Repository: nifi Updated Branches: refs/heads/master 61c6f0305 -> b7fdb235e
NIFI-3367 Added token length check and unit test. This closes #2463. Signed-off-by: Andy LoPresto <alopre...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/b7fdb235 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/b7fdb235 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/b7fdb235 Branch: refs/heads/master Commit: b7fdb235ee1055e24fdb3ac000cc8039751199ad Parents: 61c6f03 Author: Lori Buettner <lorraine.buett...@gmail.com> Authored: Sat Feb 10 00:46:33 2018 +0000 Committer: Andy LoPresto <alopre...@apache.org> Committed: Fri Feb 9 17:43:41 2018 -0800
----------------------------------------------------------------------
 .../apache/nifi/toolkit/tls/util/TlsHelper.java | 19 ++++++----
 ...sCertificateSigningRequestPerformerTest.java | 2 +-
 ...sCertificateAuthorityServiceHandlerTest.java | 2 +-
 .../nifi/toolkit/tls/util/TlsHelperTest.java | 37 +++++++++++++++++++-
 4 files changed, 51 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/b7fdb235/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
index d1d93e4..1dee905 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
@@ -100,7 +100,7 @@ public class TlsHelper {
  logger.warn("resulting client certificate: " + fileToString);
  logger.warn("");
  logger.warn("openssl pkcs12 -in '" + fileToString + "' -out '/tmp/" + fileName + "'");
- logger.warn("openssl pkcs12 -export -in '/tmp/" + fileName + "' -out '" + fileToString + "'");
+ logger.warn("openssl pkcs12 -export -in '/tmp/" + fileName + "' -out '" + fileToString + "'");
  logger.warn("rm -f '/tmp/" + fileName + "'");
  logger.warn("");
  logger.warn("**********************************************************************************");
@@ -146,7 +146,14 @@ public class TlsHelper {
  }
  public static byte[] calculateHMac(String token, PublicKey publicKey) throws GeneralSecurityException {
- SecretKeySpec keySpec = new SecretKeySpec(token.getBytes(StandardCharsets.UTF_8), "RAW");
+ if (token == null) {
+ throw new IllegalArgumentException("Token cannot be null");
+ }
+ byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
+ if (tokenBytes.length < 16) {
+ throw new GeneralSecurityException("Token does not meet minimum size of 16 bytes.");
+ }
+ SecretKeySpec keySpec = new SecretKeySpec(tokenBytes, "RAW");
  Mac mac = Mac.getInstance("Hmac-SHA256", BouncyCastleProvider.PROVIDER_NAME);
  mac.init(keySpec);
  return mac.doFinal(getKeyIdentifier(publicKey));
@@ -197,7 +204,7 @@ public class TlsHelper {
  }
  public static JcaPKCS10CertificationRequest generateCertificationRequest(String requestedDn, String domainAlternativeNames,
- KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException {
+ KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException {
  JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(requestedDn), keyPair.getPublic());
  // add Subject Alternative Name(s)
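Review bot: The 16-byte floor added to calculateHMac in the @@ -146 hunk is a bare literal that is repeated verbatim inside the exception text, and the method's Javadoc is not updated to state the new preconditions; a named constant keeps the check and the message in step, e.g. `private static final int MIN_TOKEN_LENGTH_BYTES = 16;` with `if (tokenBytes.length < MIN_TOKEN_LENGTH_BYTES) {` and `throw new GeneralSecurityException("Token does not meet minimum size of " + MIN_TOKEN_LENGTH_BYTES + " bytes.");`, which leaves the message the tests assert on byte-identical. The length is measured after UTF-8 encoding, so the floor is in bytes rather than characters (a token with multi-byte characters passes with fewer than 16 characters); the Javadoc should say so, e.g. `@throws IllegalArgumentException if {@code token} is null` and `@throws GeneralSecurityException if {@code token} is shorter than 16 bytes when UTF-8 encoded`. A null token raising IllegalArgumentException while a short token raises GeneralSecurityException makes callers handle two exception types for one precondition; the new test pins both, so if the split is deliberate the Javadoc should also say why. The @@ -100, @@ -197 and @@ -221 hunks are whitespace and formatting only, and calculateHMac's closing brace lies past the end of its hunk.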
@@ -221,13 +228,13 @@ public class TlsHelper {
  throw new IOException("Failed to extract CN from request DN: " + requestedDn, e);
  }
- if(StringUtils.isNotBlank(domainAlternativeNames)) {
- for(String alternativeName : domainAlternativeNames.split(",")) {
+ if (StringUtils.isNotBlank(domainAlternativeNames)) {
+ for (String alternativeName : domainAlternativeNames.split(",")) {
  namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
  }
  }
- GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
+ GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName[]{}));
  ExtensionsGenerator extGen = new ExtensionsGenerator();
  extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
  return extGen.generate();
http://git-wip-us.apache.org/repos/asf/nifi/blob/b7fdb235/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java
index fb20739..5ecb3b1 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java
@@ -95,7 +95,7 @@ public class TlsCertificateSigningRequestPerformerTest {
  objectMapper = new ObjectMapper();
  keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
- testToken = "testToken";
+ testToken = "testTokenTestToken";
  testCaHostname = "testCaHostname";
  testPort = 8993;
  certificates = new ArrayList<>();
http://git-wip-us.apache.org/repos/asf/nifi/blob/b7fdb235/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java
index 00c5ec8..b9b6945 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java
@@ -98,7 +98,7 @@ public class TlsCertificateAuthorityServiceHandlerTest {
  @Before
  public void setup() throws Exception {
- testToken = "testToken";
+ testToken = "testTokenTestToken";
  testPemEncodedSignedCertificate = "testPemEncodedSignedCertificate";
  keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
  objectMapper = new ObjectMapper();
http://git-wip-us.apache.org/repos/asf/nifi/blob/b7fdb235/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
index 9e23496..91da17a 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
@@ -43,6 +43,7 @@ import java.security.KeyStoreSpi;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
+import java.security.PublicKey;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -52,7 +53,6 @@ import java.util.Date;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
-
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
@@ -172,6 +172,41 @@ public class TlsHelperTest {
  }
  @Test
+ public void testTokenLengthInCalculateHmac() throws CertificateException, NoSuchAlgorithmException {
+ List<String> badTokens = new ArrayList<>();
+ List<String> goodTokens = new ArrayList<>();
+ badTokens.add(null);
+ badTokens.add("");
+ badTokens.add("123");
+ goodTokens.add("0123456789abcdefghijklm");
+ goodTokens.add("0123456789abcdef");
+
+ String dn = "CN=testDN,O=testOrg";
+ X509Certificate x509Certificate = CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm, keySize), dn, signingAlgorithm, days);
+ PublicKey pubKey = x509Certificate.getPublicKey();
+
+ for (String token : badTokens) {
+ try {
+ TlsHelper.calculateHMac(token, pubKey);
+ fail("HMAC was calculated with a token that was too short.");
+ } catch (GeneralSecurityException e) {
+ assertEquals("Token does not meet minimum size of 16 bytes.", e.getMessage());
+ } catch (IllegalArgumentException e) {
+ assertEquals("Token cannot be null", e.getMessage());
+ }
+ }
+
+ for (String token : goodTokens) {
+ try {
+ byte[] hmac = TlsHelper.calculateHMac(token, pubKey);
+ assertTrue("HMAC length ok", hmac.length > 0);
+ } catch (GeneralSecurityException e) {
+ fail(e.getMessage());
+ }
+ }
+ }
+
+ @Test
  public void testGenerateSelfSignedCert() throws GeneralSecurityException, IOException, OperatorCreationException {
  String dn = "CN=testDN,O=testOrg";