exceptionfactory opened a new pull request #5457: URL: https://github.com/apache/nifi/pull/5457
#### Description of PR NIFI-7322 Adds `SignContentPGP` and `VerifyContentPGP` Processors to the `nifi-pgp-processors` module and includes related updates to `DecryptContentPGP` and `EncryptContentPGP`. The `SignContentPGP` Processor supports the following features: - Configurable `Signing Strategy` property supporting `SIGNED` messages with signature and message, or `DETACHED` signatures - Configurable `Compression Algorithm` supporting OpenPGP compression options - Configurable `File Encoding` support `BINARY` or `ASCII` Armor encoding - Configurable `Hash Algorithm` for signature generation supporting a subset of RFC 4880 options based on current security best practices: `SHA256`, `SHA384`, and `SHA512`, with `SHA512` as the default value - Configurable `Private Key Service` requiring a PGP Private Key Service - Configurable `Private Key ID` supporting standard 16 character hexadecimal key identifiers - Writing PGP signature algorithm FlowFile attributes based on configured values The `VerifyContentPGP` Processor supports the following features: - Configurable `Public Key Service` which the processor uses to find matching PGP Public Keys using the key identifier found on OpenPGP signature packets - Writing PGP signature algorithm FlowFile attributes based on parsed values The `DecryptContentPGP` Processor includes the following changes: - New `Decryption Strategy` property, defaulting to `DECRYPTED`, maintaining the current default behavior of decrypting content and unpacking literal data packets without signature verification - `PACKAGED` setting for `Decryption Strategy` instructing the processor to write decrypted contents as an OpenPGP message to support sending to `VerifyContentPGP` when signature verification is expected after decryption The `EncryptContentPGP` Processor includes the following changes: - Internal detection of OpenPGP packets in FlowFile contents to support encryption after signing without wrapping the content inside a new PGP Literal Data packet All new processors and features include unit tests to demonstrate expected behavior. NIFI-7322 included a request to support the Cleartext Signature Framework described in [RFC 4880 Section 7](https://datatracker.ietf.org/doc/html/rfc4880#section-7), however this capability is not included for several reasons. The Cleartext Signature Framework, also described as [clearsigning](https://www.gnupg.org/gph/en/manual/r684.html) in GPG documentation, is not suitable for generalized processing. Clearsigning requires text input and involves specialized end-of-line handling. Clearsigning also appends the signature to the end of the message in a format specific to GPG processing. As mentioned in RFC 4880 Section 7, [RFC 3156](https://datatracker.ietf.org/doc/html/rfc3156) describes a more generalized standard for packaging signature and content using MIME formatting. Using standard OpenPGP message formatting for signed information provides the widest compatibility across OpenPGP implementations, and also supports any handling any type in input contents. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [X] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)? - [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._ ### For code changes: - [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder? - [X] Have you written or updated unit tests to verify your changes? - [X] Have you verified that the full build is successful on JDK 8? - [ ] Have you verified that the full build is successful on JDK 11? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`? - [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`? - [X] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
