Posted to dev@nifi.apache.org by alopresto <gi...@git.apache.org> on 2015/12/03 19:57:00 UTC

[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/139

    NIFI-1242 Providing KDF property for encryption to allow compatibility with OpenSSL

    The internal key derivation function used by NiFi, while stronger than OpenSSL's default (MD5/PKCS#5 v1.5), is not compatible with OpenSSL, so externally-encrypted files could not be decrypted in NiFi. Added a property on EncryptContent processor for KDF (defaults to legacy NiFi) to allow integration of OpenSSL. 
    
    Wrote a longer explanation here: https://github.com/alopresto/opensslpbeencryptor/blob/master/blog.md

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/139.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #139
    
----
commit 25b7108d7befc744a27caf1abeb35c3c36d64288
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-02T23:20:46Z

    NIFI-1240:
    
    Added explicit reference to Sun Java Cryptographic Service Provider in PasswordBasedEncryptor.
    Removed manual seeding of SecureRandom in PasswordBasedEncryptor.

commit c04844c0480d208074be31ccd9dc72ec92b642df
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T03:05:53Z

    NIFI-1242:
    
    Added enum for KeyDerivationFunction.

commit af35c370d3c27d5bd47c63d4b889d6cc21284193
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T03:09:27Z

    NIFI-1242:
    
    Added cipher init for legacy and OpenSSL KDFs.

commit 940b6e370ab9cd23a4dbe7dba4bb0d01c02e8cdf
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T04:21:03Z

    NIFI-1242:
    
    Added test resources.
    
    plain.txt: This is a plaintext message.
    
    0s @ 19:48:36 $ openssl enc -aes-256-cbc -e -in plain.txt -out salted_raw.enc -k thisIsABadPassword -p
    salt=43CD63B29E1CE1F2
    key=8A78D6762B279416B62E1AF50A73339C5D753FBF956092B4235323AD4147D8BE
    iv =ED4ED4827BD23DE74D21C8E63DA0B8AE
    0s @ 19:49:24 $ xxd salted_raw.enc
    0000000: 5361 6c74 6564 5f5f 43cd 63b2 9e1c e1f2  Salted__C.c.....
    0000010: c972 11ac 1baa b424 7fb3 156e 4cc6 1f47  .r.....$...nL..G
    0000020: 11e5 cedc e343 5203 952d 4500 f9ab 3cbe  .....CR..-E...<.
    
    0s @ 20:14:00 $ openssl enc -aes-256-cbc -e -in plain.txt -out unsalted_raw.enc -k thisIsABadPassword -p -nosalt
    key=711E85689CE7AFF6F410AEA43ABC5446842F685B84879B2E00F977C22B9E9A7D
    iv =0C90ABF8ECE84B92BAA2CD448EC760F0
    0s @ 20:14:17 $ xxd unsalted_raw.enc
    0000000: 70cd 2984 fdbb 0e7c c01b 7206 88b1 6b50  p.)....|..r...kP
    0000010: 5eeb e4f3 4036 773b 00ce dd8e 85d8 f90a  ^...@6w;........

commit 3f481a2e61630df449f8cfd681ba17d76e80e6ab
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T04:24:27Z

    NIFI-1242:
    
    Implemented KDF-dependent PBE in PasswordBasedEncryptor.
    Added KDF property to EncryptContent processor and provided to PasswordBasedEncryptor.
    Added unit tests for salted and unsalted raw OpenSSL encrypted file decryption.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
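Added example, not part of the pull request or of NiFi's code: a Python sketch of the OpenSSL key derivation the PR description refers to (MD5-based EVP_BytesToKey, one iteration), applied to the salted_raw.enc and unsalted_raw.enc bytes shown in the commit message above. The function names are chosen for this illustration; the password and hex bytes are copied from that commit message.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker OpenSSL writes before the 8-byte salt


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16):
    """OpenSSL EVP_BytesToKey with MD5 and a single iteration.

    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt);
    the key is taken from the front of D_1 || D_2 || ..., the IV follows it.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_openssl_file(data):
    """Return (salt, ciphertext); salt is empty for `-nosalt` output."""
    if data.startswith(MAGIC):
        if len(data) < 16:
            raise ValueError("truncated Salted__ header")
        return data[8:16], data[16:]
    return b"", data


def derive_for_file(password, data):
    """Parse an `openssl enc` file and derive the AES-256-CBC key and IV."""
    salt, ciphertext = split_openssl_file(data)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    key, iv = evp_bytes_to_key(password, salt)
    return salt, key, iv, ciphertext


# Password and file bytes as listed in the commit message (xxd output).
PASSWORD = b"thisIsABadPassword"
SALTED_RAW = bytes.fromhex(
    "53616c7465645f5f43cd63b29e1ce1f2"
    "c97211ac1baab4247fb3156e4cc61f47"
    "11e5cedce3435203952d4500f9ab3cbe")
UNSALTED_RAW = bytes.fromhex(
    "70cd2984fdbb0e7cc01b720688b16b50"
    "5eebe4f34036773b00cedd8e85d8f90a")

if __name__ == "__main__":
    for name, blob in (("salted_raw.enc", SALTED_RAW),
                       ("unsalted_raw.enc", UNSALTED_RAW)):
        salt, key, iv, ct = derive_for_file(PASSWORD, blob)
        print(name, "salt=" + salt.hex().upper(), "key=" + key.hex().upper(),
              "iv=" + iv.hex().upper(), "ciphertext_bytes=%d" % len(ct))
```

The derived values can be compared with the `salt=`, `key=` and `iv =` lines that `openssl enc -p` printed in the commit message. Without a salt the key depends on the password alone, so every file encrypted with that password under `-nosalt` shares one key and IV.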

[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the pull request:

    https://github.com/apache/nifi/pull/139#issuecomment-161762655
  
    Reopening PR after merging from upstream/master. 



[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the pull request:

    https://github.com/apache/nifi/pull/139#issuecomment-161747831
  
    Note, this contains the old commit specifying the Sun CSP in SecureRandom. This should be reverted. 



[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto closed the pull request at:

    https://github.com/apache/nifi/pull/139



[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto closed the pull request at:

    https://github.com/apache/nifi/pull/139



[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the pull request:

    https://github.com/apache/nifi/pull/139#issuecomment-161772800
  
    Closing to open against alopresto/NIFI-1242 branch. 



[GitHub] nifi pull request: NIFI-1242 Providing KDF property for encryption...

Posted by alopresto <gi...@git.apache.org>.
GitHub user alopresto reopened a pull request:

    https://github.com/apache/nifi/pull/139

    NIFI-1242 Providing KDF property for encryption to allow compatibility with OpenSSL

    The internal key derivation function used by NiFi, while stronger than OpenSSL's default (MD5/PKCS#5 v1.5), is not compatible with OpenSSL, so externally-encrypted files could not be decrypted in NiFi. Added a property on EncryptContent processor for KDF (defaults to legacy NiFi) to allow integration of OpenSSL. 
    
    Wrote a longer explanation here: https://github.com/alopresto/opensslpbeencryptor/blob/master/blog.md

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/139.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #139
    
----
commit 25b7108d7befc744a27caf1abeb35c3c36d64288
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-02T23:20:46Z

    NIFI-1240:
    
    Added explicit reference to Sun Java Cryptographic Service Provider in PasswordBasedEncryptor.
    Removed manual seeding of SecureRandom in PasswordBasedEncryptor.

commit c04844c0480d208074be31ccd9dc72ec92b642df
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T03:05:53Z

    NIFI-1242:
    
    Added enum for KeyDerivationFunction.

commit af35c370d3c27d5bd47c63d4b889d6cc21284193
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T03:09:27Z

    NIFI-1242:
    
    Added cipher init for legacy and OpenSSL KDFs.

commit 940b6e370ab9cd23a4dbe7dba4bb0d01c02e8cdf
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T04:21:03Z

    NIFI-1242:
    
    Added test resources.
    
    plain.txt: This is a plaintext message.
    
    0s @ 19:48:36 $ openssl enc -aes-256-cbc -e -in plain.txt -out salted_raw.enc -k thisIsABadPassword -p
    salt=43CD63B29E1CE1F2
    key=8A78D6762B279416B62E1AF50A73339C5D753FBF956092B4235323AD4147D8BE
    iv =ED4ED4827BD23DE74D21C8E63DA0B8AE
    0s @ 19:49:24 $ xxd salted_raw.enc
    0000000: 5361 6c74 6564 5f5f 43cd 63b2 9e1c e1f2  Salted__C.c.....
    0000010: c972 11ac 1baa b424 7fb3 156e 4cc6 1f47  .r.....$...nL..G
    0000020: 11e5 cedc e343 5203 952d 4500 f9ab 3cbe  .....CR..-E...<.
    
    0s @ 20:14:00 $ openssl enc -aes-256-cbc -e -in plain.txt -out unsalted_raw.enc -k thisIsABadPassword -p -nosalt
    key=711E85689CE7AFF6F410AEA43ABC5446842F685B84879B2E00F977C22B9E9A7D
    iv =0C90ABF8ECE84B92BAA2CD448EC760F0
    0s @ 20:14:17 $ xxd unsalted_raw.enc
    0000000: 70cd 2984 fdbb 0e7c c01b 7206 88b1 6b50  p.)....|..r...kP
    0000010: 5eeb e4f3 4036 773b 00ce dd8e 85d8 f90a  ^...@6w;........

commit 3f481a2e61630df449f8cfd681ba17d76e80e6ab
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T04:24:27Z

    NIFI-1242:
    
    Implemented KDF-dependent PBE in PasswordBasedEncryptor.
    Added KDF property to EncryptContent processor and provided to PasswordBasedEncryptor.
    Added unit tests for salted and unsalted raw OpenSSL encrypted file decryption.

commit 7113ee5f20d803d7cae613aed71bee0b141c7b0d
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T19:47:49Z

    Merge remote-tracking branch 'upstream/master'

commit ea0cb2f778651765128e1c8f2dff2d6c95af380f
Author: Andy LoPresto <al...@gmail.com>
Date:   2015-12-03T19:48:46Z

    Merged from upstream/master.

----

