Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-888 EncryptContent for PGP Leaks File Handles. 

Closes InputStreams created to read the public keys for PGP encryption and several other
streams involved in PGP encryptiong. This prevents NiFi from leaking file handles on
every validate call or encryption attempt in the EncryptContent processor.
This commit is contained in:
Alan Jackoway 2015-08-21 16:45:30 -04:00 committed by Aldrin Piri
parent df1066d2ed
commit b30fbe1f3b
1 changed files with 137 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/OpenPGPKeyBasedEncryptor.java
View File

@ -85,28 +85,38 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
/*
* Validate secret keyring passphrase
*/
public static boolean validateKeyring(String provider, String secretKeyringFile, char[] passphrase) throws IOException,
public static boolean validateKeyring(String provider,
String secretKeyringFile, char[] passphrase) throws IOException,
PGPException, NoSuchProviderException {
PGPSecretKeyRingCollection pgpsec = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(Files.newInputStream(Paths
.get(secretKeyringFile))));
try (InputStream fin = Files.newInputStream(Paths
.get(secretKeyringFile))) {
try (InputStream pin = PGPUtil.getDecoderStream(fin)) {
PGPSecretKeyRingCollection pgpsec = new PGPSecretKeyRingCollection(
pin);
Iterator ringit = pgpsec.getKeyRings();
while (ringit.hasNext()) {
PGPSecretKeyRing secretkeyring = (PGPSecretKeyRing) ringit.next();
PGPSecretKeyRing secretkeyring = (PGPSecretKeyRing) ringit
.next();
PGPSecretKey secretkey = secretkeyring.getSecretKey();
secretkey.extractPrivateKey(passphrase, provider);
return true;
}
return false;
}
}
}
/*
* Get the public key for a specific user id from a keyring.
*/
@SuppressWarnings("rawtypes")
public static PGPPublicKey getPublicKey(String userId, String publicKeyring) throws IOException, PGPException {
public static PGPPublicKey getPublicKey(String userId, String publicKeyring)
throws IOException, PGPException {
PGPPublicKey pubkey = null;
PGPPublicKeyRingCollection pgppub = new
PGPPublicKeyRingCollection(PGPUtil.getDecoderStream(Files.newInputStream(Paths.get(publicKeyring))));
try (InputStream fin = Files.newInputStream(Paths.get(publicKeyring))) {
try (InputStream pin = PGPUtil.getDecoderStream(fin)) {
PGPPublicKeyRingCollection pgppub = new PGPPublicKeyRingCollection(
pin);
Iterator ringit = pgppub.getKeyRings();
while (ringit.hasNext()) {
@ -130,6 +140,8 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
}
}
}
}
}
return null;
}
@ -139,15 +151,17 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
private String secretKeyring;
private char[] passphrase;
OpenPGPDecryptCallback(final String provider, final String keyring, final char[] passphrase) {
OpenPGPDecryptCallback(final String provider, final String keyring,
final char[] passphrase) {
this.provider = provider;
this.secretKeyring = keyring;
this.passphrase = passphrase;
}
@Override
public void process(InputStream in, OutputStream out) throws IOException {
InputStream pgpin = PGPUtil.getDecoderStream(in);
public void process(InputStream in, OutputStream out)
throws IOException {
try (InputStream pgpin = PGPUtil.getDecoderStream(in)) {
PGPObjectFactory pgpFactory = new PGPObjectFactory(pgpin);
Object obj = pgpFactory.nextObject();
@ -162,10 +176,12 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
PGPSecretKeyRingCollection pgpSecretKeyring;
try {
// open secret keyring file
pgpSecretKeyring = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(Files
.newInputStream(Paths.get(secretKeyring))));
pgpSecretKeyring = new PGPSecretKeyRingCollection(
PGPUtil.getDecoderStream(Files.newInputStream(Paths
.get(secretKeyring))));
} catch (Exception e) {
throw new ProcessException("Invalid secret keyring - " + e.getMessage());
throw new ProcessException("Invalid secret keyring - "
+ e.getMessage());
}
try {
@ -180,36 +196,45 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
throw new ProcessException("Invalid OpenPGP data");
}
encData = (PGPPublicKeyEncryptedData) obj;
PGPSecretKey secretkey = pgpSecretKeyring.getSecretKey(encData.getKeyID());
PGPSecretKey secretkey = pgpSecretKeyring
.getSecretKey(encData.getKeyID());
if (secretkey != null) {
privateKey = secretkey.extractPrivateKey(passphrase, provider);
privateKey = secretkey.extractPrivateKey(
passphrase, provider);
}
}
if (privateKey == null) {
throw new ProcessException("Secret keyring does not contain the key required to decrypt");
throw new ProcessException(
"Secret keyring does not contain the key required to decrypt");
}
InputStream clearData = encData.getDataStream(privateKey, provider);
PGPObjectFactory clearFactory = new PGPObjectFactory(clearData);
try (InputStream clearData = encData.getDataStream(
privateKey, provider)) {
PGPObjectFactory clearFactory = new PGPObjectFactory(
clearData);
obj = clearFactory.nextObject();
if (obj instanceof PGPCompressedData) {
PGPCompressedData compData = (PGPCompressedData) obj;
clearFactory = new PGPObjectFactory(compData.getDataStream());
clearFactory = new PGPObjectFactory(
compData.getDataStream());
obj = clearFactory.nextObject();
}
PGPLiteralData literal = (PGPLiteralData) obj;
InputStream lis = literal.getInputStream();
try (InputStream lis = literal.getInputStream()) {
final byte[] buffer = new byte[4096];
int len;
while ((len = lis.read(buffer)) >= 0) {
out.write(buffer, 0, len);
}
}
}
} catch (Exception e) {
throw new ProcessException(e.getMessage());
}
}
}
}
@ -231,32 +256,40 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
}
@Override
public void process(InputStream in, OutputStream out) throws IOException {
public void process(InputStream in, OutputStream out)
throws IOException {
PGPPublicKey publicKey;
try {
publicKey = getPublicKey(userId, publicKeyring);
} catch (Exception e) {
throw new ProcessException("Invalid public keyring - " + e.getMessage());
throw new ProcessException("Invalid public keyring - "
+ e.getMessage());
}
try {
SecureRandom secureRandom = SecureRandom.getInstance(SECURE_RANDOM_ALGORITHM);
SecureRandom secureRandom = SecureRandom
.getInstance(SECURE_RANDOM_ALGORITHM);
OutputStream output = out;
if (EncryptContent.isPGPArmoredAlgorithm(algorithm)) {
output = new ArmoredOutputStream(out);
}
PGPEncryptedDataGenerator encGenerator = new PGPEncryptedDataGenerator(PGPEncryptedData.CAST5, false,
secureRandom, provider);
PGPEncryptedDataGenerator encGenerator = new PGPEncryptedDataGenerator(
PGPEncryptedData.CAST5, false, secureRandom, provider);
encGenerator.addMethod(publicKey);
OutputStream encOut = encGenerator.open(output, new byte[65536]);
try (OutputStream encOut = encGenerator.open(output,
new byte[65536])) {
PGPCompressedDataGenerator compData = new PGPCompressedDataGenerator(PGPCompressedData.ZIP, Deflater.BEST_SPEED);
OutputStream compOut = compData.open(encOut, new byte[65536]);
PGPCompressedDataGenerator compData = new PGPCompressedDataGenerator(
PGPCompressedData.ZIP, Deflater.BEST_SPEED);
try (OutputStream compOut = compData.open(encOut,
new byte[65536])) {
PGPLiteralDataGenerator literal = new PGPLiteralDataGenerator();
OutputStream literalOut = literal.open(compOut, PGPLiteralData.BINARY, filename, new Date(), new byte[65536]);
try (OutputStream literalOut = literal.open(compOut,
PGPLiteralData.BINARY, filename, new Date(),
new byte[65536])) {
final byte[] buffer = new byte[4096];
int len;
@ -264,10 +297,12 @@ public class OpenPGPKeyBasedEncryptor implements Encryptor {
literalOut.write(buffer, 0, len);
}
literalOut.close();
compOut.close();
encOut.close();
}
}
}
if (EncryptContent.isPGPArmoredAlgorithm(algorithm)) {
output.close();
}
} catch (Exception e) {
throw new ProcessException(e.getMessage());
}