NIFI-11696 Upgraded Bouncy Castle from 1.71 to 1.74

- Adjusted nifi-repository-encryption to remove dependency on Bouncy Castle Provider
- Updated Google Cloud Provider dependencies to remove exclusions and dependencies on Bouncy Castle that no longer apply to current versions

Signed-off-by: Matt Burgess <mattyb149@apache.org>

This closes #7384
exceptionfactory 2023-06-14 15:59:25 -05:00 committed by Matt Burgess
parent 6a129be114
commit 6b19ab8eaa
9 changed files with 15 additions and 75 deletions


@ -65,23 +65,7 @@
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
</exclusion> </exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
</dependency>
</dependencies> </dependencies>
</project> </project>


@ -38,8 +38,8 @@
<version>2.0.0-SNAPSHOT</version> <version>2.0.0-SNAPSHOT</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.bouncycastle</groupId> <groupId>commons-codec</groupId>
<artifactId>bcprov-jdk18on</artifactId> <artifactId>commons-codec</artifactId>
</dependency> </dependency>
</dependencies> </dependencies>
</project> </project>


@ -20,7 +20,6 @@ import org.apache.nifi.repository.encryption.configuration.EncryptionMetadataHea
import org.apache.nifi.repository.encryption.configuration.RepositoryEncryptionMethod; import org.apache.nifi.repository.encryption.configuration.RepositoryEncryptionMethod;
import org.apache.nifi.repository.encryption.metadata.RecordMetadata; import org.apache.nifi.repository.encryption.metadata.RecordMetadata;
import org.apache.nifi.security.kms.KeyProvider; import org.apache.nifi.security.kms.KeyProvider;
import org.bouncycastle.util.Arrays;
import javax.crypto.Cipher; import javax.crypto.Cipher;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
@ -74,9 +73,17 @@ public class AesGcmByteArrayRepositoryEncryptor extends AesSecretKeyRepositoryEn
try { try {
final byte[] encryptedRecord = cipher.doFinal(record); final byte[] encryptedRecord = cipher.doFinal(record);
final byte[] serializedMetadata = getMetadata(keyId, cipher.getIV(), encryptedRecord.length); final byte[] serializedMetadata = getMetadata(keyId, cipher.getIV(), encryptedRecord.length);
return Arrays.concatenate(serializedMetadata, encryptedRecord); return concatenate(serializedMetadata, encryptedRecord);
} catch (final GeneralSecurityException e) { } catch (final GeneralSecurityException e) {
throw new RepositoryEncryptionException(String.format("Encryption Failed for Record ID [%s]", recordId), e); throw new RepositoryEncryptionException(String.format("Encryption Failed for Record ID [%s]", recordId), e);
} }
} }
private byte[] concatenate(final byte[] serializedMetadata, final byte[] encryptedRecord) {
final int concatenatedLength = serializedMetadata.length + encryptedRecord.length;
final byte[] concatenated = new byte[concatenatedLength];
System.arraycopy(serializedMetadata, 0, concatenated, 0, serializedMetadata.length);
System.arraycopy(encryptedRecord, 0, concatenated, serializedMetadata.length, encryptedRecord.length);
return concatenated;
}
} }
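Review bot: The new `concatenate` helper at the end of the hunk reads no instance state and carries no Javadoc, so it should be declared `private static byte[] concatenate(final byte[] serializedMetadata, final byte[] encryptedRecord)` and documented. A comment such as `/** Returns the serialized metadata header immediately followed by the cipher output; the order is the record layout, presumably parsed back by the matching decrypt path (confirm). */` would tell a maintainer why the two `System.arraycopy` calls must stay in that order. Unlike the Bouncy Castle `Arrays.concatenate` it replaces, this version throws on a null argument; that looks acceptable because both inputs come from `getMetadata` and `cipher.doFinal`, but it is worth stating in the Javadoc. The enclosing `encrypt` method starts before the hunk.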


@ -16,6 +16,8 @@
*/ */
package org.apache.nifi.repository.encryption.configuration.kms; package org.apache.nifi.repository.encryption.configuration.kms;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType; import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType;
import org.apache.nifi.security.kms.KeyProvider; import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.kms.KeyProviderFactory; import org.apache.nifi.security.kms.KeyProviderFactory;
@ -29,8 +31,6 @@ import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.NiFiBootstrapUtils; import org.apache.nifi.util.NiFiBootstrapUtils;
import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils; import org.apache.nifi.util.StringUtils;
import org.bouncycastle.util.encoders.DecoderException;
import org.bouncycastle.util.encoders.Hex;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
@ -140,7 +140,7 @@ public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProvid
private static SecretKey getRootKey() { private static SecretKey getRootKey() {
try { try {
String rootKeyHex = NiFiBootstrapUtils.extractKeyFromBootstrapFile(); String rootKeyHex = NiFiBootstrapUtils.extractKeyFromBootstrapFile();
return new SecretKeySpec(Hex.decode(rootKeyHex), ROOT_KEY_ALGORITHM); return new SecretKeySpec(Hex.decodeHex(rootKeyHex), ROOT_KEY_ALGORITHM);
} catch (final IOException | DecoderException e) { } catch (final IOException | DecoderException e) {
throw new EncryptedConfigurationException("Read Root Key from Bootstrap Failed", e); throw new EncryptedConfigurationException("Read Root Key from Bootstrap Failed", e);
} }
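Review bot: `Hex.decodeHex` on the new side of the `getRootKey` hunk is stricter than the Bouncy Castle `Hex.decode` it replaces: commons-codec throws `DecoderException` on an odd number of characters and on any non-hex character, including whitespace, which the Bouncy Castle decoder skipped if I recall its `HexEncoder` correctly. A bootstrap key with a trailing space or newline that used to load would now fail with "Read Root Key from Bootstrap Failed", unless `extractKeyFromBootstrapFile` already trims, which is not visible here. Either trim before decoding, `return new SecretKeySpec(Hex.decodeHex(rootKeyHex.trim()), ROOT_KEY_ALGORITHM);`, or keep the strict behavior deliberately and add a comment such as `// commons-codec rejects whitespace and odd-length input; the bootstrap key must be exact hex`, since failing fast on malformed key material is arguably preferable to silently accepting it. The catch clause is correctly widened because the commons-codec `DecoderException` is a checked exception. The method's closing brace lies outside the hunk.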


@ -51,24 +51,8 @@
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
</exclusion> </exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
</dependency>
<dependency> <dependency>
<groupId>com.google.auth</groupId> <groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId> <artifactId>google-auth-library-oauth2-http</artifactId>


@ -125,24 +125,8 @@
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
</exclusion> </exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
</dependency>
<dependency> <dependency>
<groupId>com.google.cloud</groupId> <groupId>com.google.cloud</groupId>
<artifactId>google-cloud-pubsublite</artifactId> <artifactId>google-cloud-pubsublite</artifactId>
@ -151,14 +135,6 @@
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
</exclusion> </exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency> <dependency>
@ -208,14 +184,6 @@
<groupId>commons-logging</groupId> <groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId> <artifactId>commons-logging</artifactId>
</exclusion> </exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
</dependencies> </dependencies>


@ -35,7 +35,6 @@
<dependency> <dependency>
<groupId>org.bouncycastle</groupId> <groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId> <artifactId>bcprov-jdk18on</artifactId>
<version>${org.bouncycastle.version}</version>
</dependency> </dependency>
</dependencies> </dependencies>
</project> </project>


@ -26,12 +26,10 @@
<dependency> <dependency>
<groupId>org.bouncycastle</groupId> <groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId> <artifactId>bcprov-jdk18on</artifactId>
<version>${org.bouncycastle.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.bouncycastle</groupId> <groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId> <artifactId>bcpkix-jdk18on</artifactId>
<version>${org.bouncycastle.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>


@ -116,7 +116,7 @@
<org.apache.commons.text.version>1.10.0</org.apache.commons.text.version> <org.apache.commons.text.version>1.10.0</org.apache.commons.text.version>
<org.apache.httpcomponents.httpclient.version>4.5.14</org.apache.httpcomponents.httpclient.version> <org.apache.httpcomponents.httpclient.version>4.5.14</org.apache.httpcomponents.httpclient.version>
<org.apache.httpcomponents.httpcore.version>4.4.16</org.apache.httpcomponents.httpcore.version> <org.apache.httpcomponents.httpcore.version>4.4.16</org.apache.httpcomponents.httpcore.version>
<org.bouncycastle.version>1.71</org.bouncycastle.version> <org.bouncycastle.version>1.74</org.bouncycastle.version>
<testcontainers.version>1.18.3</testcontainers.version> <testcontainers.version>1.18.3</testcontainers.version>
<org.slf4j.version>2.0.7</org.slf4j.version> <org.slf4j.version>2.0.7</org.slf4j.version>
<ranger.version>2.4.0</ranger.version> <ranger.version>2.4.0</ranger.version>