nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Jackoway <al...@cloudera.com>
Subject Re: EncryptContent issues after NIFI-1257 and NIFI-1259
Date Tue, 29 Mar 2016 15:03:35 GMT
I don't get a stacktrace. Probably because it is a validation failure and
the error is caught at
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EncryptContent.java#L288

I couldn't get your template to work without the gpgkeyring file. However,
that clued me into what I believe is the problem.

I have not been using a public keyring file, but rather the public key
itself. Somehow that used to work, but the parameter has always been called
Public Keyring File so I was using it wrong the whole time.

I attached the encrypt template that is working for me back in 0.3.0 (and
should work in 0.4.1 but not 0.5.1)

To fix it for 0.5.1, I had to make a real keyring file AND change the user
id to be the right thing.

This feels like a regression to me, but one where I was not following the
instructions all along.

Thanks,
Alan

On Tue, Mar 29, 2016 at 1:15 AM, Andy LoPresto <alopresto.apache@gmail.com>
wrote:

> The only other thing I can think of off the top of my head is that the
> userID specification may have changed with the BouncyCastle upgrade and the
> provided userID of just an email may be incomplete? In my testing, I had to
> specify the "name", "description", and "email" fields from the key in the
> format below in order to match the exact format that the library reads from
> the keyring.
>
> userID = "Name (Description) <Email>"
>
> You can test this and evaluate what the library sees as the key userID by
> attaching a remote debugger to your running instance and evaluating inside
> the iterator loop here [1].
>
> I'm not sure what version of GPG you're running, but it is worth
> investigating if the format of the stored key no longer matches how NiFi
> was reading it.
>
> [1]
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/crypto/OpenPGPKeyBasedEncryptor.java#L200
>
>
>
> Andy LoPresto
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> > On Mar 28, 2016, at 18:24, Andy LoPresto <alopresto.apache@gmail.com>
> wrote:
> >
> > Forgot to mention you’ll want to change the input/output directories in
> the GetFile and PutFile processors, as well as the paths to the public and
> secret keyring, the user ID, and the password for the EncryptContent
> processors.
> >
> > Andy LoPresto
> > alopresto.apache@gmail.com
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >
> >> On Mar 28, 2016, at 4:04 PM, Andy LoPresto <alopresto.apache@gmail.com>
> wrote:
> >>
> >> Hi Alan,
> >>
> >> I am investigating this issue (spinning up an instance, setting up a
> flow that involves PGP encryption and decryption, etc.) to verify.
> >>
> >> As an aside, the setting for “Key Derivation Function” is irrelevant if
> “Encryption Algorithm” is set to “PGP” or “PGP_ASCII_ARMOR”. The KDF is
> required for symmetric encryption (deriving a key from the provided
> password), but not used for PGP encryption/decryption at all.
> Unfortunately, we cannot currently display/hide or change the required-ness
> of processor properties based on the value of other properties. There is an
> existing Jira open [1] to enhance this functionality. Perhaps this can be
> better documented in the Admin Guide [2].
> >>
> >> Can you also provide the full stacktrace and your system configuration,
> if possible, to help with the troubleshooting? Thank you.
> >>
> >> [1] https://issues.apache.org/jira/browse/NIFI-1121
> >> [2]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#encryption
> >>
> >>
> >> Andy LoPresto
> >> alopresto.apache@gmail.com
> >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>
> >>> On Mar 28, 2016, at 2:18 PM, Alan Jackoway <alanj@cloudera.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I had an EncryptContent processor running with PGP public key
> encryption when we were running NiFi 0.4.x.
> >>>
> >>> We recently went up to a 0.5.x, which includes NIFI-1257 and
> NIFI-1259. Now my EncryptContent processors are failing to validate my key
> with an error message:
> >>> 'Public Keyring File' is invalid because Invalid Public Keyring File
> filename because java.io.IOException: invalid header encountered
> >>>
> >>> I tried all the key derivation functions, but in all cases I got the
> same error.
> >>>
> >>> Is there an easy way to talk NiFi into using my key again?
> >>>
> >>> I have attached a public key that works on 0.3.0 (I didn't have 0.4 on
> my machine for some reason) but fails in 0.5.1. The user id is
> alanj@cloudera.com
> >>>
> >>> Is there any easy fix? Should I file a jira?
> >>>
> >>> Since it said invalid header, I tried taking out the comment at the
> top of the key. That didn't work.
> >>>
> >>> Thanks,
> >>> Alan
> >>> <TestPublicKey.asc>
> >
>

Mime
View raw message