thenatog commented on a change in pull request #4809: URL: https://github.com/apache/nifi/pull/4809#discussion_r583153473
########## File path: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/crypto/KeyDerivationBcryptSecureHasher.java ########## @@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.security.util.crypto; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; + +/** + * Extension of Bcrypt Secure Hasher used for Key Derivation support specified of Derived Key Length + */ +public class KeyDerivationBcryptSecureHasher extends BcryptSecureHasher { + private static final Logger LOGGER = LoggerFactory.getLogger(KeyDerivationBcryptSecureHasher.class); + + private static final String DIGEST_ALGORITHM = "SHA-512"; + + private static final int HASH_START_INDEX = 29; + + private final int derivedKeyLength; + + private final boolean digestBcryptHash; + + /** + * Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length + * + * @param derivedKeyLength Derived Key Length + */ + public KeyDerivationBcryptSecureHasher(final int derivedKeyLength) { + this.derivedKeyLength = derivedKeyLength; + this.digestBcryptHash = false; + } + + /** + * Key Deriviation Bcrypt Secure Hasher with specified Derived Key Length and Cost Parameters + * + * @param derivedKeyLength Derived Key Length + * @param cost Cost Parameter for calculation + * @param digestBcryptHash Enable to disable digesting of bcrypt hash to support legacy derivation functions + */ + public KeyDerivationBcryptSecureHasher(final int derivedKeyLength, final int cost, final boolean digestBcryptHash) { + super(cost); + this.derivedKeyLength = derivedKeyLength; + this.digestBcryptHash = digestBcryptHash; + } + + /** + * Hash raw bytes using provided salt and then leverage SHA-512 to digest the results and truncate to length requested + * + * @param input Raw bytes to be hashed + * @param rawSalt Raw salt bytes to be hashed + * @return Hash bytes digested using SHA-512 and truncated to derived key length configured + */ + @Override + byte[] hash(final byte[] input, final byte[] rawSalt) { + final byte[] bcryptHash = super.hash(input, rawSalt); + + final MessageDigest messageDigest = getMessageDigest(); + byte[] digest; + if (digestBcryptHash) { + LOGGER.warn("Using Legacy Key Derivation based on digested bcrypt hash including algorithm parameters"); + digest = messageDigest.digest(bcryptHash); + } else { + // Truncate bcrypt hash and remove algorithm parameters + byte[] hash = Arrays.copyOfRange(bcryptHash, HASH_START_INDEX, bcryptHash.length); Review comment: Ah okay, so just to confirm, on line 81 we extract only the hash (and dropping the hash params), and then on line 85 we return the hash truncated to the specified key length? Makes sense now. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
