Java vs Python AES PBKDF2

I'm attempting to decrypt some values in an Apache NiFi (1.23.1) flow.xml.gz (or flow.json.gz) file in Python. From doing some patching of the Java files, I've found the following information:

| Field | Value |
| --- | --- |
| Algorithm | NIFI_PBKDF2_AES_GCM_256 |
| Password | 1+LFssX4whxz9lOPQ9OS7g4NvQzbCe8j |
| binary as described in CipherPropertyEncryptor.java | 697a84312aac99fbe2315f0637c960352242e26ffd3e2c33c298f06730fffa9687cb0d845f57c1a645 |
| cipherbinary as described in CipherPropertyEncryptor.java | 2242e26ffd3e2c33c298f06730fffa9687cb0d845f57c1a645 |
| Salt | NiFi Static Salt |
| Iterations | 160,000 |
| Decrypted Value | Changeit! |

When trying to write a decryption program in Python, I used https://asecuritysite.com/encryption/aes_gcm2 as a guide.

I have the following code, which results in a ValueError: MAC check failed

```python
# https://asecuritysite.com/encryption/aes_gcm2
from Crypto.Cipher import AES
import hashlib
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA256, SHA512

# plaintext='Changeit!'
password='1+LFssX4whxz9lOPQ9OS7g4NvQzbCe8j'
salt = b'NiFi Static Salt'

def decrypt(ciphertext, key, mode):
    (ciphertext, authTag, nonce) = ciphertext
    encobj = AES.new(key, mode, nonce)
    return(encobj.decrypt_and_verify(ciphertext, authTag))

key = hashlib.sha256(password.encode()).digest()
# /home/nifi/nifi/nifi-commons/nifi-security-crypto-key/src/main/java/org/apache/nifi/security/crypto/key/pbkdf2/Pbkdf2DerivedKeyProvider.java says sha512 hmac
# /home/nifi/nifi/nifi-nar-bundles/nifi-cipher-bundle/nifi-cipher-processors/src/main/java/org/apache/nifi/processors/cipher/DecryptContent.java key length bytes 16
key = PBKDF2(password, salt, 16, count=160000, hmac_hash_module=SHA512)
# key = PBKDF2(password, salt, 32, count=160000, hmac_hash_module=SHA256) # from original code example

# 697a84312aac99fbe2315f0637c960352242e26ffd3e2c33c298f06730fffa9687cb0d845f57c1a645 from a real run, should decrypt to Changeit!
# 2242e26ffd3e2c33c298f06730fffa9687cb0d845f57c1a645 cipherbinary from java
# in java, IV in /home/nifi/nifi/nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/KeyedCipherPropertyEncryptor.java is 697a84312aac99fbe2315f0637c96035
ciphertext = (b'697a84312aac99fbe2315f0637c96035', b'2242e26ffd3e2c33c2', b'98f06730fffa9687cb0d845f57c1a645')

res = decrypt(ciphertext,key,AES.MODE_GCM)
print ("\n\nDecrypted:\t",res.decode())
```

"Java Vs python AES PBKDF2. Why different output?" also looks to be relevant, but without the original code it's hard to follow what the issue was and how it was resolved.

How can I fix this decryption method to get the correct value?
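
An added example, not the asker's code and not NiFi's own: it hex-decodes the `binary` value from the table, splits it into IV, ciphertext and tag in the order `decrypt_and_verify` expects, and derives the key with PBKDF2-HMAC-SHA512. Assumptions: the GCM tag is the last 16 bytes (Java's `AES/GCM/NoPadding` appends it, and the 25-byte cipherbinary minus the 9-byte plaintext leaves 16), and the `256` in the algorithm name means a 32-byte key; `split_binary`, `derive_key` and `Sealed` are names made up for this sketch.

```python
import hashlib
from typing import NamedTuple

IV_LEN = 16   # the IV quoted in the question is 32 hex chars = 16 bytes
TAG_LEN = 16  # assumption: 128-bit GCM tag appended to the ciphertext


class Sealed(NamedTuple):
    iv: bytes
    ciphertext: bytes
    tag: bytes


def split_binary(hex_value: str) -> Sealed:
    """Hex-decode an encrypted value and split it into IV | ciphertext | tag."""
    raw = bytes.fromhex(hex_value)  # decode first: b'697a...' is text, not bytes
    if len(raw) < IV_LEN + TAG_LEN:
        raise ValueError("value too short to hold an IV and a GCM tag")
    body = raw[IV_LEN:]
    return Sealed(raw[:IV_LEN], body[:-TAG_LEN], body[-TAG_LEN:])


def derive_key(password: str, salt: bytes, iterations: int, bits: int) -> bytes:
    """PBKDF2-HMAC-SHA512; the key length in bytes follows the cipher strength."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=bits // 8)


def decrypt(hex_value: str, key: bytes) -> bytes:
    # Imported here so the helpers above work without PyCryptodome installed.
    from Crypto.Cipher import AES
    sealed = split_binary(hex_value)
    cipher = AES.new(key, AES.MODE_GCM, nonce=sealed.iv)
    # Raises ValueError("MAC check failed") if key, IV or tag do not match.
    return cipher.decrypt_and_verify(sealed.ciphertext, sealed.tag)


if __name__ == "__main__":
    # Values copied from the table in the question.
    binary = ("697a84312aac99fbe2315f0637c96035"
              "2242e26ffd3e2c33c2"
              "98f06730fffa9687cb0d845f57c1a645")
    key = derive_key("1+LFssX4whxz9lOPQ9OS7g4NvQzbCe8j",
                     b"NiFi Static Salt", 160_000, 256)
    print(decrypt(binary, key).decode())
```

Compared with the posted script, the tuple there is built as (IV, ciphertext, tag) but unpacked as (ciphertext, authTag, nonce), and its elements are ASCII hex strings rather than decoded bytes.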