From b30fbe1f3bb2996e048112482cae51c9deedfd20 Mon Sep 17 00:00:00 2001 From: Alan Jackoway Date: Fri, 21 Aug 2015 16:45:30 -0400 Subject: [PATCH] NIFI-888 EncryptContent for PGP Leaks File Handles. Closes InputStreams created to read the public keys for PGP encryption and several other streams involved in PGP encryptiong. This prevents NiFi from leaking file handles on every validate call or encryption attempt in the EncryptContent processor. --- .../util/OpenPGPKeyBasedEncryptor.java | 239 ++++++++++-------- 1 file changed, 137 insertions(+), 102 deletions(-) diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java index 60e3bf8034..2e7834e51c 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java @@ -85,49 +85,61 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor { /* * Validate secret keyring passphrase */ - public static boolean validateKeyring(String provider, String secretKeyringFile, char[] passphrase) throws IOException, + public static boolean validateKeyring(String provider, + String secretKeyringFile, char[] passphrase) throws IOException, PGPException, NoSuchProviderException { - PGPSecretKeyRingCollection pgpsec = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(Files.newInputStream(Paths - .get(secretKeyringFile)))); - Iterator ringit = pgpsec.getKeyRings(); - while (ringit.hasNext()) { - PGPSecretKeyRing secretkeyring = (PGPSecretKeyRing) ringit.next(); - PGPSecretKey secretkey = secretkeyring.getSecretKey(); - secretkey.extractPrivateKey(passphrase, provider); - return true; + try (InputStream fin = Files.newInputStream(Paths + .get(secretKeyringFile))) { + try (InputStream pin = PGPUtil.getDecoderStream(fin)) { + PGPSecretKeyRingCollection pgpsec = new PGPSecretKeyRingCollection( + pin); + Iterator ringit = pgpsec.getKeyRings(); + while (ringit.hasNext()) { + PGPSecretKeyRing secretkeyring = (PGPSecretKeyRing) ringit + .next(); + PGPSecretKey secretkey = secretkeyring.getSecretKey(); + secretkey.extractPrivateKey(passphrase, provider); + return true; + } + return false; + } } - return false; } /* * Get the public key for a specific user id from a keyring. */ @SuppressWarnings("rawtypes") - public static PGPPublicKey getPublicKey(String userId, String publicKeyring) throws IOException, PGPException { + public static PGPPublicKey getPublicKey(String userId, String publicKeyring) + throws IOException, PGPException { PGPPublicKey pubkey = null; - PGPPublicKeyRingCollection pgppub = new - PGPPublicKeyRingCollection(PGPUtil.getDecoderStream(Files.newInputStream(Paths.get(publicKeyring)))); + try (InputStream fin = Files.newInputStream(Paths.get(publicKeyring))) { + try (InputStream pin = PGPUtil.getDecoderStream(fin)) { + PGPPublicKeyRingCollection pgppub = new PGPPublicKeyRingCollection( + pin); - Iterator ringit = pgppub.getKeyRings(); - while (ringit.hasNext()) { - PGPPublicKeyRing kring = (PGPPublicKeyRing) ringit.next(); + Iterator ringit = pgppub.getKeyRings(); + while (ringit.hasNext()) { + PGPPublicKeyRing kring = (PGPPublicKeyRing) ringit.next(); - Iterator keyit = kring.getPublicKeys(); - while (keyit.hasNext()) { - pubkey = (PGPPublicKey) keyit.next(); - boolean userIdMatch = false; + Iterator keyit = kring.getPublicKeys(); + while (keyit.hasNext()) { + pubkey = (PGPPublicKey) keyit.next(); + boolean userIdMatch = false; - Iterator userit = pubkey.getUserIDs(); - while (userit.hasNext()) { - String id = userit.next().toString(); - if (id.contains(userId)) { - userIdMatch = true; - break; + Iterator userit = pubkey.getUserIDs(); + while (userit.hasNext()) { + String id = userit.next().toString(); + if (id.contains(userId)) { + userIdMatch = true; + break; + } + } + if (pubkey.isEncryptionKey() && userIdMatch) { + return pubkey; + } } } - if (pubkey.isEncryptionKey() && userIdMatch) { - return pubkey; - } } } return null; @@ -139,75 +151,88 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor { private String secretKeyring; private char[] passphrase; - OpenPGPDecryptCallback(final String provider, final String keyring, final char[] passphrase) { + OpenPGPDecryptCallback(final String provider, final String keyring, + final char[] passphrase) { this.provider = provider; this.secretKeyring = keyring; this.passphrase = passphrase; } @Override - public void process(InputStream in, OutputStream out) throws IOException { - InputStream pgpin = PGPUtil.getDecoderStream(in); - PGPObjectFactory pgpFactory = new PGPObjectFactory(pgpin); + public void process(InputStream in, OutputStream out) + throws IOException { + try (InputStream pgpin = PGPUtil.getDecoderStream(in)) { + PGPObjectFactory pgpFactory = new PGPObjectFactory(pgpin); - Object obj = pgpFactory.nextObject(); - if (!(obj instanceof PGPEncryptedDataList)) { - obj = pgpFactory.nextObject(); + Object obj = pgpFactory.nextObject(); if (!(obj instanceof PGPEncryptedDataList)) { - throw new ProcessException("Invalid OpenPGP data"); - } - } - PGPEncryptedDataList encList = (PGPEncryptedDataList) obj; - - PGPSecretKeyRingCollection pgpSecretKeyring; - try { - // open secret keyring file - pgpSecretKeyring = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(Files - .newInputStream(Paths.get(secretKeyring)))); - } catch (Exception e) { - throw new ProcessException("Invalid secret keyring - " + e.getMessage()); - } - - try { - PGPPrivateKey privateKey = null; - PGPPublicKeyEncryptedData encData = null; - - // find the secret key in the encrypted data - Iterator it = encList.getEncryptedDataObjects(); - while (privateKey == null && it.hasNext()) { - obj = it.next(); - if (!(obj instanceof PGPPublicKeyEncryptedData)) { + obj = pgpFactory.nextObject(); + if (!(obj instanceof PGPEncryptedDataList)) { throw new ProcessException("Invalid OpenPGP data"); } - encData = (PGPPublicKeyEncryptedData) obj; - PGPSecretKey secretkey = pgpSecretKeyring.getSecretKey(encData.getKeyID()); - if (secretkey != null) { - privateKey = secretkey.extractPrivateKey(passphrase, provider); + } + PGPEncryptedDataList encList = (PGPEncryptedDataList) obj; + + PGPSecretKeyRingCollection pgpSecretKeyring; + try { + // open secret keyring file + pgpSecretKeyring = new PGPSecretKeyRingCollection( + PGPUtil.getDecoderStream(Files.newInputStream(Paths + .get(secretKeyring)))); + } catch (Exception e) { + throw new ProcessException("Invalid secret keyring - " + + e.getMessage()); + } + + try { + PGPPrivateKey privateKey = null; + PGPPublicKeyEncryptedData encData = null; + + // find the secret key in the encrypted data + Iterator it = encList.getEncryptedDataObjects(); + while (privateKey == null && it.hasNext()) { + obj = it.next(); + if (!(obj instanceof PGPPublicKeyEncryptedData)) { + throw new ProcessException("Invalid OpenPGP data"); + } + encData = (PGPPublicKeyEncryptedData) obj; + PGPSecretKey secretkey = pgpSecretKeyring + .getSecretKey(encData.getKeyID()); + if (secretkey != null) { + privateKey = secretkey.extractPrivateKey( + passphrase, provider); + } + } + if (privateKey == null) { + throw new ProcessException( + "Secret keyring does not contain the key required to decrypt"); } - } - if (privateKey == null) { - throw new ProcessException("Secret keyring does not contain the key required to decrypt"); - } - InputStream clearData = encData.getDataStream(privateKey, provider); - PGPObjectFactory clearFactory = new PGPObjectFactory(clearData); + try (InputStream clearData = encData.getDataStream( + privateKey, provider)) { + PGPObjectFactory clearFactory = new PGPObjectFactory( + clearData); - obj = clearFactory.nextObject(); - if (obj instanceof PGPCompressedData) { - PGPCompressedData compData = (PGPCompressedData) obj; - clearFactory = new PGPObjectFactory(compData.getDataStream()); - obj = clearFactory.nextObject(); - } - PGPLiteralData literal = (PGPLiteralData) obj; + obj = clearFactory.nextObject(); + if (obj instanceof PGPCompressedData) { + PGPCompressedData compData = (PGPCompressedData) obj; + clearFactory = new PGPObjectFactory( + compData.getDataStream()); + obj = clearFactory.nextObject(); + } + PGPLiteralData literal = (PGPLiteralData) obj; - InputStream lis = literal.getInputStream(); - final byte[] buffer = new byte[4096]; - int len; - while ((len = lis.read(buffer)) >= 0) { - out.write(buffer, 0, len); + try (InputStream lis = literal.getInputStream()) { + final byte[] buffer = new byte[4096]; + int len; + while ((len = lis.read(buffer)) >= 0) { + out.write(buffer, 0, len); + } + } + } + } catch (Exception e) { + throw new ProcessException(e.getMessage()); } - } catch (Exception e) { - throw new ProcessException(e.getMessage()); } } @@ -231,43 +256,53 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor { } @Override - public void process(InputStream in, OutputStream out) throws IOException { + public void process(InputStream in, OutputStream out) + throws IOException { PGPPublicKey publicKey; try { publicKey = getPublicKey(userId, publicKeyring); } catch (Exception e) { - throw new ProcessException("Invalid public keyring - " + e.getMessage()); + throw new ProcessException("Invalid public keyring - " + + e.getMessage()); } try { - SecureRandom secureRandom = SecureRandom.getInstance(SECURE_RANDOM_ALGORITHM); + SecureRandom secureRandom = SecureRandom + .getInstance(SECURE_RANDOM_ALGORITHM); OutputStream output = out; if (EncryptContent.isPGPArmoredAlgorithm(algorithm)) { output = new ArmoredOutputStream(out); } - PGPEncryptedDataGenerator encGenerator = new PGPEncryptedDataGenerator(PGPEncryptedData.CAST5, false, - secureRandom, provider); + PGPEncryptedDataGenerator encGenerator = new PGPEncryptedDataGenerator( + PGPEncryptedData.CAST5, false, secureRandom, provider); encGenerator.addMethod(publicKey); - OutputStream encOut = encGenerator.open(output, new byte[65536]); + try (OutputStream encOut = encGenerator.open(output, + new byte[65536])) { - PGPCompressedDataGenerator compData = new PGPCompressedDataGenerator(PGPCompressedData.ZIP, Deflater.BEST_SPEED); - OutputStream compOut = compData.open(encOut, new byte[65536]); + PGPCompressedDataGenerator compData = new PGPCompressedDataGenerator( + PGPCompressedData.ZIP, Deflater.BEST_SPEED); + try (OutputStream compOut = compData.open(encOut, + new byte[65536])) { - PGPLiteralDataGenerator literal = new PGPLiteralDataGenerator(); - OutputStream literalOut = literal.open(compOut, PGPLiteralData.BINARY, filename, new Date(), new byte[65536]); + PGPLiteralDataGenerator literal = new PGPLiteralDataGenerator(); + try (OutputStream literalOut = literal.open(compOut, + PGPLiteralData.BINARY, filename, new Date(), + new byte[65536])) { - final byte[] buffer = new byte[4096]; - int len; - while ((len = in.read(buffer)) >= 0) { - literalOut.write(buffer, 0, len); + final byte[] buffer = new byte[4096]; + int len; + while ((len = in.read(buffer)) >= 0) { + literalOut.write(buffer, 0, len); + } + + } + } + } + if (EncryptContent.isPGPArmoredAlgorithm(algorithm)) { + output.close(); } - - literalOut.close(); - compOut.close(); - encOut.close(); - output.close(); } catch (Exception e) { throw new ProcessException(e.getMessage()); }