alopresto commented on a change in pull request #3672: NIFI-6363 Additional Sensitive Property Providers
URL: https://github.com/apache/nifi/pull/3672#discussion_r318139310
 
 

 ##########
 File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-properties-loader/src/main/java/org/apache/nifi/properties/sensitive/aes/AESSensitivePropertyProvider.java
 ##########
 @@ -258,4 +266,35 @@ public static int getMinCipherTextLength() {
     public static String getDelimiter() {
         return DELIMITER;
     }
+
+    private static int getMaxValidKeyLength() {
+        return Collections.max(getValidKeyLengths());
+    }
+
+    /**
+     * @return key type and max key length, e.g., "aes/gcm/128".
+     */
+    public static String getDefaultProtectionScheme() {
+        return IMPLEMENTATION_KEY + getMaxValidKeyLength();
+    }
+
+    /**
+     * True if this class can provide protected and unprotected values for the 
given scheme.
+     *
+     * @param material name of encryption or protection scheme
+     * @return true if this class can provide protected values
+     */
+    public static boolean isProviderFor(String material) {
+        return material.startsWith(IMPLEMENTATION_KEY);
+    }
+
+    /**
+     * Printable representation of a key.
+     *
+     * @param key key material or key id
+     * @return printable string
+     */
+    public static String toPrintableString(String key) {
+        return PRINTABLE_PREFIX + 
UUID.nameUUIDFromBytes(key.getBytes(StandardCharsets.UTF_8)).toString();
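
Review bot: `isProviderFor` calls `material.startsWith(IMPLEMENTATION_KEY)` without a null check, so a missing or unset protection scheme throws a NullPointerException instead of returning false. Suggest `return material != null && material.startsWith(IMPLEMENTATION_KEY);`. The parameter would also read better as `scheme`, since its Javadoc describes it as the name of an encryption or protection scheme, while `toPrintableString` in the same hunk uses "key material" for an actual key.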
 
 Review comment:
   Can we introduce a `SHA-512` hash over the key bytes before constructing the 
UUID? Deterministic functions over key material can leak key material. Ex: 
`UUID.of(SHA-512(keyBytes))`. 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
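
The review comment's suggestion placed next to the approach in the hunk, as an added example that is not NiFi code or code from the pull request. `KeyFingerprintDemo`, its method names and the sample key are hypothetical, and the HMAC variant goes beyond what the comment proposes.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example; class and method names are hypothetical, not NiFi code.
public class KeyFingerprintDemo {
    // Per-process random key for the keyed variant (assumption: printed ids
    // only need to be stable within one JVM run).
    private static final byte[] LOG_KEY = new byte[32];
    static { new SecureRandom().nextBytes(LOG_KEY); }

    // What the hunk does: a type 3 (MD5) UUID computed directly over the key bytes.
    static UUID direct(String key) {
        return UUID.nameUUIDFromBytes(key.getBytes(StandardCharsets.UTF_8));
    }

    // The review suggestion: SHA-512 over the key bytes, then the UUID.
    static UUID hashed(String key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-512")
                .digest(key.getBytes(StandardCharsets.UTF_8));
        return UUID.nameUUIDFromBytes(digest);
    }

    // Keyed variant: HMAC-SHA-256 under LOG_KEY, so the printed id cannot be
    // recomputed from a candidate key without also knowing LOG_KEY.
    static UUID keyed(String key) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(LOG_KEY, "HmacSHA256"));
        return UUID.nameUUIDFromBytes(mac.doFinal(key.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String sampleKey = "0123456789ABCDEFFEDCBA9876543210"; // constructed sample, not a real key
        System.out.println("direct: " + direct(sampleKey) + " (version " + direct(sampleKey).version() + ")");
        System.out.println("hashed: " + hashed(sampleKey));
        System.out.println("keyed : " + keyed(sampleKey));
        // direct and hashed print the same value on every run and every host;
        // keyed is stable within this run and changes when the JVM restarts.
        System.out.println("keyed stable in-run: " + keyed(sampleKey).equals(keyed(sampleKey)));
    }
}
```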
