[
https://issues.apache.org/jira/browse/NIFI-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043624#comment-17043624
]
karthik kadajji commented on NIFI-3063:
---------------------------------------
Hi [~alopresto],
I went back through the documentation and the codebase again. If the -B
parameter is not specified on the standalone tls command line, the password is
automatically generated (random). If the password is longer than 7 characters,
as in the command below
{code:bash}
bin/tls-toolkit.sh standalone -n 'localhost' -C 'CN=username' -S keystored -P trustmaster -K keypassed -B 12345678
{code}
it resulted in the following error:
{code}
Error generating TLS configuration. (Specified password for ../nifi-toolkit-1.12.0-SNAPSHOT/CN=username.p12 too long to work without unlimited JCE policy installed.
Please see http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
{code}
The only difference to note is: if -B (the password for the client certificate)
is specified on the command line and it is longer than 7 characters, it throws
an error. If -B isn't specified, the PasswordUtil function auto-generates a
password and trims it to a length of 7, which I believe is acting correctly. I
verified the truststore password and keystore password as well, and both of
them have the right values without randomization. The following command can be
used to verify the truststore/keystore password:
{code:bash}
keytool -list -keystore truststore.keystore
# enter the truststore password when prompted
{code}
{code}
karthik@karthik-VirtualBox:~/Nifi/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.12.0-SNAPSHOT-bin/nifi-toolkit-1.12.0-SNAPSHOT$ bin/tls-toolkit.sh standalone -n 'localhost' -C 'CN=username' -S keystored -P trustmaster -K keypassed -B 123
2020/02/24 16:38:21 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2020/02/24 16:38:25 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.12.0-SNAPSHOT
2020/02/24 16:38:27 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.12.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.12.0-SNAPSHOT/nifi-key.key
2020/02/24 16:38:27 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.12.0-SNAPSHOT/localhost
2020/02/24 16:38:27 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for localhost 1 in ../nifi-toolkit-1.12.0-SNAPSHOT/localhost
2020/02/24 16:38:27 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.12.0-SNAPSHOT/CN=username.p12
2020/02/24 16:38:35 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.12.0-SNAPSHOT/CN=username.p12
2020/02/24 16:38:35 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
karthik@karthik-VirtualBox:~/Nifi/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.12.0-SNAPSHOT-bin/nifi-toolkit-1.12.0-SNAPSHOT$ more CN\=username.password
123
{code}
Regards,
Karthik
> TLS Toolkit ignores provided password if longer than 7 characters and
> switches to auto-generated 7 character password
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-3063
> URL: https://issues.apache.org/jira/browse/NIFI-3063
> Project: Apache NiFi
> Issue Type: Bug
> Components: Tools and Build
> Affects Versions: 1.1.0
> Reporter: Andy LoPresto
> Assignee: karthik kadajji
> Priority: Critical
> Labels: pkcs12, security, tls-toolkit
>
> Because of work done for [NIFI-2943], the TLS Toolkit cannot accept a
> password longer than 7 characters for a PKCS12 keystore if the JCE unlimited
> strength cryptographic jurisdiction policies are not installed. While the
> tool correctly warns about this, it quietly switches from the provided
> password to an auto-generated 7 character password. There is a small log
> message saying the password has been switched to an auto-generated, reduced
> password, but this is easy to miss and surprising functionality. While not as
> secure, truncating the provided password to 7 characters is less likely to
> cause confusion for users.
> Example output:
> {code}
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
> 🔒 7s @ 20:06:39 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
> 2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: WARNING!!!!
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out '/tmp/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=test.p12' -out '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=test.p12'
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> 2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
> 🔒 6s @ 20:06:46 $ more CN\=test.password
> aW5aV2E
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
> 🔒 4s @ 20:06:51 $
> {code}
> Suggested solutions (in order of preference):
> # Fail to generate the keystore in this case and print reason
> # Truncate provided password to 7 characters
> # Print larger message explaining that the provided password is ignored
> completely and auto-generated password is used
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
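The openssl workaround that the toolkit's warning prints (unwrap the .p12, re-export it under a stronger password, delete the temporary file) and the keystore password check from the comment above, as one added example. This script is not code from the NiFi TLS toolkit or from either participant in the thread; it assumes only that `openssl` is on PATH. The key, the certificate, the file name CN=username.p12 and the 7-character password aW5aV2E in the demo are constructed here from the values quoted in the issue and stand in for real toolkit output. Unlike the commands in the warning it passes passwords through the environment instead of prompting, keeps the unencrypted PEM in a private temp directory, and removes that PEM even when the export fails.

```shell
#!/bin/sh
# Re-wrap a PKCS12 client certificate under a longer password and verify it.
# Added example: not code from the NiFi TLS toolkit or from the Jira thread.
# Assumes only that `openssl` is on PATH. Passwords reach openssl through the
# environment (-passin/-passout env:NAME), not through argv, so they do not
# show up in `ps` output the way the `pass:` form would.
set -eu

# strengthen_p12 IN.p12 OLD_PASSWORD OUT.p12 NEW_PASSWORD
# Step 1 unwraps IN.p12 to a PEM bundle (private key + certificates) in a
# private temp directory; step 2 re-exports that bundle as OUT.p12 under
# NEW_PASSWORD. The unencrypted PEM is removed whether or not step 2 succeeds.
strengthen_p12() {
    src=$1 oldpw=$2 dst=$3 newpw=$4
    tmpdir=$(mktemp -d)
    # -nodes leaves the key unencrypted in the PEM so step 2 needs no PEM pass.
    if OLDPW=$oldpw openssl pkcs12 -in "$src" -out "$tmpdir/bundle.pem" -nodes \
            -passin env:OLDPW >/dev/null 2>&1 &&
       NEWPW=$newpw openssl pkcs12 -export -in "$tmpdir/bundle.pem" -out "$dst" \
            -passout env:NEWPW >/dev/null 2>&1; then
        rc=0
    else
        rc=1   # wrong old password, unreadable file, or export failure
    fi
    rm -rf "$tmpdir"
    return $rc
}

# p12_opens FILE PASSWORD: succeeds only if PASSWORD verifies FILE's MAC.
# Same check as `keytool -list -keystore FILE`, done with openssl instead.
p12_opens() {
    PW=$2 openssl pkcs12 -in "$1" -noout -nokeys -passin env:PW >/dev/null 2>&1
}

# Demo input, constructed here: a throwaway key and certificate standing in
# for the toolkit's CN=username.p12, wrapped under the 7-character password
# quoted in the issue (aW5aV2E), then re-wrapped under a long passphrase.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=username' \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
    PW=aW5aV2E openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$d/CN=username.p12" -passout env:PW
    long='correct horse battery staple 2020'
    strengthen_p12 "$d/CN=username.p12" aW5aV2E "$d/CN=username.strong.p12" "$long"
    ok=1
    p12_opens "$d/CN=username.strong.p12" "$long" || ok=0   # new password works
    p12_opens "$d/CN=username.strong.p12" aW5aV2E && ok=0   # old one must not
    rm -rf "$d"
    [ "$ok" -eq 1 ] && echo "re-export OK: only the long password opens the new file"
    return $((1 - ok))
}
demo
```

Two caveats when applying this to a real toolkit output directory: the `CN=username.password` file the toolkit writes next to the .p12 still contains the old 7-character password, so update or delete it by hand; and the JRE that later loads the re-exported file must support the PBE algorithms openssl chose (OpenSSL 3 defaults to AES-256-CBC with PBKDF2; if an older JRE cannot open the result, re-export with OpenSSL 3's `-legacy` option to get the older 3DES/RC2 encodings).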