org.apache.nifi.security.util.crypto

Class PasswordBasedEncryptor.DecryptCallback

java.lang.Object

org.apache.nifi.security.util.crypto.PasswordBasedEncryptor.DecryptCallback

All Implemented Interfaces:

StreamCallback

Enclosing class:

PasswordBasedEncryptor

private class PasswordBasedEncryptor.DecryptCallback
extends Object
implements StreamCallback

Field Summary

Fields

Modifier and Type	Field and Description
private static boolean	DECRYPT
private static int	RETRY_LIMIT_LENGTH

Constructor Summary

Constructors

Constructor and Description
DecryptCallback()

Method Summary

Modifier and Type	Method and Description
protected void	handleBcryptDecryption(BcryptCipherProvider bcryptCipherProvider, ByteCountingInputStream bcis, ByteCountingOutputStream bcos, byte[] salt, int keyLength, Cipher cipher, byte[] iv, String password) Handles the Bcrypt decryption separately, as the Bcrypt key derivation process changed during NiFi 1.12.0 and some cipher texts encrypted with a legacy key may need to be decrypted.
void	process(InputStream in, OutputStream out)
protected boolean	shouldAttemptLegacyDecrypt(ProcessException e, long bytesConsumed) Returns true if the Bcrypt decryption failed for reasons that might be resolved by attempting a second decryption using the legacy key derivation process.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DECRYPT

private static final boolean DECRYPT

See Also:

Constant Field Values

RETRY_LIMIT_LENGTH

private static final int RETRY_LIMIT_LENGTH

See Also:

Constant Field Values

Constructor Detail

DecryptCallback

public DecryptCallback()

Method Detail

process

public void process(InputStream in,
                    OutputStream out)
             throws IOException

Specified by:

process in interface StreamCallback

Throws:

IOException

handleBcryptDecryption

protected void handleBcryptDecryption(BcryptCipherProvider bcryptCipherProvider,
                                      ByteCountingInputStream bcis,
                                      ByteCountingOutputStream bcos,
                                      byte[] salt,
                                      int keyLength,
                                      Cipher cipher,
                                      byte[] iv,
                                      String password)
                               throws IOException,
                                      ProcessException

Handles the Bcrypt decryption separately, as the Bcrypt key derivation process changed during NiFi 1.12.0 and some cipher texts encrypted with a legacy key may need to be decrypted. This method attempts to decrypt normally, and if certain conditions are met (the cipher text is under 10 MiB and the failure was specifically due to the wrong key), the legacy key derivation is used to make a second attempt.

Parameters:

bcryptCipherProvider - the cipher provider

bcis - the input stream (cipher text)

bcos - the output stream to write the plaintext to

salt - the salt

keyLength - the key length to derive in bits

cipher - the initial cipher object

iv - the IV

password - the password

Throws:

IOException - if there is a problem reading/writing to the streams

ProcessException - if there is any other exception

shouldAttemptLegacyDecrypt

protected boolean shouldAttemptLegacyDecrypt(ProcessException e,
                                             long bytesConsumed)

Returns true if the Bcrypt decryption failed for reasons that might be resolved by attempting a second decryption using the legacy key derivation process.

Parameters:

e - the exception thrown during the initial decryption attempt

bytesConsumed - the number of bytes consumed from the cipher text stream

Returns:

true if the legacy key derivation process should be attempted