org.apache.nifi.security.util.crypto

Class Argon2SecureHasher

java.lang.Object

org.apache.nifi.security.util.crypto.Argon2SecureHasher

All Implemented Interfaces:

SecureHasher

public class Argon2SecureHasher
extends Object
implements SecureHasher

Provides an implementation of Argon2 for secure password hashing. This class is roughly based on Spring Security's implementation but does not include the full module in this utility module. This implementation uses Argon2id which provides a balance of protection against side-channel and memory attacks.

One critical difference is that this implementation uses a static universal salt unless instructed otherwise, which provides strict determinism across nodes in a cluster. The purpose for this is to allow for blind equality comparison of sensitive values hashed on different nodes (with potentially different nifi.sensitive.props.key values) during flow inheritance (see FingerprintFactory).

Field Summary

Fields

Modifier and Type	Field and Description
private static int	DEFAULT_HASH_LENGTH
private static int	DEFAULT_ITERATIONS
private static int	DEFAULT_MEMORY
private static int	DEFAULT_PARALLELISM
private int	hashLength
private int	iterations
private static org.slf4j.Logger	logger
private int	memory
private int	parallelism
private int	saltLength
private static byte[]	staticSalt
private boolean	usingStaticSalt

Constructor Summary

Constructors

Constructor and Description
Argon2SecureHasher() Instantiates an Argon2 secure hasher using the default cost parameters (hashLength = DEFAULT_HASH_LENGTH, memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS).
Argon2SecureHasher(int hashLength, int memory, int parallelism, int iterations) Instantiates an Argon2 secure hasher using the provided cost parameters.
Argon2SecureHasher(int hashLength, int memory, int parallelism, int iterations, int saltLength) Instantiates an Argon2 secure hasher using the provided cost parameters.

Method Summary

Modifier and Type	Method and Description
(package private) byte[]	getSalt() Returns a salt to use.
private byte[]	hash(byte[] input) Internal method to hash the raw bytes.
String	hashBase64(String input) Returns a String representation of Argon2(input) in Base 64-encoded format.
String	hashHex(String input) Returns a String representation of Argon2(input) in hex-encoded format.
byte[]	hashRaw(byte[] input) Returns a byte[] representation of Argon2(input).
boolean	isUsingStaticSalt() Returns true if this instance is configured to use a static salt.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

DEFAULT_HASH_LENGTH

private static final int DEFAULT_HASH_LENGTH

See Also:

Constant Field Values

DEFAULT_PARALLELISM

private static final int DEFAULT_PARALLELISM

See Also:

Constant Field Values

DEFAULT_MEMORY

private static final int DEFAULT_MEMORY

See Also:

Constant Field Values

DEFAULT_ITERATIONS

private static final int DEFAULT_ITERATIONS

See Also:

Constant Field Values

hashLength

private final int hashLength

memory

private final int memory

parallelism

private final int parallelism

iterations

private final int iterations

saltLength

private final int saltLength

usingStaticSalt

private final boolean usingStaticSalt

staticSalt

private static final byte[] staticSalt

Constructor Detail

Argon2SecureHasher

public Argon2SecureHasher()

Instantiates an Argon2 secure hasher using the default cost parameters (hashLength = DEFAULT_HASH_LENGTH, memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS). A static salt is also used.

Argon2SecureHasher

public Argon2SecureHasher(int hashLength,
                          int memory,
                          int parallelism,
                          int iterations)

Instantiates an Argon2 secure hasher using the provided cost parameters. A unique #DEFAULT_SALT_LENGTH byte salt will be generated on every hash request.

Parameters:

hashLength - the output length in bytes (4 to 2^32 - 1)

memory - the integer number of KB used (8p to 2^32 - 1)

parallelism - degree of parallelism (1 to 2^24 - 1)

iterations - number of iterations (1 to 2^32 - 1)

Argon2SecureHasher

public Argon2SecureHasher(int hashLength,
                          int memory,
                          int parallelism,
                          int iterations,
                          int saltLength)

Instantiates an Argon2 secure hasher using the provided cost parameters. A unique salt of the specified length will be generated on every hash request.

Parameters:

hashLength - the output length in bytes (4 to 2^32 - 1)

memory - the integer number of KB used (8p to 2^32 - 1)

parallelism - degree of parallelism (1 to 2^24 - 1)

iterations - number of iterations (1 to 2^32 - 1)

saltLength - the salt length in bytes 8 to 2^32 - 1)

Method Detail

isUsingStaticSalt

public boolean isUsingStaticSalt()

Returns true if this instance is configured to use a static salt.

Returns:

true if all hashes will be generated using a static salt

getSalt

byte[] getSalt()

Returns a salt to use. If using a static salt (see isUsingStaticSalt()), this return value will be identical across every invocation. If using a dynamic salt, it will be saltLength bytes of a securely-generated random value.

Returns:

the salt value

hashHex

public String hashHex(String input)

Returns a String representation of Argon2(input) in hex-encoded format.

Specified by:

hashHex in interface SecureHasher

Parameters:

input - the input

Returns:

the hex-encoded hash

hashBase64

public String hashBase64(String input)

Returns a String representation of Argon2(input) in Base 64-encoded format.

Specified by:

hashBase64 in interface SecureHasher

Parameters:

input - the input

Returns:

the Base 64-encoded hash

hashRaw

public byte[] hashRaw(byte[] input)

Returns a byte[] representation of Argon2(input).

Specified by:

hashRaw in interface SecureHasher

Parameters:

input - the input

Returns:

the hash

hash

private byte[] hash(byte[] input)

Internal method to hash the raw bytes.

Parameters:

input - the raw bytes to hash (can be length 0)

Returns:

the generated hash