exceptionfactory commented on a change in pull request #4809: URL: https://github.com/apache/nifi/pull/4809#discussion_r583143047
########## File path: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/crypto/KeyDerivationBcryptSecureHasher.java ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.security.util.crypto; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; + +/** + * Extension of Bcrypt Secure Hasher used for Key Derivation support specified of Derived Key Length + */ +public class KeyDerivationBcryptSecureHasher extends BcryptSecureHasher { + private static final Logger LOGGER = LoggerFactory.getLogger(KeyDerivationBcryptSecureHasher.class); + + private static final String DIGEST_ALGORITHM = "SHA-512"; + + private static final int HASH_START_INDEX = 29; + + private final int derivedKeyLength; + + private final boolean digestBcryptHash; + + /** + * Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length + * + * @param derivedKeyLength Derived Key Length + */ + public KeyDerivationBcryptSecureHasher(final int derivedKeyLength) { + this.derivedKeyLength = derivedKeyLength; + this.digestBcryptHash = false; + } + + /** + * Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length and Cost Parameters + * + * @param derivedKeyLength Derived Key Length + * @param cost Cost Parameter for calculation + * @param digestBcryptHash Enable to disable digesting of bcrypt hash to support legacy derivation functions + */ + public KeyDerivationBcryptSecureHasher(final int derivedKeyLength, final int cost, final boolean digestBcryptHash) { + super(cost); + this.derivedKeyLength = derivedKeyLength; + this.digestBcryptHash = digestBcryptHash; + } + + /** + * Hash raw bytes using provided salt and then leverage SHA-512 to digest the results and truncate to length requested + * + * @param input Raw bytes to be hashed + * @param rawSalt Raw salt bytes to be hashed + * @return Hash bytes digested using SHA-512 and truncated to derived key length configured + */ + @Override + byte[] hash(final byte[] input, final byte[] rawSalt) { + final byte[] bcryptHash = super.hash(input, rawSalt); + + final MessageDigest messageDigest = getMessageDigest(); + byte[] digest; + if (digestBcryptHash) { + LOGGER.warn("Using Legacy Key Derivation based on digested bcrypt hash including algorithm parameters"); + digest = messageDigest.digest(bcryptHash); + } else { + // Truncate bcrypt hash and remove algorithm parameters + byte[] hash = Arrays.copyOfRange(bcryptHash, HASH_START_INDEX, bcryptHash.length); Review comment: This approach is migrated from the `BcryptCipherProvider`. Apparently early versions of the `BcryptCipherProvider` digested all of the bytes returned from `BcryptSecureHasher`, however, the value returned includes not only the bcrypt hash itself, but also additional parameters include cost, salt, and version information. The [bcrypt page on Wikipedia](https://en.wikipedia.org/wiki/Bcrypt#Description) has a good example of what is returned. In summary, the reason for the flag is to provide backward compatibility, whereas the behavior should only use the actual hash section of what gets returned. Do you think additional details are necessary in the comment on this line of code? ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
