[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359190#comment-16359190 ] ASF GitHub Bot commented on NIFI-3367: -- Github user asfgit closed the pull request at: https://github.com/apache/nifi/pull/2463 > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359189#comment-16359189 ] ASF subversion and git services commented on NIFI-3367: --- Commit b7fdb235ee1055e24fdb3ac000cc8039751199ad in nifi's branch refs/heads/master from Lori Buettner [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=b7fdb23 ] NIFI-3367 Added token length check and unit test. This closes #2463. Signed-off-by: Andy LoPresto> TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359187#comment-16359187 ] ASF GitHub Bot commented on NIFI-3367: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2463 Ran the toolkit in client/server mode. Both rejected a token < 16 bytes with an informative error message. With a long token, the process succeeded. Ran `contrib-check` and all tests pass. +1, merging. > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359174#comment-16359174 ] ASF GitHub Bot commented on NIFI-3367: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2463#discussion_r167382434 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java --- @@ -171,6 +172,43 @@ private Date inFuture(int days) { return new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(days)); } +@Test +public void testTokenLengthInCalculateHmac() throws CertificateException, NoSuchAlgorithmException { +List badTokens = new ArrayList<>(); +List goodTokens = new ArrayList<>(); +badTokens.add(null); +badTokens.add(""); +badTokens.add("123"); +goodTokens.add("0123456789abcdefghijklm"); +goodTokens.add("0123456789abcdef"); + +String dn = "CN=testDN,O=testOrg"; +X509Certificate x509Certificate = CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm, keySize), dn, signingAlgorithm, days); +PublicKey pubKey = x509Certificate.getPublicKey(); + +for (String token : badTokens) { +try { +TlsHelper.calculateHMac(token, pubKey); +fail("HMAC was calculated with a token that was too short."); +} catch (GeneralSecurityException e) { +assertEquals("Token does not meet minimum size of 16 bytes.", e.getMessage()); +} catch (IllegalArgumentException e) { +assertEquals("Token cannot be null", e.getMessage()); +} +} + +for (String token : goodTokens) { +try { +byte[] hmac = TlsHelper.calculateHMac(token, pubKey); +assertTrue("HMAC length ok", hmac.length > 0); +} catch (GeneralSecurityException e) { +fail(e.getMessage()); +} +} + --- End diff -- Please remove unnecessary whitespace. > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359173#comment-16359173 ] ASF GitHub Bot commented on NIFI-3367: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2463 Reviewing... > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359171#comment-16359171 ] ASF GitHub Bot commented on NIFI-3367: -- GitHub user alopresto opened a pull request: https://github.com/apache/nifi/pull/2463 NIFI-3367 Enforced minimum length of shared secret in TLS toolkit client/server mode Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [x] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [x] Has your PR been rebased against the latest commit within the target branch (typically master)? - [ ] Is your initial contribution a single, squashed commit? ### For code changes: - [x] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? - [x] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? - [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. You can merge this pull request into a Git repository by running: $ git pull https://github.com/alopresto/nifi NIFI-3367 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/2463.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2463 commit 79a0aafe51a6d806ef3952650139ebbcd007e274 Author: Lori BuettnerDate: 2018-02-10T00:46:33Z NIFI-3367 Added token length check and unit test. commit 5d9680a513bc9e28067eed45b07823f250c7 Author: Lori Buettner Date: 2018-02-10T01:04:58Z NIFI-3367 Resolved failing unit tests. > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)