org.apache.nifi.security.util.crypto

Class Argon2CipherProvider

java.lang.Object

org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider

org.apache.nifi.security.util.crypto.Argon2CipherProvider

All Implemented Interfaces:

CipherProvider, PBECipherProvider

public class Argon2CipherProvider
extends RandomIVPBECipherProvider

Field Summary

Fields

Modifier and Type	Field and Description
private static Pattern	ARGON2_SALT_FORMAT
private static int	DEFAULT_ITERATIONS
private static int	DEFAULT_MEMORY
private static int	DEFAULT_PARALLELISM
private static int	DEFAULT_SALT_LENGTH
private Integer	iterations
private static org.slf4j.Logger	logger
private Integer	memory
private int	parallelism

Fields inherited from class org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider

IV_DELIMITER, MAX_IV_LIMIT, MAX_SALT_LIMIT, SALT_DELIMITER

Constructor Summary

Constructors

Constructor and Description
Argon2CipherProvider() Instantiates an Argon2 cipher provider using the default cost parameters memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS).
Argon2CipherProvider(Integer memory, int parallelism, Integer iterations) Instantiates an Argon2 cipher provider using the provided cost parameters.

Method Summary

Modifier and Type	Method and Description
static byte[]	extractRawSaltFromArgon2Salt(String argon2Salt) Returns the raw salt contained in the provided Argon2 salt string.
static String	formSalt(byte[] rawSalt, int memory, int iterations, int parallelism) Returns the formatted Argon2 salt string given the provided parameters.
byte[]	generateSalt() Returns a random salt suitable for this cipher provider.
Cipher	getCipher(EncryptionMethod encryptionMethod, String password, byte[] salt, byte[] iv, int keyLength, boolean encryptMode) Returns an initialized cipher for the specified algorithm.
Cipher	getCipher(EncryptionMethod encryptionMethod, String password, byte[] salt, int keyLength, boolean encryptMode) Returns an initialized cipher for the specified algorithm.
int	getDefaultSaltLength() Returns the default salt length for this implementation.
protected Cipher	getInitializedCipher(EncryptionMethod encryptionMethod, String password, byte[] salt, byte[] iv, int keyLength, boolean encryptMode)
protected int	getIterations()
(package private) org.slf4j.Logger	getLogger()
protected int	getMemory()
protected int	getParallelism()
static boolean	isArgon2FormattedSalt(String salt) Returns true if the salt string is a valid Argon2 salt string ($argon2id$v=19$m=4096,t=3,p=1$abcdefghi..{22}).
private void	parseSalt(String argon2Salt, byte[] rawSalt, List<Integer> params)

Methods inherited from class org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider

readIV, readSalt, writeIV, writeSalt

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

DEFAULT_PARALLELISM

private static final int DEFAULT_PARALLELISM

See Also:

Constant Field Values

DEFAULT_MEMORY

private static final int DEFAULT_MEMORY

See Also:

Constant Field Values

DEFAULT_ITERATIONS

private static final int DEFAULT_ITERATIONS

See Also:

Constant Field Values

DEFAULT_SALT_LENGTH

private static final int DEFAULT_SALT_LENGTH

See Also:

Constant Field Values

memory

private final Integer memory

parallelism

private final int parallelism

iterations

private final Integer iterations

ARGON2_SALT_FORMAT

private static final Pattern ARGON2_SALT_FORMAT

Constructor Detail

Argon2CipherProvider

public Argon2CipherProvider()

Instantiates an Argon2 cipher provider using the default cost parameters memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS). A static salt is also used.

Argon2CipherProvider

public Argon2CipherProvider(Integer memory,
                            int parallelism,
                            Integer iterations)

Instantiates an Argon2 cipher provider using the provided cost parameters.

Parameters:

memory - the integer number of KiB used (8p to 2^32 - 1)

parallelism - degree of parallelism (1 to 2^24 - 1)

iterations - number of iterations (1 to 2^32 - 1)

Method Detail

getCipher

public Cipher getCipher(EncryptionMethod encryptionMethod,
                        String password,
                        byte[] salt,
                        byte[] iv,
                        int keyLength,
                        boolean encryptMode)
                 throws Exception

Returns an initialized cipher for the specified algorithm. The key is derived by the KDF of the implementation. The IV is provided externally to allow for non-deterministic IVs, as IVs deterministically derived from the password are a potential vulnerability and compromise semantic security. See Ilmari Karonen's answer on Crypto Stack Exchange

Specified by:

getCipher in class RandomIVPBECipherProvider

Parameters:

encryptionMethod - the EncryptionMethod

password - the secret input

salt - the complete salt (e.g. "$argon2id$v=19$m=1024,t=3,p=1$ftvICs8WpASuN3FnRIDcRA$eB912UtYgZjKdwK64V7pfmMiDbsaPK+hts6H6cSHl3I".getBytes(StandardCharsets.UTF_8))

iv - the IV

keyLength - the desired key length in bits

encryptMode - true for encrypt, false for decrypt

Returns:

the initialized cipher

Throws:

Exception - if there is a problem initializing the cipher

getLogger

org.slf4j.Logger getLogger()

Specified by:

getLogger in class RandomIVPBECipherProvider

getCipher

public Cipher getCipher(EncryptionMethod encryptionMethod,
                        String password,
                        byte[] salt,
                        int keyLength,
                        boolean encryptMode)
                 throws Exception

Returns an initialized cipher for the specified algorithm. The key (and IV if necessary) are derived by the KDF of the implementation.

The IV can be retrieved by the calling method using Cipher.getIV().

Parameters:

encryptionMethod - the EncryptionMethod

password - the secret input

salt - the complete salt (e.g. "$argon2id$v=19$m=1024,t=3,p=1$ftvICs8WpASuN3FnRIDcRA$eB912UtYgZjKdwK64V7pfmMiDbsaPK+hts6H6cSHl3I".getBytes(StandardCharsets.UTF_8))

keyLength - the desired key length in bits

encryptMode - true for encrypt, false for decrypt

Returns:

the initialized cipher

Throws:

Exception - if there is a problem initializing the cipher

getInitializedCipher

protected Cipher getInitializedCipher(EncryptionMethod encryptionMethod,
                                      String password,
                                      byte[] salt,
                                      byte[] iv,
                                      int keyLength,
                                      boolean encryptMode)
                               throws Exception

Throws:

Exception

extractRawSaltFromArgon2Salt

public static byte[] extractRawSaltFromArgon2Salt(String argon2Salt)

Returns the raw salt contained in the provided Argon2 salt string.

Parameters:

argon2Salt - the full Argon2 salt

Returns:

the raw salt decoded from Base64

isArgon2FormattedSalt

public static boolean isArgon2FormattedSalt(String salt)

Returns true if the salt string is a valid Argon2 salt string ($argon2id$v=19$m=4096,t=3,p=1$abcdefghi..{22}).

Parameters:

salt - the salt string to evaluate

Returns:

true if valid Argon2 salt

parseSalt

private void parseSalt(String argon2Salt,
                       byte[] rawSalt,
                       List<Integer> params)

generateSalt

public byte[] generateSalt()

Description copied from interface: PBECipherProvider

Returns a random salt suitable for this cipher provider.

Returns:

a random salt

See Also:

PBECipherProvider.getDefaultSaltLength()

formSalt

public static String formSalt(byte[] rawSalt,
                              int memory,
                              int iterations,
                              int parallelism)

Returns the formatted Argon2 salt string given the provided parameters.

$argon2id$v=19$m=4096,t=3,p=1$abcdefABCDEF0123456789

Parameters:

rawSalt - the salt bytes

memory - the memory cost in KiB

iterations - the iterations

parallelism - the parallelism factor

Returns:

the formatted salt string

getDefaultSaltLength

public int getDefaultSaltLength()

Description copied from interface: PBECipherProvider

Returns the default salt length for this implementation.

Returns:

the default salt length in bytes

getMemory

protected int getMemory()

getParallelism

protected int getParallelism()

getIterations

protected int getIterations()