NIFI-3367 Added token length check and unit test.

This closes #2463.

Signed-off-by: Andy LoPresto <alopresto@apache.org>

nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java

@@ -100,7 +100,7 @@ public class TlsHelper {
         logger.warn("resulting client certificate: " + fileToString);
         logger.warn("");
         logger.warn("openssl pkcs12 -in '" + fileToString + "' -out '/tmp/" + fileName + "'");
-        logger.warn("openssl pkcs12 -export -in '/tmp/"  + fileName + "' -out '" + fileToString + "'");
+        logger.warn("openssl pkcs12 -export -in '/tmp/" + fileName + "' -out '" + fileToString + "'");
         logger.warn("rm -f '/tmp/" + fileName + "'");
         logger.warn("");
         logger.warn("**********************************************************************************");
@@ -146,7 +146,14 @@ public class TlsHelper {
     }
 
     public static byte[] calculateHMac(String token, PublicKey publicKey) throws GeneralSecurityException {
-        SecretKeySpec keySpec = new SecretKeySpec(token.getBytes(StandardCharsets.UTF_8), "RAW");
+        if (token == null) {
+            throw new IllegalArgumentException("Token cannot be null");
+        }
+        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
+        if (tokenBytes.length < 16) {
+            throw new GeneralSecurityException("Token does not meet minimum size of 16 bytes.");
+        }
+        SecretKeySpec keySpec = new SecretKeySpec(tokenBytes, "RAW");
         Mac mac = Mac.getInstance("Hmac-SHA256", BouncyCastleProvider.PROVIDER_NAME);
         mac.init(keySpec);
         return mac.doFinal(getKeyIdentifier(publicKey));
@@ -197,7 +204,7 @@ public class TlsHelper {
     }
 
     public static JcaPKCS10CertificationRequest generateCertificationRequest(String requestedDn, String domainAlternativeNames,
-            KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException {
+                                                                             KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException {
         JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(requestedDn), keyPair.getPublic());
 
         // add Subject Alternative Name(s)
@@ -221,13 +228,13 @@ public class TlsHelper {
             throw new IOException("Failed to extract CN from request DN: " + requestedDn, e);
         }
 
-        if(StringUtils.isNotBlank(domainAlternativeNames)) {
+        if (StringUtils.isNotBlank(domainAlternativeNames)) {
-            for(String alternativeName : domainAlternativeNames.split(",")) {
+            for (String alternativeName : domainAlternativeNames.split(",")) {
                 namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
             }
         }
 
-        GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
+        GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName[]{}));
         ExtensionsGenerator extGen = new ExtensionsGenerator();
         extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
         return extGen.generate();

nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java

@@ -95,7 +95,7 @@ public class TlsCertificateSigningRequestPerformerTest {
         objectMapper = new ObjectMapper();
         keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
 
-        testToken = "testToken";
+        testToken = "testTokenTestToken";
         testCaHostname = "testCaHostname";
         testPort = 8993;
         certificates = new ArrayList<>();

nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java

@@ -98,7 +98,7 @@ public class TlsCertificateAuthorityServiceHandlerTest {
 
     @Before
     public void setup() throws Exception {
-        testToken = "testToken";
+        testToken = "testTokenTestToken";
         testPemEncodedSignedCertificate = "testPemEncodedSignedCertificate";
         keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
         objectMapper = new ObjectMapper();

nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java

@@ -43,6 +43,7 @@ import java.security.KeyStoreSpi;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
+import java.security.PublicKey;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -52,7 +53,6 @@ import java.util.Date;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
-
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
@@ -171,6 +171,41 @@ public class TlsHelperTest {
         return new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(days));
     }
 
+    @Test
+    public void testTokenLengthInCalculateHmac() throws CertificateException, NoSuchAlgorithmException {
+        List<String> badTokens = new ArrayList<>();
+        List<String> goodTokens = new ArrayList<>();
+        badTokens.add(null);
+        badTokens.add("");
+        badTokens.add("123");
+        goodTokens.add("0123456789abcdefghijklm");
+        goodTokens.add("0123456789abcdef");
+
+        String dn = "CN=testDN,O=testOrg";
+        X509Certificate x509Certificate = CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm, keySize), dn, signingAlgorithm, days);
+        PublicKey pubKey = x509Certificate.getPublicKey();
+
+        for (String token : badTokens) {
+            try {
+                TlsHelper.calculateHMac(token, pubKey);
+                fail("HMAC was calculated with a token that was too short.");
+            } catch (GeneralSecurityException e) {
+                assertEquals("Token does not meet minimum size of 16 bytes.", e.getMessage());
+            } catch (IllegalArgumentException e) {
+                assertEquals("Token cannot be null", e.getMessage());
+            }
+        }
+
+        for (String token : goodTokens) {
+            try {
+                byte[] hmac = TlsHelper.calculateHMac(token, pubKey);
+                assertTrue("HMAC length ok", hmac.length > 0);
+            } catch (GeneralSecurityException e) {
+                fail(e.getMessage());
+            }
+        }
+    }
+
     @Test
     public void testGenerateSelfSignedCert() throws GeneralSecurityException, IOException, OperatorCreationException {
         String dn = "CN=testDN,O=testOrg";