nifi-dev mailing list archives

From Andy LoPresto <alopresto.apa...@gmail.com>
Subject Re: EncryptContent issues after NIFI-1257 and NIFI-1259
Date Tue, 29 Mar 2016 17:58:07 GMT
Thanks Alan. I don’t anticipate it being a large effort. I have it marked as minor and will
bump it if resources are strained.

Andy LoPresto
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 29, 2016, at 10:32 AM, Alan Jackoway <alanj@cloudera.com> wrote:
> 
> Honestly, it's not clear to me that we should handle this scenario. The
> only reason I would propose fixing it is to handle people (like me) who did
> it wrong and then upgraded. Requiring a keyring isn't that unusual, and the
> docs are pretty specific. I just didn't read them.
> 
> Alan
> 
> On Tue, Mar 29, 2016 at 1:28 PM, Andy LoPresto <alopresto.apache@gmail.com>
> wrote:
> 
>> Alan,
>> 
>> The processor properties for public keyring file and secret keyring file
>> are fairly explicit in their names, so when I upgraded the BouncyCastle
>> dependencies, I wrote logic that performs strict validation on the file
>> format because the underlying library code changed substantially. I was
>> unaware anyone was using the individual key file there.
>> 
>> I have created a Jira [1] for 0.7.0 to add custom logic to handle this
>> scenario.
>> 
>> [1] https://issues.apache.org/jira/browse/NIFI-1694
>> 
>> Andy LoPresto
>> alopresto.apache@gmail.com
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>> 
>> On Mar 29, 2016, at 8:03 AM, Alan Jackoway <alanj@cloudera.com> wrote:
>> 
>> I don't get a stacktrace. Probably because it is a validation failure and
>> the error is caught at
>> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java#L288
>> 
>> I couldn't get your template to work without the gpgkeyring file. However,
>> that clued me into what I believe is the problem.
>> 
>> I have not been using a public keyring file, but rather the public key
>> itself. Somehow that used to work, but the parameter has always been called
>> Public Keyring File so I was using it wrong the whole time.
>> 
>> I attached the encrypt template that is working for me back in 0.3.0 (and
>> should work in 0.4.1 but not 0.5.1)
>> 
>> To fix it for 0.5.1, I had to make a real keyring file AND change the user
>> id to be the right thing.
>> 
>> This feels like a regression to me, but one where I was not following the
>> instructions all along.
>> 
>> Thanks,
>> Alan
>> 
>> On Tue, Mar 29, 2016 at 1:15 AM, Andy LoPresto <alopresto.apache@gmail.com>
>> wrote:
>> 
>>> The only other thing I can think of off the top of my head is that the
>>> userID specification may have changed with the BouncyCastle upgrade and the
>>> provided userID of just an email may be incomplete? In my testing, I had to
>>> specify the "name", "description", and "email" fields from the key in the
>>> format below in order to match the exact format that the library reads from
>>> the keyring.
>>> 
>>> userID = "Name (Description) <Email>"
>>> 
>>> You can test this and evaluate what the library sees as the key userID by
>>> attaching a remote debugger to your running instance and evaluating inside
>>> the iterator loop here [1].
>>> 
>>> I'm not sure what version of GPG you're running, but it is worth
>>> investigating if the format of the stored key no longer matches how NiFi
>>> was reading it.
>>> 
>>> [1]
>>> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/crypto/OpenPGPKeyBasedEncryptor.java#L200
>>> 
>>> 
>>> 
>>> Andy LoPresto
>>> alopresto.apache@gmail.com
>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>> 
>>>> On Mar 28, 2016, at 18:24, Andy LoPresto <alopresto.apache@gmail.com>
>>> wrote:
>>>> 
>>>> Forgot to mention you’ll want to change the input/output directories in
>>> the GetFile and PutFile processors, as well as the paths to the public and
>>> secret keyring, the user ID, and the password for the EncryptContent
>>> processors.
>>>> 
>>>> Andy LoPresto
>>>> alopresto.apache@gmail.com
>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>>> 
>>>>> On Mar 28, 2016, at 4:04 PM, Andy LoPresto <alopresto.apache@gmail.com>
>>> wrote:
>>>>> 
>>>>> Hi Alan,
>>>>> 
>>>>> I am investigating this issue (spinning up an instance, setting up a
>>> flow that involves PGP encryption and decryption, etc.) to verify.
>>>>> 
>>>>> As an aside, the setting for “Key Derivation Function” is irrelevant
>>> if “Encryption Algorithm” is set to “PGP” or “PGP_ASCII_ARMOR”. The KDF is
>>> required for symmetric encryption (deriving a key from the provided
>>> password), but not used for PGP encryption/decryption at all.
>>> Unfortunately, we cannot currently display/hide or change the required-ness
>>> of processor properties based on the value of other properties. There is an
>>> existing Jira open [1] to enhance this functionality. Perhaps this can be
>>> better documented in the Admin Guide [2].
>>>>> 
>>>>> Can you also provide the full stacktrace and your system
>>> configuration, if possible, to help with the troubleshooting? Thank you.
>>>>> 
>>>>> [1] https://issues.apache.org/jira/browse/NIFI-1121
>>>>> [2]
>>> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#encryption
>>>>> 
>>>>> 
>>>>> Andy LoPresto
>>>>> alopresto.apache@gmail.com
>>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>>>> 
>>>>>> On Mar 28, 2016, at 2:18 PM, Alan Jackoway <alanj@cloudera.com>
>>> wrote:
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> I had an EncryptContent processor running with PGP public key
>>> encryption when we were running NiFi 0.4.x.
>>>>>> 
>>>>>> We recently went up to a 0.5.x, which includes NIFI-1257 and
>>> NIFI-1259. Now my EncryptContent processors are failing to validate my key
>>> with an error message:
>>>>>> 'Public Keyring File' is invalid because Invalid Public Keyring File
>>> filename because java.io.IOException: invalid header encountered
>>>>>> 
>>>>>> I tried all the key derivation functions, but in all cases I got the
>>> same error.
>>>>>> 
>>>>>> Is there an easy way to talk NiFi into using my key again?
>>>>>> 
>>>>>> I have attached a public key that works on 0.3.0 (I didn't have 0.4
>>> on my machine for some reason) but fails in 0.5.1. The user id is
>>> alanj@cloudera.com
>>>>>> 
>>>>>> Is there any easy fix? Should I file a jira?
>>>>>> 
>>>>>> Since it said invalid header, I tried taking out the comment at the
>>> top of the key. That didn't work.
>>>>>> 
>>>>>> Thanks,
>>>>>> Alan
>>>>>> <TestPublicKey.asc>
>>>> 
>>> 
>> 
>> <AlanEncryptTemplate.xml>
>> 
>> 
>> 
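The thread comes down to two checks that a practitioner can run before pointing EncryptContent at a key: is the "Public Keyring File" really a binary OpenPGP packet stream (an ASCII-armored .asc export starts with "-----", and a raw packet reader rejects that first byte as an invalid header), and does the configured User ID equal the full "Name (Comment) <Email>" string stored in the key rather than just the e-mail. The example below is added here and is not NiFi or BouncyCastle code; it is a minimal RFC 4880 packet walker in Python over a constructed keyring. It assumes the processor compares the User ID by exact string match (the thread describes the full format being needed; the exact comparison rule is an assumption) and that the "invalid header encountered" message is what a binary reader produces on an armored file (inferred from the reported error, not verified against the library source).

```python
"""Diagnose a 'Public Keyring File' the way the thread describes the failure:
an armored key instead of a binary keyring, or a User ID that is only the
e-mail part of the stored "Name (Comment) <email>" string.

Added example, not NiFi or BouncyCastle code.  The sample keyring below is
constructed test data, not a real key."""
import re

ARMOR_HEADER = b"-----BEGIN PGP "

# Assumed format of a stored User ID: "Name (Comment) <email>", comment optional.
USER_ID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^>]+)>$")


def read_packets(data: bytes):
    """Walk an OpenPGP packet stream (RFC 4880 section 4.2); return [(tag, body)].

    Every packet header has its high bit set.  An armored file starts with
    '-' (0x2D), whose high bit is clear, so a binary reader stops on the very
    first byte; that is the 'invalid header' case from the thread (inference).
    """
    pos, out = 0, []
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0x80 == 0:
            raise IOError("invalid header encountered at offset %d" % pos)
        pos += 1
        if hdr & 0x40:                      # new-format header
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise NotImplementedError("partial body lengths not supported")
        else:                               # old-format header
            tag = (hdr & 0x3C) >> 2
            ltype = hdr & 0x03
            if ltype == 3:                  # indeterminate length: rest of stream
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise IOError("truncated packet (tag %d) at offset %d" % (tag, pos))
        pos += length
        out.append((tag, body))
    return out


def is_armored(data: bytes) -> bool:
    return data.lstrip().startswith(ARMOR_HEADER)


def user_ids(keyring: bytes):
    """All User ID packets (tag 13) in the keyring, as the library would see them."""
    return [body.decode("utf-8") for tag, body in read_packets(keyring) if tag == 13]


def diagnose(data: bytes, requested_user_id: str) -> str:
    """Explain why a keyring file / User ID pair would be rejected, or return 'ok'."""
    if is_armored(data):
        return "armored"                    # export in binary form or use the real keyring
    try:
        stored = user_ids(data)
    except IOError:
        return "invalid header"
    if requested_user_id in stored:         # assumed: exact string match on the User ID
        return "ok"
    for uid in stored:
        m = USER_ID_RE.match(uid)
        if m and m.group("email") == requested_user_id:
            return "user id incomplete: use %r" % uid
    return "user id not found"


def packet(tag: int, body: bytes) -> bytes:
    """Build an old-format packet with a one- or two-octet length (test data only)."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


# Constructed stand-in for a binary public keyring: a public-key packet (tag 6)
# with dummy key material, then a User ID packet (tag 13) in the full form.
SAMPLE_KEYRING = (packet(6, b"\x04" + b"\x00" * 20)
                  + packet(13, b"Example User (NiFi test key) <user@example.com>"))
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v2\n\n"
                  b"mQENBF...\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_KEYRING, "user@example.com"))
    print(diagnose(SAMPLE_ARMORED, "user@example.com"))
```

Against a real file, read the bytes from disk and call diagnose() with the User ID configured on the processor; "armored" means the file needs to be exported without --armor (or the keyring itself used), and "user id incomplete" prints the exact string the library stores, which is what to paste into the User Id property.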

