org.apache.nifi.security.util.crypto

Class CipherUtility

java.lang.Object

org.apache.nifi.security.util.crypto.CipherUtility

public class CipherUtility
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
static int	BUFFER_SIZE
private static int	DEFAULT_MAX_ALLOWED_KEY_LENGTH
private static Pattern	KEY_LENGTH_PATTERN
private static Map<String,Integer>	MAX_PASSWORD_LENGTH_BY_ALGORITHM

Constructor Summary

Constructors

Constructor and Description
CipherUtility()

Method Summary

Modifier and Type	Method and Description
static String	encodeBase64NoPadding(byte[] bytes)
private static int	getDefaultKeyLengthForCipher(String cipher)
static int	getIterationCountForAlgorithm(String algorithm) Returns the KDF iteration count for various PBE algorithms.
static int	getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto(EncryptionMethod encryptionMethod)
static int	getSaltLengthForAlgorithm(String algorithm) Returns the salt length for various PBE algorithms.
static List<Integer>	getValidKeyLengthsForAlgorithm(String algorithm) Returns a list of valid key lengths in bits for this algorithm.
static Cipher	initPBECipher(String algorithm, String provider, String password, byte[] salt, int iterationCount, boolean encryptMode) Initializes a Cipher object with the given PBE parameters.
static boolean	isKeyedCipher(String algorithm)
static boolean	isPBECipher(String algorithm)
static boolean	isUnlimitedStrengthCryptoSupported()
static boolean	isValidKeyLength(int keyLength, String cipher) Returns true if the provided key length is a valid key length for the provided cipher family.
static boolean	isValidKeyLengthForAlgorithm(int keyLength, String algorithm) Returns true if the provided key length is a valid key length for the provided algorithm.
private static int	parseActualKeyLengthFromAlgorithm(String algorithm)
static String	parseCipherFromAlgorithm(String algorithm) Returns the cipher algorithm from the full algorithm name.
static int	parseKeyLengthFromAlgorithm(String algorithm) Returns the cipher key length from the full algorithm name.
static boolean	passwordLengthIsValidForAlgorithmOnLimitedStrengthCrypto(int passwordLength, EncryptionMethod encryptionMethod)
static void	processStreams(Cipher cipher, InputStream in, OutputStream out)
static byte[]	readBytesFromInputStream(InputStream in, String label, int limit, byte[] delimiter)
static void	writeBytesToOutputStream(OutputStream out, byte[] value, String label, byte[] delimiter)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BUFFER_SIZE

public static final int BUFFER_SIZE

See Also:

Constant Field Values

KEY_LENGTH_PATTERN

private static final Pattern KEY_LENGTH_PATTERN

MAX_PASSWORD_LENGTH_BY_ALGORITHM

private static final Map<String,Integer> MAX_PASSWORD_LENGTH_BY_ALGORITHM

DEFAULT_MAX_ALLOWED_KEY_LENGTH

private static final int DEFAULT_MAX_ALLOWED_KEY_LENGTH

See Also:

Constant Field Values

Constructor Detail

CipherUtility

public CipherUtility()

Method Detail

parseCipherFromAlgorithm

public static String parseCipherFromAlgorithm(String algorithm)

Returns the cipher algorithm from the full algorithm name. Useful for getting key lengths, etc.

Ex: PBEWITHMD5AND128BITAES-CBC-OPENSSL -> AES

Parameters:

algorithm - the full algorithm name

Returns:

the generic cipher name or the full algorithm if one cannot be extracted

parseKeyLengthFromAlgorithm

public static int parseKeyLengthFromAlgorithm(String algorithm)

Returns the cipher key length from the full algorithm name. Useful for getting key lengths, etc.

Ex: PBEWITHMD5AND128BITAES-CBC-OPENSSL -> 128

Parameters:

algorithm - the full algorithm name

Returns:

the key length or -1 if one cannot be extracted

parseActualKeyLengthFromAlgorithm

private static int parseActualKeyLengthFromAlgorithm(String algorithm)

isValidKeyLength

public static boolean isValidKeyLength(int keyLength,
                                       String cipher)

Returns true if the provided key length is a valid key length for the provided cipher family. Does not reflect if the Unlimited Strength Cryptography Jurisdiction Policies are installed. Does not reflect if the key length is correct for a specific combination of cipher and PBE-derived key length.

Ex:

256 is valid for AES/CBC/PKCS7Padding but not PBEWITHMD5AND128BITAES-CBC-OPENSSL. However, this method will return true for both because it only gets the cipher family, AES.

64, AES -> false [128, 192, 256], AES -> true

Parameters:

keyLength - the key length in bits

cipher - the cipher family

Returns:

true if this key length is valid

isValidKeyLengthForAlgorithm

public static boolean isValidKeyLengthForAlgorithm(int keyLength,
                                                   String algorithm)

Returns true if the provided key length is a valid key length for the provided algorithm. Does not reflect if the Unlimited Strength Cryptography Jurisdiction Policies are installed.

Ex:

256 is valid for AES/CBC/PKCS7Padding but not PBEWITHMD5AND128BITAES-CBC-OPENSSL.

64, AES/CBC/PKCS7Padding -> false [128, 192, 256], AES/CBC/PKCS7Padding -> true

128, PBEWITHMD5AND128BITAES-CBC-OPENSSL -> true [192, 256], PBEWITHMD5AND128BITAES-CBC-OPENSSL -> false

Parameters:

keyLength - the key length in bits

algorithm - the specific algorithm

Returns:

true if this key length is valid

getValidKeyLengthsForAlgorithm

public static List<Integer> getValidKeyLengthsForAlgorithm(String algorithm)

Returns a list of valid key lengths in bits for this algorithm. If the algorithm cannot be parsed, an empty list is returned.

Parameters:

algorithm - the name of the algorithm

Returns:

a list of valid key lengths

getDefaultKeyLengthForCipher

private static int getDefaultKeyLengthForCipher(String cipher)

processStreams

public static void processStreams(Cipher cipher,
                                  InputStream in,
                                  OutputStream out)

readBytesFromInputStream

public static byte[] readBytesFromInputStream(InputStream in,
                                              String label,
                                              int limit,
                                              byte[] delimiter)
                                       throws IOException,
                                              ProcessException

Throws:

IOException

ProcessException

writeBytesToOutputStream

public static void writeBytesToOutputStream(OutputStream out,
                                            byte[] value,
                                            String label,
                                            byte[] delimiter)
                                     throws IOException

Throws:

IOException

encodeBase64NoPadding

public static String encodeBase64NoPadding(byte[] bytes)

passwordLengthIsValidForAlgorithmOnLimitedStrengthCrypto

public static boolean passwordLengthIsValidForAlgorithmOnLimitedStrengthCrypto(int passwordLength,
                                                                               EncryptionMethod encryptionMethod)

getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto

public static int getMaximumPasswordLengthForAlgorithmOnLimitedStrengthCrypto(EncryptionMethod encryptionMethod)

isUnlimitedStrengthCryptoSupported

public static boolean isUnlimitedStrengthCryptoSupported()

isPBECipher

public static boolean isPBECipher(String algorithm)

isKeyedCipher

public static boolean isKeyedCipher(String algorithm)

initPBECipher

public static Cipher initPBECipher(String algorithm,
                                   String provider,
                                   String password,
                                   byte[] salt,
                                   int iterationCount,
                                   boolean encryptMode)
                            throws IllegalArgumentException

Initializes a Cipher object with the given PBE parameters.

Parameters:

algorithm - the algorithm

provider - the JCA provider

password - the password

salt - the salt

iterationCount - the KDF iteration count

encryptMode - true to encrypt; false to decrypt

Returns:

the initialized Cipher

Throws:

IllegalArgumentException - if any parameter is invalid

getIterationCountForAlgorithm

public static int getIterationCountForAlgorithm(String algorithm)

Returns the KDF iteration count for various PBE algorithms. These values were determined empirically from configured/chosen legacy values from the earlier version of the project. Code demonstrating this is available at StringEncryptorTest#testPBEncryptionShouldBeExternallyConsistent.

Parameters:

algorithm - the EncryptionMethod.algorithm

Returns:

the iteration count. Default is 0.

getSaltLengthForAlgorithm

public static int getSaltLengthForAlgorithm(String algorithm)

Returns the salt length for various PBE algorithms. These values were determined empirically from configured/chosen legacy values from the earlier version of the project. Code demonstrating this is available at StringEncryptorTest#testPBEncryptionShouldBeExternallyConsistent.

Parameters:

algorithm - the EncryptionMethod.algorithm

Returns:

the salt length in bytes. Default is 16.