[ https://issues.apache.org/jira/browse/NIFI-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040857#comment-17040857 ]
karthik kadajji commented on NIFI-3063:
---------------------------------------

Hi [~alopresto], I was going through the ticket and found that even when the JCE policy is Unlimited, we get the password to be random. I believe the bug is from the TlsToolkitStandaloneCommandLine class, where the getPasswords method parses the given arguments in the wrong way, so I will check further. I checked for nifi-1.12. This appears to be an issue with the -P parameter. However, when the following command is run it doesn't have the randomness:

./bin/tls-toolkit.sh standalone -C 'CN=test' -B password

> TLS Toolkit ignores provided password if longer than 7 characters and
> switches to auto-generated 7 character password
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-3063
> URL: https://issues.apache.org/jira/browse/NIFI-3063
> Project: Apache NiFi
> Issue Type: Bug
> Components: Tools and Build
> Affects Versions: 1.1.0
> Reporter: Andy LoPresto
> Assignee: karthik kadajji
> Priority: Critical
> Labels: pkcs12, security, tls-toolkit
>
> Because of work done for [NIFI-2943], the TLS Toolkit cannot accept a
> password longer than 7 characters for a PKCS12 keystore if the JCE unlimited
> strength cryptographic jurisdiction policies are not installed. While the
> tool correctly warns about this, it quietly switches from the provided
> password to an auto-generated 7 character password. There is a small log
> message saying the password has been switched to an auto-generated, reduced
> password, but this is easy to miss and surprising functionality. While not as
> secure, truncating the provided password to 7 characters is less likely to
> cause confusion for users.
> Example output:
> {code}
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
> π 7s @ 20:06:39 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: WARNING!!!!
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out '/tmp/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=test.p12' -out '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> 2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
> π 6s @ 20:06:46 $ more CN\=test.password
> aW5aV2E
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
> π 4s @ 20:06:51 $
> {code}
>
> Suggested solutions (in order of preference):
> # Fail to generate the keystore in this case and print reason
> # Truncate provided password to 7 characters
> # Print larger message explaining that the provided password is ignored completely and auto-generated password is used

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
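Added example, not part of the ticket and not code from the NiFi TLS Toolkit: a small Java class showing the ticket's preferred fix (suggested solution #1). It checks whether the unlimited JCE policy is in effect via Cipher.getMaxAllowedKeyLength, applies the 7-character PKCS12 limit the ticket reports for the restricted policy, and refuses the supplied password with an explicit reason rather than quietly swapping in an auto-generated one. An auto-generated password is produced only when the caller supplied none. The class and method names, the 20-character default for generated passwords, and the "AES above 128 bits means unlimited" test are assumptions made for this example.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Example code written for this page; not NiFi TLS Toolkit code.
// Implements suggested solution #1 from NIFI-3063: fail loudly when the
// supplied PKCS12 password cannot be used under the JCE policy in effect.
public final class KeystorePasswordPolicy {

    // Limit the ticket reports for PKCS12 passwords under the restricted policy.
    static final int RESTRICTED_MAX_PKCS12_PASSWORD_LENGTH = 7;

    // Length of auto-generated passwords when no limit applies (assumed value).
    static final int DEFAULT_GENERATED_LENGTH = 20;

    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Under the restricted policy the JDK caps AES at 128 bits; with the
    // unlimited policy getMaxAllowedKeyLength reports Integer.MAX_VALUE.
    // Anything above 128 is therefore treated as "unlimited" here.
    static boolean unlimitedJcePolicyInstalled() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    static int maxPasswordLength(boolean unlimitedPolicy) {
        return unlimitedPolicy ? Integer.MAX_VALUE : RESTRICTED_MAX_PKCS12_PASSWORD_LENGTH;
    }

    // Returns the password that will protect the keystore and be written to
    // the .password file.
    //   provided == null  -> no password requested on the command line;
    //                        generate one that fits the limit. This is the
    //                        only case in which auto-generation is acceptable.
    //   provided fits     -> use it exactly as supplied.
    //   provided too long -> refuse with the reason; never substitute.
    static char[] selectPassword(char[] provided, boolean unlimitedPolicy, SecureRandom rng) {
        int max = maxPasswordLength(unlimitedPolicy);
        if (provided == null) {
            return generate(Math.min(max, DEFAULT_GENERATED_LENGTH), rng);
        }
        if (provided.length > max) {
            throw new IllegalArgumentException(
                "Supplied keystore password is " + provided.length + " characters, but the JCE "
                + "policy in effect limits PKCS12 passwords to " + max + " characters. Install the "
                + "Unlimited JCE Policy or supply a shorter password. Refusing to replace it with "
                + "an auto-generated password.");
        }
        return Arrays.copyOf(provided, provided.length);
    }

    static char[] generate(int length, SecureRandom rng) {
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            out[i] = ALPHABET.charAt(rng.nextInt(ALPHABET.length()));
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        boolean unlimited = unlimitedJcePolicyInstalled();
        System.out.println("Unlimited JCE policy installed: " + unlimited
            + (unlimited ? " (no PKCS12 password length limit)"
                         : " (PKCS12 passwords limited to "
                           + RESTRICTED_MAX_PKCS12_PASSWORD_LENGTH + " characters)"));

        // Mirrors the ticket's invocation "-P password": an 8-character password.
        char[] fromCli = args.length > 0 ? args[0].toCharArray() : "password".toCharArray();
        try {
            char[] chosen = selectPassword(fromCli, unlimited, new SecureRandom());
            System.out.println("Keystore password accepted (" + chosen.length + " characters)");
            Arrays.fill(chosen, '\0');
        } catch (IllegalArgumentException e) {
            // Non-zero exit so scripts calling the tool notice the failure.
            System.err.println("ERROR: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as `java KeystorePasswordPolicy password` on a JDK without the unlimited policy and it exits 1 with the reason instead of producing a keystore whose password differs from the one requested; on a JDK with the unlimited policy the 8-character password is accepted unchanged. Whichever fix is adopted, the check worth adding to any provisioning script is to confirm that the contents of the generated .password file match the password that was passed in, since the ticket's output shows the two silently diverging.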