Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2017/04/18 23:52:41 UTC
[jira] [Created] (NIFI-3714) Encrypt config tool replaces wrong key/value pair with encrypted value and exposes plain sensitive value
Andy LoPresto created NIFI-3714:
-----------------------------------
Summary: Encrypt config tool replaces wrong key/value pair with encrypted value and exposes plain sensitive value
Key: NIFI-3714
URL: https://issues.apache.org/jira/browse/NIFI-3714
Project: Apache NiFi
Issue Type: Bug
Components: Tools and Build
Affects Versions: 1.1.1
Reporter: Andy LoPresto
Assignee: Andy LoPresto
In testing the encrypted provenance repository key management system, I found an issue where the {{$ ./bin/encrypt-config.sh}} command can encrypt the correct sensitive value but replace the wrong key/value pair in the encrypted {{nifi.properties}} file.
Example:
*existing nifi.properties*
{code}
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.debug.frequency=1_000_000
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
nifi.provenance.repository.encryption.key.provider.location=
nifi.provenance.repository.encryption.key.id=Key1
nifi.provenance.repository.encryption.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
{code}
*After running {{./bin/encrypt-config.sh -b conf/bootstrap.conf -n conf/nifi.properties -k AAAABBBBCCCCDDDDEEEEFFFF00001111AAAABBBBCCCCDDDDEEEEFFFF00001111}}*
{code}
# Provenance Repository Properties
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.debug.frequency=1_000_000
nifi.provenance.repository.encryption.key=aYDkDKys1ENr3gp+||sTBPpMlIvHcOLTGZlfWct8r9RY8BuDlDkoaYmGJ/9m9af9tZIVzcnDwvYQAaIKxRGF7vI2yrY7Xd6x9GTDnWGiGiRXlaP458BBMMgfzH2O8
nifi.provenance.repository.encryption.key.protected=aes/gcm/256
nifi.provenance.repository.encryption.key.provider.location=
nifi.provenance.repository.encryption.key.id=Key1
nifi.provenance.repository.encryption.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
{code}
*When it should be*
{code}
# Provenance Repository Properties
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.debug.frequency=1_000_000
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
nifi.provenance.repository.encryption.key.provider.location=
nifi.provenance.repository.encryption.key.id=Key1
nifi.provenance.repository.encryption.key=aYDkDKys1ENr3gp+||sTBPpMlIvHcOLTGZlfWct8r9RY8BuDlDkoaYmGJ/9m9af9tZIVzcnDwvYQAaIKxRGF7vI2yrY7Xd6x9GTDnWGiGiRXlaP458BBMMgfzH2O8
nifi.provenance.repository.encryption.key.protected=aes/gcm/256
nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
{code}
I verified (using a test fixture) that the cipher text is the correct encryption of {{0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210}} with a random IV (Base64-encoded and embedded in the cipher text as {{aYDkDKys1ENr3gp+}}) and the key {{AAAABBBBCCCCDDDDEEEEFFFF00001111AAAABBBBCCCCDDDDEEEEFFFF00001111}}. It does not appear to be an issue with the encryption but with the replacement logic.
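An added example, not part of the original report and not NiFi code: a post-run check that compares a properties file before and after protection and flags the three symptoms visible in the output above (duplicate sensitive key, surviving plaintext, lost neighbouring line). The function names and the placeholder values are assumptions, and only keys listed in {{nifi.sensitive.props.additional.keys}} are checked.

```python
P = "nifi.provenance.repository.encryption.key"   # sensitive key named in the report
EXTRA = "nifi.sensitive.props.additional.keys"
# Constructed samples shaped like the report; values are placeholders, not key material.
BEFORE = f"""{P}.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
{P}.id=Key1
{P}=PLAINTEXT_HEX
{EXTRA}={P}
"""
AFTER_BUGGY = f"""{P}=IV||CIPHERTEXT
{P}.protected=aes/gcm/256
{P}.id=Key1
{P}=PLAINTEXT_HEX
{EXTRA}={P}
"""
AFTER_EXPECTED = f"""{P}.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
{P}.id=Key1
{P}=IV||CIPHERTEXT
{P}.protected=aes/gcm/256
{EXTRA}={P}
"""

def parse(text):
    """Return (key, value) for each key=value line, keeping duplicates and order."""
    lines = (l.strip() for l in text.splitlines())
    return [tuple(s.strip() for s in l.partition("=")[::2])
            for l in lines if l and not l.startswith("#") and "=" in l]

def audit(before_text, after_text):
    """List ways the protected file differs from a correct in-place protection."""
    before, after = dict(parse(before_text)), parse(after_text)
    after_keys = [k for k, _ in after]
    findings = []
    for key in filter(None, (k.strip() for k in before.get(EXTRA, "").split(","))):
        values = [v for k, v in after if k == key]   # exact key match only
        if len(values) != 1:
            findings.append(f"{key}: {len(values)} entries, expected 1")
        if before.get(key) and before[key] in values:
            findings.append(f"{key}: plaintext value still present")
        if f"{key}.protected" not in after_keys:
            findings.append(f"{key}: missing .protected marker")
    findings += [f"{k}: line lost during protection" for k in before if k not in after_keys]
    return findings

if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER_BUGGY):
        print(finding)
```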