[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token

2018-02-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359190#comment-16359190
 ] 

ASF GitHub Bot commented on NIFI-3367:
--

Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/2463


> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
>  Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless if read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token

2018-02-09 Thread ASF subversion and git services (JIRA) 

[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359189#comment-16359189
 ] 

ASF subversion and git services commented on NIFI-3367:
---

Commit b7fdb235ee1055e24fdb3ac000cc8039751199ad in nifi's branch 
refs/heads/master from Lori Buettner
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=b7fdb23 ]

NIFI-3367 Added token length check and unit test.

This closes #2463.

Signed-off-by: Andy LoPresto 


> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
>  Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless if read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token

2018-02-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359187#comment-16359187
 ] 

ASF GitHub Bot commented on NIFI-3367:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2463
  
Ran the toolkit in client/server mode. Both rejected a token < 16 bytes 
with an informative error message. With a long token, the process succeeded. 

Ran `contrib-check` and all tests pass. +1, merging. 


> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
>  Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless if read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token

2018-02-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359174#comment-16359174
 ] 

ASF GitHub Bot commented on NIFI-3367:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2463#discussion_r167382434
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
 ---
@@ -171,6 +172,43 @@ private Date inFuture(int days) {
 return new Date(System.currentTimeMillis() + 
TimeUnit.DAYS.toMillis(days));
 }
 
+@Test
+public void testTokenLengthInCalculateHmac() throws 
CertificateException, NoSuchAlgorithmException {
+List badTokens = new ArrayList<>();
+List goodTokens = new ArrayList<>();
+badTokens.add(null);
+badTokens.add("");
+badTokens.add("123");
+goodTokens.add("0123456789abcdefghijklm");
+goodTokens.add("0123456789abcdef");
+
+String dn = "CN=testDN,O=testOrg";
+X509Certificate x509Certificate = 
CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm,
 keySize), dn, signingAlgorithm, days);
+PublicKey pubKey = x509Certificate.getPublicKey();
+
+for (String token : badTokens) {
+try {
+TlsHelper.calculateHMac(token, pubKey);
+fail("HMAC was calculated with a token that was too 
short.");
+} catch (GeneralSecurityException e) {
+assertEquals("Token does not meet minimum size of 16 
bytes.", e.getMessage());
+} catch (IllegalArgumentException e) {
+assertEquals("Token cannot be null", e.getMessage());
+}
+}
+
+for (String token : goodTokens) {
+try {
+byte[] hmac = TlsHelper.calculateHMac(token, pubKey);
+assertTrue("HMAC length ok", hmac.length > 0);
+} catch (GeneralSecurityException e) {
+fail(e.getMessage());
+}
+}
+
--- End diff --

Please remove unnecessary whitespace. 


> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
>  Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless if read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token

2018-02-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359173#comment-16359173
 ] 

ASF GitHub Bot commented on NIFI-3367:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2463
  
Reviewing...


> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
>  Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless if read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token

2018-02-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359171#comment-16359171
 ] 

ASF GitHub Bot commented on NIFI-3367:
--

GitHub user alopresto opened a pull request:

https://github.com/apache/nifi/pull/2463

NIFI-3367 Enforced minimum length of shared secret in TLS toolkit 
client/server mode

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [x] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [ ] Is your initial contribution a single, squashed commit?

### For code changes:
- [x] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/alopresto/nifi NIFI-3367

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2463.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2463


commit 79a0aafe51a6d806ef3952650139ebbcd007e274
Author: Lori Buettner 
Date:   2018-02-10T00:46:33Z

NIFI-3367 Added token length check and unit test.

commit 5d9680a513bc9e28067eed45b07823f250c7
Author: Lori Buettner 
Date:   2018-02-10T01:04:58Z

NIFI-3367 Resolved failing unit tests.




> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Priority: Major
>  Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server 
> mode in order to perform pre-authentication when requesting a signed 
> certificate from the CA. There is a validation that this token is *required*, 
> but not that it is of a certain length. Because the HMAC construction is 
> available in the source code, the process could easily be brute-forced if the 
> token value is short. We should enforce a minimum length of 16 bytes 
> (regardless if read from {{config.json}} or provided via command line). 
> We may also want to add exponential rate-limiting on failed HMAC values for 
> the same requested public key DN in order to mitigate malicious requests. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)