org.apache.nifi.security.kms

Class CryptoUtils

java.lang.Object

org.apache.nifi.security.kms.CryptoUtils

public class CryptoUtils
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
private static String	BOOTSTRAP_KEY_PREFIX
static String	ENCRYPTED_FSR_CLASS_NAME
static String	EWAFFR_CLASS_NAME
static String	FILE_BASED_KEY_PROVIDER_CLASS_NAME
private static Pattern	HEX_PATTERN
static int	IV_LENGTH
static String	LEGACY_FBKP_FQCN
static String	LEGACY_SKP_FQCN
private static org.slf4j.Logger	logger
private static String	RELATIVE_NIFI_PROPS_PATH
static String	STATIC_KEY_PROVIDER_CLASS_NAME
private static List<Integer>	UNLIMITED_KEY_LENGTHS

Constructor Summary

Constructors

Constructor and Description
CryptoUtils()

Method Summary

Modifier and Type	Method and Description
static byte[]	concatByteArrays(byte[]... arrays) Concatenates multiple byte[] into a single byte[].
static boolean	constantTimeEquals(byte[] a, byte[] b) Returns true if the two parameters are equal.
static boolean	constantTimeEquals(char[] a, char[] b) Returns true if the two parameters are equal.
static boolean	constantTimeEquals(String a, String b) Returns true if the two parameters are equal.
private static byte[]	convertCharsToBytes(char[] chars) Returns a byte[] containing the value of the provided char[] without using new String(chars).getBytes() which would put sensitive data (the password) in the String pool.
static String	extractKeyFromBootstrapFile() Returns the key (if any) used to encrypt sensitive properties, extracted from $NIFI_HOME/conf/bootstrap.conf.
static String	extractKeyFromBootstrapFile(String bootstrapPath) Returns the key (if any) used to encrypt sensitive properties, extracted from $NIFI_HOME/conf/bootstrap.conf.
static SecretKey	formKeyFromHex(String keyHex) Returns a SecretKey formed from the hexadecimal key bytes (validity is checked).
static String	getDefaultFilePath() Returns the default file path to $NIFI_HOME/conf/nifi.properties.
static SecretKey	getMasterKey() Returns the master key from the bootstrap.conf file used to encrypt various sensitive properties and data encryption keys.
(package private) static String	handleLegacyPackages(String implementationClassName)
static boolean	isEmpty(String src) Utility method which returns true if the string is null, empty, or entirely whitespace.
static boolean	isHexString(String hexString) Returns true if the input is valid hexadecimal (does not enforce length and is case-insensitive).
static boolean	isUnlimitedStrengthCryptoAvailable()
static boolean	isValidKeyProvider(String keyProviderImplementation, String keyProviderLocation, String keyId, Map<String,String> encryptionKeys) Returns true if the provided configuration values successfully define the specified KeyProvider.
static boolean	isValidRepositoryEncryptionConfiguration(RepositoryEncryptionConfiguration rec) Returns true if the provided configuration values are valid (shallow evaluation only; does not validate the keys contained in a FileBasedKeyProvider).
static boolean	keyIsValid(String encryptionKeyHex) Returns true if the provided key is valid hex and is the correct length for the current system's JCE policies.
static Map<String,SecretKey>	readKeys(String filepath, SecretKey masterKey) Returns a map containing the key IDs and the parsed key from a key provider definition file.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

STATIC_KEY_PROVIDER_CLASS_NAME

public static final String STATIC_KEY_PROVIDER_CLASS_NAME

See Also:

Constant Field Values

FILE_BASED_KEY_PROVIDER_CLASS_NAME

public static final String FILE_BASED_KEY_PROVIDER_CLASS_NAME

See Also:

Constant Field Values

LEGACY_SKP_FQCN

public static final String LEGACY_SKP_FQCN

See Also:

Constant Field Values

LEGACY_FBKP_FQCN

public static final String LEGACY_FBKP_FQCN

See Also:

Constant Field Values

RELATIVE_NIFI_PROPS_PATH

private static final String RELATIVE_NIFI_PROPS_PATH

See Also:

Constant Field Values

BOOTSTRAP_KEY_PREFIX

private static final String BOOTSTRAP_KEY_PREFIX

See Also:

Constant Field Values

HEX_PATTERN

private static final Pattern HEX_PATTERN

UNLIMITED_KEY_LENGTHS

private static final List<Integer> UNLIMITED_KEY_LENGTHS

IV_LENGTH

public static final int IV_LENGTH

See Also:

Constant Field Values

ENCRYPTED_FSR_CLASS_NAME

public static final String ENCRYPTED_FSR_CLASS_NAME

See Also:

Constant Field Values

EWAFFR_CLASS_NAME

public static final String EWAFFR_CLASS_NAME

See Also:

Constant Field Values

Constructor Detail

CryptoUtils

public CryptoUtils()

Method Detail

isUnlimitedStrengthCryptoAvailable

public static boolean isUnlimitedStrengthCryptoAvailable()

isEmpty

public static boolean isEmpty(String src)

Utility method which returns true if the string is null, empty, or entirely whitespace.

Parameters:

src - the string to evaluate

Returns:

true if empty

concatByteArrays

public static byte[] concatByteArrays(byte[]... arrays)
                               throws IOException

Concatenates multiple byte[] into a single byte[].

Parameters:

arrays - the component byte[] in order

Returns:

a concatenated byte[]

Throws:

IOException - this should never be thrown

isValidRepositoryEncryptionConfiguration

public static boolean isValidRepositoryEncryptionConfiguration(RepositoryEncryptionConfiguration rec)

Returns true if the provided configuration values are valid (shallow evaluation only; does not validate the keys contained in a FileBasedKeyProvider).

Parameters:

rec - the configuration to validate

Returns:

true if the config is valid

isValidKeyProvider

public static boolean isValidKeyProvider(String keyProviderImplementation,
                                         String keyProviderLocation,
                                         String keyId,
                                         Map<String,String> encryptionKeys)

Returns true if the provided configuration values successfully define the specified KeyProvider.

Parameters:

keyProviderImplementation - the FQ class name of the KeyProvider implementation

keyProviderLocation - the location of the definition (for FileBasedKeyProvider, etc.)

keyId - the active key ID

encryptionKeys - a map of key IDs to key material in hex format

Returns:

true if the provided configuration is valid

handleLegacyPackages

static String handleLegacyPackages(String implementationClassName)
                            throws KeyManagementException

Throws:

KeyManagementException

keyIsValid

public static boolean keyIsValid(String encryptionKeyHex)

Returns true if the provided key is valid hex and is the correct length for the current system's JCE policies.

Parameters:

encryptionKeyHex - the key in hexadecimal

Returns:

true if this key is valid

isHexString

public static boolean isHexString(String hexString)

Returns true if the input is valid hexadecimal (does not enforce length and is case-insensitive).

Parameters:

hexString - the string to evaluate

Returns:

true if the string is valid hex

formKeyFromHex

public static SecretKey formKeyFromHex(String keyHex)
                                throws KeyManagementException

Returns a SecretKey formed from the hexadecimal key bytes (validity is checked).

Parameters:

keyHex - the key in hex form

Returns:

the SecretKey

Throws:

KeyManagementException

readKeys

public static Map<String,SecretKey> readKeys(String filepath,
                                             SecretKey masterKey)
                                      throws KeyManagementException

Returns a map containing the key IDs and the parsed key from a key provider definition file. The values in the file are decrypted using the master key provided. If the file is missing or empty, cannot be read, or if no valid keys are read, a KeyManagementException will be thrown.

Parameters:

filepath - the key definition file path

masterKey - the master key used to decrypt each key definition

Returns:

a Map of key IDs to SecretKeys

Throws:

KeyManagementException - if the file is missing or invalid

getMasterKey

public static SecretKey getMasterKey()
                              throws KeyManagementException

Returns the master key from the bootstrap.conf file used to encrypt various sensitive properties and data encryption keys.

Returns:

the master key

Throws:

KeyManagementException - if the key cannot be read

extractKeyFromBootstrapFile

public static String extractKeyFromBootstrapFile()
                                          throws IOException

Returns the key (if any) used to encrypt sensitive properties, extracted from $NIFI_HOME/conf/bootstrap.conf.

Returns:

the key in hexadecimal format

Throws:

IOException - if the file is not readable

extractKeyFromBootstrapFile

public static String extractKeyFromBootstrapFile(String bootstrapPath)
                                          throws IOException

Returns the key (if any) used to encrypt sensitive properties, extracted from $NIFI_HOME/conf/bootstrap.conf.

Parameters:

bootstrapPath - the path to the bootstrap file

Returns:

the key in hexadecimal format

Throws:

IOException - if the file is not readable

getDefaultFilePath

public static String getDefaultFilePath()

Returns the default file path to $NIFI_HOME/conf/nifi.properties. If the system property nifi.properties.file.path is not set, it will be set to the relative path conf/nifi.properties.

Returns:

the path to the nifi.properties file

constantTimeEquals

public static boolean constantTimeEquals(String a,
                                         String b)

Returns true if the two parameters are equal. This method is null-safe and evaluates the equality in constant-time rather than "short-circuiting" on the first inequality. This prevents timing attacks (side channel attacks) when comparing passwords or hash values.

Parameters:

a - a String to compare

b - a String to compare

Returns:

true if the values are equal

constantTimeEquals

public static boolean constantTimeEquals(char[] a,
                                         char[] b)

Returns true if the two parameters are equal. This method is null-safe and evaluates the equality in constant-time rather than "short-circuiting" on the first inequality. This prevents timing attacks (side channel attacks) when comparing passwords or hash values. Does not convert the character arrays to Strings when converting to byte[] to avoid putting sensitive data in the String pool.

Parameters:

a - a char[] to compare

b - a char[] to compare

Returns:

true if the values are equal

constantTimeEquals

public static boolean constantTimeEquals(byte[] a,
                                         byte[] b)

Returns true if the two parameters are equal. This method is null-safe and evaluates the equality in constant-time rather than "short-circuiting" on the first inequality. This prevents timing attacks (side channel attacks) when comparing passwords or hash values.

Parameters:

a - a byte[] to compare

b - a byte[] to compare

Returns:

true if the values are equal

convertCharsToBytes

private static byte[] convertCharsToBytes(char[] chars)

Returns a byte[] containing the value of the provided char[] without using new String(chars).getBytes() which would put sensitive data (the password) in the String pool.

Parameters:

chars - the characters to convert

Returns:

the byte[]