org.apache.nifi.security.util.crypto

Class Argon2SecureHasher

java.lang.Object

org.apache.nifi.security.util.crypto.AbstractSecureHasher

org.apache.nifi.security.util.crypto.Argon2SecureHasher

All Implemented Interfaces:

SecureHasher

public class Argon2SecureHasher
extends AbstractSecureHasher

Provides an implementation of Argon2 for secure password hashing. This class is roughly based on Spring Security's implementation but does not include the full module in this utility module. This implementation uses Argon2id which provides a balance of protection against side-channel and memory attacks.

One critical difference is that this implementation uses a static universal salt unless instructed otherwise, which provides strict determinism across nodes in a cluster. The purpose for this is to allow for blind equality comparison of sensitive values hashed on different nodes (with potentially different nifi.sensitive.props.key values) during flow inheritance (see FingerprintFactory).

Field Summary

Fields

Modifier and Type	Field and Description
private static int	DEFAULT_HASH_LENGTH
static int	DEFAULT_ITERATIONS
static int	DEFAULT_MEMORY
static int	DEFAULT_PARALLELISM
private static int	DEFAULT_SALT_LENGTH
private Integer	hashLength
private Integer	iterations
private static org.slf4j.Logger	logger
private static int	MAX_PARALLELISM
private Integer	memory
private static int	MIN_HASH_LENGTH
private static int	MIN_ITERATIONS
private static int	MIN_MEMORY_SIZE_KB
private static int	MIN_PARALLELISM
private static int	MIN_SALT_LENGTH
private int	parallelism

Fields inherited from class org.apache.nifi.security.util.crypto.AbstractSecureHasher

saltLength, UPPER_BOUNDARY

Constructor Summary

Constructors

Constructor and Description
Argon2SecureHasher() Instantiates an Argon2 secure hasher using the default cost parameters (hashLength = DEFAULT_HASH_LENGTH, memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS).
Argon2SecureHasher(Integer hashLength) Instantiates an Argon2 secure hasher using the provided hash length and default cost parameters (memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS).
Argon2SecureHasher(Integer hashLength, Integer memory, int parallelism, Integer iterations) Instantiates an Argon2 secure hasher using the provided cost parameters.
Argon2SecureHasher(Integer hashLength, Integer memory, int parallelism, Integer iterations, Integer saltLength) Instantiates an Argon2 secure hasher using the provided cost parameters.

Method Summary

Modifier and Type	Method and Description
(package private) boolean	acceptsEmptyInput() Returns true if the algorithm can accept empty (non-null) inputs.
(package private) String	getAlgorithmName() Returns the algorithm-specific name for logging and messages.
(package private) int	getDefaultSaltLength() Returns the algorithm-specific default salt length in bytes.
(package private) int	getMaxSaltLength() Returns the algorithm-specific maximum salt length in bytes.
(package private) int	getMinSaltLength() Returns the algorithm-specific minimum salt length in bytes.
(package private) byte[]	hash(byte[] input) Internal method to hash the raw bytes.
(package private) byte[]	hash(byte[] input, byte[] rawSalt) Internal method to hash the raw bytes.
static boolean	isHashLengthValid(Integer hashLength) Returns whether the provided hash length is within boundaries.
static boolean	isIterationsValid(Integer iterations) Returns whether the provided iteration count is within boundaries.
static boolean	isMemorySizeValid(Integer memory) Returns whether the provided memory size is within boundaries.
static boolean	isParallelismValid(int parallelism) Returns whether the provided parallelization factor is within boundaries.
private void	validateParameters(Integer hashLength, Integer memory, int parallelism, Integer iterations, Integer saltLength) Enforces valid Argon2 secure hasher cost parameters are provided.

Methods inherited from class org.apache.nifi.security.util.crypto.AbstractSecureHasher

getSalt, hashBase64, hashBase64, hashHex, hashHex, hashRaw, hashRaw, initializeSalt, isSaltLengthValid, isUsingStaticSalt

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

DEFAULT_HASH_LENGTH

private static final int DEFAULT_HASH_LENGTH

See Also:

Constant Field Values

DEFAULT_PARALLELISM

public static final int DEFAULT_PARALLELISM

See Also:

Constant Field Values

DEFAULT_MEMORY

public static final int DEFAULT_MEMORY

See Also:

Constant Field Values

DEFAULT_ITERATIONS

public static final int DEFAULT_ITERATIONS

See Also:

Constant Field Values

DEFAULT_SALT_LENGTH

private static final int DEFAULT_SALT_LENGTH

See Also:

Constant Field Values

MIN_MEMORY_SIZE_KB

private static final int MIN_MEMORY_SIZE_KB

See Also:

Constant Field Values

MIN_PARALLELISM

private static final int MIN_PARALLELISM

See Also:

Constant Field Values

MAX_PARALLELISM

private static final int MAX_PARALLELISM

MIN_HASH_LENGTH

private static final int MIN_HASH_LENGTH

See Also:

Constant Field Values

MIN_ITERATIONS

private static final int MIN_ITERATIONS

See Also:

Constant Field Values

MIN_SALT_LENGTH

private static final int MIN_SALT_LENGTH

See Also:

Constant Field Values

hashLength

private final Integer hashLength

memory

private final Integer memory

parallelism

private final int parallelism

iterations

private final Integer iterations

Constructor Detail

Argon2SecureHasher

public Argon2SecureHasher()

Instantiates an Argon2 secure hasher using the default cost parameters (hashLength = DEFAULT_HASH_LENGTH, memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS). A static salt is also used.

Argon2SecureHasher

public Argon2SecureHasher(Integer hashLength)

Instantiates an Argon2 secure hasher using the provided hash length and default cost parameters (memory = DEFAULT_MEMORY, parallelism = DEFAULT_PARALLELISM, iterations = DEFAULT_ITERATIONS). A static salt is also used.

Parameters:

hashLength - the desired hash output length in bytes

Argon2SecureHasher

public Argon2SecureHasher(Integer hashLength,
                          Integer memory,
                          int parallelism,
                          Integer iterations)

Instantiates an Argon2 secure hasher using the provided cost parameters. A static DEFAULT_SALT_LENGTH byte salt will be generated on every hash request. Integer is used instead of int for parameters which have a max value of 2^32 - 1 to allow for unsigned integers exceeding Integer.MAX_VALUE.

Parameters:

hashLength - the output length in bytes (4 to 2^32 - 1)

memory - the integer number of KiB used (8p to 2^32 - 1)

parallelism - degree of parallelism (1 to 2^24 - 1)

iterations - number of iterations (1 to 2^32 - 1)

Argon2SecureHasher

public Argon2SecureHasher(Integer hashLength,
                          Integer memory,
                          int parallelism,
                          Integer iterations,
                          Integer saltLength)

Instantiates an Argon2 secure hasher using the provided cost parameters. A unique salt of the specified length will be generated on every hash request. Integer is used instead of int for parameters which have a max value of 2^32 - 1 to allow for unsigned integers exceeding Integer.MAX_VALUE.

Parameters:

hashLength - the output length in bytes (4 to 2^32 - 1)

memory - the integer number of KiB used (8p to 2^32 - 1)

parallelism - degree of parallelism (1 to 2^24 - 1)

iterations - number of iterations (1 to 2^32 - 1)

saltLength - the salt length in bytes 8 to 2^32 - 1)

Method Detail

validateParameters

private void validateParameters(Integer hashLength,
                                Integer memory,
                                int parallelism,
                                Integer iterations,
                                Integer saltLength)

Enforces valid Argon2 secure hasher cost parameters are provided.

Parameters:

hashLength - the output length in bytes (4 to 2^32 - 1)

memory - the integer number of KiB used (8p to 2^32 - 1)

parallelism - degree of parallelism (1 to 2^24 - 1)

iterations - number of iterations (1 to 2^32 - 1)

saltLength - the salt length in bytes 8 to 2^32 - 1)

getAlgorithmName

String getAlgorithmName()

Returns the algorithm-specific name for logging and messages.

Specified by:

getAlgorithmName in class AbstractSecureHasher

Returns:

the algorithm name

acceptsEmptyInput

boolean acceptsEmptyInput()

Returns true if the algorithm can accept empty (non-null) inputs.

Specified by:

acceptsEmptyInput in class AbstractSecureHasher

Returns:

the true if "" is allowable input

isHashLengthValid

public static boolean isHashLengthValid(Integer hashLength)

Returns whether the provided hash length is within boundaries. The lower bound >= 4 and the upper bound <= 2^32 - 1.

Parameters:

hashLength - the output length in bytes

Returns:

true if hashLength is within boundaries

isMemorySizeValid

public static boolean isMemorySizeValid(Integer memory)

Returns whether the provided memory size is within boundaries. The lower bound >= 8 and the upper bound <= 2^32 - 1.

Parameters:

memory - the integer number of KiB used

Returns:

true if memory is within boundaries

isParallelismValid

public static boolean isParallelismValid(int parallelism)

Returns whether the provided parallelization factor is within boundaries. The lower bound >= 1 and the upper bound <= 2^24 - 1.

Parameters:

parallelism - degree of parallelism

Returns:

true if parallelism is within boundaries

isIterationsValid

public static boolean isIterationsValid(Integer iterations)

Returns whether the provided iteration count is within boundaries. The lower bound >= 1 and the upper bound <= 2^32 - 1.

Parameters:

iterations - number of iterations

Returns:

true if iterations is within boundaries

getDefaultSaltLength

int getDefaultSaltLength()

Returns the algorithm-specific default salt length in bytes.

Specified by:

getDefaultSaltLength in class AbstractSecureHasher

Returns:

the default salt length

getMinSaltLength

int getMinSaltLength()

Returns the algorithm-specific minimum salt length in bytes.

Specified by:

getMinSaltLength in class AbstractSecureHasher

Returns:

the min salt length

getMaxSaltLength

int getMaxSaltLength()

Returns the algorithm-specific maximum salt length in bytes.

Specified by:

getMaxSaltLength in class AbstractSecureHasher

Returns:

the max salt length

hash

byte[] hash(byte[] input)

Internal method to hash the raw bytes.

Specified by:

hash in class AbstractSecureHasher

Parameters:

input - the raw bytes to hash (can be length 0)

Returns:

the generated hash

hash

byte[] hash(byte[] input,
            byte[] rawSalt)

Internal method to hash the raw bytes.

Specified by:

hash in class AbstractSecureHasher

Parameters:

input - the raw bytes to hash (can be length 0)

rawSalt - the raw bytes to salt

Returns:

the generated hash