[
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16359174#comment-16359174
]
ASF GitHub Bot commented on NIFI-3367:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2463#discussion_r167382434
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
---
@@ -171,6 +172,43 @@ private Date inFuture(int days) {
return new Date(System.currentTimeMillis() +
TimeUnit.DAYS.toMillis(days));
}
+ @Test
+ public void testTokenLengthInCalculateHmac() throws
CertificateException, NoSuchAlgorithmException {
+ List<String> badTokens = new ArrayList<>();
+ List<String> goodTokens = new ArrayList<>();
+ badTokens.add(null);
+ badTokens.add("");
+ badTokens.add("123");
+ goodTokens.add("0123456789abcdefghijklm");
+ goodTokens.add("0123456789abcdef");
+
+ String dn = "CN=testDN,O=testOrg";
+ X509Certificate x509Certificate =
CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm,
keySize), dn, signingAlgorithm, days);
+ PublicKey pubKey = x509Certificate.getPublicKey();
+
+ for (String token : badTokens) {
+ try {
+ TlsHelper.calculateHMac(token, pubKey);
+ fail("HMAC was calculated with a token that was too
short.");
+ } catch (GeneralSecurityException e) {
+ assertEquals("Token does not meet minimum size of 16
bytes.", e.getMessage());
+ } catch (IllegalArgumentException e) {
+ assertEquals("Token cannot be null", e.getMessage());
+ }
+ }
+
+ for (String token : goodTokens) {
+ try {
+ byte[] hmac = TlsHelper.calculateHMac(token, pubKey);
+ assertTrue("HMAC length ok", hmac.length > 0);
+ } catch (GeneralSecurityException e) {
+ fail(e.getMessage());
+ }
+ }
+
--- End diff --
Please remove unnecessary whitespace.
> TLS Toolkit should enforce minimum length restriction on CA token
> -----------------------------------------------------------------
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
> Issue Type: Bug
> Components: Tools and Build
> Affects Versions: 1.1.1
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server
> mode in order to perform pre-authentication when requesting a signed
> certificate from the CA. There is a validation that this token is *required*,
> but not that it is of a certain length. Because the HMAC construction is
> available in the source code, the process could easily be brute-forced if the
> token value is short. We should enforce a minimum length of 16 bytes
> (regardless if read from {{config.json}} or provided via command line).
> We may also want to add exponential rate-limiting on failed HMAC values for
> the same requested public key DN in order to mitigate malicious requests.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
