Repository: nifi
Updated Branches:
  refs/heads/master 9c4fdd4ef -> 9f1267e94


NIFI-4222 - Adding CN by default in SANs for generated certificates with 
tls-toolkit

This closes #2042.

Signed-off-by: Andy LoPresto <alopre...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/9f1267e9
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/9f1267e9
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/9f1267e9

Branch: refs/heads/master
Commit: 9f1267e9490084219517e4a56c7fa7fcb0d4063e
Parents: 9c4fdd4
Author: Pierre Villard <pierre.villard...@gmail.com>
Authored: Sat Jul 29 12:38:14 2017 +0200
Committer: Andy LoPresto <alopre...@apache.org>
Committed: Wed Aug 9 19:04:36 2017 -0700

----------------------------------------------------------------------
 .../tls/standalone/TlsToolkitStandalone.java    |  4 +--
 .../apache/nifi/toolkit/tls/util/TlsHelper.java | 28 +++++++++++++-------
 .../nifi/toolkit/tls/util/TlsHelperTest.java    |  6 ++++-
 3 files changed, 25 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/9f1267e9/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
----------------------------------------------------------------------
diff --git 
a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
 
b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
index fdfaeed..304ce7f 100644
--- 
a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
+++ 
b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
@@ -17,7 +17,6 @@
 
 package org.apache.nifi.toolkit.tls.standalone;
 
-import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.KeyStoreUtils;
@@ -181,8 +180,7 @@ public class TlsToolkitStandalone {
             
tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
             TlsClientManager tlsClientManager = new 
TlsClientManager(tlsClientConfig);
             KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, 
keySize);
-            Extensions sanDnsExtensions = 
StringUtils.isBlank(tlsClientConfig.getDomainAlternativeNames())
-                    ? null : 
TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames());
+            Extensions sanDnsExtensions = 
TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(),
 tlsClientConfig.calcDefaultDn(hostname));
             tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, 
CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname),
                     keyPair.getPublic(), sanDnsExtensions, certificate, 
caKeyPair, signingAlgorithm, days), certificate);
             tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
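Review bot: The new call computes `tlsClientConfig.calcDefaultDn(hostname)` on the SAN line and again as the subject on the following `generateIssuedCertificate` line, so the DN that feeds the CN-derived SAN and the DN used as the certificate subject are two separate evaluations. Hoisting it into one local keeps the two provably identical and avoids the repeated call: `final String dn = tlsClientConfig.calcDefaultDn(hostname);` then pass `dn` to both `createDomainAlternativeNamesExtensions(...)` and `generateIssuedCertificate(...)`. The enclosing method starts outside this hunk.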

http://git-wip-us.apache.org/repos/asf/nifi/blob/9f1267e9/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
----------------------------------------------------------------------
diff --git 
a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 
b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
index c244f07..d1d93e4 100644
--- 
a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
+++ 
b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
@@ -42,6 +42,8 @@ import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
@@ -199,22 +201,30 @@ public class TlsHelper {
         JcaPKCS10CertificationRequestBuilder 
jcaPKCS10CertificationRequestBuilder = new 
JcaPKCS10CertificationRequestBuilder(new X500Name(requestedDn), 
keyPair.getPublic());
 
         // add Subject Alternative Name(s)
-        if(StringUtils.isNotBlank(domainAlternativeNames)) {
-            try {
-                
jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
 createDomainAlternativeNamesExtensions(domainAlternativeNames));
-            } catch (IOException e) {
-                throw new OperatorCreationException("Error while adding " + 
domainAlternativeNames + " as Subject Alternative Name.", e);
-            }
+        try {
+            
jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
 createDomainAlternativeNamesExtensions(domainAlternativeNames, requestedDn));
+        } catch (IOException e) {
+            throw new OperatorCreationException("Error while adding " + 
domainAlternativeNames + " as Subject Alternative Name.", e);
         }
 
         JcaContentSignerBuilder jcaContentSignerBuilder = new 
JcaContentSignerBuilder(signingAlgorithm);
         return new 
JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
     }
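Review bot: Because `createDomainAlternativeNamesExtensions` is now called unconditionally, the `IOException` caught here can originate from CN extraction on `requestedDn` even when `domainAlternativeNames` is null or blank, and the message then reads "Error while adding null as Subject Alternative Name." which points the operator at the wrong input. The message should name both inputs, e.g. `throw new OperatorCreationException("Error while adding Subject Alternative Names (CN from " + requestedDn + ", additional names: " + domainAlternativeNames + ").", e);`. The enclosing method's signature is outside this hunk.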
 
-    public static Extensions createDomainAlternativeNamesExtensions(String 
domainAlternativeNames) throws IOException {
+    public static Extensions createDomainAlternativeNamesExtensions(String 
domainAlternativeNames, String requestedDn) throws IOException {
         List<GeneralName> namesList = new ArrayList<>();
-        for(String alternativeName : domainAlternativeNames.split(",")) {
-            namesList.add(new GeneralName(GeneralName.dNSName, 
alternativeName));
+
+        try {
+            final String cn = IETFUtils.valueToString(new 
X500Name(requestedDn).getRDNs(BCStyle.CN)[0].getFirst().getValue());
+            namesList.add(new GeneralName(GeneralName.dNSName, cn));
+        } catch (Exception e) {
+            throw new IOException("Failed to extract CN from request DN: " + 
requestedDn, e);
+        }
+
+        if(StringUtils.isNotBlank(domainAlternativeNames)) {
+            for(String alternativeName : domainAlternativeNames.split(",")) {
+                namesList.add(new GeneralName(GeneralName.dNSName, 
alternativeName));
+            }
         }
 
         GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new 
GeneralName [] {}));
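Review bot: The loop over `domainAlternativeNames` adds every name as a dNSName without checking against the CN that the preceding try block already added, so a configuration that lists the host's own name among its alternative names (a common case) now produces a duplicate dNSName entry in the extension. To avoid that, declare `final String cn;` before the try, assign it inside, and guard the loop body with `if (!cn.equals(alternativeName)) {`. Separately, `catch (Exception e)` is broad: a DN with no CN surfaces as an `ArrayIndexOutOfBoundsException` from `getRDNs(BCStyle.CN)[0]` wrapped into the IOException, which works but an explicit length check on `getRDNs(BCStyle.CN)` with a "DN has no CN" message would make the failure mode readable. The method's return is outside this hunk.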

http://git-wip-us.apache.org/repos/asf/nifi/blob/9f1267e9/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
----------------------------------------------------------------------
diff --git 
a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
 
b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
index 223dbb7..9e23496 100644
--- 
a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
+++ 
b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
@@ -52,6 +52,7 @@ import java.util.Date;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
+
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
@@ -319,9 +320,12 @@ public class TlsHelperTest {
         assert subjectName.equals(DN);
 
         List<String> extractedSans = extractSanFromCsr(csrWithSan);
-        assert extractedSans.size() == SAN_COUNT;
+        assert extractedSans.size() == SAN_COUNT + 1;
         List<String> formattedSans = SAN_ENTRIES.stream().map(s -> "DNS: " + 
s).collect(Collectors.toList());
         assert extractedSans.containsAll(formattedSans);
+
+        // We check that the SANs also contain the CN
+        assert extractedSans.contains("DNS: localhost");
     }
 
     private List<String> extractSanFromCsr(JcaPKCS10CertificationRequest csr) {
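Review bot: The new assertion hard-codes `"DNS: localhost"` rather than deriving the expected value from the `DN` constant the test already compares the subject against, so the CN-in-SAN check silently decouples from the DN if that constant ever changes; deriving the CN from `DN` (presumably its CN is localhost — verify) keeps the test self-consistent. The commit also adds two new behaviours with no coverage: a DN without a CN now makes `createDomainAlternativeNamesExtensions` throw `IOException`, and a blank `domainAlternativeNames` now still yields a SAN extension containing only the CN. A test for each of those paths would pin the new contract.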
