exceptionfactory opened a new pull request, #6821: URL: https://github.com/apache/nifi/pull/6821
# Summary

[NIFI-11022](https://issues.apache.org/jira/browse/NIFI-11022) Adds the following new Processors to support decryption of content encrypted using the `EncryptContent` Processor:

- `DecryptContentCompatibilityMode`
- `DecryptContentEncoded`

A new `nifi-cipher-bundle` with `nifi-cipher-nar` module contains the new Processors. A new `nifi-security-crypto-key` module in `nifi-commons` provides standard interfaces and implementations of strong Key Derivation Functions using Bouncy Castle components.

The purpose of the new Processors is to maintain components that are capable of decrypting historical information without needing to maintain encryption of insecure and custom formats.

## DecryptContentCompatibilityMode

The `DecryptContentCompatibilityMode` Processor focuses on legacy Password-Based Encryption algorithms, many of which are defined in [RFC 8018](https://www.rfc-editor.org/rfc/rfc8018). The Processor supports a `Key Derivation Strategy` using either [OpenSSL EVP BytesToKey](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) or [Jasypt Java simplified encryption](http://www.jasypt.org/). These settings map to the OpenSSL and NiFi Legacy settings in the `EncryptContent` Processor.

Neither of these key derivation strategies meets the security requirements of modern cryptography, so the `DecryptContentCompatibilityMode` Processor exists exclusively to provide compatibility with historical modes of encryption. This Processor relies on the Bouncy Castle Security Provider to support cipher operations, but avoids global registration of the provider.

## DecryptContentEncoded

The `DecryptContentEncoded` Processor focuses on newer Key Derivation Functions, supporting Argon2, bcrypt, PBKDF2, and scrypt algorithms. The Processor supports selection of `Cipher Algorithm Mode` and `Cipher Algorithm Padding`, defaulting to `GCM` and `NoPadding` respectively. These settings match the default configuration of `EncryptContent` for the AES symmetric cipher.

The `EncryptContent` Processor and supporting implementation components write encrypted content using a format that is specific to Apache NiFi, and also write the content header using a standard byte format specific to each supported Key Derivation Function. The `DecryptContentEncoded` Processor leverages this standard byte formatting to determine the appropriate Key Derivation Function for decryption. The Processor supports a `Key Specification Format` property, defaulting to `PASSWORD`, but also allowing `RAW` to enable configuration of a raw key encoded as a hexadecimal string.

Both the `DecryptContentEncoded` Processor and the supporting `nifi-security-crypto-key` library include extensive tests to exercise byte format detection and cipher algorithm configurations.

# Tracking

Please complete the following tracking steps prior to pull request creation.

### Issue Tracking

- [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created

### Pull Request Tracking

- [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
- [X] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`

### Pull Request Formatting

- [X] Pull Request based on current revision of the `main` branch
- [X] Pull Request refers to a feature branch with one commit containing changes

# Verification

Please indicate the verification steps performed prior to pull request creation.

### Build

- [X] Build completed using `mvn clean install -P contrib-check`
  - [X] JDK 8
  - [X] JDK 11
  - [X] JDK 17

### Licensing

- [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
- [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files

### Documentation

- [ ] Documentation formatting appears as expected in rendered files
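As an added illustration (not code from this pull request or from Apache NiFi), the OpenSSL EVP_BytesToKey derivation that the `DecryptContentCompatibilityMode` strategy has to reproduce, written from the algorithm in the linked OpenSSL man page; the password and salt are constructed sample values, and the defaults (MD5, a single iteration) are the ones the man page documents as OpenSSL's legacy behaviour.

```python
import hashlib


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5", count: int = 1) -> tuple[bytes, bytes]:
    """Derive (key, iv) as OpenSSL's EVP_BytesToKey does.

    Per the EVP_BytesToKey(3) man page:
        D_i = HASH^count(D_(i-1) || password || salt), with D_0 empty
    and key || iv is taken from the concatenation D_1 || D_2 || ...
    Each block of derived material costs only `count` hash invocations,
    which is why this scheme is treated as a compatibility-only KDF.
    """
    if salt and len(salt) != 8:
        raise ValueError("OpenSSL uses an 8-byte salt or no salt at all")
    derived = b""
    block = b""  # D_0 is the empty string
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):  # HASH^count: re-hash the block count-1 more times
            block = hashlib.new(digest, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def derive_aes_256_cbc(password: bytes, salt: bytes, digest: str = "md5") -> tuple[str, str]:
    """Convenience wrapper for the AES-256-CBC key/IV sizes (32-byte key, 16-byte IV)."""
    key, iv = evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest=digest)
    return key.hex(), iv.hex()


if __name__ == "__main__":
    # Constructed sample values; a real OpenSSL "Salted__" header carries the 8-byte salt.
    sample_password = b"correct horse battery staple"
    sample_salt = bytes.fromhex("0102030405060708")
    key_hex, iv_hex = derive_aes_256_cbc(sample_password, sample_salt)
    print(f"key={key_hex}\niv={iv_hex}")
```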
