Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-3063

TLS Toolkit ignores provided password if longer than 7 characters and switches to auto-generated 7 character password

    XMLWordPrintableJSON

    Details

      Description

      Because of work done for NIFI-2943, the TLS Toolkit cannot accept a password longer than 7 characters for a PKCS12 keystore if the JCE unlimited strength cryptographic jurisdiction policies are not installed. While the tool correctly warns about this, it quietly switches from the provided password to an auto-generated 7 character password. There is a small log message saying the password has been switched to an auto-generated, reduced password, but this is easy to miss and surprising functionality. While not as secure, truncating the provided password to 7 characters is less likely to cause confusion for users.

      Example output:

      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔒 7s @ 20:06:39 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
      2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
      2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
      2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
      2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
      2016/11/17 20:06:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:                                     WARNING!!!!
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out '/tmp/CN=test.p12'
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=test.p12' -out '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=test.p12'
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 20:06:45 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
      2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 20:06:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔒 6s @ 20:06:46 $ more CN\=test.password
      aW5aV2E
      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔒 4s @ 20:06:51 $
      

      Suggested solutions (in order of preference):

      1. Fail to generate the keystore in this case and print reason
      2. Truncate provided password to 7 characters
      3. Print larger message explaining that the provided password is ignored completely and auto-generated password is used

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Karthikkadajji karthik kadajji
                Reporter:
                alopresto Andy LoPresto
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: