NIFI-3367 Added token length check and unit test.

This closes #2463. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2025-02-25 04:59:05 +00:00 · 2018-02-10 00:46:33 +00:00 · 2018-02-10 00:46:33 +00:00 · b7fdb235ee
commit b7fdb235ee
parent 61c6f0305b
4 changed files with 51 additions and 9 deletions
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
@ -100,7 +100,7 @@ public class TlsHelper {
        logger.warn("resulting client certificate: " + fileToString);
        logger.warn("");
        logger.warn("openssl pkcs12 -in '" + fileToString + "' -out '/tmp/" + fileName + "'");
-        logger.warn("openssl pkcs12 -export -in '/tmp/"  + fileName + "' -out '" + fileToString + "'");
+        logger.warn("openssl pkcs12 -export -in '/tmp/" + fileName + "' -out '" + fileToString + "'");
        logger.warn("rm -f '/tmp/" + fileName + "'");
        logger.warn("");
        logger.warn("**********************************************************************************");
@ -146,7 +146,14 @@ public class TlsHelper {
    }

    public static byte[] calculateHMac(String token, PublicKey publicKey) throws GeneralSecurityException {
-        SecretKeySpec keySpec = new SecretKeySpec(token.getBytes(StandardCharsets.UTF_8), "RAW");
+        if (token == null) {
+            throw new IllegalArgumentException("Token cannot be null");
+        }
+        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
+        if (tokenBytes.length < 16) {
+            throw new GeneralSecurityException("Token does not meet minimum size of 16 bytes.");
+        }
+        SecretKeySpec keySpec = new SecretKeySpec(tokenBytes, "RAW");
        Mac mac = Mac.getInstance("Hmac-SHA256", BouncyCastleProvider.PROVIDER_NAME);
        mac.init(keySpec);
        return mac.doFinal(getKeyIdentifier(publicKey));
@ -197,7 +204,7 @@ public class TlsHelper {
    }

    public static JcaPKCS10CertificationRequest generateCertificationRequest(String requestedDn, String domainAlternativeNames,
-            KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException {
+                                                                             KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException {
        JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(requestedDn), keyPair.getPublic());

        // add Subject Alternative Name(s)
@ -221,13 +228,13 @@ public class TlsHelper {
            throw new IOException("Failed to extract CN from request DN: " + requestedDn, e);
        }

-        if(StringUtils.isNotBlank(domainAlternativeNames)) {
-            for(String alternativeName : domainAlternativeNames.split(",")) {
+        if (StringUtils.isNotBlank(domainAlternativeNames)) {
+            for (String alternativeName : domainAlternativeNames.split(",")) {
                namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
            }
        }

-        GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
+        GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName[]{}));
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        return extGen.generate();
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java
@ -95,7 +95,7 @@ public class TlsCertificateSigningRequestPerformerTest {
        objectMapper = new ObjectMapper();
        keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);

-        testToken = "testToken";
+        testToken = "testTokenTestToken";
        testCaHostname = "testCaHostname";
        testPort = 8993;
        certificates = new ArrayList<>();
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java
@ -98,7 +98,7 @@ public class TlsCertificateAuthorityServiceHandlerTest {

    @Before
    public void setup() throws Exception {
-        testToken = "testToken";
+        testToken = "testTokenTestToken";
        testPemEncodedSignedCertificate = "testPemEncodedSignedCertificate";
        keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
        objectMapper = new ObjectMapper();
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
@ -43,6 +43,7 @@ import java.security.KeyStoreSpi;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
+import java.security.PublicKey;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@ -52,7 +53,6 @@ import java.util.Date;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
-
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
@ -171,6 +171,41 @@ public class TlsHelperTest {
        return new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(days));
    }

+    @Test
+    public void testTokenLengthInCalculateHmac() throws CertificateException, NoSuchAlgorithmException {
+        List<String> badTokens = new ArrayList<>();
+        List<String> goodTokens = new ArrayList<>();
+        badTokens.add(null);
+        badTokens.add("");
+        badTokens.add("123");
+        goodTokens.add("0123456789abcdefghijklm");
+        goodTokens.add("0123456789abcdef");
+
+        String dn = "CN=testDN,O=testOrg";
+        X509Certificate x509Certificate = CertificateUtils.generateSelfSignedX509Certificate(TlsHelper.generateKeyPair(keyPairAlgorithm, keySize), dn, signingAlgorithm, days);
+        PublicKey pubKey = x509Certificate.getPublicKey();
+
+        for (String token : badTokens) {
+            try {
+                TlsHelper.calculateHMac(token, pubKey);
+                fail("HMAC was calculated with a token that was too short.");
+            } catch (GeneralSecurityException e) {
+                assertEquals("Token does not meet minimum size of 16 bytes.", e.getMessage());
+            } catch (IllegalArgumentException e) {
+                assertEquals("Token cannot be null", e.getMessage());
+            }
+        }
+
+        for (String token : goodTokens) {
+            try {
+                byte[] hmac = TlsHelper.calculateHMac(token, pubKey);
+                assertTrue("HMAC length ok", hmac.length > 0);
+            } catch (GeneralSecurityException e) {
+                fail(e.getMessage());
+            }
+        }
+    }
+
    @Test
    public void testGenerateSelfSignedCert() throws GeneralSecurityException, IOException, OperatorCreationException {
        String dn = "CN=testDN,O=testOrg";