[
https://issues.apache.org/jira/browse/NIFI-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15038541#comment-15038541
]
ASF GitHub Bot commented on NIFI-1242:
--------------------------------------
GitHub user alopresto opened a pull request:
https://github.com/apache/nifi/pull/140
Nifi 1242
NIFI-1242:
Created KeyDerivationFunction enum and provided as a property on
EncryptContent processor to allow backward compatibility with legacy NiFi KDF
(MD5 @ 1000 iterations) and OpenSSL EVP_BytesToKey (custom KDF with MD5 PKCS#5
v1.5).
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/alopresto/nifi NIFI-1242
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/140.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #140
----
commit bd4a838841ceb5c9b9ad86ae15d1e1e81c525f0c
Author: Andy LoPresto <[email protected]>
Date: 2015-12-03T20:23:45Z
NIFI-1242:
Added test resources.
plain.txt: This is a plaintext message.
0s @ 12:20:32 $ openssl enc -aes-256-cbc -e -in plain.txt -out salted_raw.enc -k thisIsABadPassword -p
salt=31DC301A6C7B8A0B
key=CB878A6E167A5B530B8F2BD175E6359E3092AFF7C83274A22A5B421D79E599AC
iv =0C614A72FC06B454B84E035B3FA8F877
0s @ 12:20:44 $ xxd salted_raw.enc
0000000: 5361 6c74 6564 5f5f 31dc 301a 6c7b 8a0b Salted__1.0.l{..
0000010: 616b c65d f767 504d c085 ba7a c517 d0cb ak.].gPM...z....
0000020: 7832 211e f573 b6f1 ded2 8f59 88e8 088f x2!..s.....Y....
0s @ 20:14:00 $ openssl enc -aes-256-cbc -e -in plain.txt -out unsalted_raw.enc -k thisIsABadPassword -p -nosalt
key=711E85689CE7AFF6F410AEA43ABC5446842F685B84879B2E00F977C22B9E9A7D
iv =0C90ABF8ECE84B92BAA2CD448EC760F0
0s @ 20:14:17 $ xxd unsalted_raw.enc
0000000: 70cd 2984 fdbb 0e7c c01b 7206 88b1 6b50 p.)....|..r...kP
0000010: 5eeb e4f3 4036 773b 00ce dd8e 85d8 f90a ^...@6w;........
commit 3f7ab278012987a89245e3b69cd28853d9d8d0ff
Author: Andy LoPresto <[email protected]>
Date: 2015-12-03T20:24:48Z
NIFI-1242:
Added KeyDerivationFunction enum.
Added kdf property in EncryptContent processor and provided to
PasswordBasedEncryptor.
Added logic in PasswordBasedEncryptor to handle variable KDF.
Added unit tests for EncryptContent processor.
----
> Password-based encryption is not compatible with OpenSSL
> --------------------------------------------------------
>
> Key: NIFI-1242
> URL: https://issues.apache.org/jira/browse/NIFI-1242
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 0.4.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: easyfix, security
> Fix For: 0.4.0
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Despite the algorithm names indicating compatibility with OpenSSL, the
> current password-based encryption processors cannot decrypt data that was
> encrypted with OpenSSL external to NiFi.
> I will create a new OpenSSLPBEEncryptor implementation, a new
> EncryptionMethod, and wire the logic in EncryptContent to select the correct
> encryptor.
> I have a more in-depth explanation of the issue at
> https://github.com/alopresto/opensslpbeencryptor/blob/master/blog.md, but the
> fix is done in a sandbox and will be moved into NiFi by morning 12/03/15.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
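
The OpenSSL derivation named in the pull request description, as an added example that is not part of the original message or of the NiFi code base: it splits the `Salted__` header off the xxd dumps above and runs EVP_BytesToKey with MD5 and a single iteration, so the output can be compared with the `key=` and `iv =` lines printed by `openssl enc -p`. The function names are hypothetical; MD5 as the digest is taken from the pull request description, and the byte strings are copied from the test-resource commit message.

```python
import hashlib

# Inputs copied from the commit message on this page (password, xxd dumps).
PASSWORD = b"thisIsABadPassword"
SALTED_RAW_ENC = bytes.fromhex(
    "53616c7465645f5f31dc301a6c7b8a0b"
    "616bc65df767504dc085ba7ac517d0cb"
    "7832211ef573b6f1ded28f5988e8088f")
UNSALTED_RAW_ENC = bytes.fromhex(
    "70cd2984fdbb0e7cc01b720688b16b50"
    "5eebe4f34036773b00cedd8e85d8f90a")
# key / iv values printed by `openssl enc -p` on this page.
PAGE_SALTED = ("CB878A6E167A5B530B8F2BD175E6359E3092AFF7C83274A22A5B421D79E599AC",
               "0C614A72FC06B454B84E035B3FA8F877")
PAGE_UNSALTED = ("711E85689CE7AFF6F410AEA43ABC5446842F685B84879B2E00F977C22B9E9A7D",
                 "0C90ABF8ECE84B92BAA2CD448EC760F0")
MAGIC = b"Salted__"  # 8-byte marker OpenSSL writes before the 8-byte salt


def split_openssl_header(blob):
    """Return (salt, ciphertext); salt is b"" for files written with -nosalt."""
    if blob.startswith(MAGIC):
        if len(blob) < 16:
            raise ValueError("truncated Salted__ header")
        return blob[8:16], blob[16:]
    return b"", blob


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16):
    """MD5, count=1: D_i = MD5(D_(i-1) || password || salt); key||iv = D_1||D_2||..."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_file(blob, password=PASSWORD):
    """Derive the AES-256-CBC key and IV for an `openssl enc` output file."""
    salt, ciphertext = split_openssl_header(blob)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    key, iv = evp_bytes_to_key(password, salt)
    return salt.hex().upper(), key.hex().upper(), iv.hex().upper()


if __name__ == "__main__":
    for name, blob, page in (("salted_raw.enc", SALTED_RAW_ENC, PAGE_SALTED),
                             ("unsalted_raw.enc", UNSALTED_RAW_ENC, PAGE_UNSALTED)):
        salt, key, iv = derive_for_file(blob)
        print(name, "salt=" + salt, "matches page:", (key, iv) == page)
```

With no salt, the first 16 bytes of the key are simply MD5(password), so every unsalted file encrypted under the same password shares one key and IV.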