This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 64edc60716 NIFI-14189 Upgraded Bouncy Castle from 1.79 to 1.80 This
closes #9661
64edc60716 is described below
commit 64edc607164e423675c585a5b0069e398e300e14
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Jan 23 11:09:05 2025 -0600
NIFI-14189 Upgraded Bouncy Castle from 1.79 to 1.80
This closes #9661
- Updated DecryptContentPGP to handle unknown symmetric algorithm on
decryption failures
- Updated DecryptContentPGPTest to use Bouncy Castle instead of JCE
implementation of Password-Based Key Encryption method to address algorithm
registration issues for Bouncy Castle algorithms
Signed-off-by: Joseph Witt <[email protected]>
---
.../apache/nifi/processors/pgp/DecryptContentPGP.java | 17 ++++++++++++-----
.../nifi/processors/pgp/DecryptContentPGPTest.java | 6 +++---
pom.xml | 2 +-
3 files changed, 16 insertions(+), 9 deletions(-)
diff --git
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
index 92c651ebd7..f46e849cb0 100644
---
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
+++
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/DecryptContentPGP.java
@@ -42,6 +42,7 @@ import org.apache.nifi.pgp.service.api.KeyIdentifierConverter;
import org.apache.nifi.stream.io.StreamUtils;
import org.apache.nifi.util.StringUtils;
+import org.bouncycastle.bcpg.KeyIdentifier;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPEncryptedData;
import org.bouncycastle.openpgp.PGPEncryptedDataList;
@@ -323,7 +324,8 @@ public class DecryptContentPGP extends AbstractProcessor {
} else if (publicKeyData.hasNext()) {
while (publicKeyData.hasNext()) {
final PGPPublicKeyEncryptedData publicKeyEncryptedData =
publicKeyData.next();
- final long keyId = publicKeyEncryptedData.getKeyID();
+ final KeyIdentifier publicKeyIdentifier =
publicKeyEncryptedData.getKeyIdentifier();
+ final long keyId = publicKeyIdentifier.getKeyId();
final Optional<PGPPrivateKey> privateKey =
privateKeyService.findPrivateKey(keyId);
if (privateKey.isPresent()) {
supportedEncryptedData = publicKeyEncryptedData;
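Review bot: The two-step `getKeyIdentifier()` then `getKeyId()` lookup added here is repeated verbatim in the hunk at line 404; a small private helper such as `private static long getKeyId(final PGPPublicKeyEncryptedData data) { return data.getKeyIdentifier().getKeyId(); }` would keep both call sites in step as the Bouncy Castle API evolves. Presumably a wildcard (anonymous recipient) identifier yields a key id of zero, in which case `findPrivateKey` returns empty exactly as it did with the deprecated `getKeyID()`; a one-line comment at the call site stating that this is intended would save the next reader the check. The enclosing method begins and ends outside the hunk.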
@@ -404,7 +406,8 @@ public class DecryptContentPGP extends AbstractProcessor {
if (privateKeyService == null) {
throw new PGPProcessException("PGP Public Key Encryption
Found: Private Key Service not configured");
} else {
- final long keyId = publicKeyEncryptedData.getKeyID();
+ final KeyIdentifier publicKeyIdentifier =
publicKeyEncryptedData.getKeyIdentifier();
+ final long keyId = publicKeyIdentifier.getKeyId();
final Optional<PGPPrivateKey> foundPrivateKey =
privateKeyService.findPrivateKey(keyId);
if (foundPrivateKey.isPresent()) {
final PGPPrivateKey privateKey = foundPrivateKey.get();
@@ -421,9 +424,13 @@ public class DecryptContentPGP extends AbstractProcessor {
}
private void setSymmetricKeyAlgorithmAttributes(final int
symmetricAlgorithm) {
- final String blockCipher =
PGPUtil.getSymmetricCipherName(symmetricAlgorithm);
-
attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_BLOCK_CIPHER,
blockCipher);
- attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID,
Integer.toString(symmetricAlgorithm));
+ try {
+ final String blockCipher =
PGPUtil.getSymmetricCipherName(symmetricAlgorithm);
+
attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_BLOCK_CIPHER,
blockCipher);
+ attributes.put(PGPAttributeKey.SYMMETRIC_KEY_ALGORITHM_ID,
Integer.toString(symmetricAlgorithm));
+ } catch (final IllegalArgumentException e) {
+ throw new PGPDecryptionException("PGP Symmetric Algorithm [%d]
not valid".formatted(symmetricAlgorithm));
+ }
}
private boolean isVerified(final PGPEncryptedData encryptedData) {
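Review bot: The new catch in `setSymmetricKeyAlgorithmAttributes` discards the caught `IllegalArgumentException`, so the library's own message about the unknown algorithm is lost from the stack trace; if `PGPDecryptionException` has a cause-accepting constructor, `throw new PGPDecryptionException("PGP Symmetric Algorithm [%d] not valid".formatted(symmetricAlgorithm), e);` preserves it. Only `PGPUtil.getSymmetricCipherName` can throw here, so the two `attributes.put` calls could follow the try block rather than sit inside it, which makes the guarded call explicit. Since the algorithm identifier appears to be taken from the encrypted data rather than from processor configuration, a comment such as `// Algorithm identifier comes from the encrypted packet and may not be known to Bouncy Castle` would explain why the method now fails with a decryption error instead of propagating the runtime exception.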
diff --git
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
index e1eeba050e..8dcafd734b 100644
---
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
+++
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/DecryptContentPGPTest.java
@@ -48,9 +48,9 @@ import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPBEKeyEncryptionMethodGenerator;
import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
import
org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
-import
org.bouncycastle.openpgp.operator.jcajce.JcePBEKeyEncryptionMethodGenerator;
import
org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
@@ -437,14 +437,14 @@ public class DecryptContentPGPTest {
private byte[] getPasswordBasedEncryptedData(final int
encryptionAlgorithm, final byte[] contents, final boolean integrityEnabled)
throws IOException, PGPException {
final PGPDataEncryptorBuilder builder = new
BcPGPDataEncryptorBuilder(encryptionAlgorithm).setWithIntegrityPacket(integrityEnabled);
final PGPEncryptedDataGenerator generator = new
PGPEncryptedDataGenerator(builder);
- generator.addMethod(new
JcePBEKeyEncryptionMethodGenerator(PASSPHRASE.toCharArray()));
+ generator.addMethod(new
BcPBEKeyEncryptionMethodGenerator(PASSPHRASE.toCharArray()));
return getEncryptedData(generator, contents);
}
private byte[] getPasswordBasedAndPublicKeyEncryptedData(final byte[]
contents, final PGPPublicKey publicKey) throws IOException, PGPException {
final PGPDataEncryptorBuilder builder = new
BcPGPDataEncryptorBuilder(ENCRYPTION_ALGORITHM).setWithIntegrityPacket(INTEGRITY_ENABLED);
final PGPEncryptedDataGenerator generator = new
PGPEncryptedDataGenerator(builder);
- generator.addMethod(new
JcePBEKeyEncryptionMethodGenerator(PASSPHRASE.toCharArray()));
+ generator.addMethod(new
BcPBEKeyEncryptionMethodGenerator(PASSPHRASE.toCharArray()));
generator.addMethod(new
BcPublicKeyKeyEncryptionMethodGenerator(publicKey));
return getEncryptedData(generator, contents);
}
diff --git a/pom.xml b/pom.xml
index 77cc9bc1fb..b5dced87e8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -127,7 +127,7 @@
<org.apache.commons.text.version>1.13.0</org.apache.commons.text.version>
<org.apache.httpcomponents.httpclient.version>4.5.14</org.apache.httpcomponents.httpclient.version>
<org.apache.httpcomponents.httpcore.version>4.4.16</org.apache.httpcomponents.httpcore.version>
- <org.bouncycastle.version>1.79</org.bouncycastle.version>
+ <org.bouncycastle.version>1.80</org.bouncycastle.version>
<pmd.version>7.9.0</pmd.version>
<testcontainers.version>1.20.4</testcontainers.version>
<org.slf4j.version>2.0.16</org.slf4j.version>