Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/07/24 19:58:40 UTC

[GitHub] [nifi] alopresto commented on a change in pull request #4427: NIFI-7638 Added PBE AEAD algorithm for flow sensitive properties

alopresto commented on a change in pull request #4427:
URL: https://github.com/apache/nifi/pull/4427#discussion_r460260432



##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/encrypt/StringEncryptor.java
##########
@@ -408,27 +468,34 @@ public String decrypt(String cipherText) throws EncryptionException {
 
     private byte[] decryptPBE(byte[] cipherBytes) {
         PBECipherProvider pbecp = (PBECipherProvider) cipherProvider;
-        final EncryptionMethod encryptionMethod = EncryptionMethod.forAlgorithm(algorithm);
+        final EncryptionMethod encryptionMethod = getEncryptionMethodForAlgorithm(algorithm);
 
         // Extract salt
-        int saltLength = CipherUtility.getSaltLengthForAlgorithm(algorithm);
+        int saltLength = determineSaltLength(algorithm);
         byte[] salt = new byte[saltLength];
         System.arraycopy(cipherBytes, 0, salt, 0, saltLength);
 
-        byte[] actualCipherBytes = Arrays.copyOfRange(cipherBytes, saltLength, cipherBytes.length);
+        // Read IV if necessary (allows for future use of Argon2, PBKDF2, Bcrypt, or Scrypt)
+        byte[] ivBytes = new byte[0];
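
Review bot: the salt extraction (`System.arraycopy(cipherBytes, 0, salt, 0, saltLength)`) runs with no check that `cipherBytes` holds at least `saltLength` bytes, and the IV read introduced right after it raises the minimum valid input length further. A truncated or corrupted value would surface as an unchecked array-bounds exception rather than the `EncryptionException` that `decrypt` declares. Suggest validating `cipherBytes.length` against the salt length plus the IV length (when the algorithm uses one) before any copy, and throwing `EncryptionException` with a clear message. The comment above `ivBytes` names Argon2, PBKDF2, Bcrypt and Scrypt as future uses; documenting the byte order of the stored value at this point would make the offsets easier to audit.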

Review comment:
The actual `ivBytes` array is only instantiated when the algorithm dictates a random IV. For 99.9% of users, this won't be the case and so it makes sense not to instantiate it at all.

For users who select one of the custom algorithms, the `byte[16]` is instantiated and filled with a random value, but this happens every time and is intentionally unique on each invocation, so pre-allocating wouldn't gain anything unless I am missing your concern.

The size of the object to be encrypted is independent of the IV size -- the IV is always 0 or 16 bytes depending solely on the algorithm.



