exceptionfactory opened a new pull request, #9603: URL: https://github.com/apache/nifi/pull/9603
# Summary [NIFI-14048](https://issues.apache.org/jira/browse/NIFI-14048) Adjusts the framework web application security configuration to support fallback to the `RSA` key algorithm and the `PS512` JSON Web Signature algorithm when the runtime Java Security Provider does not support the `Ed25519` key algorithm. NiFi versions prior to 2.0.0 used `RSA` with `PS512` for signing and verifying Application Bearer Tokens. NiFi 2.0.0 changed the implementation to use `Ed25519` with `EdDSA` for smaller key and signature sizes providing similar or better security than RSA. At the time of this writing, Java Security Providers that enforce Federal Information Processing Standards do not include `Ed25519` in the list of approved algorithms. [FIPS 186-5](https://csrc.nist.gov/pubs/fips/186-5/final) published in February 2023 adds `Ed25519` to the list of approved algorithms, and FIPS providers such as [Bouncy Castle](https://www.bouncycastle.org/download/bouncy-castle-java-fips/roadmap/) have submitted versions for approval that include `Ed25519`. Although the project does not provide official support for operating in a mode compatible with FIPS providers, enabling fallback support for `RSA` enables a transitional upgrade path for current deployments. Instead of introducing a new framework configuration property, changes in this pull request use [java.security.Security](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/Security.html) to determine whether `Ed25519` is supported on startup. In absence of support for `Ed25519`, the framework selects `RSA` for rotating JWT key pair generation and `PS512` for token signing. The framework logs a message indicating the selected algorithm. This approach also provides the opportunity for subsequent removal when support for `Ed25519` is incorporated in providers such as Bouncy Castle. # Tracking Please complete the following tracking steps prior to pull request creation. ### Issue Tracking - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created ### Pull Request Tracking - [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000` - [X] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000` ### Pull Request Formatting - [X] Pull Request based on current revision of the `main` branch - [X] Pull Request refers to a feature branch with one commit containing changes # Verification Please indicate the verification steps performed prior to pull request creation. ### Build - [X] Build completed using `mvn clean install -P contrib-check` - [X] JDK 21 ### Licensing - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html) - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files ### Documentation - [ ] Documentation formatting appears as expected in rendered files -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
