[
https://issues.apache.org/jira/browse/NIFI-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17041122#comment-17041122
]
karthik kadajji edited comment on NIFI-3063 at 2/20/20 4:53 PM:
----------------------------------------------------------------
Hi [~alopresto],
I was going through the ticket and found that even when a JCE policy is
Unlimited, we get the password to be random. I believe the bug is from the
TlsToolkitStandaloneCommandLine class where the getPasswords method parses the
arguments given in a wrong way. So I would check further. I checked for
nifi-1.12. This appears to be an issue with the -P parameter.
However, when the following command is run it doesn't have the randomness:
./bin/tls-toolkit.sh standalone -C 'CN=test' -B password
> TLS Toolkit ignores provided password if longer than 7 characters and
> switches to auto-generated 7 character password
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-3063
> URL: https://issues.apache.org/jira/browse/NIFI-3063
> Project: Apache NiFi
> Issue Type: Bug
> Components: Tools and Build
> Affects Versions: 1.1.0
> Reporter: Andy LoPresto
> Assignee: karthik kadajji
> Priority: Critical
> Labels: pkcs12, security, tls-toolkit
>
> Because of work done for [NIFI-2943], the TLS Toolkit cannot accept a
> password longer than 7 characters for a PKCS12 keystore if the JCE unlimited
> strength cryptographic jurisdiction policies are not installed. While the
> tool correctly warns about this, it quietly switches from the provided
> password to an auto-generated 7 character password. There is a small log
> message saying the password has been switched to an auto-generated, reduced
> password, but this is easy to miss and surprising functionality. While not as
> secure, truncating the provided password to 7 characters is less likely to
> cause confusion for users.
> Example output:
> {code}
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔒 7s @ 20:06:39 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
> 2016/11/17 20:06:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No
> nifiPropertiesFile specified, using embedded one.
> 2016/11/17 20:06:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running
> standalone certificate generation with output directory
> ../nifi-toolkit-1.1.0-SNAPSHOT
> 2016/11/17 20:06:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing
> CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key
> ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
> 2016/11/17 20:06:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames
> specified, not generating any host certificates or configuration.
> 2016/11/17 20:06:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new
> client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> WARNING!!!!
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Unlimited JCE Policy is not installed which means we cannot utilize a
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> PKCS12 password longer than 7 characters.
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Autogenerated password has been reduced to 7 characters.
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Please strongly consider installing Unlimited JCE Policy at
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Another alternative is to add a stronger password with the openssl tool to the
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out
> '/tmp/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> openssl pkcs12 -export -in '/tmp/CN=test.p12' -out
> '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> rm -f '/tmp/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2016/11/17 20:06:45 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
> generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
> standalone completed successfully
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔒 6s @ 20:06:46 $ more CN\=test.password
> aW5aV2E
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔒 4s @ 20:06:51 $
> {code}
> Suggested solutions (in order of preference):
> # Fail to generate the keystore in this case and print reason
> # Truncate provided password to 7 characters
> # Print larger message explaining that the provided password is ignored
> completely and auto-generated password is used
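The check that catches this silent substitution after the toolkit has run is to confirm that the keystore actually opens with the password you passed, and to flag the sidecar file the toolkit writes when it picks its own. The POSIX shell script below is an added example, not part of NiFi or the toolkit; it assumes `openssl` is on PATH, assumes the sidecar is named `<name>.password` beside `<name>.p12` as in the output above, and builds throwaway keystores with openssl as constructed test data.

```shell
#!/bin/sh
# Added example, not NiFi/toolkit code. Verifies that a PKCS12 keystore
# produced by tls-toolkit.sh opens with the password the operator intended.
set -u

# Return 0 if "$2" unlocks the PKCS12 file "$1", 1 otherwise.
# -noout still verifies the MAC, so a wrong password fails.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Verdict for one keystore. Returns 0 if the intended password works,
# 1 if it was replaced (auto-generated sidecar works) or simply rejected.
verify_keystore_password() {
    p12=$1; intended=$2
    sidecar="${p12%.p12}.password"   # toolkit naming: CN=test.p12 -> CN=test.password
    if p12_opens_with "$p12" "$intended"; then
        echo "OK: $p12 opens with the intended password"
        return 0
    fi
    if [ -f "$sidecar" ] && p12_opens_with "$p12" "$(cat "$sidecar")"; then
        echo "REPLACED: $p12 opens only with the auto-generated password in $sidecar"
    else
        echo "FAIL: $p12 does not open with the intended password"
    fi
    return 1
}

# Constructed test data: one keystore exported with the intended password,
# one exported under a 7-character substitute with a sidecar file, which is
# what the toolkit produced in the report above.
make_demo_keystores() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/good.p12" -passout pass:password
    printf 'aW5aV2E' > "$dir/bad.password"
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/bad.p12" -passout "pass:$(cat "$dir/bad.password")"
    echo "$dir"
}
```

Run it against the toolkit's real output directory as `verify_keystore_password './CN=test.p12' 'password'`; a REPLACED verdict means the keystore is protected by the short auto-generated value, not the one you supplied.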