Andy LoPresto created NIFI-3063:
-----------------------------------

             Summary: TLS Toolkit ignores provided password if longer than 7 characters and switches to auto-generated 7 character password
                 Key: NIFI-3063
                 URL: https://issues.apache.org/jira/browse/NIFI-3063
             Project: Apache NiFi
          Issue Type: Bug
          Components: Tools and Build
    Affects Versions: 1.1.0
            Reporter: Andy LoPresto
            Priority: Critical


Because of work done for [NIFI-2943], the TLS Toolkit cannot accept a password 
longer than 7 characters for a PKCS12 keystore if the JCE unlimited strength 
cryptographic jurisdiction policies are not installed. While the tool correctly 
warns about this, it quietly switches from the provided password to an 
auto-generated 7 character password. There is a small log message saying the 
password has been switched to an auto-generated, reduced password, but this is 
easy to miss and surprising functionality. While not as secure, truncating the 
provided password to 7 characters is less likely to cause confusion for users. 

Example output:

{code}
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
🔒 7s @ 20:06:39 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:                                     WARNING!!!!
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out '/tmp/CN=test.p12'
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=test.p12' -out '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=test.p12'
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
🔒 6s @ 20:06:46 $ more CN\=test.password
aW5aV2E
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
🔒 4s @ 20:06:51 $
{code}

Suggested solutions (in order of preference):
# Fail to generate the keystore in this case and print reason
# Truncate provided password to 7 characters
# Print larger message explaining that the provided password is ignored completely and auto-generated password is used
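The first suggested behaviour, as an added illustration that is not NiFi's own code: detect whether the unlimited JCE policy is active with the standard {{javax.crypto.Cipher.getMaxAllowedKeyLength}} call and refuse to continue with a clear reason when the supplied PKCS12 password exceeds the 7 character limit described above, rather than silently substituting a generated one. The class name, the {{validatePassword}} method and the exit code are hypothetical.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical guard (not part of the NiFi TLS Toolkit) showing the
 * "fail and print the reason" option from the issue instead of quietly
 * swapping the user's password for a shorter auto-generated one.
 */
public final class Pkcs12PasswordGuard {
    /** Limit quoted in the issue for PKCS12 passwords without the unlimited JCE policy. */
    static final int LIMITED_POLICY_MAX_PASSWORD_LENGTH = 7;

    /** True when the unlimited strength jurisdiction policy files are active. */
    static boolean unlimitedJcePolicyInstalled() {
        try {
            // Returns Integer.MAX_VALUE only when no jurisdiction limit applies.
            return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("AES cipher unavailable in this JRE", e);
        }
    }

    /** Returns the password to use unchanged, or throws with an actionable reason. */
    static char[] validatePassword(char[] provided, boolean unlimitedPolicy) {
        if (provided == null || provided.length == 0) {
            throw new IllegalArgumentException("PKCS12 password must not be empty");
        }
        if (!unlimitedPolicy && provided.length > LIMITED_POLICY_MAX_PASSWORD_LENGTH) {
            throw new IllegalArgumentException(String.format(
                "Provided PKCS12 password is %d characters but the Unlimited JCE Policy is not "
                + "installed, so at most %d characters are supported. Install the policy files or "
                + "supply a shorter password. The keystore was NOT generated.",
                provided.length, LIMITED_POLICY_MAX_PASSWORD_LENGTH));
        }
        return provided;
    }

    public static void main(String[] args) {
        // Constructed sample input: the 8 character password from the issue's example run.
        char[] password = (args.length > 0 ? args[0] : "password").toCharArray();
        try {
            validatePassword(password, unlimitedJcePolicyInstalled());
            System.out.println("Password accepted; keystore generation may proceed.");
        } catch (IllegalArgumentException e) {
            System.err.println("ERROR: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

On a JRE without the unlimited policy this exits non-zero for the 8 character sample instead of writing a {{.password}} file containing a different secret than the one the operator typed.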


