org.apache.nifi.security.util.crypto

Class BcryptSecureHasher

java.lang.Object

org.apache.nifi.security.util.crypto.AbstractSecureHasher

org.apache.nifi.security.util.crypto.BcryptSecureHasher

All Implemented Interfaces:

SecureHasher

Direct Known Subclasses:

KeyDerivationBcryptSecureHasher

public class BcryptSecureHasher
extends AbstractSecureHasher

Provides an implementation of Bcrypt for secure password hashing.

One critical difference is that this implementation uses a static universal salt unless instructed otherwise, which provides strict determinism across nodes in a cluster. The purpose for this is to allow for blind equality comparison of sensitive values hashed on different nodes (with potentially different nifi.sensitive.props.key values) during flow inheritance (see FingerprintFactory).

The resulting output is referred to as a hash to be consistent with SecureHasher terminology.

Field Summary

Fields

Modifier and Type	Field and Description
private int	cost
private static int	DEFAULT_COST These values can be calculated automatically using the code BcryptCipherProviderGroovyTest#calculateMinimumParameters or manually updated by a maintainer
private static int	DEFAULT_SALT_LENGTH
private static org.slf4j.Logger	logger
private static int	MAX_COST
private static int	MIN_COST
private static int	MIN_SALT_LENGTH

Fields inherited from class org.apache.nifi.security.util.crypto.AbstractSecureHasher

saltLength, UPPER_BOUNDARY

Constructor Summary

Constructors

Constructor and Description
BcryptSecureHasher() Instantiates a Bcrypt secure hasher using the default cost parameter (cost = DEFAULT_COST
BcryptSecureHasher(int cost) Instantiates a Bcrypt secure hasher using the provided cost parameters.
BcryptSecureHasher(int cost, int saltLength) Instantiates an Bcrypt secure hasher using the provided cost parameters.

Method Summary

Modifier and Type	Method and Description
(package private) boolean	acceptsEmptyInput() Returns true if the algorithm can accept empty (non-null) inputs.
static String	convertBcryptRadix64ToMimeBase64(String radix64)
static String	convertMimeBase64ToBcryptRadix64(String base64)
(package private) String	getAlgorithmName() Returns the algorithm-specific name for logging and messages.
(package private) int	getDefaultSaltLength() Returns the algorithm-specific default salt length in bytes.
(package private) int	getMaxSaltLength() Returns the algorithm-specific maximum salt length in bytes.
(package private) int	getMinSaltLength() Returns the algorithm-specific minimum salt length in bytes.
(package private) byte[]	hash(byte[] input) Internal method to hash the raw bytes.
(package private) byte[]	hash(byte[] input, byte[] rawSalt) Internal method to hash the raw bytes.
static boolean	isCostValid(Integer cost) Returns true if the provided cost factor is within boundaries.
private void	validateParameters(Integer cost, Integer saltLength) Enforces valid Scrypt secure hasher cost parameters are provided.

Methods inherited from class org.apache.nifi.security.util.crypto.AbstractSecureHasher

getSalt, hashBase64, hashBase64, hashHex, hashHex, hashRaw, hashRaw, initializeSalt, isSaltLengthValid, isUsingStaticSalt

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

DEFAULT_COST

private static final int DEFAULT_COST

These values can be calculated automatically using the code BcryptCipherProviderGroovyTest#calculateMinimumParameters or manually updated by a maintainer

See Also:

Constant Field Values

DEFAULT_SALT_LENGTH

private static final int DEFAULT_SALT_LENGTH

See Also:

Constant Field Values

MIN_COST

private static final int MIN_COST

See Also:

Constant Field Values

MAX_COST

private static final int MAX_COST

See Also:

Constant Field Values

MIN_SALT_LENGTH

private static final int MIN_SALT_LENGTH

See Also:

Constant Field Values

cost

private final int cost

Constructor Detail

BcryptSecureHasher

public BcryptSecureHasher()

Instantiates a Bcrypt secure hasher using the default cost parameter (cost = DEFAULT_COST

BcryptSecureHasher

public BcryptSecureHasher(int cost)

Instantiates a Bcrypt secure hasher using the provided cost parameters. A static DEFAULT_SALT_LENGTH byte salt will be generated on every hash request.

Parameters:

cost - the (log) number of key expansion rounds [4..31]

BcryptSecureHasher

public BcryptSecureHasher(int cost,
                          int saltLength)

Instantiates an Bcrypt secure hasher using the provided cost parameters. A unique salt of the specified length will be generated on every hash request.

Parameters:

cost - the (log) number of key expansion rounds [4..31]

saltLength - the salt length in bytes >= 8)

Method Detail

validateParameters

private void validateParameters(Integer cost,
                                Integer saltLength)

Enforces valid Scrypt secure hasher cost parameters are provided.

Parameters:

cost - the (log) number of key expansion rounds [4..31]

saltLength - the salt length in bytes >= 16)

isCostValid

public static boolean isCostValid(Integer cost)

Returns true if the provided cost factor is within boundaries. The lower bound >= 4 and the upper bound <= 31.

Parameters:

cost - the (log) number of key expansion rounds [4..31]

Returns:

true if cost factor is within boundaries

convertBcryptRadix64ToMimeBase64

public static String convertBcryptRadix64ToMimeBase64(String radix64)

convertMimeBase64ToBcryptRadix64

public static String convertMimeBase64ToBcryptRadix64(String base64)

getDefaultSaltLength

int getDefaultSaltLength()

Returns the algorithm-specific default salt length in bytes.

Specified by:

getDefaultSaltLength in class AbstractSecureHasher

Returns:

the default salt length

getMinSaltLength

int getMinSaltLength()

Returns the algorithm-specific minimum salt length in bytes.

Specified by:

getMinSaltLength in class AbstractSecureHasher

Returns:

the min salt length

getMaxSaltLength

int getMaxSaltLength()

Returns the algorithm-specific maximum salt length in bytes.

Specified by:

getMaxSaltLength in class AbstractSecureHasher

Returns:

the max salt length

getAlgorithmName

String getAlgorithmName()

Returns the algorithm-specific name for logging and messages.

Specified by:

getAlgorithmName in class AbstractSecureHasher

Returns:

the algorithm name

acceptsEmptyInput

boolean acceptsEmptyInput()

Returns true if the algorithm can accept empty (non-null) inputs.

Specified by:

acceptsEmptyInput in class AbstractSecureHasher

Returns:

the true if "" is allowable input

hash

byte[] hash(byte[] input)

Internal method to hash the raw bytes.

Specified by:

hash in class AbstractSecureHasher

Parameters:

input - the raw bytes to hash (can be length 0)

Returns:

the generated hash

hash

byte[] hash(byte[] input,
            byte[] rawSalt)

Internal method to hash the raw bytes.

Specified by:

hash in class AbstractSecureHasher

Parameters:

input - the raw bytes to hash (can be length 0)

rawSalt - the raw bytes to salt

Returns:

the generated hash