This is an automated email from the ASF dual-hosted git repository.
chriss pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new ccfdfddaae NIFI-14300 Removed Bouncy Castle references from NiFi
Registry
ccfdfddaae is described below
commit ccfdfddaaeef7ca904ad9cb79545d4ad3cdac03c
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Feb 27 23:04:16 2025 -0600
NIFI-14300 Removed Bouncy Castle references from NiFi Registry
Signed-off-by: Chris Sampson <[email protected]>
This closes #9751.
---
.../nifi-registry-framework/pom.xml | 34 ----------
.../nifi-registry-properties/pom.xml | 4 --
.../nifi-registry-security-utils/pom.xml | 4 --
.../nifi/registry/security/util/CryptoUtils.java | 73 ----------------------
.../nifi/registry/security/util/KeyStoreUtils.java | 42 -------------
.../registry/security/util/KeyStoreUtilsTest.java | 37 -----------
.../kerberos/KerberosSpnegoIdentityProvider.java | 13 ----
.../web/api/UnsecuredNiFiRegistryClientIT.java | 8 ---
8 files changed, 215 deletions(-)
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
b/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
index 7445608f3a..d29ecbd3d0 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-framework/pom.xml
@@ -311,40 +311,6 @@
<groupId>org.eclipse.jgit</groupId>
<artifactId>org.eclipse.jgit.gpg.bc</artifactId>
<version>${jgit.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpg-jdk15on</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcutil-jdk15on</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpg-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcutil-jdk18on</artifactId>
</dependency>
<dependency>
<groupId>org.eclipse.jgit</groupId>
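Review bot: With the `<exclusions>` block gone, `org.eclipse.jgit.gpg.bc` stays declared and now brings in whatever Bouncy Castle artifacts its own POM lists, so Bouncy Castle probably remains on the framework classpath as a transitive dependency rather than a direct one. The four explicit `jdk18on` declarations dropped here were also what tied those artifacts to this build; unless a parent `dependencyManagement` section (not visible in this diff) still pins them, the resolved versions now follow `${jgit.version}`. Running `mvn dependency:tree` on this module would confirm which `org.bouncycastle` artifacts and versions end up in the assembly. Either record the intent next to the dependency, e.g. `<!-- Bouncy Castle is resolved transitively through JGit GPG support -->`, or drop `org.eclipse.jgit.gpg.bc` as well if GPG signing is not used. The enclosing `<dependencies>` element starts and ends outside the hunk.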
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml
b/nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml
index 6b8022a46f..21eb4271c3 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml
@@ -36,9 +36,5 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk18on</artifactId>
- </dependency>
</dependencies>
</project>
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/pom.xml
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/pom.xml
index ef095f3281..e8b7334b34 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/pom.xml
@@ -27,10 +27,6 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk18on</artifactId>
- </dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/CryptoUtils.java
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/CryptoUtils.java
deleted file mode 100644
index 8d8b8bae53..0000000000
---
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/CryptoUtils.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.security.util;
-
-import javax.crypto.Cipher;
-import java.security.NoSuchAlgorithmException;
-
-public class CryptoUtils {
-
- /**
- * Required Cipher transformations according to Java SE 8 {@link Cipher}
docs
- */
- private static final String[] standardCryptoTransformations = {
- "AES/CBC/NoPadding",
- "AES/CBC/PKCS5Padding",
- "AES/ECB/NoPadding",
- "AES/ECB/PKCS5Padding",
- "DES/CBC/NoPadding",
- "DES/CBC/PKCS5Padding",
- "DES/ECB/NoPadding",
- "DES/ECB/PKCS5Padding",
- "DESede/CBC/NoPadding",
- "DESede/CBC/PKCS5Padding",
- "DESede/ECB/NoPadding",
- "DESede/ECB/PKCS5Padding",
- "RSA/ECB/PKCS1Padding",
- "RSA/ECB/OAEPWithSHA-1AndMGF1Padding",
- "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
- };
-
- /**
- * Check if cryptographic strength available in this Java Runtime is
restricted.
- *
- * Not every Java Platform supports "unlimited strength encryption",
- * so this convenience method provides a way to check if strength of crypto
- * functions (i.e., max key length) is unlimited or restricted in the
- * current Java runtime environment.
- *
- * @return true if it can be determined that max key lengths are less than
unlimited
- * false if key lengths are restricted
- * null if max key length cannot be determined for any known
Cipher transformations */
- public static Boolean isCryptoRestricted() {
-
- for (String transformation : standardCryptoTransformations) {
- try {
- return Cipher.getMaxAllowedKeyLength(transformation) <
Integer.MAX_VALUE;
- } catch (final NoSuchAlgorithmException ignored) {
- // Unexpected as we are pulling from a list of transforms that
every
- // java platform is required to support, but try the next one
- }
- }
-
- // Tried every standard Cipher transformation and none were available,
- // so crypto strength restrictions cannot be determined.
- return null;
-
- }
-
-}
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
deleted file mode 100644
index 26e2af9622..0000000000
---
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.nifi.registry.security.util;
-
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-
-public class KeyStoreUtils {
- private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new
BouncyCastleProvider();
-
- /**
- * Returns an empty KeyStore backed by the appropriate provider
- *
- * @param keyStoreType the keyStoreType
- * @return an empty KeyStore
- * @throws KeyStoreException if a KeyStore of the given type cannot be
instantiated
- */
- public static KeyStore getKeyStore(final String keyStoreType) throws
KeyStoreException {
- if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
- return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
- } else {
- return KeyStore.getInstance(keyStoreType);
- }
- }
-}
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
deleted file mode 100644
index 2e81a15084..0000000000
---
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.security.util;
-
-import org.junit.jupiter.api.Test;
-
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-
-public class KeyStoreUtilsTest {
-
- @Test
- public void testGetKeyStore() throws KeyStoreException {
- for (final KeystoreType keystoreType : KeystoreType.values()) {
- final KeyStore keyStore =
KeyStoreUtils.getKeyStore(keystoreType.toString());
- assertNotNull(keyStore, String.format("KeyStore not found for
Keystore Type [%s]", keystoreType));
- assertEquals(keystoreType.name(), keyStore.getType());
- }
- }
-}
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/kerberos/KerberosSpnegoIdentityProvider.java
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/kerberos/KerberosSpnegoIdentityProvider.java
index 839021a915..ac5d6fd14b 100644
---
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/kerberos/KerberosSpnegoIdentityProvider.java
+++
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/kerberos/KerberosSpnegoIdentityProvider.java
@@ -26,7 +26,6 @@ import
org.apache.nifi.registry.security.authentication.exception.IdentityAccess
import
org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException;
import
org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import
org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
-import org.apache.nifi.registry.security.util.CryptoUtils;
import org.apache.nifi.registry.util.FormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -146,18 +145,6 @@ public class KerberosSpnegoIdentityProvider implements
IdentityProvider {
} catch (AuthenticationException e) {
String authFailedMessage = "Kerberos credentials could not be
authenticated.";
-
- /* Kerberos uses encryption with up to AES-256, specifically
AES256-CTS-HMAC-SHA1-96.
- * That is not available in every JRE, particularly if Unlimited
Strength Encryption
- * policies are not installed in the Java home lib dir. The
Kerberos lib does not
- * differentiate between failures due to decryption and those due
to bad credentials
- * without walking the causes of the exception, so this check puts
something
- * potentially useful in the logs for those troubleshooting
Kerberos authentication. */
- if (!Boolean.FALSE.equals(CryptoUtils.isCryptoRestricted())) {
- authFailedMessage += " This Java Runtime does not support
unlimited strength encryption. " +
- "This could cause Kerberos authentication to fail as
it can require AES-256.";
- }
-
logger.info(authFailedMessage);
throw new InvalidCredentialsException(authFailedMessage, e);
}
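Review bot: After this removal the catch block logs only the fixed text `Kerberos credentials could not be authenticated.` and never passes `e` to the logger, so the log can no longer separate a decryption or key-type failure from bad credentials. The deleted comment noted that this distinction needs a walk through the exception causes. A low-noise way to keep that detail for operators is to add `logger.debug("Kerberos authentication failure cause", e);` beside the existing `logger.info` call, which leaves the message carried by `InvalidCredentialsException` unchanged. `authFailedMessage` is no longer reassigned and could be declared `final`. The enclosing try block and method start outside the hunk.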
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java
index 5915e73a90..aaf1eb1fe0 100644
---
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java
+++
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java
@@ -16,7 +16,6 @@
*/
package org.apache.nifi.registry.web.api;
-import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.extension.ExtensionMetadata;
import org.apache.nifi.flow.VersionedProcessGroup;
@@ -41,7 +40,6 @@ import org.apache.nifi.registry.flow.VersionedFlowSnapshot;
import org.apache.nifi.registry.flow.VersionedFlowSnapshotMetadata;
import org.apache.nifi.registry.revision.entity.RevisionInfo;
import org.apache.nifi.registry.util.FileUtils;
-import org.bouncycastle.util.encoders.Hex;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
@@ -182,12 +180,6 @@ public class UnsecuredNiFiRegistryClientIT extends
UnsecuredITBase {
return createdBundleVersion;
}
- private String calculateSha256Hex(final String narFile) throws IOException
{
- try (final InputStream bundleInputStream = new
FileInputStream(narFile)) {
- return Hex.toHexString(DigestUtils.sha256(bundleInputStream));
- }
- }
-
private static Bucket createBucket(BucketClient bucketClient, int num)
throws IOException, NiFiRegistryException {
final Bucket bucket = new Bucket();
bucket.setName("Bucket #" + num);