This is an automated email from the ASF dual-hosted git repository.
jgresock pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new da1b1df NIFI-7322 Added SignContentPGP and VerifyContentPGP
da1b1df is described below
commit da1b1dfd4be1e7e2ac5096eedbc954da95f713a8
Author: exceptionfactory <[email protected]>
AuthorDate: Wed Oct 6 21:03:25 2021 -0500
NIFI-7322 Added SignContentPGP and VerifyContentPGP
- Added Decryption Strategy property to DecryptContentPGP
- Added OpenPGP Packet detection to EncryptContentPGP to avoid unnecessary
packaging
- Refactored shared processing to EncodingStreamCallback
Signed-off-by: Joe Gresock <[email protected]>
This closes #5457.
---
.../nifi/processors/pgp/DecryptContentPGP.java | 77 +++-
.../nifi/processors/pgp/EncryptContentPGP.java | 118 +++---
.../nifi/processors/pgp/PGPAttributeKey.java | 14 +
.../apache/nifi/processors/pgp/SignContentPGP.java | 408 +++++++++++++++++++++
.../nifi/processors/pgp/VerifyContentPGP.java | 321 ++++++++++++++++
.../pgp/attributes/DecryptionStrategy.java | 36 ++
.../processors/pgp/attributes/HashAlgorithm.java | 40 ++
.../processors/pgp/attributes/SigningStrategy.java | 36 ++
.../processors/pgp/io/EncodingStreamCallback.java | 126 +++++++
.../processors/pgp/io/KeyIdentifierConverter.java | 47 +++
.../services/org.apache.nifi.processor.Processor | 4 +-
.../nifi/processors/pgp/DecryptContentPGPTest.java | 113 ++++--
.../nifi/processors/pgp/EncryptContentPGPTest.java | 75 ++--
.../nifi/processors/pgp/SignContentPGPTest.java | 277 ++++++++++++++
.../nifi/processors/pgp/VerifyContentPGPTest.java | 187 ++++++++++
.../pgp/io/EncodingStreamCallbackTest.java | 96 +++++
.../pgp/io/KeyIdentifierConverterTest.java | 47 +++
.../apache/nifi/pgp/util/PGPOperationUtils.java | 108 ++++++
18 files changed, 2008 insertions(+), 122 deletions(-)
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
index 1e570fc..048d483 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
@@ -22,6 +22,7 @@ import org.apache.nifi.annotation.behavior.WritesAttributes;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.SeeAlso;
import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.components.ValidationContext;
@@ -34,8 +35,10 @@ import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.io.StreamCallback;
import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.processors.pgp.attributes.DecryptionStrategy;
import org.apache.nifi.processors.pgp.exception.PGPDecryptionException;
import org.apache.nifi.processors.pgp.exception.PGPProcessException;
+import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
import org.apache.nifi.stream.io.StreamUtils;
import org.apache.nifi.util.StringUtils;
@@ -76,11 +79,12 @@ import java.util.Set;
*/
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@Tags({"PGP", "GPG", "OpenPGP", "Encryption", "RFC 4880"})
-@CapabilityDescription("Decrypt Contents of OpenPGP Messages")
-@SeeAlso(EncryptContentPGP.class)
+@CapabilityDescription("Decrypt contents of OpenPGP messages. Using the
Packaged Decryption Strategy preserves OpenPGP encoding to support subsequent
signature verification.")
+@SeeAlso({EncryptContentPGP.class, SignContentPGP.class,
VerifyContentPGP.class})
@WritesAttributes({
@WritesAttribute(attribute = PGPAttributeKey.LITERAL_DATA_FILENAME,
description = "Filename from decrypted Literal Data"),
@WritesAttribute(attribute = PGPAttributeKey.LITERAL_DATA_MODIFIED,
description = "Modified Date from decrypted Literal Data"),
+ @WritesAttribute(attribute =
PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_BLOCK_CIPHER, description =
"Symmetric-Key Algorithm Block Cipher"),
@WritesAttribute(attribute =
PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID, description = "Symmetric-Key
Algorithm Identifier")
})
public class DecryptContentPGP extends AbstractProcessor {
@@ -95,6 +99,19 @@ public class DecryptContentPGP extends AbstractProcessor {
.description("Decryption Failed")
.build();
+ public static final PropertyDescriptor DECRYPTION_STRATEGY = new
PropertyDescriptor.Builder()
+ .name("decryption-strategy")
+ .displayName("Decryption Strategy")
+ .description("Strategy for writing files to success after
decryption")
+ .required(true)
+ .defaultValue(DecryptionStrategy.DECRYPTED.name())
+ .allowableValues(
+ Arrays.stream(DecryptionStrategy.values()).map(strategy ->
+ new AllowableValue(strategy.name(),
strategy.name(), strategy.getDescription())
+ ).toArray(AllowableValue[]::new)
+ )
+ .build();
+
public static final PropertyDescriptor PASSPHRASE = new
PropertyDescriptor.Builder()
.name("passphrase")
.displayName("Passphrase")
@@ -113,6 +130,7 @@ public class DecryptContentPGP extends AbstractProcessor {
private static final Set<Relationship> RELATIONSHIPS = new
HashSet<>(Arrays.asList(SUCCESS, FAILURE));
private static final List<PropertyDescriptor> DESCRIPTORS = Arrays.asList(
+ DECRYPTION_STRATEGY,
PASSPHRASE,
PRIVATE_KEY_SERVICE
);
@@ -156,7 +174,8 @@ public class DecryptContentPGP extends AbstractProcessor {
final char[] passphrase = getPassphrase(context);
final PGPPrivateKeyService privateKeyService =
getPrivateKeyService(context);
- final DecryptStreamCallback callback = new
DecryptStreamCallback(passphrase, privateKeyService);
+ final DecryptionStrategy decryptionStrategy =
getDecryptionStrategy(context);
+ final DecryptStreamCallback callback = new
DecryptStreamCallback(passphrase, privateKeyService, decryptionStrategy);
try {
flowFile = session.write(flowFile, callback);
@@ -213,16 +232,26 @@ public class DecryptContentPGP extends AbstractProcessor {
return privateKeyService;
}
+ private DecryptionStrategy getDecryptionStrategy(final ProcessContext
context) {
+ final String strategy =
context.getProperty(DECRYPTION_STRATEGY).getValue();
+ return DecryptionStrategy.valueOf(strategy);
+ }
+
private class DecryptStreamCallback implements StreamCallback {
private final char[] passphrase;
private final PGPPrivateKeyService privateKeyService;
+ private final DecryptionStrategy decryptionStrategy;
+
private final Map<String, String> attributes = new HashMap<>();
- public DecryptStreamCallback(final char[] passphrase, final
PGPPrivateKeyService privateKeyService) {
+ public DecryptStreamCallback(final char[] passphrase,
+ final PGPPrivateKeyService
privateKeyService,
+ final DecryptionStrategy
decryptionStrategy) {
this.passphrase = passphrase;
this.privateKeyService = privateKeyService;
+ this.decryptionStrategy = decryptionStrategy;
}
/**
@@ -236,13 +265,23 @@ public class DecryptContentPGP extends AbstractProcessor {
public void process(final InputStream inputStream, final OutputStream
outputStream) throws IOException {
final PGPEncryptedDataList encryptedDataList =
getEncryptedDataList(inputStream);
final PGPEncryptedData encryptedData =
findSupportedEncryptedData(encryptedDataList);
- final PGPLiteralData literalData = getLiteralData(encryptedData);
- attributes.put(PGPAttributeKey.LITERAL_DATA_FILENAME,
literalData.getFileName());
- attributes.put(PGPAttributeKey.LITERAL_DATA_MODIFIED,
Long.toString(literalData.getModificationTime().getTime()));
+ if (DecryptionStrategy.PACKAGED == decryptionStrategy) {
+ try {
+ final InputStream decryptedDataStream =
getDecryptedDataStream(encryptedData);
+ StreamUtils.copy(decryptedDataStream, outputStream);
+ } catch (final PGPException e) {
+ final String message = String.format("PGP Decryption
Failed [%s]", getEncryptedDataType(encryptedData));
+ throw new PGPDecryptionException(message, e);
+ }
+ } else {
+ final PGPLiteralData literalData =
getLiteralData(encryptedData);
+ attributes.put(PGPAttributeKey.LITERAL_DATA_FILENAME,
literalData.getFileName());
+ attributes.put(PGPAttributeKey.LITERAL_DATA_MODIFIED,
Long.toString(literalData.getModificationTime().getTime()));
- getLogger().debug("PGP Decrypted File Name [{}] Modified [{}]",
literalData.getFileName(), literalData.getModificationTime());
- StreamUtils.copy(literalData.getInputStream(), outputStream);
+ getLogger().debug("PGP Decrypted File Name [{}] Modified
[{}]", literalData.getFileName(), literalData.getModificationTime());
+ StreamUtils.copy(literalData.getInputStream(), outputStream);
+ }
if (isVerified(encryptedData)) {
getLogger().debug("PGP Encrypted Data Verified");
@@ -286,7 +325,7 @@ public class DecryptContentPGP extends AbstractProcessor {
final Optional<PGPPrivateKey> privateKey =
privateKeyService.findPrivateKey(keyId);
if (privateKey.isPresent()) {
supportedEncryptedData = publicKeyEncryptedData;
- final String keyIdentifier =
Long.toHexString(keyId).toUpperCase();
+ final String keyIdentifier =
KeyIdentifierConverter.format(keyId);
getLogger().debug("PGP Private Key [{}] Found for
Public Key Encrypted Data", keyIdentifier);
break;
}
@@ -354,7 +393,7 @@ public class DecryptContentPGP extends AbstractProcessor {
} else {
final PBEDataDecryptorFactory decryptorFactory = new
BcPBEDataDecryptorFactory(passphrase, new BcPGPDigestCalculatorProvider());
final int symmetricAlgorithm =
passwordBasedEncryptedData.getSymmetricAlgorithm(decryptorFactory);
- attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID,
Integer.toString(symmetricAlgorithm));
+ setSymmetricKeyAlgorithmAttributes(symmetricAlgorithm);
return
passwordBasedEncryptedData.getDataStream(decryptorFactory);
}
}
@@ -369,16 +408,22 @@ public class DecryptContentPGP extends AbstractProcessor {
final PGPPrivateKey privateKey = foundPrivateKey.get();
final PublicKeyDataDecryptorFactory decryptorFactory = new
BcPublicKeyDataDecryptorFactory(privateKey);
final int symmetricAlgorithm =
publicKeyEncryptedData.getSymmetricAlgorithm(decryptorFactory);
- attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID,
Integer.toString(symmetricAlgorithm));
+ setSymmetricKeyAlgorithmAttributes(symmetricAlgorithm);
return
publicKeyEncryptedData.getDataStream(decryptorFactory);
} else {
- final String keyIdentifier =
Long.toHexString(keyId).toUpperCase();
+ final String keyIdentifier =
KeyIdentifierConverter.format(keyId);
final String message = String.format("PGP Private Key [%s]
not found for Public Key Encryption", keyIdentifier);
throw new PGPDecryptionException(message);
}
}
}
+ private void setSymmetricKeyAlgorithmAttributes(final int
symmetricAlgorithm) {
+ final String blockCipher =
PGPUtil.getSymmetricCipherName(symmetricAlgorithm);
+
attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_BLOCK_CIPHER,
blockCipher);
+ attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID,
Integer.toString(symmetricAlgorithm));
+ }
+
private boolean isVerified(final PGPEncryptedData encryptedData) {
boolean verified;
@@ -399,8 +444,7 @@ public class DecryptContentPGP extends AbstractProcessor {
private PGPEncryptedDataList getEncryptedDataList(final InputStream
inputStream) throws IOException {
final InputStream decoderInputStream =
PGPUtil.getDecoderStream(inputStream);
- final PGPObjectFactory encryptedObjectFactory = new
JcaPGPObjectFactory(decoderInputStream);
- final PGPEncryptedDataList encryptedDataList =
findEncryptedDataList(encryptedObjectFactory);
+ final PGPEncryptedDataList encryptedDataList =
findEncryptedDataList(decoderInputStream);
if (encryptedDataList == null) {
throw new PGPProcessException("PGP Encrypted Data Packets not
found");
} else {
@@ -409,9 +453,10 @@ public class DecryptContentPGP extends AbstractProcessor {
}
}
- private PGPEncryptedDataList findEncryptedDataList(final
PGPObjectFactory objectFactory) {
+ private PGPEncryptedDataList findEncryptedDataList(final InputStream
inputStream) {
PGPEncryptedDataList encryptedDataList = null;
+ final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(inputStream);
for (final Object object : objectFactory) {
getLogger().debug("PGP Object Read [{}]",
object.getClass().getSimpleName());
if (object instanceof PGPEncryptedDataList) {
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
index 49a345f..a45d90d 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
@@ -34,22 +34,23 @@ import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
+import org.apache.nifi.processor.io.InputStreamCallback;
import org.apache.nifi.processor.io.StreamCallback;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
import org.apache.nifi.processors.pgp.attributes.FileEncoding;
import org.apache.nifi.processors.pgp.attributes.SymmetricKeyAlgorithm;
import org.apache.nifi.processors.pgp.exception.PGPEncryptionException;
+import org.apache.nifi.processors.pgp.io.EncodingStreamCallback;
import org.apache.nifi.stream.io.StreamUtils;
import org.apache.nifi.util.StringUtils;
-import org.bouncycastle.bcpg.ArmoredOutputStream;
-import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.Packet;
import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
@@ -63,7 +64,6 @@ import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
-import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -76,8 +76,8 @@ import java.util.Set;
*/
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@Tags({"PGP", "GPG", "OpenPGP", "Encryption", "RFC 4880"})
-@CapabilityDescription("Encrypt Contents using OpenPGP")
-@SeeAlso(DecryptContentPGP.class)
+@CapabilityDescription("Encrypt contents using OpenPGP. The processor reads
input and detects OpenPGP messages to avoid unnecessary additional wrapping in
Literal Data packets.")
+@SeeAlso({ DecryptContentPGP.class, SignContentPGP.class,
VerifyContentPGP.class })
@WritesAttributes({
@WritesAttribute(attribute = PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM,
description = "Symmetric-Key Algorithm"),
@WritesAttribute(attribute =
PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_BLOCK_CIPHER, description =
"Symmetric-Key Algorithm Block Cipher"),
@@ -153,8 +153,6 @@ public class EncryptContentPGP extends AbstractProcessor {
/** Enable Integrity Protection as described in RFC 4880 Section 5.13 */
private static final boolean ENCRYPTION_INTEGRITY_PACKET_ENABLED = true;
- private static final int OUTPUT_BUFFER_SIZE = 8192;
-
private static final Set<Relationship> RELATIONSHIPS = new
HashSet<>(Arrays.asList(SUCCESS, FAILURE));
private static final List<PropertyDescriptor> DESCRIPTORS = Arrays.asList(
@@ -200,10 +198,14 @@ public class EncryptContentPGP extends AbstractProcessor {
}
try {
+ final PacketReadInputStreamCallback packetCallback = new
PacketReadInputStreamCallback();
+ session.read(flowFile, packetCallback);
+
final SymmetricKeyAlgorithm symmetricKeyAlgorithm =
getSymmetricKeyAlgorithm(context);
final FileEncoding fileEncoding = getFileEncoding(context);
final CompressionAlgorithm compressionAlgorithm =
getCompressionAlgorithm(context);
- final StreamCallback callback = getEncryptStreamCallback(context,
flowFile, symmetricKeyAlgorithm, compressionAlgorithm, fileEncoding);
+ final StreamCallback callback = getEncryptStreamCallback(context,
flowFile, symmetricKeyAlgorithm,
+ compressionAlgorithm, fileEncoding,
packetCallback.packetFound);
flowFile = session.write(flowFile, callback);
final Map<String, String> attributes =
getAttributes(symmetricKeyAlgorithm, fileEncoding, compressionAlgorithm);
@@ -261,10 +263,12 @@ public class EncryptContentPGP extends AbstractProcessor {
return results;
}
- private StreamCallback getEncryptStreamCallback(final ProcessContext
context, final FlowFile flowFile,
+ private StreamCallback getEncryptStreamCallback(final ProcessContext
context,
+ final FlowFile flowFile,
final
SymmetricKeyAlgorithm symmetricKeyAlgorithm,
final CompressionAlgorithm
compressionAlgorithm,
- final FileEncoding
fileEncoding) {
+ final FileEncoding
fileEncoding,
+ final boolean packetFound)
{
final SecureRandom secureRandom = new SecureRandom();
final PGPDataEncryptorBuilder dataEncryptorBuilder = new
BcPGPDataEncryptorBuilder(symmetricKeyAlgorithm.getId())
.setSecureRandom(secureRandom)
@@ -274,7 +278,7 @@ public class EncryptContentPGP extends AbstractProcessor {
methodGenerators.forEach(encryptedDataGenerator::addMethod);
final String filename =
flowFile.getAttribute(CoreAttributes.FILENAME.key());
- return new EncryptStreamCallback(filename, fileEncoding,
encryptedDataGenerator, compressionAlgorithm);
+ return new EncryptStreamCallback(fileEncoding, compressionAlgorithm,
filename, packetFound, encryptedDataGenerator);
}
private List<PGPKeyEncryptionMethodGenerator>
getEncryptionMethodGenerators(final ProcessContext context,
@@ -334,65 +338,65 @@ public class EncryptContentPGP extends AbstractProcessor {
return attributes;
}
- private static class EncryptStreamCallback implements StreamCallback {
- private static final char DATA_FORMAT = PGPLiteralData.BINARY;
+ private class PacketReadInputStreamCallback implements InputStreamCallback
{
+ private boolean packetFound;
- private final String filename;
+ /**
+ * Process Input Stream and attempt to read OpenPGP Packet for content
detection
+ *
+ * @param inputStream Input Stream to be read
+ */
+ @Override
+ public void process(final InputStream inputStream) {
+ try {
+ final InputStream decodedInputStream =
PGPUtil.getDecoderStream(inputStream);
+ final BCPGInputStream packetInputStream = new
BCPGInputStream(decodedInputStream);
+ final Packet packet = packetInputStream.readPacket();
+ if (packet == null) {
+ getLogger().debug("PGP Packet not found");
+ } else {
+ packetFound = true;
+ }
+ } catch (final IOException e) {
+ getLogger().debug("PGP Packet read failed", e);
+ }
+ }
+ }
- private final FileEncoding fileEncoding;
+ private static class EncryptStreamCallback extends EncodingStreamCallback {
+ private final boolean packetFound;
private final PGPEncryptedDataGenerator encryptedDataGenerator;
- private final CompressionAlgorithm compressionAlgorithm;
-
- public EncryptStreamCallback(final String filename, final FileEncoding
fileEncoding, final PGPEncryptedDataGenerator encryptedDataGenerator, final
CompressionAlgorithm compressionAlgorithm) {
- this.filename = filename;
- this.fileEncoding = fileEncoding;
+ public EncryptStreamCallback(final FileEncoding fileEncoding,
+ final CompressionAlgorithm
compressionAlgorithm,
+ final String filename,
+ final boolean packetFound,
+ final PGPEncryptedDataGenerator
encryptedDataGenerator) {
+ super(fileEncoding, compressionAlgorithm, filename);
+ this.packetFound = packetFound;
this.encryptedDataGenerator = encryptedDataGenerator;
- this.compressionAlgorithm = compressionAlgorithm;
}
/**
- * Process Input Stream and write encrypted contents to Output Stream
+ * Process Encoding Output Stream using Encrypted Data Generator with
for subsequent processing
*
- * @param inputStream Input Stream
- * @param outputStream Output Stream for encrypted contents
- * @throws IOException Thrown when unable to read or write streams
+ * @param inputStream Input Stream
+ * @param encodingOutputStream Output Stream to be processed for
encryption
+ * @throws IOException Thrown when failing to read or write streams
+ * @throws PGPException Thrown when failing to perform encryption
operations
*/
@Override
- public void process(final InputStream inputStream, final OutputStream
outputStream) throws IOException {
- try (final OutputStream encodingOutputStream =
getEncodingOutputStream(outputStream)) {
- processEncoding(inputStream, encodingOutputStream);
- } catch (final PGPException e) {
- throw new PGPEncryptionException("PGP Encryption Stream
Processing Failed", e);
- }
- }
-
- private OutputStream getEncodingOutputStream(final OutputStream
outputStream) throws PGPException {
- OutputStream encodingOutputStream = outputStream;
- if (FileEncoding.ASCII.equals(fileEncoding)) {
- encodingOutputStream = new ArmoredOutputStream(outputStream);
- }
- return encodingOutputStream;
- }
-
- private void processEncoding(final InputStream inputStream, final
OutputStream encodingOutputStream) throws IOException, PGPException {
- try (final OutputStream encryptedOutputStream =
encryptedDataGenerator.open(encodingOutputStream, createBuffer())) {
- final PGPCompressedDataGenerator compressedDataGenerator = new
PGPCompressedDataGenerator(compressionAlgorithm.getId());
- try (final OutputStream compressedOutputStream =
compressedDataGenerator.open(encryptedOutputStream, createBuffer())) {
- final PGPLiteralDataGenerator literalDataGenerator = new
PGPLiteralDataGenerator();
- try (final OutputStream literalOutputStream =
literalDataGenerator.open(compressedOutputStream, DATA_FORMAT, filename, new
Date(), createBuffer())) {
- StreamUtils.copy(inputStream, literalOutputStream);
- }
- literalDataGenerator.close();
+ protected void processEncoding(final InputStream inputStream, final
OutputStream encodingOutputStream) throws IOException, PGPException {
+ try (final OutputStream encryptedOutputStream =
encryptedDataGenerator.open(encodingOutputStream, createOutputBuffer())) {
+ if (packetFound) {
+ // Write OpenPGP packets to encrypted stream without
additional encoding
+ StreamUtils.copy(inputStream, encryptedOutputStream);
+ } else {
+ super.processEncoding(inputStream, encryptedOutputStream);
}
- compressedDataGenerator.close();
}
encryptedDataGenerator.close();
}
-
- private byte[] createBuffer() {
- return new byte[OUTPUT_BUFFER_SIZE];
- }
}
}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/PGPAttributeKey.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/PGPAttributeKey.java
index 17b17dc..459b158 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/PGPAttributeKey.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/PGPAttributeKey.java
@@ -37,4 +37,18 @@ class PGPAttributeKey {
static final String COMPRESS_ALGORITHM = "pgp.compression.algorithm";
static final String COMPRESS_ALGORITHM_ID = "pgp.compression.algorithm.id";
+
+ static final String SIGNATURE_CREATED = "pgp.signature.created";
+
+ static final String SIGNATURE_ALGORITHM = "pgp.signature.algorithm";
+
+ static final String SIGNATURE_HASH_ALGORITHM_ID =
"pgp.signature.hash.algorithm.id";
+
+ static final String SIGNATURE_KEY_ALGORITHM_ID =
"pgp.signature.key.algorithm.id";
+
+ static final String SIGNATURE_KEY_ID = "pgp.signature.key.id";
+
+ static final String SIGNATURE_TYPE_ID = "pgp.signature.type.id";
+
+ static final String SIGNATURE_VERSION = "pgp.signature.version";
}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/SignContentPGP.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/SignContentPGP.java
new file mode 100644
index 0000000..cdee4be
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/SignContentPGP.java
@@ -0,0 +1,408 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp;
+
+import org.apache.nifi.annotation.behavior.InputRequirement;
+import org.apache.nifi.annotation.behavior.WritesAttribute;
+import org.apache.nifi.annotation.behavior.WritesAttributes;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.SeeAlso;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.AllowableValue;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.expression.ExpressionLanguageScope;
+import org.apache.nifi.flowfile.FlowFile;
+import org.apache.nifi.flowfile.attributes.CoreAttributes;
+import org.apache.nifi.pgp.service.api.PGPPrivateKeyService;
+import org.apache.nifi.processor.AbstractProcessor;
+import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.processor.ProcessSession;
+import org.apache.nifi.processor.Relationship;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.FileEncoding;
+import org.apache.nifi.processors.pgp.attributes.HashAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.SigningStrategy;
+import org.apache.nifi.processors.pgp.exception.PGPProcessException;
+import org.apache.nifi.processors.pgp.io.EncodingStreamCallback;
+import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+/**
+ * Sign Content using Open Pretty Good Privacy Private Keys
+ */
+@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
+@Tags({"PGP", "GPG", "OpenPGP", "Encryption", "Signing", "RFC 4880"})
+@CapabilityDescription("Sign content using OpenPGP Private Keys")
+@SeeAlso({DecryptContentPGP.class, EncryptContentPGP.class,
VerifyContentPGP.class})
+@WritesAttributes({
+ @WritesAttribute(attribute = PGPAttributeKey.COMPRESS_ALGORITHM,
description = "Compression Algorithm"),
+ @WritesAttribute(attribute = PGPAttributeKey.COMPRESS_ALGORITHM_ID,
description = "Compression Algorithm Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.FILE_ENCODING,
description = "File Encoding"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_ALGORITHM,
description = "Signature Algorithm including key and hash algorithm names"),
+ @WritesAttribute(attribute =
PGPAttributeKey.SIGNATURE_HASH_ALGORITHM_ID, description = "Signature Hash
Algorithm Identifier"),
+ @WritesAttribute(attribute =
PGPAttributeKey.SIGNATURE_KEY_ALGORITHM_ID, description = "Signature Key
Algorithm Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_KEY_ID,
description = "Signature Public Key Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_TYPE_ID,
description = "Signature Type Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_VERSION,
description = "Signature Version Number"),
+})
+public class SignContentPGP extends AbstractProcessor {
+
+ public static final Relationship SUCCESS = new Relationship.Builder()
+ .name("success")
+ .description("Content signing succeeded")
+ .build();
+
+ public static final Relationship FAILURE = new Relationship.Builder()
+ .name("failure")
+ .description("Content signing failed")
+ .build();
+
+ public static final PropertyDescriptor COMPRESSION_ALGORITHM = new
PropertyDescriptor.Builder()
+ .name("compression-algorithm")
+ .displayName("Compression Algorithm")
+ .description("Compression Algorithm for signing")
+ .required(true)
+ .defaultValue(CompressionAlgorithm.ZIP.name())
+ .allowableValues(CompressionAlgorithm.values())
+ .build();
+
+ public static final PropertyDescriptor FILE_ENCODING = new
PropertyDescriptor.Builder()
+ .name("file-encoding")
+ .displayName("File Encoding")
+ .description("File Encoding for signing")
+ .required(true)
+ .defaultValue(FileEncoding.BINARY.name())
+ .allowableValues(FileEncoding.values())
+ .build();
+
+ public static final PropertyDescriptor HASH_ALGORITHM = new
PropertyDescriptor.Builder()
+ .name("hash-algorithm")
+ .displayName("Hash Algorithm")
+ .description("Hash Algorithm for signing")
+ .required(true)
+ .defaultValue(HashAlgorithm.SHA512.name())
+ .allowableValues(HashAlgorithm.values())
+ .build();
+
+ public static final PropertyDescriptor SIGNING_STRATEGY = new
PropertyDescriptor.Builder()
+ .name("signing-strategy")
+ .displayName("Signing Strategy")
+ .description("Strategy for writing files to success after signing")
+ .required(true)
+ .defaultValue(SigningStrategy.SIGNED.name())
+ .allowableValues(
+ Arrays.stream(SigningStrategy.values()).map(strategy ->
+ new AllowableValue(strategy.name(),
strategy.name(), strategy.getDescription())
+ ).toArray(AllowableValue[]::new)
+ )
+ .build();
+
+ public static final PropertyDescriptor PRIVATE_KEY_SERVICE = new
PropertyDescriptor.Builder()
+ .name("private-key-service")
+ .displayName("Private Key Service")
+ .description("PGP Private Key Service for generating content
signatures")
+ .identifiesControllerService(PGPPrivateKeyService.class)
+ .required(true)
+ .build();
+
+ public static final PropertyDescriptor PRIVATE_KEY_ID = new
PropertyDescriptor.Builder()
+ .name("private-key-id")
+ .displayName("Private Key ID")
+ .description("PGP Private Key Identifier formatted as uppercase
hexadecimal string of 16 characters used for signing")
+
.expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
+ .addValidator(StandardValidators.NON_EMPTY_EL_VALIDATOR)
+ .required(true)
+ .build();
+
+ private static final Set<Relationship> RELATIONSHIPS = new
HashSet<>(Arrays.asList(SUCCESS, FAILURE));
+
+ private static final List<PropertyDescriptor> DESCRIPTORS = Arrays.asList(
+ COMPRESSION_ALGORITHM,
+ FILE_ENCODING,
+ HASH_ALGORITHM,
+ SIGNING_STRATEGY,
+ PRIVATE_KEY_SERVICE,
+ PRIVATE_KEY_ID
+ );
+
+ private static final boolean NESTED_SIGNATURE_DISABLED = false;
+
+ /**
+ * Get Relationships
+ *
+ * @return Processor Relationships
+ */
+ @Override
+ public Set<Relationship> getRelationships() {
+ return RELATIONSHIPS;
+ }
+
+ /**
+ * Get Supported Property Descriptors
+ *
+ * @return Processor Supported Property Descriptors
+ */
+ @Override
+ public final List<PropertyDescriptor> getSupportedPropertyDescriptors() {
+ return DESCRIPTORS;
+ }
+
+ /**
+ * On Trigger generates signatures for Flow File contents using private
keys
+ *
+ * @param context Process Context
+ * @param session Process Session
+ */
+ @Override
+ public void onTrigger(final ProcessContext context, final ProcessSession
session) {
+ FlowFile flowFile = session.get();
+ if (flowFile == null) {
+ return;
+ }
+
+ try {
+ final SignatureStreamCallback callback =
getStreamCallback(context, flowFile);
+ flowFile = session.write(flowFile, callback);
+ flowFile = session.putAllAttributes(flowFile, callback.attributes);
+ session.transfer(flowFile, SUCCESS);
+ } catch (final RuntimeException e) {
+ getLogger().error("Signing Failed {}", flowFile, e);
+ session.transfer(flowFile, FAILURE);
+ }
+ }
+
+ private SignatureStreamCallback getStreamCallback(final ProcessContext
context, final FlowFile flowFile) {
+ final FileEncoding fileEncoding = getFileEncoding(context);
+ final CompressionAlgorithm compressionAlgorithm =
getCompressionAlgorithm(context);
+ final HashAlgorithm hashAlgorithm = getHashAlgorithm(context);
+ final String filename =
flowFile.getAttribute(CoreAttributes.FILENAME.key());
+ final SigningStrategy signingStrategy = getSigningStrategy(context);
+ final PGPPrivateKey privateKey = getPrivateKey(context, flowFile);
+ return SigningStrategy.SIGNED.equals(signingStrategy)
+ ? new SignedStreamCallback(fileEncoding, compressionAlgorithm,
filename, hashAlgorithm, privateKey)
+ : new DetachedStreamCallback(fileEncoding,
compressionAlgorithm, filename, hashAlgorithm, privateKey);
+ }
+
+ private PGPPrivateKey getPrivateKey(final ProcessContext context, final
FlowFile flowFile) {
+ final PGPPrivateKeyService privateKeyService =
context.getProperty(PRIVATE_KEY_SERVICE).asControllerService(PGPPrivateKeyService.class);
+ final long privateKeyId = getPrivateKeyId(context, flowFile);
+ final Optional<PGPPrivateKey> optionalPrivateKey =
privateKeyService.findPrivateKey(privateKeyId);
+
+ return optionalPrivateKey.orElseThrow(() -> {
+ final String message = String.format("Private Key ID [%s] not
found", KeyIdentifierConverter.format(privateKeyId));
+ return new PGPProcessException(message);
+ });
+ }
+
+ private long getPrivateKeyId(final ProcessContext context, final FlowFile
flowFile) {
+ final String privateKeyId =
context.getProperty(PRIVATE_KEY_ID).evaluateAttributeExpressions(flowFile).getValue();
+ try {
+ return KeyIdentifierConverter.parse(privateKeyId);
+ } catch (final NumberFormatException e) {
+ throw new PGPProcessException(String.format("Private Key ID [%s]
Hexadecimal Parsing Failed", privateKeyId), e);
+ }
+ }
+
+ private CompressionAlgorithm getCompressionAlgorithm(final ProcessContext
context) {
+ final String algorithm =
context.getProperty(COMPRESSION_ALGORITHM).getValue();
+ return CompressionAlgorithm.valueOf(algorithm);
+ }
+
+ private FileEncoding getFileEncoding(final ProcessContext context) {
+ final String encoding = context.getProperty(FILE_ENCODING).getValue();
+ return FileEncoding.valueOf(encoding);
+ }
+
+ private HashAlgorithm getHashAlgorithm(final ProcessContext context) {
+ final String algorithm =
context.getProperty(HASH_ALGORITHM).getValue();
+ return HashAlgorithm.valueOf(algorithm);
+ }
+
+ private SigningStrategy getSigningStrategy(final ProcessContext context) {
+ final String strategy =
context.getProperty(SIGNING_STRATEGY).getValue();
+ return SigningStrategy.valueOf(strategy);
+ }
+
+ private class SignatureStreamCallback extends EncodingStreamCallback {
+ private final PGPPrivateKey privateKey;
+
+ private final HashAlgorithm hashAlgorithm;
+
+ private final Map<String, String> attributes = new HashMap<>();
+
+ protected SignatureStreamCallback(final FileEncoding fileEncoding,
+ final CompressionAlgorithm
compressionAlgorithm,
+ final String filename,
+ final HashAlgorithm hashAlgorithm,
+ final PGPPrivateKey privateKey
+ ) {
+ super(fileEncoding, compressionAlgorithm, filename);
+ this.hashAlgorithm = hashAlgorithm;
+ this.privateKey = privateKey;
+
+ attributes.put(PGPAttributeKey.COMPRESS_ALGORITHM,
compressionAlgorithm.toString());
+ attributes.put(PGPAttributeKey.COMPRESS_ALGORITHM_ID,
Integer.toString(compressionAlgorithm.getId()));
+ attributes.put(PGPAttributeKey.FILE_ENCODING,
fileEncoding.toString());
+ }
+
+ /***
+ * Write Signature to Output Stream
+ *
+ * @param signatureGenerator Signature Generator initialized with
Private Key
+ * @param outputStream Output Stream for writing encoded signature
+ * @throws PGPException Thrown when failing to generate signature
+ * @throws IOException Thrown when failing to write signature
+ */
+ protected void writeSignature(final PGPSignatureGenerator
signatureGenerator, final OutputStream outputStream) throws PGPException,
IOException {
+ final PGPSignature signature = signatureGenerator.generate();
+ signature.encode(outputStream);
+ setSignatureAttributes(signature);
+ }
+
+ /**
+ * Get Signature Generator initialized using configuration properties
and Private Key
+ * @return Initialized Signature Generator
+ * @throws PGPException Thrown when failing to initialize signature
generator
+ */
+ protected PGPSignatureGenerator getSignatureGenerator() throws
PGPException {
+ final int keyAlgorithm =
privateKey.getPublicKeyPacket().getAlgorithm();
+ final SecureRandom secureRandom = new SecureRandom();
+ final JcaPGPContentSignerBuilder builder = new
JcaPGPContentSignerBuilder(keyAlgorithm,
hashAlgorithm.getId()).setSecureRandom(secureRandom);
+ final PGPSignatureGenerator signatureGenerator = new
PGPSignatureGenerator(builder);
+ signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+ return signatureGenerator;
+ }
+
+ private void setSignatureAttributes(final PGPSignature signature) {
+ setSignatureAlgorithm(signature.getKeyAlgorithm(),
signature.getHashAlgorithm());
+ attributes.put(PGPAttributeKey.SIGNATURE_CREATED,
Long.toString(signature.getCreationTime().getTime()));
+ attributes.put(PGPAttributeKey.SIGNATURE_KEY_ID,
KeyIdentifierConverter.format(signature.getKeyID()));
+ attributes.put(PGPAttributeKey.SIGNATURE_TYPE_ID,
Integer.toString(signature.getSignatureType()));
+ attributes.put(PGPAttributeKey.SIGNATURE_VERSION,
Integer.toString(signature.getVersion()));
+ }
+
+ private void setSignatureAlgorithm(final int keyAlgorithm, final int
hashAlgorithm) {
+ attributes.put(PGPAttributeKey.SIGNATURE_HASH_ALGORITHM_ID,
Integer.toString(hashAlgorithm));
+ attributes.put(PGPAttributeKey.SIGNATURE_KEY_ALGORITHM_ID,
Integer.toString(keyAlgorithm));
+ try {
+ final String algorithm =
PGPUtil.getSignatureName(keyAlgorithm, hashAlgorithm);
+ attributes.put(PGPAttributeKey.SIGNATURE_ALGORITHM, algorithm);
+ } catch (final PGPException e) {
+ getLogger().debug("Signature Algorithm Key Identifier [{}]
Hash Identifier [{}] not found", keyAlgorithm, hashAlgorithm);
+ }
+ }
+ }
+
+ private class DetachedStreamCallback extends SignatureStreamCallback {
+ private DetachedStreamCallback(final FileEncoding fileEncoding,
+ final CompressionAlgorithm
compressionAlgorithm,
+ final String filename,
+ final HashAlgorithm hashAlgorithm,
+ final PGPPrivateKey privateKey
+ ) {
+ super(fileEncoding, compressionAlgorithm, filename, hashAlgorithm,
privateKey);
+ }
+
+ /**
+ * Process Encoding writes detached signature through Compression
Output Stream
+ *
+ * @param inputStream Input Stream
+ * @param encodingOutputStream Output Stream configured according to
File Encoding
+ * @throws IOException Thrown when unable to read or write streams
+ * @throws PGPException Thrown when unable to process compression
+ */
+ @Override
+ protected void processEncoding(final InputStream inputStream, final
OutputStream encodingOutputStream) throws IOException, PGPException {
+ processDetached(inputStream, encodingOutputStream);
+ }
+
+ private void processDetached(final InputStream inputStream, final
OutputStream outputStream) throws IOException, PGPException {
+ final PGPSignatureGenerator signatureGenerator =
getSignatureGenerator();
+ final byte[] buffer = createOutputBuffer();
+ int read;
+ while ((read = inputStream.read(buffer)) >= 0) {
+ signatureGenerator.update(buffer, 0, read);
+ }
+ writeSignature(signatureGenerator, outputStream);
+ }
+ }
+
+ private class SignedStreamCallback extends SignatureStreamCallback {
+
+ private SignedStreamCallback(final FileEncoding fileEncoding,
+ final CompressionAlgorithm
compressionAlgorithm,
+ final String filename,
+ final HashAlgorithm hashAlgorithm,
+ final PGPPrivateKey privateKey
+ ) {
+ super(fileEncoding, compressionAlgorithm, filename, hashAlgorithm,
privateKey);
+ }
+
+ /**
+ * Process Compression passing Input Stream through Literal Data
Output Stream prepended with One-Pass Signature and followed with Signature
+ *
+ * @param inputStream Input Stream
+ * @param compressedOutputStream Output Stream configured according to
Compression Algorithm
+ * @throws IOException Thrown when unable to read or write streams
+ * @throws PGPException Thrown when unable to generate signatures
+ */
+ @Override
+ protected void processCompression(final InputStream inputStream, final
OutputStream compressedOutputStream) throws IOException, PGPException {
+ final PGPSignatureGenerator signatureGenerator =
getSignatureGenerator();
+
+ final PGPOnePassSignature onePassSignature =
signatureGenerator.generateOnePassVersion(NESTED_SIGNATURE_DISABLED);
+ onePassSignature.encode(compressedOutputStream);
+
+ final PGPLiteralDataGenerator literalDataGenerator = new
PGPLiteralDataGenerator();
+ try (final OutputStream literalOutputStream =
openLiteralOutputStream(literalDataGenerator, compressedOutputStream)) {
+ processSigned(inputStream, literalOutputStream,
signatureGenerator);
+ }
+ literalDataGenerator.close();
+
+ writeSignature(signatureGenerator, compressedOutputStream);
+ }
+
+ private void processSigned(final InputStream inputStream, final
OutputStream outputStream, final PGPSignatureGenerator signatureGenerator)
throws IOException {
+ final byte[] buffer = createOutputBuffer();
+ int read;
+ while ((read = inputStream.read(buffer)) >= 0) {
+ outputStream.write(buffer, 0, read);
+ signatureGenerator.update(buffer, 0, read);
+ }
+ }
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/VerifyContentPGP.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/VerifyContentPGP.java
new file mode 100644
index 0000000..115ffdd
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/VerifyContentPGP.java
@@ -0,0 +1,321 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp;
+
+import org.apache.nifi.annotation.behavior.InputRequirement;
+import org.apache.nifi.annotation.behavior.WritesAttribute;
+import org.apache.nifi.annotation.behavior.WritesAttributes;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.SeeAlso;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.flowfile.FlowFile;
+import org.apache.nifi.pgp.service.api.PGPPublicKeyService;
+import org.apache.nifi.processor.AbstractProcessor;
+import org.apache.nifi.processor.ProcessContext;
+import org.apache.nifi.processor.ProcessSession;
+import org.apache.nifi.processor.Relationship;
+import org.apache.nifi.processor.io.StreamCallback;
+import org.apache.nifi.processors.pgp.exception.PGPProcessException;
+import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
+import org.apache.nifi.stream.io.StreamUtils;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
+import
org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+/**
+ * Verify Content using Open Pretty Good Privacy Public Keys
+ */
+@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
+@Tags({"PGP", "GPG", "OpenPGP", "Encryption", "Signing", "RFC 4880"})
+@CapabilityDescription("Verify signatures using OpenPGP Public Keys")
+@SeeAlso({ DecryptContentPGP.class, EncryptContentPGP.class,
SignContentPGP.class })
+@WritesAttributes({
+ @WritesAttribute(attribute = PGPAttributeKey.LITERAL_DATA_FILENAME,
description = "Filename from Literal Data"),
+ @WritesAttribute(attribute = PGPAttributeKey.LITERAL_DATA_MODIFIED,
description = "Modified Date Time from Literal Data in milliseconds"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_CREATED,
description = "Signature Creation Time in milliseconds"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_ALGORITHM,
description = "Signature Algorithm including key and hash algorithm names"),
+ @WritesAttribute(attribute =
PGPAttributeKey.SIGNATURE_HASH_ALGORITHM_ID, description = "Signature Hash
Algorithm Identifier"),
+ @WritesAttribute(attribute =
PGPAttributeKey.SIGNATURE_KEY_ALGORITHM_ID, description = "Signature Key
Algorithm Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_KEY_ID,
description = "Signature Public Key Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_TYPE_ID,
description = "Signature Type Identifier"),
+ @WritesAttribute(attribute = PGPAttributeKey.SIGNATURE_VERSION,
description = "Signature Version Number"),
+})
+public class VerifyContentPGP extends AbstractProcessor {
+
+ public static final Relationship SUCCESS = new Relationship.Builder()
+ .name("success")
+ .description("Signature Verification Succeeded")
+ .build();
+
+ public static final Relationship FAILURE = new Relationship.Builder()
+ .name("failure")
+ .description("Signature Verification Failed")
+ .build();
+
+ public static final PropertyDescriptor PUBLIC_KEY_SERVICE = new
PropertyDescriptor.Builder()
+ .name("public-key-service")
+ .displayName("Public Key Service")
+ .description("PGP Public Key Service for verifying signatures with
Public Key Encryption")
+ .identifiesControllerService(PGPPublicKeyService.class)
+ .required(true)
+ .build();
+
+ private static final Set<Relationship> RELATIONSHIPS = new
HashSet<>(Arrays.asList(SUCCESS, FAILURE));
+
+ private static final List<PropertyDescriptor> DESCRIPTORS =
Collections.singletonList(
+ PUBLIC_KEY_SERVICE
+ );
+
+ private static final int BUFFER_SIZE = 8192;
+
+ private static final String KEY_ID_UNKNOWN = "UNKNOWN";
+
+ /**
+ * Get Relationships
+ *
+ * @return Processor Relationships
+ */
+ @Override
+ public Set<Relationship> getRelationships() {
+ return RELATIONSHIPS;
+ }
+
+ /**
+ * Get Supported Property Descriptors
+ *
+ * @return Processor Supported Property Descriptors
+ */
+ @Override
+ public final List<PropertyDescriptor> getSupportedPropertyDescriptors() {
+ return DESCRIPTORS;
+ }
+
+ /**
+ * On Trigger verifies signatures found in Flow File contents using
configured properties
+ *
+ * @param context Process Context
+ * @param session Process Session
+ */
+ @Override
+ public void onTrigger(final ProcessContext context, final ProcessSession
session) {
+ FlowFile flowFile = session.get();
+ if (flowFile == null) {
+ return;
+ }
+
+ final PGPPublicKeyService publicKeyService =
context.getProperty(PUBLIC_KEY_SERVICE).asControllerService(PGPPublicKeyService.class);
+ final VerifyStreamCallback callback = new
VerifyStreamCallback(publicKeyService);
+ try {
+ flowFile = session.write(flowFile, callback);
+ flowFile = session.putAllAttributes(flowFile, callback.attributes);
+ final String keyId =
flowFile.getAttribute(PGPAttributeKey.SIGNATURE_KEY_ID);
+ getLogger().info("Signature Key ID [{}] Verification Completed
{}", keyId, flowFile);
+ session.transfer(flowFile, SUCCESS);
+ } catch (final RuntimeException e) {
+ flowFile = session.putAllAttributes(flowFile, callback.attributes);
+ getLogger().error("Processing Failed {}", flowFile, e);
+ session.transfer(flowFile, FAILURE);
+ }
+ }
+
+ private class VerifyStreamCallback implements StreamCallback {
+ private final PGPPublicKeyService publicKeyService;
+
+ private final Map<String, String> attributes = new HashMap<>();
+
+ private boolean verified;
+
+ private VerifyStreamCallback(final PGPPublicKeyService
publicKeyService) {
+ this.publicKeyService = publicKeyService;
+ }
+
+ /**
+ * Process Input Stream containing binary or ASCII Armored OpenPGP
messages and write literal data after verification
+ *
+ * @param inputStream Input Stream to be read
+ * @param outputStream Output Stream for literal data contents
+ * @throws IOException Thrown when unable to read or write streams
+ */
+ @Override
+ public void process(final InputStream inputStream, final OutputStream
outputStream) throws IOException {
+ final InputStream decoderInputStream =
PGPUtil.getDecoderStream(inputStream);
+ final PGPObjectFactory pgpObjectFactory = new
JcaPGPObjectFactory(decoderInputStream);
+ final Iterator<?> objects = pgpObjectFactory.iterator();
+ if (objects.hasNext()) {
+ processObjectFactory(objects, outputStream);
+ }
+
+ if (verified) {
+ getLogger().debug("One-Pass Signature Algorithm [{}]
Verified", attributes.get(PGPAttributeKey.SIGNATURE_ALGORITHM));
+ } else {
+ final String keyId =
attributes.getOrDefault(PGPAttributeKey.SIGNATURE_KEY_ID, KEY_ID_UNKNOWN);
+ throw new PGPProcessException(String.format("Signature Key ID
[%s] Verification Failed", keyId));
+ }
+ }
+
+ private void processObjectFactory(final Iterator<?> objects, final
OutputStream outputStream) throws IOException {
+ PGPOnePassSignature onePassSignature = null;
+
+ while (objects.hasNext()) {
+ final Object object = objects.next();
+ getLogger().debug("PGP Object Read [{}]",
object.getClass().getSimpleName());
+
+ if (object instanceof PGPCompressedData) {
+ final PGPCompressedData compressedData =
(PGPCompressedData) object;
+ try {
+ final PGPObjectFactory compressedObjectFactory = new
JcaPGPObjectFactory(compressedData.getDataStream());
+
processObjectFactory(compressedObjectFactory.iterator(), outputStream);
+ } catch (final PGPException e) {
+ throw new PGPProcessException("Read Compressed Data
Failed", e);
+ }
+ } else if (object instanceof PGPOnePassSignatureList) {
+ final PGPOnePassSignatureList onePassSignatureList =
(PGPOnePassSignatureList) object;
+ onePassSignature =
processOnePassSignatures(onePassSignatureList);
+ } else if (object instanceof PGPLiteralData) {
+ final PGPLiteralData literalData = (PGPLiteralData) object;
+ processLiteralData(literalData, outputStream,
onePassSignature);
+ } else if (object instanceof PGPSignatureList) {
+ final PGPSignatureList signatureList = (PGPSignatureList)
object;
+ processSignatures(signatureList, onePassSignature);
+ }
+ }
+ }
+
+ private PGPOnePassSignature processOnePassSignatures(final
PGPOnePassSignatureList onePassSignatureList) {
+ getLogger().debug("One-Pass Signatures Found [{}]",
onePassSignatureList.size());
+
+ PGPOnePassSignature initializedOnePassSignature = null;
+ final Iterator<PGPOnePassSignature> onePassSignatures =
onePassSignatureList.iterator();
+ if (onePassSignatures.hasNext()) {
+ final PGPOnePassSignature onePassSignature =
onePassSignatures.next();
+ setOnePassSignatureAttributes(onePassSignature);
+
+ final String keyId =
KeyIdentifierConverter.format(onePassSignature.getKeyID());
+ final Optional<PGPPublicKey> optionalPublicKey =
publicKeyService.findPublicKey(keyId);
+ if (optionalPublicKey.isPresent()) {
+ getLogger().debug("One-Pass Signature Key ID [{}] found",
keyId);
+ final PGPPublicKey publicKey = optionalPublicKey.get();
+ try {
+ onePassSignature.init(new
JcaPGPContentVerifierBuilderProvider(), publicKey);
+ initializedOnePassSignature = onePassSignature;
+ } catch (final PGPException e) {
+ throw new PGPProcessException(String.format("One-Pass
Signature Key ID [%s] Initialization Failed", keyId), e);
+ }
+ } else {
+ getLogger().warn("One-Pass Signature Key ID [{}] not found
in Public Key Service", keyId);
+ }
+ }
+ return initializedOnePassSignature;
+ }
+
+ private void processLiteralData(final PGPLiteralData literalData,
+ final OutputStream outputStream,
+ final PGPOnePassSignature
onePassSignature) throws IOException {
+ setLiteralDataAttributes(literalData);
+ final InputStream literalInputStream =
literalData.getInputStream();
+ if (onePassSignature == null) {
+ StreamUtils.copy(literalInputStream, outputStream);
+ } else {
+ processSignedStream(literalInputStream, outputStream,
onePassSignature);
+ }
+ }
+
+ private void processSignatures(final PGPSignatureList signatureList,
final PGPOnePassSignature onePassSignature) {
+ getLogger().debug("Signatures Found [{}]", signatureList.size());
+ final Iterator<PGPSignature> signatures = signatureList.iterator();
+ if (signatures.hasNext()) {
+ final PGPSignature signature = signatures.next();
+ setSignatureAttributes(signature);
+
+ if (onePassSignature == null) {
+ getLogger().debug("One-Pass Signature not found:
Verification Failed");
+ } else {
+ try {
+ verified = onePassSignature.verify(signature);
+ } catch (final PGPException e) {
+ final String keyId =
KeyIdentifierConverter.format(onePassSignature.getKeyID());
+ throw new PGPProcessException(String.format("One-Pass
Signature Key ID [%s] Verification Failed", keyId), e);
+ }
+ }
+ }
+ }
+
+ private void processSignedStream(final InputStream inputStream, final
OutputStream outputStream, final PGPOnePassSignature onePassSignature) throws
IOException {
+ final String keyId =
KeyIdentifierConverter.format(onePassSignature.getKeyID());
+ getLogger().debug("Processing Data for One-Pass Signature with Key
ID [{}]", keyId);
+ final byte[] buffer = new byte[BUFFER_SIZE];
+ int read;
+ while ((read = inputStream.read(buffer)) >= 0) {
+ onePassSignature.update(buffer, 0, read);
+ outputStream.write(buffer, 0, read);
+ }
+ }
+
+ private void setOnePassSignatureAttributes(final PGPOnePassSignature
onePassSignature) {
+ setSignatureAlgorithm(onePassSignature.getKeyAlgorithm(),
onePassSignature.getHashAlgorithm());
+ attributes.put(PGPAttributeKey.SIGNATURE_KEY_ID,
KeyIdentifierConverter.format(onePassSignature.getKeyID()));
+ attributes.put(PGPAttributeKey.SIGNATURE_TYPE_ID,
Integer.toString(onePassSignature.getSignatureType()));
+ }
+
+ private void setSignatureAttributes(final PGPSignature signature) {
+ setSignatureAlgorithm(signature.getKeyAlgorithm(),
signature.getHashAlgorithm());
+ attributes.put(PGPAttributeKey.SIGNATURE_CREATED,
Long.toString(signature.getCreationTime().getTime()));
+ attributes.put(PGPAttributeKey.SIGNATURE_KEY_ID,
KeyIdentifierConverter.format(signature.getKeyID()));
+ attributes.put(PGPAttributeKey.SIGNATURE_TYPE_ID,
Integer.toString(signature.getSignatureType()));
+ attributes.put(PGPAttributeKey.SIGNATURE_VERSION,
Integer.toString(signature.getVersion()));
+ }
+
+ private void setLiteralDataAttributes(final PGPLiteralData
literalData) {
+ attributes.put(PGPAttributeKey.LITERAL_DATA_FILENAME,
literalData.getFileName());
+ attributes.put(PGPAttributeKey.LITERAL_DATA_MODIFIED,
Long.toString(literalData.getModificationTime().getTime()));
+ }
+
+ private void setSignatureAlgorithm(final int keyAlgorithm, final int
hashAlgorithm) {
+ attributes.put(PGPAttributeKey.SIGNATURE_HASH_ALGORITHM_ID,
Integer.toString(hashAlgorithm));
+ attributes.put(PGPAttributeKey.SIGNATURE_KEY_ALGORITHM_ID,
Integer.toString(keyAlgorithm));
+ try {
+ final String algorithm =
PGPUtil.getSignatureName(keyAlgorithm, hashAlgorithm);
+ attributes.put(PGPAttributeKey.SIGNATURE_ALGORITHM, algorithm);
+ } catch (final PGPException e) {
+ getLogger().debug("Signature Algorithm Key Identifier [{}]
Hash Identifier [{}] not found", keyAlgorithm, hashAlgorithm);
+ }
+ }
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/DecryptionStrategy.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/DecryptionStrategy.java
new file mode 100644
index 0000000..54bf2d5
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/DecryptionStrategy.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.attributes;
+
+/**
+ * Pretty Good Privacy Decryption Strategy
+ */
+public enum DecryptionStrategy {
+ DECRYPTED("Produce decrypted content read from literal data ignoring
signatures"),
+
+ PACKAGED("Produce decrypted content packaged as an OpenPGP message for
additional processing");
+
+ private final String description;
+
+ DecryptionStrategy(final String description) {
+ this.description = description;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/HashAlgorithm.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/HashAlgorithm.java
new file mode 100644
index 0000000..9549147
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/HashAlgorithm.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.attributes;
+
+import org.bouncycastle.bcpg.HashAlgorithmTags;
+
+/**
+ * PGP Hash Algorithm Definitions supported for Signing
+ */
+public enum HashAlgorithm {
+ SHA256(HashAlgorithmTags.SHA256),
+
+ SHA384(HashAlgorithmTags.SHA384),
+
+ SHA512(HashAlgorithmTags.SHA512);
+
+ private int id;
+
+ HashAlgorithm(final int id) {
+ this.id = id;
+ }
+
+ public int getId() {
+ return id;
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/SigningStrategy.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/SigningStrategy.java
new file mode 100644
index 0000000..06ba4da
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/attributes/SigningStrategy.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.attributes;
+
+/**
+ * Pretty Good Privacy File Signing Strategy
+ */
+public enum SigningStrategy {
+ SIGNED("Produce signed content packaged as an OpenPGP message"),
+
+ DETACHED("Produce detached signature based on associated content packaged
according to OpenPGP encoding");
+
+ private final String description;
+
+ SigningStrategy(final String description) {
+ this.description = description;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/io/EncodingStreamCallback.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/io/EncodingStreamCallback.java
new file mode 100644
index 0000000..1377e4e
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/io/EncodingStreamCallback.java
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.io;
+
+import org.apache.nifi.processor.io.StreamCallback;
+import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.FileEncoding;
+import org.apache.nifi.processors.pgp.exception.PGPProcessException;
+import org.apache.nifi.stream.io.StreamUtils;
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Date;
+import java.util.Objects;
+
+/**
+ * Encoding Stream Callback handles writing PGP messages using configured
properties
+ */
+public class EncodingStreamCallback implements StreamCallback {
+ private static final int OUTPUT_BUFFER_SIZE = 8192;
+
+ private final FileEncoding fileEncoding;
+
+ private final CompressionAlgorithm compressionAlgorithm;
+
+ private final String filename;
+
+ public EncodingStreamCallback(final FileEncoding fileEncoding, final
CompressionAlgorithm compressionAlgorithm, final String filename) {
+ this.fileEncoding = Objects.requireNonNull(fileEncoding, "File
Encoding required");
+ this.compressionAlgorithm =
Objects.requireNonNull(compressionAlgorithm, "Compression Algorithm required");
+ this.filename = Objects.requireNonNull(filename, "Filename required");
+ }
+
+ /**
+ * Process Input Stream and write encoded contents to Output Stream
+ *
+ * @param inputStream Input Stream
+ * @param outputStream Output Stream for encrypted contents
+ * @throws IOException Thrown when unable to read or write streams
+ */
+ @Override
+ public void process(final InputStream inputStream, final OutputStream
outputStream) throws IOException {
+ try (final OutputStream encodingOutputStream =
getEncodingOutputStream(outputStream)) {
+ processEncoding(inputStream, encodingOutputStream);
+ } catch (final PGPException e) {
+ throw new PGPProcessException("PGP Stream Processing Failed", e);
+ }
+ }
+
+ /**
+ * Create Output Buffer byte array with size of 8192
+ *
+ * @return New empty array of 8192 bytes
+ */
+ protected byte[] createOutputBuffer() {
+ return new byte[OUTPUT_BUFFER_SIZE];
+ }
+
+ /**
+ * Process Encoding passing Input Stream through Compression Output Stream
+ *
+ * @param inputStream Input Stream
+ * @param encodingOutputStream Output Stream configured according to File
Encoding
+ * @throws IOException Thrown when unable to read or write streams
+ * @throws PGPException Thrown when unable to process compression
+ */
+ protected void processEncoding(final InputStream inputStream, final
OutputStream encodingOutputStream) throws IOException, PGPException {
+ final PGPCompressedDataGenerator compressedDataGenerator = new
PGPCompressedDataGenerator(compressionAlgorithm.getId());
+ try (final OutputStream compressedOutputStream =
compressedDataGenerator.open(encodingOutputStream, createOutputBuffer())) {
+ processCompression(inputStream, compressedOutputStream);
+ }
+ compressedDataGenerator.close();
+ }
+
+ /**
+ * Process Compression passing Input Stream through Literal Data Output
Stream
+ *
+ * @param inputStream Input Stream
+ * @param compressedOutputStream Output Stream configured according to
Compression Algorithm
+ * @throws IOException Thrown when unable to read or write streams
+ * @throws PGPException Thrown when unable to process streams using PGP
operations
+ */
+ protected void processCompression(final InputStream inputStream, final
OutputStream compressedOutputStream) throws IOException, PGPException {
+ final PGPLiteralDataGenerator generator = new
PGPLiteralDataGenerator();
+ try (final OutputStream literalOutputStream =
openLiteralOutputStream(generator, compressedOutputStream)) {
+ StreamUtils.copy(inputStream, literalOutputStream);
+ }
+ generator.close();
+ }
+
+ /**
+ * Open Literal Data Output Stream using binary indicator with configured
filename and current date indicating modification
+ *
+ * @param generator PGP Literal Data Generator
+ * @param compressedOutputStream Output Stream configured according to
Compression Algorithm
+ * @return Literal Data Output Stream
+ * @throws IOException Thrown when unable to open Literal Data Output
Stream
+ */
+ protected OutputStream openLiteralOutputStream(final
PGPLiteralDataGenerator generator, final OutputStream compressedOutputStream)
throws IOException {
+ return generator.open(compressedOutputStream, PGPLiteralData.BINARY,
filename, new Date(), createOutputBuffer());
+ }
+
+ private OutputStream getEncodingOutputStream(final OutputStream
outputStream) {
+ return FileEncoding.ASCII.equals(fileEncoding) ? new
ArmoredOutputStream(outputStream) : outputStream;
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/io/KeyIdentifierConverter.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/io/KeyIdentifierConverter.java
new file mode 100644
index 0000000..25e5d91
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/io/KeyIdentifierConverter.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.io;
+
+import java.math.BigInteger;
+
+/**
+ * Key Identifier Converter from number to hexadecimal string
+ */
+public class KeyIdentifierConverter {
+ private static final int HEXADECIMAL_RADIX = 16;
+
+ /**
+ * Format numeric key identifier as uppercase hexadecimal string
+ *
+ * @param keyId Key Identifier
+ * @return Uppercase hexadecimal string
+ */
+ public static String format(final long keyId) {
+ return Long.toHexString(keyId).toUpperCase();
+ }
+
+ /**
+ * Parse hexadecimal key identifier to numeric key identifier
+ *
+ * @param keyId Hexadecimal string
+ * @return Key Identifier
+ */
+ public static long parse(final String keyId) {
+ final BigInteger parsed = new BigInteger(keyId, HEXADECIMAL_RADIX);
+ return parsed.longValue();
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/resources/META-INF/services/org.apache.nifi.processor.Processor
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/resources/META-INF/services/org.apache.nifi.processor.Processor
index 8ce19cd..e8c6858 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/resources/META-INF/services/org.apache.nifi.processor.Processor
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/resources/META-INF/services/org.apache.nifi.processor.Processor
@@ -13,4 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
org.apache.nifi.processors.pgp.EncryptContentPGP
-org.apache.nifi.processors.pgp.DecryptContentPGP
\ No newline at end of file
+org.apache.nifi.processors.pgp.DecryptContentPGP
+org.apache.nifi.processors.pgp.SignContentPGP
+org.apache.nifi.processors.pgp.VerifyContentPGP
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
index dcff039..c58080c 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
@@ -18,9 +18,12 @@ package org.apache.nifi.processors.pgp;
import org.apache.nifi.pgp.service.api.PGPPrivateKeyService;
import org.apache.nifi.pgp.util.PGPSecretKeyGenerator;
+import org.apache.nifi.pgp.util.PGPOperationUtils;
+import org.apache.nifi.processors.pgp.attributes.DecryptionStrategy;
import org.apache.nifi.processors.pgp.exception.PGPDecryptionException;
import org.apache.nifi.processors.pgp.exception.PGPProcessException;
import org.apache.nifi.reporting.InitializationException;
+import org.apache.nifi.stream.io.StreamUtils;
import org.apache.nifi.util.LogMessage;
import org.apache.nifi.util.MockFlowFile;
import org.apache.nifi.util.TestRunner;
@@ -30,20 +33,23 @@ import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
-import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
import
org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
-import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
import
org.bouncycastle.openpgp.operator.jcajce.JcePBEKeyEncryptionMethodGenerator;
import
org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
import org.junit.jupiter.api.BeforeAll;
@@ -55,7 +61,9 @@ import org.mockito.junit.jupiter.MockitoExtension;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
+import java.io.InputStream;
import java.io.OutputStream;
+import java.io.UncheckedIOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
@@ -66,6 +74,7 @@ import java.util.UUID;
import static org.hamcrest.CoreMatchers.hasItem;
import static org.hamcrest.CoreMatchers.isA;
+import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.mockito.ArgumentMatchers.eq;
@@ -95,8 +104,6 @@ public class DecryptContentPGPTest {
private static final int BUFFER_SIZE = 128;
- private static final boolean NESTED_SIGNATURE_DISABLED = false;
-
private static final String SERVICE_ID =
PGPPrivateKeyService.class.getSimpleName();
private static PGPSecretKey rsaSecretKey;
@@ -265,6 +272,23 @@ public class DecryptContentPGPTest {
}
@Test
+ public void testSuccessPublicKeyEncryptionRsaPrivateKeyPackaged() throws
InitializationException, IOException, PGPException {
+ setPrivateKeyService();
+ final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
+
when(privateKeyService.findPrivateKey(eq(publicKey.getKeyID()))).thenReturn(Optional.of(rsaPrivateKey));
+
+ runner.setProperty(DecryptContentPGP.DECRYPTION_STRATEGY,
DecryptionStrategy.PACKAGED.toString());
+
+ final byte[] contents = DATA.getBytes(DATA_CHARSET);
+ final byte[] signedData =
PGPOperationUtils.getOnePassSignedLiteralData(contents, rsaPrivateKey);
+ final byte[] encryptedData = getPublicKeyEncryptedData(signedData,
publicKey);
+ runner.enqueue(encryptedData);
+ runner.run();
+
+ assertSuccess(ENCRYPTION_ALGORITHM, DecryptionStrategy.PACKAGED);
+ }
+
+ @Test
public void testSuccessPublicKeyEncryptionElGamalPrivateKey() throws
InitializationException, IOException, PGPException {
setPrivateKeyService();
when(privateKeyService.findPrivateKey(eq(elGamalPrivateKey.getKeyID()))).thenReturn(Optional.of(elGamalPrivateKey));
@@ -281,8 +305,9 @@ public class DecryptContentPGPTest {
final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
when(privateKeyService.findPrivateKey(eq(publicKey.getKeyID()))).thenReturn(Optional.of(rsaPrivateKey));
- final byte[] encryptedData =
getPublicKeyEncryptedData(getLiteralData(), publicKey);
- final byte[] signedData = getSignedData(encryptedData, publicKey,
rsaPrivateKey);
+ final byte[] literalData = getLiteralData();
+ final byte[] encrypted = getPublicKeyEncryptedData(literalData,
publicKey);
+ final byte[] signedData =
PGPOperationUtils.getOnePassSignedData(encrypted, rsaPrivateKey);
runner.enqueue(signedData);
runner.run();
@@ -325,18 +350,71 @@ public class DecryptContentPGPTest {
}
private void assertSuccess() {
- assertSuccess(ENCRYPTION_ALGORITHM);
+ assertSuccess(ENCRYPTION_ALGORITHM, DecryptionStrategy.DECRYPTED);
}
private void assertSuccess(final int encryptionAlgorithm) {
+ assertSuccess(encryptionAlgorithm, DecryptionStrategy.DECRYPTED);
+ }
+
+ private void assertSuccess(final int encryptionAlgorithm, final
DecryptionStrategy decryptionStrategy) {
runner.assertAllFlowFilesTransferred(DecryptContentPGP.SUCCESS);
final List<MockFlowFile> flowFiles =
runner.getFlowFilesForRelationship(DecryptContentPGP.SUCCESS);
final MockFlowFile flowFile = flowFiles.iterator().next();
- flowFile.assertContentEquals(DATA, DATA_CHARSET);
- flowFile.assertAttributeEquals(PGPAttributeKey.LITERAL_DATA_FILENAME,
FILE_NAME);
- flowFile.assertAttributeEquals(PGPAttributeKey.LITERAL_DATA_MODIFIED,
Long.toString(MODIFIED_MILLISECONDS));
+ if (DecryptionStrategy.PACKAGED == decryptionStrategy) {
+ assertSuccessPackaged(flowFile.getContentStream());
+ } else {
+ flowFile.assertContentEquals(DATA, DATA_CHARSET);
+
flowFile.assertAttributeEquals(PGPAttributeKey.LITERAL_DATA_FILENAME,
FILE_NAME);
+
flowFile.assertAttributeEquals(PGPAttributeKey.LITERAL_DATA_MODIFIED,
Long.toString(MODIFIED_MILLISECONDS));
+ }
+
flowFile.assertAttributeEquals(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID,
Integer.toString(encryptionAlgorithm));
+
flowFile.assertAttributeEquals(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_BLOCK_CIPHER,
PGPUtil.getSymmetricCipherName(encryptionAlgorithm));
+ }
+
+ private void assertSuccessPackaged(final InputStream inputStream) {
+ final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(inputStream);
+ try {
+ final Object firstObject = objectFactory.nextObject();
+ assertOnePassSignatureEquals(firstObject);
+
+ final Object secondObject = objectFactory.nextObject();
+ assertLiteralDataEquals(secondObject);
+
+ final Object thirdObject = objectFactory.nextObject();
+ assertSignatureEquals(thirdObject);
+ } catch (final IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private void assertOnePassSignatureEquals(final Object object) {
+ assertTrue(object instanceof PGPOnePassSignatureList);
+ final PGPOnePassSignatureList onePassSignatureList =
(PGPOnePassSignatureList) object;
+ final PGPOnePassSignature onePassSignature =
onePassSignatureList.iterator().next();
+ assertEquals(onePassSignature.getKeyID(), rsaPrivateKey.getKeyID());
+ }
+
+ private void assertLiteralDataEquals(final Object object) throws
IOException {
+ assertTrue(object instanceof PGPLiteralData);
+ final PGPLiteralData literalData = (PGPLiteralData) object;
+ assertEquals(FILE_NAME, literalData.getFileName());
+ assertEquals(MODIFIED, literalData.getModificationTime());
+
+ final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ StreamUtils.copy(literalData.getDataStream(), outputStream);
+ final byte[] literalBinary = outputStream.toByteArray();
+ final String literal = new String(literalBinary, DATA_CHARSET);
+ assertEquals(DATA, literal);
+ }
+
+ private void assertSignatureEquals(final Object object) {
+ assertTrue(object instanceof PGPSignatureList);
+ final PGPSignatureList signatureList = (PGPSignatureList) object;
+ final PGPSignature signature = signatureList.iterator().next();
+ assertEquals(rsaPrivateKey.getKeyID(), signature.getKeyID());
}
private void assertFailureExceptionLogged(final Class<? extends Exception>
exceptionClass) {
@@ -347,19 +425,6 @@ public class DecryptContentPGPTest {
assertThat(Arrays.asList(logMessage.getArgs()),
hasItem(isA(exceptionClass)));
}
- private byte[] getSignedData(final byte[] contents, final PGPPublicKey
publicKey, final PGPPrivateKey privateKey) throws PGPException, IOException {
- final PGPContentSignerBuilder contentSignerBuilder = new
JcaPGPContentSignerBuilder(publicKey.getAlgorithm(), PGPUtil.SHA1);
- final PGPSignatureGenerator signatureGenerator = new
PGPSignatureGenerator(contentSignerBuilder);
- signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
-
- final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-
signatureGenerator.generateOnePassVersion(NESTED_SIGNATURE_DISABLED).encode(outputStream);
- outputStream.write(contents);
- signatureGenerator.update(contents);
- signatureGenerator.generate().encode(outputStream);
- return outputStream.toByteArray();
- }
-
private byte[] getPublicKeyEncryptedData(final byte[] contents, final
PGPPublicKey publicKey) throws IOException, PGPException {
final PGPDataEncryptorBuilder builder = new
BcPGPDataEncryptorBuilder(ENCRYPTION_ALGORITHM).setWithIntegrityPacket(INTEGRITY_ENABLED);
final PGPEncryptedDataGenerator generator = new
PGPEncryptedDataGenerator(builder);
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
index 5fb2be7..78a31d9 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
@@ -17,9 +17,12 @@
package org.apache.nifi.processors.pgp;
import org.apache.nifi.pgp.service.api.PGPPublicKeyService;
+import org.apache.nifi.pgp.util.PGPOperationUtils;
import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.DecryptionStrategy;
import org.apache.nifi.processors.pgp.attributes.FileEncoding;
import org.apache.nifi.processors.pgp.attributes.SymmetricKeyAlgorithm;
+import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.stream.io.StreamUtils;
import org.apache.nifi.util.MockFlowFile;
@@ -59,10 +62,12 @@ import org.mockito.junit.jupiter.MockitoExtension;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.StreamSupport;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.eq;
@@ -74,6 +79,8 @@ public class EncryptContentPGPTest {
private static final String DATA = String.class.getName();
+ private static final byte[] DATA_BINARY =
DATA.getBytes(StandardCharsets.UTF_8);
+
private static final SymmetricKeyAlgorithm DEFAULT_SYMMETRIC_KEY_ALGORITHM
=
SymmetricKeyAlgorithm.valueOf(EncryptContentPGP.SYMMETRIC_KEY_ALGORITHM.getDefaultValue());
private static final String SERVICE_ID =
PGPPublicKeyService.class.getName();
@@ -180,19 +187,34 @@ public class EncryptContentPGPTest {
public void testSuccessPublicKeyEncryptionRsaPublicKey() throws
IOException, InitializationException, PGPException {
final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
setPublicKeyService(publicKey);
- final String publicKeyIdSearch =
Long.toHexString(publicKey.getKeyID()).toUpperCase();
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format(publicKey.getKeyID());
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(publicKey));
runner.enqueue(DATA);
runner.run();
- assertSuccess(rsaPrivateKey);
+ assertSuccess(rsaPrivateKey, DecryptionStrategy.DECRYPTED,
DATA_BINARY);
+ }
+
+ @Test
+ public void testSuccessPublicKeyEncryptionRsaPublicKeySignedDataPackaged()
throws IOException, InitializationException, PGPException {
+ final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
+ setPublicKeyService(publicKey);
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format(publicKey.getKeyID());
+
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(publicKey));
+
+ final byte[] contents = DATA.getBytes(StandardCharsets.UTF_8);
+ final byte[] signedData =
PGPOperationUtils.getOnePassSignedLiteralData(contents, rsaPrivateKey);
+
+ runner.enqueue(signedData);
+ runner.run();
+ assertSuccess(rsaPrivateKey, DecryptionStrategy.PACKAGED, signedData);
}
@Test
public void testSuccessPasswordBasedAndPublicKeyEncryptionRsaPublicKey()
throws IOException, InitializationException, PGPException {
final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
setPublicKeyService(publicKey);
- final String publicKeyIdSearch =
Long.toHexString(publicKey.getKeyID()).toUpperCase();
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format(publicKey.getKeyID());
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(publicKey));
runner.setProperty(EncryptContentPGP.PASSPHRASE, PASSPHRASE);
@@ -200,19 +222,19 @@ public class EncryptContentPGPTest {
runner.enqueue(DATA);
runner.run();
- assertSuccess(rsaPrivateKey);
+ assertSuccess(rsaPrivateKey, DecryptionStrategy.DECRYPTED,
DATA_BINARY);
assertSuccess(DEFAULT_SYMMETRIC_KEY_ALGORITHM,
PASSPHRASE.toCharArray());
}
@Test
public void testSuccessPublicKeyEncryptionElGamalPublicKey() throws
IOException, InitializationException, PGPException {
setPublicKeyService(elGamalPublicKey);
- final String publicKeyIdSearch =
Long.toHexString(elGamalPublicKey.getKeyID()).toUpperCase();
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format(elGamalPublicKey.getKeyID());
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(elGamalPublicKey));
runner.enqueue(DATA);
runner.run();
- assertSuccess(elGamalPrivateKey);
+ assertSuccess(elGamalPrivateKey, DecryptionStrategy.DECRYPTED,
DATA_BINARY);
}
@Test
@@ -220,7 +242,7 @@ public class EncryptContentPGPTest {
final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
setPublicKeyService(publicKey);
- final String publicKeyIdNotFound =
Long.toHexString(Long.MAX_VALUE).toUpperCase();
+ final String publicKeyIdNotFound =
KeyIdentifierConverter.format(Long.MAX_VALUE);
runner.setProperty(EncryptContentPGP.PUBLIC_KEY_SEARCH,
publicKeyIdNotFound);
runner.enqueue(DATA);
@@ -234,12 +256,11 @@ public class EncryptContentPGPTest {
runner.enableControllerService(publicKeyService);
runner.setProperty(EncryptContentPGP.PUBLIC_KEY_SERVICE, SERVICE_ID);
- final long publicKeyId = publicKey.getKeyID();
- final String publicKeyIdLong =
Long.toHexString(publicKeyId).toUpperCase();
- runner.setProperty(EncryptContentPGP.PUBLIC_KEY_SEARCH,
publicKeyIdLong);
+ final String publicKeyId =
KeyIdentifierConverter.format(publicKey.getKeyID());
+ runner.setProperty(EncryptContentPGP.PUBLIC_KEY_SEARCH, publicKeyId);
}
- private void assertSuccess(final PGPPrivateKey privateKey) throws
IOException, PGPException {
+ private void assertSuccess(final PGPPrivateKey privateKey, final
DecryptionStrategy decryptionStrategy, final byte[] expected) throws
IOException, PGPException {
runner.assertAllFlowFilesTransferred(EncryptContentPGP.SUCCESS);
final MockFlowFile flowFile =
runner.getFlowFilesForRelationship(EncryptContentPGP.SUCCESS).iterator().next();
assertAttributesFound(DEFAULT_SYMMETRIC_KEY_ALGORITHM, flowFile);
@@ -251,8 +272,8 @@ public class EncryptContentPGPTest {
assertTrue(encryptedData.isPresent(), "Public Key Encrypted Data not
found");
final PGPPublicKeyEncryptedData publicKeyEncryptedData =
(PGPPublicKeyEncryptedData) encryptedData.get();
- final String decryptedData = getDecryptedData(publicKeyEncryptedData,
privateKey);
- assertEquals(DATA, decryptedData);
+ final byte[] decryptedData = getDecryptedData(publicKeyEncryptedData,
privateKey, decryptionStrategy);
+ assertArrayEquals(expected, decryptedData);
}
private void assertSuccess(final SymmetricKeyAlgorithm
symmetricKeyAlgorithm, final char[] passphrase) throws IOException,
PGPException {
@@ -267,8 +288,8 @@ public class EncryptContentPGPTest {
assertTrue(encryptedData.isPresent(), "Password Based Encrypted Data
not found");
final PGPPBEEncryptedData passwordBasedEncryptedData =
(PGPPBEEncryptedData) encryptedData.get();
- final String decryptedData =
getDecryptedData(passwordBasedEncryptedData, passphrase);
- assertEquals(DATA, decryptedData);
+ final byte[] decryptedData =
getDecryptedData(passwordBasedEncryptedData, passphrase);
+ assertArrayEquals(DATA_BINARY, decryptedData);
}
private void assertAttributesFound(final SymmetricKeyAlgorithm
symmetricKeyAlgorithm, final MockFlowFile flowFile) {
@@ -295,24 +316,30 @@ public class EncryptContentPGPTest {
return (PGPEncryptedDataList) firstObject;
}
- private String getDecryptedData(final PGPPBEEncryptedData
passwordBasedEncryptedData, final char[] passphrase) throws PGPException,
IOException {
+ private byte[] getDecryptedData(final PGPPBEEncryptedData
passwordBasedEncryptedData, final char[] passphrase) throws PGPException,
IOException {
final PBEDataDecryptorFactory decryptorFactory = new
BcPBEDataDecryptorFactory(passphrase, new BcPGPDigestCalculatorProvider());
final InputStream decryptedDataStream =
passwordBasedEncryptedData.getDataStream(decryptorFactory);
- return getDecryptedData(decryptedDataStream);
+ return getDecryptedData(decryptedDataStream,
DecryptionStrategy.DECRYPTED);
}
- private String getDecryptedData(final PGPPublicKeyEncryptedData
publicKeyEncryptedData, final PGPPrivateKey privateKey) throws PGPException,
IOException {
+ private byte[] getDecryptedData(final PGPPublicKeyEncryptedData
publicKeyEncryptedData,
+ final PGPPrivateKey privateKey,
+ final DecryptionStrategy
decryptionStrategy) throws PGPException, IOException {
final PublicKeyDataDecryptorFactory decryptorFactory = new
BcPublicKeyDataDecryptorFactory(privateKey);
final InputStream decryptedDataStream =
publicKeyEncryptedData.getDataStream(decryptorFactory);
- return getDecryptedData(decryptedDataStream);
+ return getDecryptedData(decryptedDataStream, decryptionStrategy);
}
- private String getDecryptedData(final InputStream decryptedDataStream)
throws PGPException, IOException {
+ private byte[] getDecryptedData(final InputStream decryptedDataStream,
final DecryptionStrategy decryptionStrategy) throws PGPException, IOException {
final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
- final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(decryptedDataStream);
- final PGPLiteralData literalData = getLiteralData(objectFactory);
- StreamUtils.copy(literalData.getDataStream(), outputStream);
- return outputStream.toString();
+ if (DecryptionStrategy.PACKAGED == decryptionStrategy) {
+ StreamUtils.copy(decryptedDataStream, outputStream);
+ } else {
+ final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(decryptedDataStream);
+ final PGPLiteralData literalData = getLiteralData(objectFactory);
+ StreamUtils.copy(literalData.getDataStream(), outputStream);
+ }
+ return outputStream.toByteArray();
}
private PGPLiteralData getLiteralData(final PGPObjectFactory
objectFactory) throws PGPException {
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/SignContentPGPTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/SignContentPGPTest.java
new file mode 100644
index 0000000..0b92b3d
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/SignContentPGPTest.java
@@ -0,0 +1,277 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp;
+
+import org.apache.nifi.pgp.service.api.PGPPrivateKeyService;
+import org.apache.nifi.pgp.util.PGPSecretKeyGenerator;
+import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.FileEncoding;
+import org.apache.nifi.processors.pgp.attributes.HashAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.SigningStrategy;
+import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
+import org.apache.nifi.reporting.InitializationException;
+import org.apache.nifi.util.LogMessage;
+import org.apache.nifi.util.MockFlowFile;
+import org.apache.nifi.util.TestRunner;
+import org.apache.nifi.util.TestRunners;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
+import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
+import
org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
+import
org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+public class SignContentPGPTest {
+ private static final String PASSPHRASE = UUID.randomUUID().toString();
+
+ private static final String DATA = String.class.getName();
+
+ private static final byte[] DATA_BINARY =
DATA.getBytes(StandardCharsets.UTF_8);
+
+ private static final String SERVICE_ID =
PGPPrivateKeyService.class.getName();
+
+ private static final int SIGNATURE_VERSION = 4;
+
+ private static PGPPrivateKey rsaPrivateKey;
+
+ private static PGPPublicKey rsaPublicKey;
+
+ @Mock
+ private PGPPrivateKeyService privateKeyService;
+
+ private TestRunner runner;
+
+ @BeforeAll
+ public static void setKeys() throws Exception {
+ final PGPSecretKey rsaSecretKey =
PGPSecretKeyGenerator.generateRsaSecretKey(PASSPHRASE.toCharArray());
+ rsaPublicKey = rsaSecretKey.getPublicKey();
+
+ final PBESecretKeyDecryptor decryptor = new
JcePBESecretKeyDecryptorBuilder().build(PASSPHRASE.toCharArray());
+ rsaPrivateKey = rsaSecretKey.extractPrivateKey(decryptor);
+ }
+
+ @BeforeEach
+ public void setRunner() throws InitializationException {
+ runner = TestRunners.newTestRunner(new SignContentPGP());
+
+ when(privateKeyService.getIdentifier()).thenReturn(SERVICE_ID);
+ runner.addControllerService(SERVICE_ID, privateKeyService);
+ runner.enableControllerService(privateKeyService);
+ runner.setProperty(SignContentPGP.PRIVATE_KEY_SERVICE, SERVICE_ID);
+ }
+
+ @Test
+ public void testFailurePrivateKeyIdParsingException() {
+ runner.setProperty(SignContentPGP.PRIVATE_KEY_ID,
String.class.getSimpleName());
+
+ runner.enqueue(DATA);
+ runner.run();
+
+ assertFailureErrorLogged();
+ }
+
+ @Test
+ public void testFailureServiceException() {
+ final String privateKeyId =
KeyIdentifierConverter.format((rsaPrivateKey.getKeyID()));
+ runner.setProperty(SignContentPGP.PRIVATE_KEY_ID, privateKeyId);
+
when(privateKeyService.findPrivateKey(eq(rsaPrivateKey.getKeyID()))).thenThrow(new
RuntimeException());
+
+ runner.enqueue(DATA);
+ runner.run();
+
+ assertFailureErrorLogged();
+ }
+
+ @Test
+ public void testFailurePrivateKeyIdNotFound() {
+ final String privateKeyId =
KeyIdentifierConverter.format((rsaPrivateKey.getKeyID()));
+ runner.setProperty(SignContentPGP.PRIVATE_KEY_ID, privateKeyId);
+
when(privateKeyService.findPrivateKey(eq(rsaPrivateKey.getKeyID()))).thenReturn(Optional.empty());
+
+ runner.enqueue(DATA);
+ runner.run();
+
+ assertFailureErrorLogged();
+ }
+
+ @Test
+ public void testSuccessFileEncodingAsciiHashAlgorithmSha512() throws
PGPException, IOException {
+ assertSuccess(FileEncoding.ASCII, HashAlgorithm.SHA512,
SigningStrategy.SIGNED);
+ }
+
+ @Test
+ public void testSuccessFileEncodingBinaryHashAlgorithmSha512() throws
PGPException, IOException {
+ assertSuccess(FileEncoding.BINARY, HashAlgorithm.SHA512,
SigningStrategy.SIGNED);
+ }
+
+ @Test
+ public void testSuccessFileEncodingBinaryUncompressedHashAlgorithmSha256()
throws PGPException, IOException {
+ runner.setProperty(SignContentPGP.COMPRESSION_ALGORITHM,
CompressionAlgorithm.UNCOMPRESSED.toString());
+ assertSuccess(FileEncoding.BINARY, HashAlgorithm.SHA256,
SigningStrategy.SIGNED);
+ }
+
+ @Test
+ public void testSuccessFileEncodingBinaryHashAlgorithmSha256() throws
PGPException, IOException {
+ assertSuccess(FileEncoding.BINARY, HashAlgorithm.SHA256,
SigningStrategy.SIGNED);
+ }
+
+ @Test
+ public void testSuccessDetachedFileEncodingBinaryHashAlgorithmSha256()
throws PGPException, IOException {
+ assertSuccess(FileEncoding.BINARY, HashAlgorithm.SHA256,
SigningStrategy.DETACHED);
+ }
+
+ private void setPrivateKey() {
+ final String privateKeyId =
KeyIdentifierConverter.format((rsaPrivateKey.getKeyID()));
+ runner.setProperty(SignContentPGP.PRIVATE_KEY_ID, privateKeyId);
+
when(privateKeyService.findPrivateKey(eq(rsaPrivateKey.getKeyID()))).thenReturn(Optional.of(rsaPrivateKey));
+ }
+
+ private void assertSuccess(final FileEncoding fileEncoding, final
HashAlgorithm hashAlgorithm, final SigningStrategy signingStrategy) throws
PGPException, IOException {
+ setPrivateKey();
+
+ runner.setProperty(SignContentPGP.FILE_ENCODING,
fileEncoding.toString());
+ runner.setProperty(SignContentPGP.HASH_ALGORITHM,
hashAlgorithm.toString());
+ runner.setProperty(SignContentPGP.SIGNING_STRATEGY,
signingStrategy.toString());
+
+ runner.enqueue(DATA);
+ runner.run();
+
+ runner.assertTransferCount(SignContentPGP.SUCCESS, 1);
+ final MockFlowFile flowFile =
runner.getFlowFilesForRelationship(SignContentPGP.SUCCESS).iterator().next();
+ assertFlowFileAttributesFound(flowFile, fileEncoding, hashAlgorithm);
+
+ if (SigningStrategy.DETACHED == signingStrategy) {
+ assertDetachedSignatureVerified(flowFile);
+ } else {
+ assertSignatureVerified(flowFile);
+ }
+ }
+
+ private void assertFailureErrorLogged() {
+ runner.assertAllFlowFilesTransferred(SignContentPGP.FAILURE);
+ final Optional<LogMessage> optionalLogMessage =
runner.getLogger().getErrorMessages().stream().findFirst();
+ assertTrue(optionalLogMessage.isPresent());
+ }
+
+ private void assertFlowFileAttributesFound(final MockFlowFile flowFile,
final FileEncoding fileEncoding, final HashAlgorithm hashAlgorithm) throws
PGPException {
+ flowFile.assertAttributeEquals(PGPAttributeKey.FILE_ENCODING,
fileEncoding.toString());
+ flowFile.assertAttributeExists(PGPAttributeKey.COMPRESS_ALGORITHM);
+ flowFile.assertAttributeExists(PGPAttributeKey.COMPRESS_ALGORITHM_ID);
+
+ final String signatureAlgorithm =
PGPUtil.getSignatureName(rsaPrivateKey.getPublicKeyPacket().getAlgorithm(),
hashAlgorithm.getId());
+ final String keyId =
KeyIdentifierConverter.format((rsaPrivateKey.getKeyID()));
+
+ flowFile.assertAttributeExists(PGPAttributeKey.SIGNATURE_CREATED);
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_ALGORITHM,
signatureAlgorithm);
+
flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_HASH_ALGORITHM_ID,
Integer.toString(hashAlgorithm.getId()));
+
flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_KEY_ALGORITHM_ID,
Integer.toString(rsaPrivateKey.getPublicKeyPacket().getAlgorithm()));
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_KEY_ID,
keyId);
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_TYPE_ID,
Integer.toString(PGPSignature.BINARY_DOCUMENT));
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_VERSION,
Integer.toString(SIGNATURE_VERSION));
+ }
+
+ private void assertDetachedSignatureVerified(final MockFlowFile
signatureFlowFile) throws IOException, PGPException {
+ final InputStream signatureContentStream =
PGPUtil.getDecoderStream(signatureFlowFile.getContentStream());
+ final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(signatureContentStream);
+
+ final PGPSignatureList signatureList = (PGPSignatureList)
objectFactory.nextObject();
+ final PGPSignature signature = signatureList.iterator().next();
+
+ signature.init(new JcaPGPContentVerifierBuilderProvider(),
rsaPublicKey);
+
+ signature.update(DATA_BINARY);
+
+ final boolean verified = signature.verify();
+ assertTrue(verified);
+ }
+
+ private void assertSignatureVerified(final MockFlowFile flowFile) throws
IOException, PGPException {
+ final InputStream flowFileContentStream =
PGPUtil.getDecoderStream(flowFile.getContentStream());
+ final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(flowFileContentStream);
+
+ final PGPCompressedData compressedData = (PGPCompressedData)
objectFactory.nextObject();
+ final InputStream dataInputStream = compressedData.getDataStream();
+ final PGPObjectFactory dataObjectFactory = new
JcaPGPObjectFactory(dataInputStream);
+
+ final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ PGPOnePassSignature onePassSignature = null;
+ boolean verified = false;
+ for (final Object object : dataObjectFactory) {
+ if (object instanceof PGPOnePassSignatureList) {
+ final PGPOnePassSignatureList onePassSignatureList =
(PGPOnePassSignatureList) object;
+ onePassSignature = onePassSignatureList.iterator().next();
+ onePassSignature.init(new
JcaPGPContentVerifierBuilderProvider(), rsaPublicKey);
+ } else if (object instanceof PGPLiteralData) {
+ if (onePassSignature == null) {
+ throw new IllegalStateException("One-Pass Signature not
found before Literal Data");
+ }
+
+ final PGPLiteralData literalData = (PGPLiteralData) object;
+ final InputStream literalInputStream =
literalData.getDataStream();
+ int read;
+ while ((read = literalInputStream.read()) >= 0) {
+ onePassSignature.update((byte) read);
+ outputStream.write(read);
+ }
+ } else if (object instanceof PGPSignatureList) {
+ if (onePassSignature == null) {
+ throw new IllegalStateException("One-Pass Signature not
found before Signature");
+ }
+
+ final PGPSignatureList signatureList = (PGPSignatureList)
object;
+ final PGPSignature signature = signatureList.iterator().next();
+ verified = onePassSignature.verify(signature);
+ } else {
+ throw new IllegalStateException(String.format("Unexpected PGP
Object Found [%s]", object.getClass()));
+ }
+ }
+
+ assertTrue(verified);
+
+ final String literal = new String(outputStream.toByteArray(),
StandardCharsets.UTF_8);
+ assertEquals(DATA, literal);
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/VerifyContentPGPTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/VerifyContentPGPTest.java
new file mode 100644
index 0000000..33e74c3
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/VerifyContentPGPTest.java
@@ -0,0 +1,187 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp;
+
+import org.apache.nifi.pgp.service.api.PGPPublicKeyService;
+import org.apache.nifi.pgp.util.PGPFileUtils;
+import org.apache.nifi.pgp.util.PGPSecretKeyGenerator;
+import org.apache.nifi.pgp.util.PGPOperationUtils;
+import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
+import org.apache.nifi.reporting.InitializationException;
+import org.apache.nifi.util.LogMessage;
+import org.apache.nifi.util.MockFlowFile;
+import org.apache.nifi.util.TestRunner;
+import org.apache.nifi.util.TestRunners;
+import org.bouncycastle.bcpg.HashAlgorithmTags;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
+import
org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+public class VerifyContentPGPTest {
+ private static final String PASSPHRASE = UUID.randomUUID().toString();
+
+ private static final String SERVICE_ID =
PGPPublicKeyService.class.getName();
+
+ private static final int SIGNATURE_VERSION = 4;
+
+ private static final int HASH_ALGORITHM_ID = HashAlgorithmTags.SHA512;
+
+ private static final String DATA = VerifyContentPGPTest.class.getName();
+
+ private static final byte[] DATA_BINARY =
DATA.getBytes(StandardCharsets.UTF_8);
+
+ private static PGPPrivateKey rsaPrivateKey;
+
+ private static PGPPublicKey rsaPublicKey;
+
+ private TestRunner runner;
+
+ @Mock
+ private PGPPublicKeyService publicKeyService;
+
+ @BeforeAll
+ public static void setKeys() throws Exception {
+ final PGPSecretKey rsaSecretKey =
PGPSecretKeyGenerator.generateRsaSecretKey(PASSPHRASE.toCharArray());
+ final PBESecretKeyDecryptor decryptor = new
JcePBESecretKeyDecryptorBuilder().build(PASSPHRASE.toCharArray());
+ rsaPrivateKey = rsaSecretKey.extractPrivateKey(decryptor);
+ rsaPublicKey = rsaSecretKey.getPublicKey();
+ }
+
+ @BeforeEach
+ public void setRunner() throws InitializationException {
+ runner = TestRunners.newTestRunner(new VerifyContentPGP());
+
+ when(publicKeyService.getIdentifier()).thenReturn(SERVICE_ID);
+ runner.addControllerService(SERVICE_ID, publicKeyService);
+ runner.enableControllerService(publicKeyService);
+ runner.setProperty(EncryptContentPGP.PUBLIC_KEY_SERVICE, SERVICE_ID);
+ }
+
+ @Test
+ public void testFailureDataNotFound() {
+ runner.enqueue(new byte[]{});
+ runner.run();
+
+ assertFailureErrorLogged();
+ }
+
+ @Test
+ public void testFailureFlowFileUnchanged() {
+ runner.enqueue(DATA);
+ runner.run();
+
+ assertFailureErrorLogged();
+ final MockFlowFile flowFile =
runner.getFlowFilesForRelationship(VerifyContentPGP.FAILURE).iterator().next();
+ flowFile.assertContentEquals(DATA);
+ }
+
+ @Test
+ public void testFailurePublicKeyNotFoundDataUnchanged() throws
PGPException, IOException {
+ final byte[] signed =
PGPOperationUtils.getOnePassSignedLiteralData(DATA_BINARY, rsaPrivateKey);
+
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format((rsaPublicKey.getKeyID()));
+
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.empty());
+
+ runner.enqueue(signed);
+ runner.run();
+
+ assertFailureErrorLogged();
+ final MockFlowFile flowFile =
runner.getFlowFilesForRelationship(VerifyContentPGP.FAILURE).iterator().next();
+ flowFile.assertContentEquals(signed);
+ assertFlowFileAttributesFound(flowFile);
+ }
+
+ @Test
+ public void testSuccessAsciiDataUnpacked() throws PGPException,
IOException {
+ final byte[] signed =
PGPOperationUtils.getOnePassSignedLiteralData(DATA_BINARY, rsaPrivateKey);
+ final String armored = PGPFileUtils.getArmored(signed);
+
+ setPublicKeyId();
+ runner.enqueue(armored);
+ runner.run();
+
+ final MockFlowFile flowFile = assertSuccess();
+ flowFile.assertContentEquals(DATA);
+ }
+
+ @Test
+ public void testSuccessBinaryDataUnpacked() throws PGPException,
IOException {
+ final byte[] signed =
PGPOperationUtils.getOnePassSignedLiteralData(DATA_BINARY, rsaPrivateKey);
+
+ setPublicKeyId();
+ runner.enqueue(signed);
+ runner.run();
+
+ final MockFlowFile flowFile = assertSuccess();
+ flowFile.assertContentEquals(DATA);
+ }
+
+ private void setPublicKeyId() {
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format((rsaPrivateKey.getKeyID()));
+
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(rsaPublicKey));
+ }
+
+ private MockFlowFile assertSuccess() throws PGPException {
+ runner.assertAllFlowFilesTransferred(VerifyContentPGP.SUCCESS);
+ final MockFlowFile flowFile =
runner.getFlowFilesForRelationship(VerifyContentPGP.SUCCESS).iterator().next();
+ assertFlowFileAttributesFound(flowFile);
+ return flowFile;
+ }
+
+ private void assertFailureErrorLogged() {
+ runner.assertAllFlowFilesTransferred(VerifyContentPGP.FAILURE);
+ final Optional<LogMessage> optionalLogMessage =
runner.getLogger().getErrorMessages().stream().findFirst();
+ assertTrue(optionalLogMessage.isPresent());
+ }
+
+ private void assertFlowFileAttributesFound(final MockFlowFile flowFile)
throws PGPException {
+ flowFile.assertAttributeExists(PGPAttributeKey.LITERAL_DATA_FILENAME);
+ flowFile.assertAttributeExists(PGPAttributeKey.LITERAL_DATA_MODIFIED);
+
+ final String signatureAlgorithm =
PGPUtil.getSignatureName(rsaPublicKey.getAlgorithm(), HASH_ALGORITHM_ID);
+ final String keyId =
KeyIdentifierConverter.format((rsaPrivateKey.getKeyID()));
+
+ flowFile.assertAttributeExists(PGPAttributeKey.SIGNATURE_CREATED);
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_ALGORITHM,
signatureAlgorithm);
+
flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_HASH_ALGORITHM_ID,
Integer.toString(HASH_ALGORITHM_ID));
+
flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_KEY_ALGORITHM_ID,
Integer.toString(rsaPublicKey.getAlgorithm()));
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_KEY_ID,
keyId);
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_TYPE_ID,
Integer.toString(PGPSignature.BINARY_DOCUMENT));
+ flowFile.assertAttributeEquals(PGPAttributeKey.SIGNATURE_VERSION,
Integer.toString(SIGNATURE_VERSION));
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/io/EncodingStreamCallbackTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/io/EncodingStreamCallbackTest.java
new file mode 100644
index 0000000..3926a0b
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/io/EncodingStreamCallbackTest.java
@@ -0,0 +1,96 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.io;
+
+import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
+import org.apache.nifi.processors.pgp.attributes.FileEncoding;
+import org.apache.nifi.stream.io.StreamUtils;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+public class EncodingStreamCallbackTest {
+ private static final String FILENAME = String.class.getName();
+
+ private static final byte[] DATA =
String.class.getSimpleName().getBytes(StandardCharsets.UTF_8);
+
+ @Test
+ public void testProcessBinaryCompressionZip() throws IOException,
PGPException {
+ final CompressionAlgorithm compressionAlgorithm =
CompressionAlgorithm.ZIP;
+ final EncodingStreamCallback callback = new
EncodingStreamCallback(FileEncoding.BINARY, compressionAlgorithm, FILENAME);
+ final ByteArrayInputStream inputStream = new
ByteArrayInputStream(DATA);
+ final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ callback.process(inputStream, outputStream);
+
+ final InputStream processed = new
ByteArrayInputStream(outputStream.toByteArray());
+ final InputStream compressedInputStream =
assertCompressDataEquals(processed, compressionAlgorithm);
+ assertLiteralDataEquals(compressedInputStream);
+ }
+
+ @Test
+ public void testProcessAsciiCompressionBzip2() throws IOException,
PGPException {
+ final CompressionAlgorithm compressionAlgorithm =
CompressionAlgorithm.BZIP2;
+ final EncodingStreamCallback callback = new
EncodingStreamCallback(FileEncoding.ASCII, compressionAlgorithm, FILENAME);
+ final ByteArrayInputStream inputStream = new
ByteArrayInputStream(DATA);
+ final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ callback.process(inputStream, outputStream);
+
+ final InputStream processed = PGPUtil.getDecoderStream(new
ByteArrayInputStream(outputStream.toByteArray()));
+ final InputStream compressedInputStream =
assertCompressDataEquals(processed, compressionAlgorithm);
+ assertLiteralDataEquals(compressedInputStream);
+ }
+
+ private InputStream assertCompressDataEquals(final InputStream processed,
final CompressionAlgorithm compressionAlgorithm) throws IOException,
PGPException {
+ final PGPObjectFactory objectFactory = new
JcaPGPObjectFactory(processed);
+ final Object firstObject = objectFactory.nextObject();
+ assertNotNull(firstObject);
+ assertEquals(PGPCompressedData.class, firstObject.getClass());
+
+ final PGPCompressedData compressedData = (PGPCompressedData)
firstObject;
+ assertEquals(compressionAlgorithm.getId(),
compressedData.getAlgorithm());
+ return compressedData.getDataStream();
+ }
+
+ private void assertLiteralDataEquals(final InputStream inputStream) throws
IOException {
+ final PGPObjectFactory compressedObjectFactory = new
JcaPGPObjectFactory(inputStream);
+ final Object firstCompressedObject =
compressedObjectFactory.nextObject();
+ assertNotNull(firstCompressedObject);
+ assertEquals(PGPLiteralData.class, firstCompressedObject.getClass());
+
+ final PGPLiteralData literalData = (PGPLiteralData)
firstCompressedObject;
+ assertEquals(FILENAME, literalData.getFileName());
+ assertEquals(PGPLiteralData.BINARY, literalData.getFormat());
+
+ final ByteArrayOutputStream literalOutputStream = new
ByteArrayOutputStream();
+ StreamUtils.copy(literalData.getDataStream(), literalOutputStream);
+ assertArrayEquals(DATA, literalOutputStream.toByteArray());
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/io/KeyIdentifierConverterTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/io/KeyIdentifierConverterTest.java
new file mode 100644
index 0000000..7c047b3
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/io/KeyIdentifierConverterTest.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.pgp.io;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class KeyIdentifierConverterTest {
+ private static final long KEY_ID = Long.MAX_VALUE;
+
+ private static final String KEY_ID_FORMATTED = "7FFFFFFFFFFFFFFF";
+
+ private static final String INVALID = Long.class.getSimpleName();
+
+ @Test
+ public void testFormat() {
+ final String formatted = KeyIdentifierConverter.format(KEY_ID);
+ assertEquals(KEY_ID_FORMATTED, formatted);
+ }
+
+ @Test
+ public void testParse() {
+ final long parsed = KeyIdentifierConverter.parse(KEY_ID_FORMATTED);
+ assertEquals(KEY_ID, parsed);
+ }
+
+ @Test
+ public void testParseNumberFormatException() {
+ assertThrows(NumberFormatException.class, () ->
KeyIdentifierConverter.parse(INVALID));
+ }
+}
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPOperationUtils.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPOperationUtils.java
new file mode 100644
index 0000000..63e1fe7
--- /dev/null
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPOperationUtils.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.pgp.util;
+
+import org.bouncycastle.bcpg.HashAlgorithmTags;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Date;
+
+/**
+ * Pretty Good Privacy Operation Utilities
+ */
+public class PGPOperationUtils {
+ private static final boolean NESTED_SIGNATURE_DISABLED = false;
+
+ private static final int BUFFER_SIZE = 2048;
+
+ private static final long MODIFIED_MILLISECONDS = 86400000;
+
+ private static final Date MODIFIED = new Date(MODIFIED_MILLISECONDS);
+
+ private static final String FILE_NAME = String.class.getSimpleName();
+
+ private static final char FILE_TYPE = PGPLiteralDataGenerator.BINARY;
+
+ /**
+ * Get data signed using one-pass signature generator
+ *
+ * @param contents Byte array contents to be signed
+ * @param privateKey Private Key used for signing
+ * @return Signed byte array
+ * @throws PGPException Thrown when signature initialization failed
+ * @throws IOException Thrown when signature generation failed
+ */
+ public static byte[] getOnePassSignedData(final byte[] contents, final
PGPPrivateKey privateKey) throws IOException, PGPException {
+ final PGPSignatureGenerator signatureGenerator =
getSignatureGenerator(privateKey);
+
+ final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ final PGPOnePassSignature onePassSignature =
signatureGenerator.generateOnePassVersion(NESTED_SIGNATURE_DISABLED);
+ onePassSignature.encode(outputStream);
+
+ outputStream.write(contents);
+ signatureGenerator.update(contents);
+
+ final PGPSignature signature = signatureGenerator.generate();
+ signature.encode(outputStream);
+ return outputStream.toByteArray();
+ }
+
+ /**
+ * Get data signed using one-pass signature generator wrapping literal data
+ *
+ * @param contents Byte array contents to be signed
+ * @param privateKey Private Key used for signing
+ * @return Signed byte array
+ * @throws PGPException Thrown when signature initialization failed
+ * @throws IOException Thrown when signature generation failed
+ */
+ public static byte[] getOnePassSignedLiteralData(final byte[] contents,
final PGPPrivateKey privateKey) throws IOException, PGPException {
+ final PGPSignatureGenerator signatureGenerator =
getSignatureGenerator(privateKey);
+
+ final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ final PGPOnePassSignature onePassSignature =
signatureGenerator.generateOnePassVersion(NESTED_SIGNATURE_DISABLED);
+ onePassSignature.encode(outputStream);
+
+ final PGPLiteralDataGenerator generator = new
PGPLiteralDataGenerator();
+ final byte[] buffer = new byte[BUFFER_SIZE];
+ try (final OutputStream literalStream = generator.open(outputStream,
FILE_TYPE, FILE_NAME, MODIFIED, buffer)) {
+ literalStream.write(contents);
+ signatureGenerator.update(contents);
+ }
+
+ final PGPSignature signature = signatureGenerator.generate();
+ signature.encode(outputStream);
+ return outputStream.toByteArray();
+ }
+
+ private static PGPSignatureGenerator getSignatureGenerator(final
PGPPrivateKey privateKey) throws PGPException {
+ final PGPContentSignerBuilder contentSignerBuilder = new
JcaPGPContentSignerBuilder(privateKey.getPublicKeyPacket().getAlgorithm(),
HashAlgorithmTags.SHA512);
+ final PGPSignatureGenerator signatureGenerator = new
PGPSignatureGenerator(contentSignerBuilder);
+ signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+ return signatureGenerator;
+ }
+}
