Alan,

The processor properties for public keyring file and secret keyring file are fairly explicit in their names, so when I upgraded the BouncyCastle dependencies, I wrote logic that performs strict validation on the file format because the underlying library code changed substantially. I was unaware anyone was using the individual key file there.

I have created a Jira [1] for 0.7.0 to add custom logic to handle this scenario.

[1] https://issues.apache.org/jira/browse/NIFI-1694

Andy LoPresto
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Mar 29, 2016, at 8:03 AM, Alan Jackoway <[email protected]> wrote:
>
> I don't get a stacktrace. Probably because it is a validation failure and the
> error is caught at
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java#L288
>
> I couldn't get your template to work without the gpgkeyring file. However,
> that clued me into what I believe is the problem.
>
> I have not been using a public keyring file, but rather the public key
> itself. Somehow that used to work, but the parameter has always been called
> Public Keyring File so I was using it wrong the whole time.
>
> I attached the encrypt template that is working for me back in 0.3.0 (and
> should work in 0.4.1 but not 0.5.1)
>
> To fix it for 0.5.1, I had to make a real keyring file AND change the user id
> to be the right thing.
>
> This feels like a regression to me, but one where I was not following the
> instructions all along.
>
> Thanks,
> Alan
>
> On Tue, Mar 29, 2016 at 1:15 AM, Andy LoPresto <[email protected]> wrote:
> The only other thing I can think of off the top of my head is that the userID
> specification may have changed with the BouncyCastle upgrade and the provided
> userID of just an email may be incomplete? In my testing, I had to specify
> the "name", "description", and "email" fields from the key in the format
> below in order to match the exact format that the library reads from the
> keyring.
>
> userID = "Name (Description) <Email>"
>
> You can test this and evaluate what the library sees as the key userID by
> attaching a remote debugger to your running instance and evaluating inside
> the iterator loop here [1].
>
> I'm not sure what version of GPG you're running, but it is worth
> investigating if the format of the stored key no longer matches how NiFi was
> reading it.
>
> [1]
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/crypto/OpenPGPKeyBasedEncryptor.java#L200
>
> Andy LoPresto
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> > On Mar 28, 2016, at 18:24, Andy LoPresto <[email protected]> wrote:
> >
> > Forgot to mention you’ll want to change the input/output directories in the
> > GetFile and PutFile processors, as well as the paths to the public and
> > secret keyring, the user ID, and the password for the EncryptContent
> > processors.
> >
> > Andy LoPresto
> > [email protected]
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> >
> >> On Mar 28, 2016, at 4:04 PM, Andy LoPresto <[email protected]> wrote:
> >>
> >> Hi Alan,
> >>
> >> I am investigating this issue (spinning up an instance, setting up a flow
> >> that involves PGP encryption and decryption, etc.) to verify.
> >>
> >> As an aside, the setting for “Key Derivation Function” is irrelevant if
> >> “Encryption Algorithm” is set to “PGP” or “PGP_ASCII_ARMOR”. The KDF is
> >> required for symmetric encryption (deriving a key from the provided
> >> password), but not used for PGP encryption/decryption at all.
> >> Unfortunately, we cannot currently display/hide or change the
> >> required-ness of processor properties based on the value of other
> >> properties. There is an existing Jira open [1] to enhance this
> >> functionality. Perhaps this can be better documented in the Admin Guide
> >> [2].
> >>
> >> Can you also provide the full stacktrace and your system configuration, if
> >> possible, to help with the troubleshooting? Thank you.
> >>
> >> [1] https://issues.apache.org/jira/browse/NIFI-1121
> >> [2]
> >> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#encryption
> >>
> >> Andy LoPresto
> >> [email protected]
> >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> >>
> >>> On Mar 28, 2016, at 2:18 PM, Alan Jackoway <[email protected]> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I had an EncryptContent processor running with PGP public key encryption
> >>> when we were running NiFi 0.4.x.
> >>>
> >>> We recently went up to a 0.5.x, which includes NIFI-1257 and NIFI-1259.
> >>> Now my EncryptContent processors are failing to validate my key with an
> >>> error message:
> >>> 'Public Keyring File' is invalid because Invalid Public Keyring File
> >>> filename because java.io.IOException: invalid header encountered
> >>>
> >>> I tried all the key derivation functions, but in all cases I got the same
> >>> error.
> >>>
> >>> Is there an easy way to talk NiFi into using my key again?
> >>>
> >>> I have attached a public key that works on 0.3.0 (I didn't have 0.4 on my
> >>> machine for some reason) but fails in 0.5.1. The user id is
> >>> [email protected]
> >>>
> >>> Is there any easy fix? Should I file a jira?
> >>>
> >>> Since it said invalid header, I tried taking out the comment at the top
> >>> of the key. That didn't work.
> >>>
> >>> Thanks,
> >>> Alan
> >>> <TestPublicKey.asc>
> >
> > <AlanEncryptTemplate.xml>
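As an added example (not NiFi or BouncyCastle code, and not written by anyone in this thread): a Python pre-flight check that reports whether a key file is ASCII-armored, how many primary key packets it holds, and the exact user ID strings stored in it, which is the value the thread suggests inspecting with a debugger. The function names and the sample key bytes are constructed for illustration; the header parsing follows RFC 4880 section 4.2 and does not reproduce the processor's own validation.

```python
import base64

ARMOR = b"-----BEGIN PGP"

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor when present."""
    if not data.lstrip().startswith(ARMOR):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]       # skip armor headers and END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def packets(buf: bytes):
    """Yield (tag, body) per packet, following RFC 4880 section 4.2."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        if not hdr & 0x80:
            raise ValueError(f"invalid packet header at offset {i - 1}")
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, buf[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + buf[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n, i = int.from_bytes(buf[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        if i + n > len(buf):
            raise ValueError("truncated packet")
        yield tag, buf[i:i + n]
        i += n

def describe(data: bytes) -> dict:
    pkts = list(packets(dearmor(data)))
    return {"armored": data.lstrip().startswith(ARMOR),
            "primary_keys": sum(t == 6 for t, _ in pkts),    # tag 6: public key
            "user_ids": [b.decode("utf-8", "replace") for t, b in pkts if t == 13]}

def sample_key(uid: str) -> bytes:
    """Constructed sample: dummy tag-6 body plus a tag-13 user ID packet."""
    u = uid.encode()
    return bytes([0x98, 4]) + b"\x04\x00\x00\x00" + bytes([0xC0 | 13, len(u)]) + u

UID = "Test User (constructed sample) <test@example.invalid>"
SAMPLE_BIN = sample_key(UID)
SAMPLE_ASC = (ARMOR + b" PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
              + base64.b64encode(SAMPLE_BIN) + b"\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Running `describe()` on the file configured as the Public Keyring File shows the complete stored user ID string, so it can be compared character for character with the processor's user ID setting.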
