
NIFI-14048 Add fallback to RSA for Framework Application Tokens #9603

Closed

Conversation

exceptionfactory
Contributor

Summary

NIFI-14048 Adjusts the framework web application security configuration to support fallback to the RSA key algorithm and the PS512 JSON Web Signature algorithm when the runtime Java Security Provider does not support the Ed25519 key algorithm.

NiFi versions prior to 2.0.0 used RSA with PS512 for signing and verifying Application Bearer Tokens. NiFi 2.0.0 changed the implementation to use Ed25519 with EdDSA for smaller key and signature sizes providing similar or better security than RSA.

At the time of this writing, Java Security Providers that enforce Federal Information Processing Standards do not include Ed25519 in the list of approved algorithms. FIPS 186-5 published in February 2023 adds Ed25519 to the list of approved algorithms, and FIPS providers such as Bouncy Castle have submitted versions for approval that include Ed25519.

Although the project does not provide official support for operating in a mode compatible with FIPS providers, enabling fallback support for RSA enables a transitional upgrade path for current deployments. Instead of introducing a new framework configuration property, changes in this pull request use java.security.Security to determine whether Ed25519 is supported on startup. In absence of support for Ed25519, the framework selects RSA for rotating JWT key pair generation and PS512 for token signing. The framework logs a message indicating the selected algorithm. This approach also provides the opportunity for subsequent removal when support for Ed25519 is incorporated in providers such as Bouncy Castle.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 21

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

- Added KeyPairGeneratorConfiguration with Security Provider detection for Ed25519 and fallback to RSA when not found
- Added StandardJWSVerifierFactory supporting either EdDSA for Ed25519 or PS512 for RSA signatures
- Updated KeyGenerationCommand with provided KeyPairGenerator and conditional JWS Algorithm selection
@exceptionfactory
Contributor Author

exceptionfactory commented Dec 28, 2024

These changes can be tested at runtime using a standard Java Runtime Environment with a custom Java security properties configuration.

  1. Create java.security.properties in the NiFi conf directory
  2. Add the following line to java.security.properties:
     security.provider.3=SunJCE
  3. Add the following line to bootstrap.conf in the NiFi conf directory:
     java.arg.securityProperties=-Djava.security.properties=./conf/java.security.properties
  4. Start NiFi and view the nifi-user.log for the selected Key Pair Algorithm, which should be RSA:
     Configured Key Pair Algorithm [RSA] for JSON Web Signatures

This configuration replaces the default security provider in the third position with SunJCE. The default security provider in the third position is SunEC, which implements the Ed25519 algorithm. With the SunEC provider removed from the configuration, the Key Pair Generator Configuration will fall back to RSA instead of the default Ed25519 algorithm.
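The detection and fallback described in the pull request description and exercised by the test steps above, as an added example that is not NiFi's own code: it asks java.security.Security which KeyPairGenerator algorithms the installed providers register, selects Ed25519 or falls back to RSA, then signs and verifies a constructed payload with EdDSA or with RSASSA-PSS parameters matching JWS PS512. Only JDK APIs are used; the class and method names are assumptions, not NiFi's.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

// Hypothetical class name; illustrates the Ed25519 -> RSA fallback, not NiFi's implementation.
public class KeyPairAlgorithmFallback {
    static final String ED25519 = "Ed25519";
    static final String RSA = "RSA";

    // Security.getAlgorithms returns upper-cased names registered by the configured providers.
    // With SunEC removed (see the java.security.properties test above) ED25519 is absent.
    static String selectKeyPairAlgorithm() {
        return Security.getAlgorithms("KeyPairGenerator").contains("ED25519") ? ED25519 : RSA;
    }

    // EdDSA for Ed25519 keys; RSASSA-PSS with SHA-512, MGF1-SHA512 and a 64-byte salt is JWS PS512.
    static Signature signatureFor(String keyPairAlgorithm) throws GeneralSecurityException {
        if (ED25519.equals(keyPairAlgorithm)) {
            return Signature.getInstance("Ed25519");
        }
        Signature signature = Signature.getInstance("RSASSA-PSS");
        signature.setParameter(new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512,
                64, PSSParameterSpec.TRAILER_FIELD_BC));
        return signature;
    }

    static KeyPair generateKeyPair(String algorithm) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
        if (RSA.equals(algorithm)) {
            generator.initialize(3072); // constructed choice; Ed25519 needs no size parameter
        }
        return generator.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String algorithm = selectKeyPairAlgorithm();
        System.out.printf("Configured Key Pair Algorithm [%s] for JSON Web Signatures%n", algorithm);
        KeyPair keyPair = generateKeyPair(algorithm);
        byte[] signingInput = "eyJhbGciOiJub25lIn0.e30".getBytes(StandardCharsets.UTF_8); // constructed
        Signature signer = signatureFor(algorithm);
        signer.initSign(keyPair.getPrivate());
        signer.update(signingInput);
        byte[] signatureBytes = signer.sign();
        Signature verifier = signatureFor(algorithm);
        verifier.initVerify(keyPair.getPublic());
        verifier.update(signingInput);
        System.out.println("Signature verified: " + verifier.verify(signatureBytes));
    }
}
```

Run it once with the default providers and once with the java.security.properties override from the steps above to see the selected algorithm change from Ed25519 to RSA while signing and verification still succeed.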

@joewitt joewitt closed this in e3fff91 Dec 31, 2024