int getDigestBytesLength() {
+ return digestBytesLength;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+
+ /**
+ * Returns {@code true} if this algorithm is considered
cryptographically secure. These determinations were made as of 2018-08-30.
+ *
+ * Current strong algorithms:
+ *
+ * * SHA-224 (SHA2)
+ * * SHA-256 (SHA2)
+ * * SHA-384 (SHA2)
+ * * SHA-512 (SHA2)
+ * * SHA-512/224 (SHA2)
+ * * SHA-512/256 (SHA2)
+ * * SHA3-256
+ * * SHA3-384
+ * * SHA3-512
+ * * Blake2b-256
+ * * Blake2b-384
+ * * Blake2b-512
+ *
+ * Current broken algorithms:
+ *
+ * * MD2
+ * * MD5
+ * * SHA-1
+ *
+ * @return true if the algorithm is considered strong
+ */
+ public boolean isStrongAlgorithm() {
+ return (!BROKEN_ALGORITHMS.contains(name));
+ }
+
--- End diff --
What is the isBlake2 check about? Is there a way to make it more general?
It seems strange to call out by the name as opposed to the "why"
---
