🔏
Focusing on NiFi security...

Andy LoPresto alopresto

@alopresto
alopresto / test_output.txt
Created December 13, 2015 00:41
Test output from trying multiple PBE ciphers on various security providers
/Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/bin/java *.crypto.OpenSSLPBEEncryptorTest,testShouldNotEncryptAndDecryptWithPBELongPasswordWith128BitKeyAndDefaultJCEProvider
[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Running in limited encryption mode
[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Available JCE providers: SUN, SunRsaSign, SunEC, SunJSSE, SunJCE, SunJGSS, SunSASL, XMLDSig, SunPCSC, Apple, BC
[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Password: thisIsABadPassword
[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Salt : saltsalt
[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Checking algorithm PBEWITHMD5AND128BITAES-CBC-OPENSSL
[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Running with provider SUN
[main] WARN com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Provider SUN does not support cipher PBEWITHMD5AND128BITAES-CBC-OPENSSL
[main] INFO com.hortonworks.crypto.OpenSSLPBE
@alopresto
alopresto / test_output_pem.txt
Created December 16, 2015 22:42
Test code and output using BcPEMDecryptorProvider to try to decrypt an OpenSSL-encrypted file
@Test
public void testShouldDecryptOpenSSLWithBcPEMDecryptor() throws Exception {
// Arrange
if (!isUnlimitedStrengthCrypto()) {
logger.info("Running in limited encryption mode. Overriding...")
setJCEUnlimitedStrength()
logger.info("Now running with unlimited strength crypto")
}
logger.info("Plaintext: ${plaintext}")
@alopresto
alopresto / NiFi certificate explanation.md
Created March 1, 2016 20:22
A response to a comment trying to separate the concerns of NiFi TLS, client authentication, and external service TLS.

I understand the differences are subtle because a lot of the terminology overlaps, but these are two very different activities. In the article you linked to, the steps described are intended to strengthen the service NiFi is providing and the ability of users to connect. As an analogy, let's describe building a bank.

By default, the bank is built of wood, has large clear windows with no blinds, and no official sign out front. You've taped a piece of paper saying "GeoffreyBank" to the door (this is plaintext, default, unencrypted HTTP communication from your browser to http://localhost:8080/nifi).

Now, of course, you want to secure your bank. It is going to store valuable items, and people will not use it if they do not trust that you are protecting their property. So you build stronger walls, put in an inner office so that their transactions cannot simply be observed by anyone on the street, and put up professional signage so they can recognize that it is the correct bank.

This is analogous to

@alopresto
alopresto / noneEmptyELTest.java
Created March 23, 2016 05:17
A Java JUnit test demonstrating an expression language query which will return true if and only if all attributes enumerated are not empty (i.e. not null, zero-length, or all whitespace characters).
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
@alopresto
alopresto / pgp_encryption_template.xml
Created March 29, 2016 01:05
Generates empty flowfiles, replaces the contents with a static plaintext message, and writes them as a file to a directory. Reads files from a directory, encrypts using PGP, logs, decrypts, and writes the plaintext files to a new directory.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><template><description>Generates empty flowfiles, replaces the contents with a static plaintext message, and writes them as a file to a directory.
Reads files from a directory, encrypts using PGP, logs, decrypts, and writes the plaintext files to a new directory. </description><name>PGP Encryption Test</name><snippet><connections><id>69f574fd-134b-4946-b23c-6e63927c8141</id><parentGroupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</parentGroupId><backPressureDataSizeThreshold>0 MB</backPressureDataSizeThreshold><backPressureObjectThreshold>0</backPressureObjectThreshold><destination><groupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</groupId><id>13567097-57a3-47bc-925e-c2b525b0e6d3</id><type>PROCESSOR</type></destination><flowFileExpiration>0 sec</flowFileExpiration><labelIndex>1</labelIndex><name></name><selectedRelationships>success</selectedRelationships><source><groupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</groupId><id>4a8b0595-4233-4dda-ba15-64cb41db7b63</id>
@alopresto
alopresto / cipherscan.txt
Created March 30, 2016 05:38
Results of cipherscan and analysis for default secure NiFi 0.6.0.
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 1s @ 21:57:02 $ python analyze.py -t nifi.nifi.apache.org:8443
nifi.nifi.apache.org:8443 has bad ssl/tls
Things that are bad:
* don't use an untrusted or self-signed certificate
Changes needed to match the old level:
* enable SSLv3
* use a certificate with sha1WithRSAEncryption signature
@alopresto
alopresto / Merging PR for 2 branches
Last active May 15, 2024 15:16
Instructions to merge pull requests for multiple branches (master, support, etc.)
# Steps to merge/close pull requests with two main branches
As NiFi now has a 1.0 (master) and 0.x (support) branch, pull requests (PR) must be applied to both. Here is a step-by-step guide for committers to ensure this occurs for all PRs.
1. Check out the latest master
```
$ git checkout master
$ git pull upstream master
```
2. Check out the PR (example #327). This will be in `detached-HEAD` state. (Note: You may need to edit the `.git/config` file to add the `fetch` lines [below](#fetch))
@alopresto
alopresto / nifi-checkstyle.xml
Last active November 10, 2021 20:15
NiFi checkstyle rules for IntelliJ IDEA.
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
"-//Puppy Crawl//DTD Check Configuration 1.3//EN"
"http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
<module name="Checker">
<property name="charset" value="UTF-8" />
<property name="severity" value="warning" />
<!-- Checks for whitespace -->
<!-- See http://checkstyle.sf.net/config_whitespace.html -->
@alopresto
alopresto / gpg_git_signing.md
Last active September 10, 2024 17:07
Steps to enable GPG signing of git commits.

If anyone is interested in setting up their system to automatically (or manually) sign their git commits with their GPG key, here are the steps:

  1. Generate and add your key to GitHub
  2. $ git config --global commit.gpgsign true ([OPTIONAL] every commit will now be signed)
  3. $ git config --global user.signingkey ABCDEF01 (where ABCDEF01 is the fingerprint of the key to use)
  4. $ git config --global alias.logs "log --show-signature" (now available as $ git logs)
  5. $ git config --global alias.cis "commit -S" (optional if global signing is false)
  6. $ echo "Some content" >> example.txt
  7. $ git add example.txt
  8. $ git cis -m "This commit is signed by a GPG key." (regular commit will work if global signing is enabled)
@alopresto
alopresto / nifi.properties
Created May 15, 2016 23:37
Example NiFi configuration file for debugging AuthorityProvider context loading error.
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software