You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@nifi.apache.org by jackowaya <gi...@git.apache.org> on 2015/08/22 14:53:28 UTC
[GitHub] nifi pull request: NIFI-888 EncryptContent for PGP Leaks File Hand...
GitHub user jackowaya opened a pull request:
https://github.com/apache/nifi/pull/76
NIFI-888 EncryptContent for PGP Leaks File Handles.
Closes InputStreams created to read the public keys for PGP encryption and several other
streams involved in PGP encryptiong. This prevents NiFi from leaking file handles on
every validate call or encryption attempt in the EncryptContent processor.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/jackowaya/incubator-nifi encryptFileLeak
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/76.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #76
----
commit 42956dd15cf678f30d3848aefda35c4515315621
Author: Alan Jackoway <al...@cloudera.com>
Date: 2015-08-21T20:45:30Z
NIFI-888 EncryptContent for PGP Leaks File Handles.
Closes InputStreams created to read the public keys for PGP encryption and several other
streams involved in PGP encryptiong. This prevents NiFi from leaking file handles on
every validate call or encryption attempt in the EncryptContent processor.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] nifi pull request: NIFI-888 EncryptContent for PGP Leaks File Hand...
Posted by markap14 <gi...@git.apache.org>.
Github user markap14 commented on a diff in the pull request:
https://github.com/apache/nifi/pull/76#discussion_r37697819
--- Diff: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java ---
@@ -139,75 +151,88 @@ public static PGPPublicKey getPublicKey(String userId, String publicKeyring) thr
private String secretKeyring;
private char[] passphrase;
- OpenPGPDecryptCallback(final String provider, final String keyring, final char[] passphrase) {
+ OpenPGPDecryptCallback(final String provider, final String keyring,
+ final char[] passphrase) {
this.provider = provider;
this.secretKeyring = keyring;
this.passphrase = passphrase;
}
@Override
- public void process(InputStream in, OutputStream out) throws IOException {
- InputStream pgpin = PGPUtil.getDecoderStream(in);
- PGPObjectFactory pgpFactory = new PGPObjectFactory(pgpin);
+ public void process(InputStream in, OutputStream out)
+ throws IOException {
+ try (InputStream pgpin = PGPUtil.getDecoderStream(in)) {
+ PGPObjectFactory pgpFactory = new PGPObjectFactory(pgpin);
- Object obj = pgpFactory.nextObject();
- if (!(obj instanceof PGPEncryptedDataList)) {
- obj = pgpFactory.nextObject();
+ Object obj = pgpFactory.nextObject();
if (!(obj instanceof PGPEncryptedDataList)) {
- throw new ProcessException("Invalid OpenPGP data");
- }
- }
- PGPEncryptedDataList encList = (PGPEncryptedDataList) obj;
-
- PGPSecretKeyRingCollection pgpSecretKeyring;
- try {
- // open secret keyring file
- pgpSecretKeyring = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(Files
- .newInputStream(Paths.get(secretKeyring))));
- } catch (Exception e) {
- throw new ProcessException("Invalid secret keyring - " + e.getMessage());
- }
-
- try {
- PGPPrivateKey privateKey = null;
- PGPPublicKeyEncryptedData encData = null;
-
- // find the secret key in the encrypted data
- Iterator it = encList.getEncryptedDataObjects();
- while (privateKey == null && it.hasNext()) {
- obj = it.next();
- if (!(obj instanceof PGPPublicKeyEncryptedData)) {
+ obj = pgpFactory.nextObject();
+ if (!(obj instanceof PGPEncryptedDataList)) {
throw new ProcessException("Invalid OpenPGP data");
}
- encData = (PGPPublicKeyEncryptedData) obj;
- PGPSecretKey secretkey = pgpSecretKeyring.getSecretKey(encData.getKeyID());
- if (secretkey != null) {
- privateKey = secretkey.extractPrivateKey(passphrase, provider);
- }
}
- if (privateKey == null) {
- throw new ProcessException("Secret keyring does not contain the key required to decrypt");
+ PGPEncryptedDataList encList = (PGPEncryptedDataList) obj;
+
+ PGPSecretKeyRingCollection pgpSecretKeyring;
+ try {
+ // open secret keyring file
+ pgpSecretKeyring = new PGPSecretKeyRingCollection(
+ PGPUtil.getDecoderStream(Files.newInputStream(Paths
--- End diff --
The InputStream returned by Files.newInputStream is leaked here.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] nifi pull request: NIFI-888 EncryptContent for PGP Leaks File Hand...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/nifi/pull/76
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] nifi pull request: NIFI-888 EncryptContent for PGP Leaks File Hand...
Posted by markap14 <gi...@git.apache.org>.
Github user markap14 commented on a diff in the pull request:
https://github.com/apache/nifi/pull/76#discussion_r37697905
--- Diff: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java ---
@@ -85,49 +85,61 @@ public StreamCallback getDecryptionCallback() throws Exception {
/*
* Validate secret keyring passphrase
*/
- public static boolean validateKeyring(String provider, String secretKeyringFile, char[] passphrase) throws IOException,
+ public static boolean validateKeyring(String provider,
+ String secretKeyringFile, char[] passphrase) throws IOException,
PGPException, NoSuchProviderException {
- PGPSecretKeyRingCollection pgpsec = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(Files.newInputStream(Paths
- .get(secretKeyringFile))));
- Iterator ringit = pgpsec.getKeyRings();
- while (ringit.hasNext()) {
- PGPSecretKeyRing secretkeyring = (PGPSecretKeyRing) ringit.next();
- PGPSecretKey secretkey = secretkeyring.getSecretKey();
- secretkey.extractPrivateKey(passphrase, provider);
- return true;
+ try (InputStream fin = Files.newInputStream(Paths
+ .get(secretKeyringFile))) {
+ try (InputStream pin = PGPUtil.getDecoderStream(fin)) {
+ PGPSecretKeyRingCollection pgpsec = new PGPSecretKeyRingCollection(
+ pin);
+ Iterator ringit = pgpsec.getKeyRings();
+ while (ringit.hasNext()) {
+ PGPSecretKeyRing secretkeyring = (PGPSecretKeyRing) ringit
+ .next();
+ PGPSecretKey secretkey = secretkeyring.getSecretKey();
+ secretkey.extractPrivateKey(passphrase, provider);
+ return true;
+ }
+ return false;
+ }
}
- return false;
}
/*
* Get the public key for a specific user id from a keyring.
*/
@SuppressWarnings("rawtypes")
- public static PGPPublicKey getPublicKey(String userId, String publicKeyring) throws IOException, PGPException {
+ public static PGPPublicKey getPublicKey(String userId, String publicKeyring)
+ throws IOException, PGPException {
PGPPublicKey pubkey = null;
- PGPPublicKeyRingCollection pgppub = new
- PGPPublicKeyRingCollection(PGPUtil.getDecoderStream(Files.newInputStream(Paths.get(publicKeyring))));
-
- Iterator ringit = pgppub.getKeyRings();
- while (ringit.hasNext()) {
- PGPPublicKeyRing kring = (PGPPublicKeyRing) ringit.next();
-
- Iterator keyit = kring.getPublicKeys();
- while (keyit.hasNext()) {
- pubkey = (PGPPublicKey) keyit.next();
- boolean userIdMatch = false;
-
- Iterator userit = pubkey.getUserIDs();
- while (userit.hasNext()) {
- String id = userit.next().toString();
- if (id.contains(userId)) {
- userIdMatch = true;
- break;
+ try (InputStream fin = Files.newInputStream(Paths.get(publicKeyring))) {
+ try (InputStream pin = PGPUtil.getDecoderStream(fin)) {
--- End diff --
I would wrap this up with the previous try-with-resources so that we have:
try (InputStream fin = Files.newInputStream(Paths.get(publicKeyring));
InputStream pin = PGPUtil.getDecoderStream(fin)) { ...
rather than having a new try-with-resources embedded within the outer one.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---