[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16359174#comment-16359174
 ] 

ASF GitHub Bot commented on NIFI-3367:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2463#discussion_r167382434
  
    --- Diff: nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java ---
    @@ -171,6 +172,43 @@ private Date inFuture(int days) {
             return new Date(System.currentTimeMillis() + 
TimeUnit.DAYS.toMillis(days));
         }
     
    +    @Test
    +    public void testTokenLengthInCalculateHmac() throws 
CertificateException, NoSuchAlgorithmException {
    +        List<String> badTokens = new ArrayList<>();
    +        List<String> goodTokens = new ArrayList<>();
    +        badTokens.add(null);
    +        badTokens.add("");
    +        badTokens.add("123");
    +        goodTokens.add("0123456789abcdefghijklm");
    +        goodTokens.add("0123456789abcdef");
    +
    +        String dn = "CN=testDN,O=testOrg";
    +        X509Certificate x509Certificate = 
CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm,
 keySize), dn, signingAlgorithm, days);
    +        PublicKey pubKey = x509Certificate.getPublicKey();
    +
    +        for (String token : badTokens) {
    +            try {
    +                TlsHelper.calculateHMac(token, pubKey);
    +                fail("HMAC was calculated with a token that was too 
short.");
    +            } catch (GeneralSecurityException e) {
    +                assertEquals("Token does not meet minimum size of 16 
bytes.", e.getMessage());
    +            } catch (IllegalArgumentException e) {
    +                assertEquals("Token cannot be null", e.getMessage());
    +            }
    +        }
    +
    +        for (String token : goodTokens) {
    +            try {
    +                byte[] hmac = TlsHelper.calculateHMac(token, pubKey);
    +                assertTrue("HMAC length ok", hmac.length > 0);
    +            } catch (GeneralSecurityException e) {
    +                fail(e.getMessage());
    +            }
    +        }
    +
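    Review bot: the bad-token list stops at "123", so the off-by-one boundary of the 16-byte minimum is never exercised; alongside `badTokens.add("123");` add a 15-byte value such as `badTokens.add("0123456789abcde");` so a `<` versus `<=` mistake in `calculateHMac` would be caught (the good-token list already covers the exact 16-byte case). The assertion `assertTrue("HMAC length ok", hmac.length > 0);` is also weaker than it needs to be: an HMAC has a fixed output length for its algorithm, so asserting the exact length pins the construction rather than just "something came back". Minor: the bad-token loop swallows the two expected exception types but a mismatch in the message text is the only thing distinguishing them from each other, so consider separate test cases for the null and the too-short paths.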
    --- End diff --
    
    Please remove unnecessary whitespace. 


> TLS Toolkit should enforce minimum length restriction on CA token
> -----------------------------------------------------------------
>
>                 Key: NIFI-3367
>                 URL: https://issues.apache.org/jira/browse/NIFI-3367
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Tools and Build
>    Affects Versions: 1.1.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless of whether it is read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 
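
A minimal implementation of the enforcement described in the issue above, as an added example that is not NiFi's own TlsHelper code (the class name, the HMAC-SHA256 choice and the constant-time verification helper are assumptions; the exception messages mirror those the test above expects):

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PublicKey;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not NiFi's TlsHelper): token-length enforcement around the CA-token HMAC. */
public final class CaTokenHmacExample {
    // Minimum from NIFI-3367, measured in encoded bytes, not characters.
    static final int MIN_TOKEN_BYTES = 16;
    static final String HMAC_ALG = "HmacSHA256"; // assumption; the issue does not name the algorithm
    /** Reject missing or short tokens before any HMAC work happens. */
    static byte[] validateToken(String token) throws GeneralSecurityException {
        if (token == null) {
            throw new IllegalArgumentException("Token cannot be null");
        }
        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
        if (tokenBytes.length < MIN_TOKEN_BYTES) {
            throw new GeneralSecurityException("Token does not meet minimum size of 16 bytes.");
        }
        return tokenBytes;
    }

    /** HMAC over the requester's DER-encoded public key, keyed by the shared token. */
    static byte[] calculateHmac(String token, PublicKey publicKey) throws GeneralSecurityException {
        byte[] key = validateToken(token);
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        return mac.doFinal(publicKey.getEncoded());
    }

    /** Server-side check: recompute and compare in constant time so timing does not leak prefix matches. */
    static boolean verifyHmac(String token, PublicKey publicKey, byte[] presented) throws GeneralSecurityException {
        return MessageDigest.isEqual(calculateHmac(token, publicKey), presented);
    }
    public static void main(String[] args) throws Exception {
        PublicKey pub = java.security.KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        for (String bad : new String[] {null, "", "123", "0123456789abcde"}) { // last one is 15 bytes
            try {
                calculateHmac(bad, pub);
                System.out.println("unexpected: accepted short token");
            } catch (IllegalArgumentException | GeneralSecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        byte[] hmac = calculateHmac("0123456789abcdef", pub); // exactly 16 bytes, accepted
        System.out.println("verified: " + verifyHmac("0123456789abcdef", pub, hmac));
    }
}
```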



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
