Repository: nifi Updated Branches: refs/heads/master b7f946e84 -> bf112d065
NIFI-3490 added SAN option for TLS toolkit in standalone mode This closes #1530. Signed-off-by: Andy LoPresto <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/bf112d06 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/bf112d06 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/bf112d06 Branch: refs/heads/master Commit: bf112d065434ed536fff10b7aaa5eb3b70bc4b9d Parents: b7f946e Author: Pierre Villard <[email protected]> Authored: Wed Feb 22 22:28:13 2017 +0100 Committer: Andy LoPresto <[email protected]> Committed: Mon Mar 6 16:50:18 2017 -0800 ---------------------------------------------------------------------- .../tls/configuration/TlsClientConfig.java | 1 + ...lsCertificateAuthorityClientCommandLine.java | 2 +- .../tls/standalone/TlsToolkitStandalone.java | 6 ++++- .../TlsToolkitStandaloneCommandLine.java | 6 +++++ .../apache/nifi/toolkit/tls/util/TlsHelper.java | 26 +++++++++++++------- .../TlsToolkitStandaloneCommandLineTest.java | 7 ++++++ 6 files changed, 37 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java ---------------------------------------------------------------------- diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java index c885d84..6e030f6 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java 
@@ -44,6 +44,7 @@ public class TlsClientConfig extends TlsConfig { setDnPrefix(tlsConfig.getDnPrefix()); setDnSuffix(tlsConfig.getDnSuffix()); setReorderDn(tlsConfig.getReorderDn()); + setDomainAlternativeNames(tlsConfig.getDomainAlternativeNames()); } http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java ---------------------------------------------------------------------- diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java index db73b41..dde1ff7 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java @@ -57,7 +57,7 @@ public class TlsCertificateAuthorityClientCommandLine extends BaseCertificateAut super(DESCRIPTION); this.inputStreamFactory = inputStreamFactory; addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY); - addOptionWithArg("S", SUBJECT_ALTERNATIVE_NAMES, "Comma-separated list of domains to use as Subject Alternative Names in the certificate"); + addOptionWithArg(null, SUBJECT_ALTERNATIVE_NAMES, "Comma-separated list of domains to use as Subject Alternative Names in the certificate"); } public static void main(String[] args) throws Exception { http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java ---------------------------------------------------------------------- 
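Review bot: Removing the `-S` short form of `--subjectAlternativeNames` in the client command line (second hunk on this line) is a backwards-incompatible CLI change that the commit message does not mention; any existing script that passes `-S` will now fail to parse. If the motive is parity with the standalone tool, where `-S` is presumably already taken by another option, say so in the commit message and the help text, and consider keeping the short form as a deprecated alias for one release. The constructor continues outside the hunk.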
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java index aa619da..fdfaeed 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java @@ -17,6 +17,7 @@ package org.apache.nifi.toolkit.tls.standalone; +import org.apache.commons.lang3.StringUtils; import org.apache.nifi.security.util.CertificateUtils; import org.apache.nifi.security.util.KeystoreType; import org.apache.nifi.security.util.KeyStoreUtils; @@ -29,6 +30,7 @@ import org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigW import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory; import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; import org.bouncycastle.util.io.pem.PemWriter; import org.slf4j.Logger; 
@@ -179,8 +181,10 @@ public class TlsToolkitStandalone { tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword()); TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig); KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize); + Extensions sanDnsExtensions = StringUtils.isBlank(tlsClientConfig.getDomainAlternativeNames()) + ? null : TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames()); tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), - keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days), certificate); + keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate); tlsClientManager.setCertificateEntry(NIFI_CERT, certificate); tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"), hostname, instanceDefinition.getNumber())); http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java ---------------------------------------------------------------------- diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java index fbfe782..159b1d3 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java 
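Review bot: A certificate that carries a subjectAltName extension is matched by RFC 6125-style verifiers on the SAN alone, so when `sanDnsExtensions` is non-null but the list does not include `hostname` (the name that `calcDefaultDn(hostname)` puts in the CN), connections to that host may fail hostname verification. The same `tlsClientConfig.getDomainAlternativeNames()` value is presumably applied to every host this method handles (the `instanceDefinition`/`hostname` context suggests a per-host loop), so each certificate also lists every other host's names; appending the host's own name, e.g. `TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames() + "," + hostname)`, or documenting that the list must cover each host, would close that gap. The `StringUtils.isBlank` guard duplicates the one inside `TlsHelper.generateCertificationRequest`; a null-safe helper in TlsHelper would keep that rule in one place. The enclosing method starts and ends outside the hunk.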
@@ -29,6 +29,7 @@ import java.util.function.Supplier; import java.util.stream.Collectors; import java.util.stream.IntStream; import java.util.stream.Stream; + import org.apache.commons.cli.CommandLine; import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; @@ -58,6 +59,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { public static final String GLOBAL_PORT_SEQUENCE_ARG = "globalPortSequence"; public static final String NIFI_DN_PREFIX_ARG = "nifiDnPrefix"; public static final String NIFI_DN_SUFFIX_ARG = "nifiDnSuffix"; + public static final String SUBJECT_ALTERNATIVE_NAMES = "subjectAlternativeNames"; public static final String DEFAULT_OUTPUT_DIRECTORY = calculateDefaultOutputDirectory(Paths.get(".")); @@ -86,6 +88,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { private boolean overwrite; private String dnPrefix; private String dnSuffix; + private String domainAlternativeNames; public TlsToolkitStandaloneCommandLine() { this(new PasswordUtil()); 
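Review bot: `SUBJECT_ALTERNATIVE_NAMES` (second hunk on this line) breaks the `*_ARG` suffix that the neighbouring option-name constants use (`GLOBAL_PORT_SEQUENCE_ARG`, `NIFI_DN_PREFIX_ARG`, `NIFI_DN_SUFFIX_ARG`); `SUBJECT_ALTERNATIVE_NAMES_ARG` would keep the class consistent. The field in the third hunk is named `domainAlternativeNames` while the option it stores is `subjectAlternativeNames`, a second mismatch worth reconciling. If the constant name is kept for parity with `TlsCertificateAuthorityClientCommandLine`, a one-line comment saying so would pre-empt the question.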
@@ -104,6 +107,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { addOptionWithArg("B", CLIENT_CERT_PASSWORD_ARG, "Password for client certificate. Must either be one value or one for each client DN. (autogenerate if not specified)"); addOptionWithArg("G", GLOBAL_PORT_SEQUENCE_ARG, "Use sequential ports that are calculated for all hosts according to the provided hostname expressions. " + "(Can be specified multiple times, MUST BE SAME FROM RUN TO RUN.)"); + addOptionWithArg(null, SUBJECT_ALTERNATIVE_NAMES, "Comma-separated list of domains to use as Subject Alternative Names in the certificate"); addOptionWithArg(null, NIFI_DN_PREFIX_ARG, "String to prepend to hostname(s) when determining DN.", TlsConfig.DEFAULT_DN_PREFIX); addOptionWithArg(null, NIFI_DN_SUFFIX_ARG, "String to append to hostname(s) when determining DN.", TlsConfig.DEFAULT_DN_SUFFIX); addOptionNoArg("O", OVERWRITE_ARG, "Overwrite existing host output."); @@ -133,6 +137,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { dnPrefix = commandLine.getOptionValue(NIFI_DN_PREFIX_ARG, TlsConfig.DEFAULT_DN_PREFIX); dnSuffix = commandLine.getOptionValue(NIFI_DN_SUFFIX_ARG, TlsConfig.DEFAULT_DN_SUFFIX); + domainAlternativeNames = commandLine.getOptionValue(SUBJECT_ALTERNATIVE_NAMES); Stream<String> globalOrderExpressions = null; if (commandLine.hasOption(GLOBAL_PORT_SEQUENCE_ARG)) { @@ -228,6 +233,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { standaloneConfig.setDays(getDays()); standaloneConfig.setDnPrefix(dnPrefix); standaloneConfig.setDnSuffix(dnSuffix); + standaloneConfig.setDomainAlternativeNames(domainAlternativeNames); standaloneConfig.initDefaults(); return standaloneConfig; http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java ---------------------------------------------------------------------- 
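Review bot: The help text added for `SUBJECT_ALTERNATIVE_NAMES` (`"... in the certificate"`) is copied from the client tool, but in standalone mode the value is handed to every host certificate the tool issues (see the TlsToolkitStandalone hunk), which a user reading `--help` should be told: `"Comma-separated list of domains to use as Subject Alternative Names in every generated certificate"`. The parse hunk stores `commandLine.getOptionValue(SUBJECT_ALTERNATIVE_NAMES)` without validation, so a stray space or empty entry only surfaces later, inside certificate generation; trimming and rejecting empty entries here would give the user a clear `CommandLineParseException` instead. The enclosing constructor and parse method continue outside the hunks.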
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
index 7465714..c244f07 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
@@ -34,13 +34,16 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
+
 import javax.crypto.Cipher;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
@@ -198,15 +201,7 @@ public class TlsHelper {
 // add Subject Alternative Name(s)
 if(StringUtils.isNotBlank(domainAlternativeNames)) {
 try {
- List<GeneralName> namesList = new ArrayList<>();
- for(String alternativeName : domainAlternativeNames.split(",")) {
- namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
- }
-
- GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
- ExtensionsGenerator extGen = new ExtensionsGenerator();
- extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
- jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
+ jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames));
 } catch (IOException e) {
 throw new OperatorCreationException("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e);
 }
@@ -215,4 +210,17 @@ public class TlsHelper {
 JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
 return new JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
 }
+
+ public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames) throws IOException {
+ List<GeneralName> namesList = new ArrayList<>();
+ for(String alternativeName : domainAlternativeNames.split(",")) {
+ namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
+ }
+
+ GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
+ ExtensionsGenerator extGen = new ExtensionsGenerator();
+ extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
+ return extGen.generate();
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
index 7437b84..0fe004a 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
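Review bot: `createDomainAlternativeNamesExtensions` splits on `,` without trimming, so an input such as `a.example.org, b.example.org` yields a dNSName of ` b.example.org`, and a trailing comma or `a,,b` yields an empty dNSName; as far as I can tell `GeneralName(dNSName, String)` only wraps the value as an IA5String, so nothing rejects these and they end up in the CSR or the issued certificate. Trim each entry, skip blanks, and fail fast when nothing remains, since the callers only guard against an entirely blank string. The method is public but has no Javadoc; a short one should state that the argument is a comma-separated list of DNS names only (an IP address would be encoded as a dNSName, which verifiers presumably will not match against an IP), that the result holds a single non-critical subjectAltName extension, and `@throws IOException` from `ExtensionsGenerator.generate()`.
```java
    public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames) throws IOException {
        List<GeneralName> namesList = new ArrayList<>();
        for (String alternativeName : domainAlternativeNames.split(",")) {
            String dnsName = alternativeName.trim();
            if (!dnsName.isEmpty()) {
                namesList.add(new GeneralName(GeneralName.dNSName, dnsName));
            }
        }
        if (namesList.isEmpty()) {
            throw new IllegalArgumentException("No Subject Alternative Name found in '" + domainAlternativeNames + "'");
        }
        // … unchanged: GeneralNames / ExtensionsGenerator / generate() …
```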
@@ -117,6 +117,13 @@ public class TlsToolkitStandaloneCommandLineTest { } @Test + public void testSAN() throws CommandLineParseException, IOException { + String dnsSAN = "nifi.apache.org"; + tlsToolkitStandaloneCommandLine.parse("--subjectAlternativeNames", dnsSAN); + assertEquals(dnsSAN, tlsToolkitStandaloneCommandLine.createConfig().getDomainAlternativeNames()); + } + + @Test public void testDaysNotInteger() { try { tlsToolkitStandaloneCommandLine.parse("-d", "badVal");
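Review bot: `testSAN` only checks that the option value round-trips into the config; the new `TlsHelper.createDomainAlternativeNamesExtensions` and the standalone path that attaches the extension to each issued certificate have no test. A test that calls the helper with a two-name list and asserts that `GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName)` contains both names as dNSName entries would pin the encoding, and a standalone-runner test could read back `getSubjectAlternativeNames()` on the generated certificate. A case with whitespace after the comma would also document what the helper is expected to do with it. The test class continues outside the hunk.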
