This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/support/nifi-1.x by this push:
new 60749b1a75 NIFI-11277 Deprecated bcrypt and scrypt Properties
Algorithms
60749b1a75 is described below
commit 60749b1a75e3e498be74dc9bd12164a976c9ae5a
Author: exceptionfactory <[email protected]>
AuthorDate: Mon Mar 13 11:59:01 2023 -0500
NIFI-11277 Deprecated bcrypt and scrypt Properties Algorithms
- Deprecated 128 bit key variants of Sensitive Properties Algorithms
- Updated documentation to recommend either NIFI_ARGON2_AES_GCM_256 or
NIFI_PBKDF2_AES_GCM_256
Signed-off-by: Pierre Villard <[email protected]>
This closes #7040.
---
nifi-commons/nifi-property-encryptor/pom.xml | 5 +++++
.../apache/nifi/encrypt/PropertyEncryptionMethod.java | 6 ++++++
.../nifi/encrypt/StandardPropertySecretKeyProvider.java | 16 ++++++++++++++++
nifi-docs/src/main/asciidoc/administration-guide.adoc | 7 +++++--
4 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/nifi-commons/nifi-property-encryptor/pom.xml
b/nifi-commons/nifi-property-encryptor/pom.xml
index 71eb05d54e..c3e8b4358b 100644
--- a/nifi-commons/nifi-property-encryptor/pom.xml
+++ b/nifi-commons/nifi-property-encryptor/pom.xml
@@ -39,5 +39,10 @@
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-deprecation-log</artifactId>
+ <version>1.21.0-SNAPSHOT</version>
+ </dependency>
</dependencies>
</project>
diff --git
a/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/PropertyEncryptionMethod.java
b/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/PropertyEncryptionMethod.java
index 420684396d..5371d98209 100644
---
a/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/PropertyEncryptionMethod.java
+++
b/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/PropertyEncryptionMethod.java
@@ -23,20 +23,26 @@ import org.apache.nifi.security.util.KeyDerivationFunction;
* Property Encryption Method enumerates supported values in addition to
{@link org.apache.nifi.security.util.EncryptionMethod}
*/
public enum PropertyEncryptionMethod {
+ @Deprecated
NIFI_ARGON2_AES_GCM_128(KeyDerivationFunction.ARGON2,
EncryptionMethod.AES_GCM,128),
NIFI_ARGON2_AES_GCM_256(KeyDerivationFunction.ARGON2,
EncryptionMethod.AES_GCM, 256),
+ @Deprecated
NIFI_BCRYPT_AES_GCM_128(KeyDerivationFunction.BCRYPT,
EncryptionMethod.AES_GCM, 128),
+ @Deprecated
NIFI_BCRYPT_AES_GCM_256(KeyDerivationFunction.BCRYPT,
EncryptionMethod.AES_GCM, 256),
+ @Deprecated
NIFI_PBKDF2_AES_GCM_128(KeyDerivationFunction.PBKDF2,
EncryptionMethod.AES_GCM, 128),
NIFI_PBKDF2_AES_GCM_256(KeyDerivationFunction.PBKDF2,
EncryptionMethod.AES_GCM, 256),
+ @Deprecated
NIFI_SCRYPT_AES_GCM_128(KeyDerivationFunction.SCRYPT,
EncryptionMethod.AES_GCM, 128),
+ @Deprecated
NIFI_SCRYPT_AES_GCM_256(KeyDerivationFunction.SCRYPT,
EncryptionMethod.AES_GCM, 256);
private static final int HASH_LENGTH_DIVISOR = 8;
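Review bot: The `@Deprecated` annotations added on the six constants carry no `@deprecated` Javadoc tag, so the generated API documentation tells callers the constant is deprecated but not what to migrate to. Each 128-bit constant should be preceded by a comment such as `/** @deprecated 128-bit key lengths are deprecated; use {@link #NIFI_ARGON2_AES_GCM_256} or {@link #NIFI_PBKDF2_AES_GCM_256} */`, and the bcrypt and scrypt constants by `/** @deprecated bcrypt and scrypt key derivation is deprecated; use {@link #NIFI_PBKDF2_AES_GCM_256} */`, which matches the replacements named in the commit description and the administration guide. The enum body continues past the end of the hunk.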
diff --git
a/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/StandardPropertySecretKeyProvider.java
b/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/StandardPropertySecretKeyProvider.java
index 4a5bf0139f..4d6c45700d 100644
---
a/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/StandardPropertySecretKeyProvider.java
+++
b/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/StandardPropertySecretKeyProvider.java
@@ -17,6 +17,8 @@
package org.apache.nifi.encrypt;
import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.deprecation.log.DeprecationLogger;
+import org.apache.nifi.deprecation.log.DeprecationLoggerFactory;
import org.apache.nifi.security.util.KeyDerivationFunction;
import org.apache.nifi.security.util.crypto.Argon2SecureHasher;
import org.apache.nifi.security.util.crypto.KeyDerivationBcryptSecureHasher;
@@ -64,6 +66,7 @@ class StandardPropertySecretKeyProvider implements
PropertySecretKeyProvider {
final KeyDerivationFunction keyDerivationFunction =
propertyEncryptionMethod.getKeyDerivationFunction();
final int keyLength = propertyEncryptionMethod.getKeyLength();
LOGGER.debug("Generating [{}-{}] Secret Key using [{}]",
SECRET_KEY_ALGORITHM, keyLength, keyDerivationFunction.getKdfName());
+ logDeprecated(propertyEncryptionMethod);
final SecureHasher secureHasher =
getSecureHasher(propertyEncryptionMethod);
final byte[] passwordBinary = password.getBytes(PASSWORD_CHARSET);
@@ -88,4 +91,17 @@ class StandardPropertySecretKeyProvider implements
PropertySecretKeyProvider {
throw new EncryptionException(message);
}
}
+
+ private static void logDeprecated(final PropertyEncryptionMethod method) {
+ final DeprecationLogger deprecationLogger =
DeprecationLoggerFactory.getLogger(StandardPropertySecretKeyProvider.class);
+ final PropertyEncryptionMethod recommendedMethod =
PropertyEncryptionMethod.NIFI_PBKDF2_AES_GCM_256;
+ final KeyDerivationFunction keyDerivationFunction =
method.getKeyDerivationFunction();
+ final int keyLength = method.getKeyLength();
+
+ if (KeyDerivationFunction.BCRYPT == keyDerivationFunction ||
KeyDerivationFunction.SCRYPT == keyDerivationFunction) {
+ deprecationLogger.warn("Sensitive Properties Algorithm [{}] is
deprecated in favor of [{}]", method, recommendedMethod);
+ } else if (keyLength == 128) {
+ deprecationLogger.warn("Sensitive Properties Algorithm [{}] Key
Length [{}] should be upgraded to Key Length [{}]", method, keyLength,
recommendedMethod.getKeyLength());
+ }
+ }
}
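Review bot: `logDeprecated` calls `DeprecationLoggerFactory.getLogger(StandardPropertySecretKeyProvider.class)` on every invocation, and the call site added in the earlier hunk runs it on each key derivation, while the class already keeps its ordinary logger in a static `LOGGER` field; the deprecation logger should follow the same pattern, `private static final DeprecationLogger DEPRECATION_LOGGER = DeprecationLoggerFactory.getLogger(StandardPropertySecretKeyProvider.class);`, with the local removed. The 128-bit branch compares against the literal `128` while the message takes the replacement length from `recommendedMethod.getKeyLength()`; writing the condition as `} else if (keyLength < recommendedMethod.getKeyLength()) {` keeps the check and the message in step if the recommended method changes. A one-line Javadoc would also help, e.g. `/** Logs a deprecation warning for bcrypt and scrypt derivation functions and for 128-bit key lengths; does not affect the derived key. */`. The warning text carries only the algorithm name and key lengths, so no key material reaches the log, which is as it should be.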
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 2fd8ad4a93..82fff7328c 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -2020,12 +2020,15 @@ Each Key Derivation Function also uses default
iteration and cost parameters as
=== Property Encryption Algorithms
The following strong encryption methods can be configured in the
`nifi.sensitive.props.algorithm` property:
-* `NIFI_ARGON2_AES_GCM_128`
* `NIFI_ARGON2_AES_GCM_256`
+* `NIFI_PBKDF2_AES_GCM_256`
+
+The following sensitive properties algorithms are deprecated and will be
removed in subsequent major releases:
+
+* `NIFI_ARGON2_AES_GCM_128`
* `NIFI_BCRYPT_AES_GCM_128`
* `NIFI_BCRYPT_AES_GCM_256`
* `NIFI_PBKDF2_AES_GCM_128`
-* `NIFI_PBKDF2_AES_GCM_256`
* `NIFI_SCRYPT_AES_GCM_128`
* `NIFI_SCRYPT_AES_GCM_256`