Andy LoPresto alopresto

## test_output.txt
/Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/bin/java *.crypto.OpenSSLPBEEncryptorTest,testShouldNotEncryptAndDecryptWithPBELongPasswordWith128BitKeyAndDefaultJCEProvider
[main] INFO  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Running in limited encryption mode
[main] INFO  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Available JCE providers: SUN, SunRsaSign, SunEC, SunJSSE, SunJCE, SunJGSS, SunSASL, XMLDSig, SunPCSC, Apple, BC
[main] INFO  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Password: thisIsABadPassword
[main] INFO  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Salt    : saltsalt
[main] INFO  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Checking algorithm PBEWITHMD5AND128BITAES-CBC-OPENSSL
[main] INFO  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Running with provider SUN
[main] WARN  com.hortonworks.crypto.OpenSSLPBEEncryptorTest  - Provider SUN does not support cipher PBEWITHMD5AND128BITAES-CBC-OPENSSL
[main] INFO  com.hortonworks.crypto.OpenSSLPBE

## test_output_pem.txt
  @Test
    public void testShouldDecryptOpenSSLWithBcPEMDecryptor() throws Exception {
        // Arrange
        if (!isUnlimitedStrengthCrypto()) {
            logger.info("Running in limited encryption mode. Overriding...")
            setJCEUnlimitedStrength()
            logger.info("Now running with unlimited strength crypto")
        }

        logger.info("Plaintext: ${plaintext}")

## NiFi certificate explanation.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                alopresto
                / NiFi certificate explanation.md
            
            
              Created
              March 1, 2016 20:22
            
              
                A response to a comment trying to separate the concerns of NiFi TLS, client authentication, and external service TLS. 
              
          
    I understand the differences are subtle because a lot of the terminology overlaps, but these are two very different activities. In the article you linked to, the steps described are intended to strengthen the service NiFi is providing and the ability of users to connect. As an analogy, let's describe building a bank.
By default, the bank is built of wood, has large clear windows with no blinds, and no official sign out front. You've taped a piece of paper saying "GeoffreyBank" to the door (this is plaintext, default, unencrypted HTTP communication from your browser to http://localhost:8080/nifi).
Now, of course, you want to secure your bank. It is going to store valuable items, and people will not use it if they do not trust that you are protecting their property. So, you build stronger walls and put an inner office so that their transactions cannot simply be observed by anyone on the street and you have professional signage so they can recognize that it is the correct bank.
This is analogous to

  
## noneEmptyELTest.java
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *

## pgp_encryption_template.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><template><description>Generates empty flowfiles, replaces the contents with a static plaintext message, and writes them as a file to a directory.

Reads files from a directory, encrypts using PGP, logs, decrypts, and writes the plaintext files to a new directory. </description><name>PGP Encryption Test</name><snippet><connections><id>69f574fd-134b-4946-b23c-6e63927c8141</id><parentGroupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</parentGroupId><backPressureDataSizeThreshold>0 MB</backPressureDataSizeThreshold><backPressureObjectThreshold>0</backPressureObjectThreshold><destination><groupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</groupId><id>13567097-57a3-47bc-925e-c2b525b0e6d3</id><type>PROCESSOR</type></destination><flowFileExpiration>0 sec</flowFileExpiration><labelIndex>1</labelIndex><name></name><selectedRelationships>success</selectedRelationships><source><groupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</groupId><id>4a8b0595-4233-4dda-ba15-64cb41db7b63</id>

## cipherscan.txt
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 1s @ 21:57:02 $ python analyze.py -t nifi.nifi.apache.org:8443
nifi.nifi.apache.org:8443 has bad ssl/tls

Things that are bad:
* don't use an untrusted or self-signed certificate

Changes needed to match the old level:
* enable SSLv3
* use a certificate with sha1WithRSAEncryption signature

## Merging PR for 2 branches
#Steps to merge/close pull requests with two main branches

As NiFi now has a 1.0 (master) and 0.x (support) branch, pull requests (PR) must be applied to both. Here is a step-by-step guide for committers to ensure this occurs for all PRs.

1. Check out the latest master
```	$ git checkout master
	$ git pull upstream master
```

2. Check out the PR (example #327). This will be in `detached-HEAD` state. (Note: You may need to edit the `.git/config` file to add the `fetch` lines [below](#fetch))

## nifi-checkstyle.xml
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
	            "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">

<module name="Checker">
    <property name="charset" value="UTF-8" />
    <property name="severity" value="warning" />
    <!-- Checks for whitespace -->
    <!-- See http://checkstyle.sf.net/config_whitespace.html -->

## gpg_git_signing.md

      
              1 file
            
          
              41 forks
            
          
              5 comments
            
          
              187 stars
            
          
                alopresto
                / gpg_git_signing.md
            
            
              Last active
              January 18, 2024 22:42
            
              
                Steps to enable GPG signing of git commits. 
              
          
    If anyone is interested in setting up their system to automatically (or manually) sign their git commits with their GPG key, here are the steps:

Generate and add your key to GitHub
$ git config --global commit.gpgsign true ([OPTIONAL] every commit will now be signed)
$ git config --global user.signingkey ABCDEF01 (where ABCDEF01 is the fingerprint of the key to use)
$ git config --global alias.logs "log --show-signature" (now available as $ git logs)
$ git config --global alias.cis "commit -S" (optional if global signing is false)
$ echo "Some content" >> example.txt
$ git add example.txt
$ git cis -m "This commit is signed by a GPG key." (regular commit will work if global signing is enabled)


## nifi.properties
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
	/Library/Java/JavaVirtualMachines/jdk1.8.0_66.jdk/Contents/Home/bin/java *.crypto.OpenSSLPBEEncryptorTest,testShouldNotEncryptAndDecryptWithPBELongPasswordWith128BitKeyAndDefaultJCEProvider
	[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Running in limited encryption mode
	[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Available JCE providers: SUN, SunRsaSign, SunEC, SunJSSE, SunJCE, SunJGSS, SunSASL, XMLDSig, SunPCSC, Apple, BC
	[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Password: thisIsABadPassword
	[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Salt : saltsalt
	[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Checking algorithm PBEWITHMD5AND128BITAES-CBC-OPENSSL
	[main] INFO com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Running with provider SUN
	[main] WARN com.hortonworks.crypto.OpenSSLPBEEncryptorTest - Provider SUN does not support cipher PBEWITHMD5AND128BITAES-CBC-OPENSSL
	[main] INFO com.hortonworks.crypto.OpenSSLPBE
	@Test
	public void testShouldDecryptOpenSSLWithBcPEMDecryptor() throws Exception {
	// Arrange
	if (!isUnlimitedStrengthCrypto()) {
	logger.info("Running in limited encryption mode. Overriding...")
	setJCEUnlimitedStrength()
	logger.info("Now running with unlimited strength crypto")
	}

	logger.info("Plaintext: ${plaintext}")
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	<?xml version="1.0" encoding="UTF-8" standalone="yes"?><template><description>Generates empty flowfiles, replaces the contents with a static plaintext message, and writes them as a file to a directory.

	Reads files from a directory, encrypts using PGP, logs, decrypts, and writes the plaintext files to a new directory. </description><name>PGP Encryption Test</name><snippet><connections><id>69f574fd-134b-4946-b23c-6e63927c8141</id><parentGroupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</parentGroupId><backPressureDataSizeThreshold>0 MB</backPressureDataSizeThreshold><backPressureObjectThreshold>0</backPressureObjectThreshold><destination><groupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</groupId><id>13567097-57a3-47bc-925e-c2b525b0e6d3</id><type>PROCESSOR</type></destination><flowFileExpiration>0 sec</flowFileExpiration><labelIndex>1</labelIndex><name></name><selectedRelationships>success</selectedRelationships><source><groupId>ea8b935a-765e-42d4-aeb8-6b22a423af81</groupId><id>4a8b0595-4233-4dda-ba15-64cb41db7b63</id>
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 1s @ 21:57:02 $ python analyze.py -t nifi.nifi.apache.org:8443
	nifi.nifi.apache.org:8443 has bad ssl/tls

	Things that are bad:
	* don't use an untrusted or self-signed certificate

	Changes needed to match the old level:
	* enable SSLv3
	* use a certificate with sha1WithRSAEncryption signature
	#Steps to merge/close pull requests with two main branches

	As NiFi now has a 1.0 (master) and 0.x (support) branch, pull requests (PR) must be applied to both. Here is a step-by-step guide for committers to ensure this occurs for all PRs.

	1. Check out the latest master
	``` $ git checkout master
	$ git pull upstream master
	```

	2. Check out the PR (example #327). This will be in `detached-HEAD` state. (Note: You may need to edit the `.git/config` file to add the `fetch` lines [below](#fetch))
	<?xml version="1.0"?>
	<!DOCTYPE module PUBLIC
	"-//Puppy Crawl//DTD Check Configuration 1.3//EN"
	"http://www.puppycrawl.com/dtds/configuration_1_3.dtd">

	<module name="Checker">
	<property name="charset" value="UTF-8" />
	<property name="severity" value="warning" />
	<!-- Checks for whitespace -->
	<!-- See http://checkstyle.sf.net/config_whitespace.html -->
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software