nifi-dev mailing list archives

From Andy LoPresto <alopresto.apa...@gmail.com>
Subject Re: EncryptContent issues after NIFI-1257 and NIFI-1259
Date Tue, 29 Mar 2016 05:15:36 GMT
The only other thing I can think of off the top of my head is that the userID specification
may have changed with the BouncyCastle upgrade and the provided userID of just an email may
be incomplete? In my testing, I had to specify the "name", "description", and "email" fields
from the key in the format below in order to match the exact format that the library reads
from the keyring. 

userID = "Name (Description) <Email>"

You can test this and evaluate what the library sees as the key userID by attaching a remote
debugger to your running instance and evaluating inside the iterator loop here [1]. 

I'm not sure what version of GPG you're running, but it is worth investigating if the format
of the stored key no longer matches how NiFi was reading it. 

[1] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/crypto/OpenPGPKeyBasedEncryptor.java#L200



Andy LoPresto
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 28, 2016, at 18:24, Andy LoPresto <alopresto.apache@gmail.com> wrote:
> 
> Forgot to mention you’ll want to change the input/output directories in the GetFile and PutFile processors, as well as the paths to the public and secret keyring, the user ID, and the password for the EncryptContent processors.
> 
> Andy LoPresto
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
>> On Mar 28, 2016, at 4:04 PM, Andy LoPresto <alopresto.apache@gmail.com> wrote:
>> 
>> Hi Alan,
>> 
>> I am investigating this issue (spinning up an instance, setting up a flow that involves PGP encryption and decryption, etc.) to verify.
>> 
>> As an aside, the setting for “Key Derivation Function” is irrelevant if “Encryption Algorithm” is set to “PGP” or “PGP_ASCII_ARMOR”. The KDF is required for symmetric encryption (deriving a key from the provided password), but not used for PGP encryption/decryption at all. Unfortunately, we cannot currently display/hide or change the required-ness of processor properties based on the value of other properties. There is an existing Jira open [1] to enhance this functionality. Perhaps this can be better documented in the Admin Guide [2].
>> 
>> Can you also provide the full stacktrace and your system configuration, if possible, to help with the troubleshooting? Thank you.
>> 
>> [1] https://issues.apache.org/jira/browse/NIFI-1121
>> [2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#encryption
>> 
>> 
>> Andy LoPresto
>> alopresto.apache@gmail.com
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>> 
>>> On Mar 28, 2016, at 2:18 PM, Alan Jackoway <alanj@cloudera.com> wrote:
>>> 
>>> Hello,
>>> 
>>> I had an EncryptContent processor running with PGP public key encryption when we were running NiFi 0.4.x.
>>> 
>>> We recently went up to a 0.5.x, which includes NIFI-1257 and NIFI-1259. Now my EncryptContent processors are failing to validate my key with an error message:
>>> 'Public Keyring File' is invalid because Invalid Public Keyring File filename because java.io.IOException: invalid header encountered
>>> 
>>> I tried all the key derivation functions, but in all cases I got the same error.
>>> 
>>> Is there an easy way to talk NiFi into using my key again?
>>> 
>>> I have attached a public key that works on 0.3.0 (I didn't have 0.4 on my machine for some reason) but fails in 0.5.1. The user id is alanj@cloudera.com
>>> 
>>> Is there any easy fix? Should I file a jira?
>>> 
>>> Since it said invalid header, I tried taking out the comment at the top of the key. That didn't work.
>>> 
>>> Thanks,
>>> Alan
>>> <TestPublicKey.asc>
> 
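
An alternative to attaching a debugger, as an added example that is not part of the original message or of NiFi: a standalone Java program that loads a public keyring with BouncyCastle and prints every user ID exactly as the library reads it, flagging whether the configured value matches. The class name and the exact-string comparison are assumptions based on the description in the message above, and it assumes a BouncyCastle version whose PGPPublicKeyRingCollection constructor takes a fingerprint calculator.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Iterator;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;

// Hypothetical diagnostic class (not NiFi code).
public class ListKeyringUserIds {
    public static void main(String[] args) {
        if (args.length < 2) {
            System.err.println("usage: ListKeyringUserIds <public-keyring-file> <configured-user-id>");
            System.exit(2);
        }
        String configured = args[1];
        // getDecoderStream accepts both ASCII-armored and binary keyrings.
        try (InputStream in = PGPUtil.getDecoderStream(new FileInputStream(args[0]))) {
            PGPPublicKeyRingCollection rings =
                    new PGPPublicKeyRingCollection(in, new BcKeyFingerprintCalculator());
            boolean exact = false;
            for (Iterator<?> r = rings.getKeyRings(); r.hasNext();) {
                PGPPublicKeyRing ring = (PGPPublicKeyRing) r.next();
                for (Iterator<?> k = ring.getPublicKeys(); k.hasNext();) {
                    PGPPublicKey key = (PGPPublicKey) k.next();
                    for (Iterator<?> u = key.getUserIDs(); u.hasNext();) {
                        String userId = (String) u.next();
                        boolean same = userId.equals(configured); // assumed exact comparison
                        boolean partial = !same && userId.contains(configured);
                        exact |= same;
                        System.out.printf("key %016X encryption=%b userID=[%s]%s%n",
                                key.getKeyID(), key.isEncryptionKey(), userId,
                                same ? "  <- exact match" : partial ? "  <- contains configured value" : "");
                    }
                }
            }
            if (!exact) {
                System.out.println("No user ID equals \"" + configured + "\" exactly.");
            }
        } catch (IOException | PGPException e) {
            // Parse failures, such as a header the library rejects, surface here.
            System.err.println("Could not read keyring: " + e);
            System.exit(1);
        }
    }
}
```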
