This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 58f93d1f8b NIFI-10085 Removed
CryptoUtility.isUnlimitedStrengthCryptoSupported() and references
58f93d1f8b is described below
commit 58f93d1f8b812b87a82348b7b60ecd1f376441a5
Author: Emilio Setiadarma <[email protected]>
AuthorDate: Fri Jun 3 00:38:13 2022 -0700
NIFI-10085 Removed CryptoUtility.isUnlimitedStrengthCryptoSupported() and
references
This closes #6098
Signed-off-by: David Handermann <[email protected]>
---
.../nifi/security/util/crypto/CipherUtility.java | 9 --
.../crypto/Argon2CipherProviderGroovyTest.groovy | 9 +-
.../crypto/BcryptCipherProviderGroovyTest.groovy | 9 +-
.../NiFiLegacyCipherProviderGroovyTest.groovy | 43 ---------
.../OpenSSLPKCS5CipherProviderGroovyTest.groovy | 4 -
.../crypto/PBKDF2CipherProviderGroovyTest.groovy | 8 +-
.../crypto/ScryptCipherProviderGroovyTest.groovy | 11 +--
.../nifi/processors/standard/EncryptContent.java | 29 ------
.../standard/TestEncryptContentGroovy.groovy | 103 +--------------------
.../processors/standard/TestEncryptContent.java | 24 +----
10 files changed, 11 insertions(+), 238 deletions(-)
diff --git
a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/crypto/CipherUtility.java
b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/crypto/CipherUtility.java
index 85016ecc7f..4f1ba11978 100644
---
a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/crypto/CipherUtility.java
+++
b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/crypto/CipherUtility.java
@@ -31,7 +31,6 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
-import java.security.NoSuchAlgorithmException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
@@ -327,14 +326,6 @@ public class CipherUtility {
return
MAX_PASSWORD_LENGTH_BY_ALGORITHM.getOrDefault(encryptionMethod.getAlgorithm(),
-1);
}
- public static boolean isUnlimitedStrengthCryptoSupported() {
- try {
- return (Cipher.getMaxAllowedKeyLength("AES") >
DEFAULT_MAX_ALLOWED_KEY_LENGTH);
- } catch (NoSuchAlgorithmException e) {
- return false;
- }
- }
-
/**
* Returns the salt length for various PBE algorithms. These values were
determined empirically from configured/chosen legacy values from the earlier
version of the project.
*
diff --git
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/Argon2CipherProviderGroovyTest.groovy
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/Argon2CipherProviderGroovyTest.groovy
index 1bfb0313dc..66aa10383b 100644
---
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/Argon2CipherProviderGroovyTest.groovy
+++
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/Argon2CipherProviderGroovyTest.groovy
@@ -59,11 +59,7 @@ class Argon2CipherProviderGroovyTest extends GroovyTestCase {
logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
}
- if (CipherUtility.isUnlimitedStrengthCryptoSupported()) {
- AES_KEY_LENGTHS = [128, 192, 256]
- } else {
- AES_KEY_LENGTHS = [128]
- }
+ AES_KEY_LENGTHS = [128, 192, 256]
}
@BeforeEach
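Review bot: `AES_KEY_LENGTHS = [128, 192, 256]` now hard-codes the assumption that the test JVM runs with the unlimited-strength policy. On a runtime restricted by policy (for example with the `crypto.policy` security property set to `limited`), the 192- and 256-bit cases would fail with key-size errors instead of being skipped. A one-line comment above the assignment would record that assumption, e.g. `// Assumes the JVM's default unlimited-strength crypto policy; a restricted policy will fail these cases`. The same assignment is introduced in the BcryptCipherProviderGroovyTest, PBKDF2CipherProviderGroovyTest and ScryptCipherProviderGroovyTest hunks. The enclosing method starts outside the hunk.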
@@ -225,9 +221,6 @@ class Argon2CipherProviderGroovyTest extends GroovyTestCase
{
@Test
void testGetCipherWithUnlimitedStrengthShouldBeInternallyConsistent()
throws Exception {
// Arrange
-
Assumptions.assumeTrue(CipherUtility.isUnlimitedStrengthCryptoSupported(),
- "Test is being skipped due to this JVM lacking JCE Unlimited
Strength Jurisdiction Policy file.")
-
final String PASSWORD = "shortPassword"
final byte[] SALT = cipherProvider.generateSalt()
diff --git
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy
index 8d28e7709d..efecb9cbce 100644
---
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy
+++
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy
@@ -59,11 +59,7 @@ class BcryptCipherProviderGroovyTest {
logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
}
- if (CipherUtility.isUnlimitedStrengthCryptoSupported()) {
- AES_KEY_LENGTHS = [128, 192, 256]
- } else {
- AES_KEY_LENGTHS = [128]
- }
+ AES_KEY_LENGTHS = [128, 192, 256]
}
@Test
@@ -129,9 +125,6 @@ class BcryptCipherProviderGroovyTest {
@Test
void testGetCipherWithUnlimitedStrengthShouldBeInternallyConsistent()
throws Exception {
// Arrange
- assumeTrue(CipherUtility.isUnlimitedStrengthCryptoSupported(),
- "Test is being skipped due to this JVM lacking JCE Unlimited
Strength Jurisdiction Policy file.")
-
RandomIVPBECipherProvider cipherProvider = new BcryptCipherProvider(4)
final String PASSWORD = "shortPassword"
diff --git
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/NiFiLegacyCipherProviderGroovyTest.groovy
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/NiFiLegacyCipherProviderGroovyTest.groovy
index 525a4fae15..261e56f600 100644
---
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/NiFiLegacyCipherProviderGroovyTest.groovy
+++
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/NiFiLegacyCipherProviderGroovyTest.groovy
@@ -233,47 +233,4 @@ class NiFiLegacyCipherProviderGroovyTest {
assert plaintext.equals(recovered)
}
}
-
- /**
- * This test determines for each PBE encryption algorithm if it actually
requires the JCE unlimited strength jurisdiction policies to be installed.
- * Even some algorithms that use 128-bit keys (which should be allowed on
all systems) throw exceptions because BouncyCastle derives the key
- * from the password using a long digest result at the time of key length
checking.
- * @throws IOException
- */
- @EnabledIfSystemProperty(named = "legacyCipherTest", matches = "true",
disabledReason = "Only needed once to determine max supported password lengths")
- @Test
- void testShouldDetermineDependenceOnUnlimitedStrengthCrypto() throws
IOException {
- def encryptionMethods = EncryptionMethod.values().findAll {
it.algorithm.startsWith("PBE") }
-
- boolean unlimitedCryptoSupported =
CipherUtility.isUnlimitedStrengthCryptoSupported()
- logger.info("This JVM supports unlimited strength crypto:
${unlimitedCryptoSupported}")
-
- def longestSupportedPasswordByEM = [:]
-
- encryptionMethods.each { EncryptionMethod encryptionMethod ->
- logger.info("Attempting ${encryptionMethod.name()}
(${encryptionMethod.algorithm}) which claims unlimited strength required:
${encryptionMethod.unlimitedStrength}")
-
- (1..20).find { int length ->
- String password = "x" * length
-
- try {
- NiFiLegacyCipherProvider cipherProvider = new
NiFiLegacyCipherProvider()
- Cipher cipher = cipherProvider.getCipher(encryptionMethod,
password, true)
- return false
- } catch (Exception e) {
- logger.error("Unable to create the cipher with
${encryptionMethod.algorithm} and password ${password} (${password.length()})
due to ${e.getMessage()}")
- if
(!longestSupportedPasswordByEM.containsKey(encryptionMethod)) {
- longestSupportedPasswordByEM.put(encryptionMethod,
password.length() - 1)
- }
- return true
- }
- }
- logger.info("\n")
- }
-
- logger.info("Longest supported password by encryption method:")
- longestSupportedPasswordByEM.each { EncryptionMethod encryptionMethod,
int length ->
- logger.info("\t${encryptionMethod.algorithm}\t${length}")
- }
- }
}
\ No newline at end of file
diff --git
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/OpenSSLPKCS5CipherProviderGroovyTest.groovy
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/OpenSSLPKCS5CipherProviderGroovyTest.groovy
index b3c337b9b3..5a4a399d7c 100644
---
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/OpenSSLPKCS5CipherProviderGroovyTest.groovy
+++
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/OpenSSLPKCS5CipherProviderGroovyTest.groovy
@@ -33,7 +33,6 @@ import java.security.Security
import static groovy.test.GroovyAssert.shouldFail
import static org.junit.Assert.fail
-import static org.junit.jupiter.api.Assumptions.assumeTrue
class OpenSSLPKCS5CipherProviderGroovyTest {
private static final Logger logger =
LoggerFactory.getLogger(OpenSSLPKCS5CipherProviderGroovyTest.class)
@@ -107,9 +106,6 @@ class OpenSSLPKCS5CipherProviderGroovyTest {
@Test
void testGetCipherWithUnlimitedStrengthShouldBeInternallyConsistent()
throws Exception {
// Arrange
- assumeTrue(CipherUtility.isUnlimitedStrengthCryptoSupported(),
- "Test is being skipped due to this JVM lacking JCE Unlimited
Strength Jurisdiction Policy file.")
-
OpenSSLPKCS5CipherProvider cipherProvider = new
OpenSSLPKCS5CipherProvider()
final String PASSWORD = "shortPassword"
diff --git
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy
index 28aff8e859..c0b9fbd57a 100644
---
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy
+++
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy
@@ -20,7 +20,6 @@ import org.apache.commons.codec.binary.Hex
import org.apache.nifi.security.util.EncryptionMethod
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.junit.jupiter.api.BeforeAll
-import org.junit.jupiter.api.Disabled
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.condition.EnabledIfSystemProperty
import org.slf4j.Logger
@@ -31,7 +30,6 @@ import java.security.Security
import static groovy.test.GroovyAssert.shouldFail
import static org.junit.Assert.assertTrue
-import static org.junit.jupiter.api.Assumptions.assumeTrue
class PBKDF2CipherProviderGroovyTest {
private static final Logger logger =
LoggerFactory.getLogger(PBKDF2CipherProviderGroovyTest.class)
@@ -58,11 +56,7 @@ class PBKDF2CipherProviderGroovyTest {
logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
}
- if (CipherUtility.isUnlimitedStrengthCryptoSupported()) {
- AES_KEY_LENGTHS = [128, 192, 256]
- } else {
- AES_KEY_LENGTHS = [128]
- }
+ AES_KEY_LENGTHS = [128, 192, 256]
}
@Test
diff --git
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy
index bac83486e2..4c23b43ad7 100644
---
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy
+++
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy
@@ -23,7 +23,6 @@ import org.apache.nifi.security.util.crypto.scrypt.Scrypt
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.junit.jupiter.api.BeforeAll
import org.junit.jupiter.api.BeforeEach
-import org.junit.jupiter.api.Disabled
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.condition.EnabledIfSystemProperty
import org.slf4j.Logger
@@ -38,7 +37,6 @@ import java.security.Security
import static groovy.test.GroovyAssert.shouldFail
import static org.junit.Assert.assertTrue
-import static org.junit.jupiter.api.Assumptions.assumeTrue
class ScryptCipherProviderGroovyTest {
private static final Logger logger =
LoggerFactory.getLogger(ScryptCipherProviderGroovyTest.class)
@@ -63,11 +61,7 @@ class ScryptCipherProviderGroovyTest {
logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
}
- if (CipherUtility.isUnlimitedStrengthCryptoSupported()) {
- AES_KEY_LENGTHS = [128, 192, 256]
- } else {
- AES_KEY_LENGTHS = [128]
- }
+ AES_KEY_LENGTHS = [128, 192, 256]
}
@BeforeEach
@@ -135,9 +129,6 @@ class ScryptCipherProviderGroovyTest {
@Test
void testGetCipherWithUnlimitedStrengthShouldBeInternallyConsistent()
throws Exception {
// Arrange
- assumeTrue(CipherUtility.isUnlimitedStrengthCryptoSupported(),
- "Test is being skipped due to this JVM lacking JCE Unlimited
Strength Jurisdiction Policy file.")
-
final String PASSWORD = "shortPassword"
final byte[] SALT = cipherProvider.generateSalt()
diff --git
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java
index 522980c690..1b5f02d93a 100644
---
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java
+++
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java
@@ -437,8 +437,6 @@ public class EncryptContent extends AbstractProcessor {
private List<ValidationResult> validatePassword(EncryptionMethod
encryptionMethod, KeyDerivationFunction kdf, String password, boolean
allowWeakCrypto) {
List<ValidationResult> validationResults = new ArrayList<>();
- boolean limitedStrengthCrypto =
!CipherUtility.isUnlimitedStrengthCryptoSupported();
-
// Password required (short circuits validation because other
conditions depend on password presence)
if (StringUtils.isEmpty(password)) {
validationResults.add(new
ValidationResult.Builder().subject(PASSWORD.getName())
@@ -456,40 +454,13 @@ public class EncryptContent extends AbstractProcessor {
}
}
- // Multiple checks on machine with limited strength crypto
- if (limitedStrengthCrypto) {
- // Cannot use unlimited strength ciphers on machine that lacks
policies
- if (encryptionMethod.isUnlimitedStrength()) {
- validationResults.add(new
ValidationResult.Builder().subject(ENCRYPTION_ALGORITHM.getName())
- .explanation(encryptionMethod.name() + " (" +
encryptionMethod.getAlgorithm() + ") is not supported by this JVM due to
lacking JCE Unlimited " +
- "Strength Jurisdiction Policy files. See Admin
Guide.").build());
- }
-
- // Check if the password exceeds the limit
- final boolean passwordLongerThanLimit =
!CipherUtility.passwordLengthIsValidForAlgorithmOnLimitedStrengthCrypto(passwordBytesLength,
encryptionMethod);
- if (passwordLongerThanLimit) {
- int maxPasswordLength =
CipherUtility.getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto(encryptionMethod);
- validationResults.add(new
ValidationResult.Builder().subject(PASSWORD.getName())
- .explanation("Password length greater than " +
maxPasswordLength + " characters is not supported by this JVM" +
- " due to lacking JCE Unlimited Strength
Jurisdiction Policy files. See Admin Guide.").build());
- }
- }
-
return validationResults;
}
private List<ValidationResult> validateKeyed(EncryptionMethod
encryptionMethod, KeyDerivationFunction kdf, String keyHex, String password,
boolean allowWeakCrypto, boolean encrypt) {
List<ValidationResult> validationResults = new ArrayList<>();
- boolean limitedStrengthCrypto =
!CipherUtility.isUnlimitedStrengthCryptoSupported();
- if (limitedStrengthCrypto) {
- if (encryptionMethod.isUnlimitedStrength()) {
- validationResults.add(new
ValidationResult.Builder().subject(ENCRYPTION_ALGORITHM.getName())
- .explanation(encryptionMethod.name() + " (" +
encryptionMethod.getAlgorithm() + ") is not supported by this JVM due to
lacking JCE Unlimited " +
- "Strength Jurisdiction Policy files. See Admin
Guide.").build());
- }
- }
int allowedKeyLength =
PasswordBasedEncryptor.getMaxAllowedKeyLength(ENCRYPTION_ALGORITHM.getName());
// Scenario 1: RKH is present & KDF == NONE
diff --git
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestEncryptContentGroovy.groovy
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestEncryptContentGroovy.groovy
index 15b3f6d03f..0e711e9f0d 100644
---
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestEncryptContentGroovy.groovy
+++
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestEncryptContentGroovy.groovy
@@ -35,7 +35,6 @@ import org.apache.nifi.util.TestRunners
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.junit.After
import org.junit.Assert
-import org.junit.Assume
import org.junit.Before
import org.junit.BeforeClass
import org.junit.Test
@@ -81,9 +80,6 @@ class TestEncryptContentGroovy {
@Test
void testShouldValidateMaxKeySizeForAlgorithmsOnUnlimitedStrengthJVM()
throws IOException {
// Arrange
- Assume.assumeTrue("Test is being skipped due to this JVM lacking JCE
Unlimited Strength Jurisdiction Policy file.",
- CipherUtility.isUnlimitedStrengthCryptoSupported())
-
final TestRunner runner =
TestRunners.newTestRunner(EncryptContent.class)
Collection<ValidationResult> results
MockProcessContext pc
@@ -116,50 +112,6 @@ class TestEncryptContentGroovy {
Assert.assertTrue(message, vr.toString().contains(expectedResult))
}
- @Test
- void testShouldValidateMaxKeySizeForAlgorithmsOnLimitedStrengthJVM()
throws IOException {
- // Arrange
- Assume.assumeTrue("Test is being skipped because this JVM supports
unlimited strength crypto.",
- !CipherUtility.isUnlimitedStrengthCryptoSupported())
-
- final TestRunner runner =
TestRunners.newTestRunner(EncryptContent.class)
- Collection<ValidationResult> results
- MockProcessContext pc
-
- EncryptionMethod encryptionMethod = EncryptionMethod.AES_CBC
-
- final int MAX_KEY_LENGTH = 128
- final String TOO_LONG_KEY_HEX = "ab" * (MAX_KEY_LENGTH / 8 + 1)
- logger.info("Using key ${TOO_LONG_KEY_HEX}
(${TOO_LONG_KEY_HEX.length() * 4} bits)")
-
- runner.setProperty(EncryptContent.MODE, EncryptContent.ENCRYPT_MODE)
- runner.setProperty(EncryptContent.ENCRYPTION_ALGORITHM,
encryptionMethod.name())
- runner.setProperty(EncryptContent.KEY_DERIVATION_FUNCTION,
KeyDerivationFunction.NONE.name())
- runner.setProperty(EncryptContent.RAW_KEY_HEX, TOO_LONG_KEY_HEX)
-
- runner.enqueue(new byte[0])
- pc = (MockProcessContext) runner.getProcessContext()
-
- // Act
- results = pc.validate()
-
- // Assert
-
- // Two validation problems -- max key size and key length is invalid
- Assert.assertEquals(2, results.size())
- logger.expected(results)
- ValidationResult maxKeyLengthVR = results.first()
-
- String expectedResult = "'raw-key-hex' is invalid because Key length
greater than ${MAX_KEY_LENGTH} bits is not supported"
- String message = "'" + maxKeyLengthVR.toString() + "' contains '" +
expectedResult + "'"
- Assert.assertTrue(message,
maxKeyLengthVR.toString().contains(expectedResult))
-
- expectedResult = "'raw-key-hex' is invalid because Key must be valid
length [128, 192, 256]"
- ValidationResult keyLengthInvalidVR = results.last()
- message = "'" + keyLengthInvalidVR.toString() + "' contains '" +
expectedResult + "'"
- Assert.assertTrue(message,
keyLengthInvalidVR.toString().contains(expectedResult))
- }
-
@Test
void testShouldValidateKeyFormatAndSizeForAlgorithms() throws IOException {
// Arrange
@@ -379,10 +331,6 @@ class TestEncryptContentGroovy {
final String PASSWORD = "short"
def encryptionMethods = EncryptionMethod.values().findAll {
it.algorithm.startsWith("PBE") }
- if (!CipherUtility.isUnlimitedStrengthCryptoSupported()) {
- // Remove all unlimited strength algorithms
- encryptionMethods.removeAll { it.unlimitedStrength }
- }
runner.setProperty(EncryptContent.MODE, EncryptContent.ENCRYPT_MODE)
runner.setProperty(EncryptContent.PASSWORD, PASSWORD)
@@ -825,53 +773,6 @@ class TestEncryptContentGroovy {
assert [fiveSecondDiff, tenSecondDiff, parsedTenSecondDiff].every {
it.days == 0 }
}
- @Test
- void testShouldCheckMaximumLengthOfPasswordOnLimitedStrengthCryptoJVM()
throws IOException {
- // Arrange
- Assume.assumeTrue("Only run on systems with limited strength crypto",
!CipherUtility.isUnlimitedStrengthCryptoSupported())
-
- final TestRunner testRunner = TestRunners.newTestRunner(new
EncryptContent())
- testRunner.setProperty(EncryptContent.KEY_DERIVATION_FUNCTION,
KeyDerivationFunction.NIFI_LEGACY.name())
- testRunner.setProperty(EncryptContent.ALLOW_WEAK_CRYPTO,
WEAK_CRYPTO_ALLOWED)
-
- Collection<ValidationResult> results
- MockProcessContext pc
-
- def encryptionMethods = EncryptionMethod.values().findAll {
it.algorithm.startsWith("PBE") }
-
- // Use .find instead of .each to allow "breaks" using return false
- encryptionMethods.find { EncryptionMethod encryptionMethod ->
- def invalidPasswordLength =
CipherUtility.getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto(encryptionMethod)
+ 1
- String tooLongPassword = "x" * invalidPasswordLength
- if (encryptionMethod.isUnlimitedStrength() ||
encryptionMethod.isKeyedCipher()) {
- return false
- // cannot test unlimited strength in unit tests because it's
not enabled by the JVM by default.
- }
-
- testRunner.setProperty(EncryptContent.PASSWORD, tooLongPassword)
- logger.info("Attempting ${encryptionMethod.algorithm} with
password of length ${invalidPasswordLength}")
- testRunner.setProperty(EncryptContent.ENCRYPTION_ALGORITHM,
encryptionMethod.name())
- testRunner.setProperty(EncryptContent.MODE,
EncryptContent.ENCRYPT_MODE)
-
- testRunner.clearTransferState()
- testRunner.enqueue(new byte[0])
- pc = (MockProcessContext) testRunner.getProcessContext()
-
- // Act
- results = pc.validate()
-
- // Assert
- logger.expected(results)
- Assert.assertEquals(1, results.size())
- ValidationResult passwordLengthVR = results.first()
-
- String expectedResult = "'Password' is invalid because Password
length greater than ${invalidPasswordLength - 1} characters is not supported
by" +
- " this JVM due to lacking JCE Unlimited Strength
Jurisdiction Policy files."
- String message = "'" + passwordLengthVR.toString() + "' contains
'" + expectedResult + "'"
- Assert.assertTrue(message,
passwordLengthVR.toString().contains(expectedResult))
- }
- }
-
@Test
void testShouldCheckLengthOfPasswordWhenNotAllowed() throws IOException {
// Arrange
@@ -883,7 +784,7 @@ class TestEncryptContentGroovy {
def encryptionMethods = EncryptionMethod.values().findAll {
it.algorithm.startsWith("PBE") }
- boolean limitedStrengthCrypto =
!CipherUtility.isUnlimitedStrengthCryptoSupported()
+ boolean limitedStrengthCrypto = false
boolean allowWeakCrypto = false
testRunner.setProperty(EncryptContent.ALLOW_WEAK_CRYPTO,
WEAK_CRYPTO_NOT_ALLOWED)
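Review bot: `boolean limitedStrengthCrypto = false` keeps a local that can no longer vary, so any later code in this test that reads it (not visible in the hunk) carries a branch or argument that is always the same. Removing the variable and simplifying its uses would finish the clean-up. The next hunk (`@@ -933,7 +834,7 @@`) introduces the identical line and has the same issue. The test body continues past the end of the hunk.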
@@ -933,7 +834,7 @@ class TestEncryptContentGroovy {
def encryptionMethods = EncryptionMethod.values().findAll {
it.algorithm.startsWith("PBE") }
- boolean limitedStrengthCrypto =
!CipherUtility.isUnlimitedStrengthCryptoSupported()
+ boolean limitedStrengthCrypto = false
boolean allowWeakCrypto = true
testRunner.setProperty(EncryptContent.ALLOW_WEAK_CRYPTO,
WEAK_CRYPTO_ALLOWED)
diff --git
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestEncryptContent.java
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestEncryptContent.java
index f86d17b3f2..7dc66ce4b5 100644
---
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestEncryptContent.java
+++
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestEncryptContent.java
@@ -39,7 +39,6 @@ import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.KeyDerivationFunction;
-import org.apache.nifi.security.util.crypto.CipherUtility;
import org.apache.nifi.security.util.crypto.PasswordBasedEncryptor;
import org.apache.nifi.util.MockFlowFile;
import org.apache.nifi.util.MockProcessContext;
@@ -209,8 +208,8 @@ public class TestEncryptContent {
final String AES_ALGORITHM =
EncryptionMethod.MD5_256AES.getAlgorithm();
final String DES_ALGORITHM = EncryptionMethod.MD5_DES.getAlgorithm();
- final int AES_MAX_LENGTH =
CipherUtility.isUnlimitedStrengthCryptoSupported() ? Integer.MAX_VALUE : 128;
- final int DES_MAX_LENGTH =
CipherUtility.isUnlimitedStrengthCryptoSupported() ? Integer.MAX_VALUE : 64;
+ final int AES_MAX_LENGTH = Integer.MAX_VALUE;
+ final int DES_MAX_LENGTH = Integer.MAX_VALUE;
// Act
int determinedAESMaxLength =
PasswordBasedEncryptor.getMaxAllowedKeyLength(AES_ALGORITHM);
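Review bot: `AES_MAX_LENGTH` and `DES_MAX_LENGTH` now hold the same literal, so the two declarations can collapse into one, e.g. `final int EXPECTED_MAX_LENGTH = Integer.MAX_VALUE;`, used for both comparisons. As written, the expected value reflects the JVM's crypto policy rather than NiFi logic, so a runtime restricted to limited-strength crypto would presumably fail here rather than be skipped. A short comment stating that assumption would help whoever hits that failure. The assertions themselves sit below the end of the hunk.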
@@ -224,8 +223,6 @@ public class TestEncryptContent {
@Test
public void testShouldDecryptOpenSSLRawSalted() throws IOException {
// Arrange
- Assume.assumeTrue("Test is being skipped due to this JVM lacking JCE
Unlimited Strength Jurisdiction Policy file.",
- CipherUtility.isUnlimitedStrengthCryptoSupported());
final TestRunner testRunner = TestRunners.newTestRunner(new
EncryptContent());
@@ -258,8 +255,6 @@ public class TestEncryptContent {
@Test
public void testShouldDecryptOpenSSLRawUnsalted() throws IOException {
// Arrange
- Assume.assumeTrue("Test is being skipped due to this JVM lacking JCE
Unlimited Strength Jurisdiction Policy file.",
- CipherUtility.isUnlimitedStrengthCryptoSupported());
final TestRunner testRunner = TestRunners.newTestRunner(new
EncryptContent());
@@ -484,18 +479,9 @@ public class TestEncryptContent {
runner.setProperty(EncryptContent.PASSWORD,
"ThisIsAPasswordThatIsLongerThanSixteenCharacters");
pc = (MockProcessContext) runner.getProcessContext();
results = pc.validate();
- if (!CipherUtility.isUnlimitedStrengthCryptoSupported()) {
- logger.info(results.toString());
- Assert.assertEquals(1, results.size());
- for (final ValidationResult vr : results) {
- Assert.assertTrue(
- "Did not successfully catch validation error of a long
password in a non-JCE Unlimited Strength environment",
- vr.toString().contains("Password length greater than "
+
CipherUtility.getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto(encryptionMethod)
- + " characters is not supported by this JVM
due to lacking JCE Unlimited Strength Jurisdiction Policy files."));
- }
- } else {
- Assert.assertEquals(results.toString(), 0, results.size());
- }
+
+ Assert.assertEquals(results.toString(), 0, results.size());
+
runner.removeProperty(EncryptContent.PASSWORD);
runner.setProperty(EncryptContent.ENCRYPTION_ALGORITHM,
EncryptionMethod.PGP.name());