[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

ASF GitHub Bot (JIRA) Wed, 27 Jul 2016 17:40:51 -0700

    [ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15396730#comment-15396730
 ]


ASF GitHub Bot commented on NIFI-2193:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/695#discussion_r72549313
  
    --- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
    @@ -0,0 +1,177 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.toolkit.tls.util;
    +
    +import org.apache.nifi.security.util.CertificateUtils;
    +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
    +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
    +import org.bouncycastle.cert.X509CertificateHolder;
    +import org.bouncycastle.cert.crmf.CRMFException;
    +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
    +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
    +import org.bouncycastle.eac.EACException;
    +import org.bouncycastle.jce.provider.BouncyCastleProvider;
    +import org.bouncycastle.openssl.PEMParser;
    +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
    +import org.bouncycastle.operator.OperatorCreationException;
    +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
    +import org.bouncycastle.pkcs.PKCS10CertificationRequest;
    +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
    +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
    +import org.bouncycastle.util.io.pem.PemWriter;
    +
    +import javax.crypto.Mac;
    +import javax.crypto.spec.SecretKeySpec;
    +import javax.security.auth.x500.X500Principal;
    +import java.io.IOException;
    +import java.io.StringReader;
    +import java.io.StringWriter;
    +import java.nio.charset.StandardCharsets;
    +import java.security.GeneralSecurityException;
    +import java.security.InvalidKeyException;
    +import java.security.KeyPair;
    +import java.security.KeyPairGenerator;
    +import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.MessageDigest;
    +import java.security.NoSuchAlgorithmException;
    +import java.security.NoSuchProviderException;
    +import java.security.PublicKey;
    +import java.security.Security;
    +import java.security.SignatureException;
    +import java.security.cert.Certificate;
    +import java.security.cert.CertificateException;
    +import java.security.cert.X509Certificate;
    +import java.security.spec.InvalidKeySpecException;
    +
    +public class TlsHelper {
    +    public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
    +    public static final String PKCS12 = "PKCS12";
    +    private final KeyPairGenerator keyPairGenerator;
    +    private final int days;
    +    private final String signingAlgorithm;
    +
    +    public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
    +        this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
    +    }
    +
    +    public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
    +        this(tlsToolkitCommandLine.getTlsHelperConfig());
    +    }
    +
    +    public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
    +        this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
    +    }
    +
    +    protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
    +        this.keyPairGenerator = keyPairGenerator;
    +        this.days = days;
    +        this.signingAlgorithm = signingAlgorithm;
    +    }
    +
    +    public static void addBouncyCastleProvider() {
    +        Security.addProvider(new BouncyCastleProvider());
    +    }
    +
    +    private static KeyPairGenerator createKeyPairGenerator(String 
algorithm, int keySize) throws NoSuchAlgorithmException {
    +        KeyPairGenerator instance = 
KeyPairGenerator.getInstance(algorithm);
    +        instance.initialize(keySize);
    +        return instance;
    +    }
    +
    +    public KeyPair generateKeyPair() throws NoSuchAlgorithmException {
    +        return keyPairGenerator.generateKeyPair();
    +    }
    +
    +    public void addToKeyStore(KeyStore keyStore, KeyPair keyPair, String 
alias, char[] passphrase, Certificate... certificates) throws 
GeneralSecurityException, IOException {
    +        keyStore.setKeyEntry(alias, keyPair.getPrivate(), passphrase, 
certificates);
    +    }
    +
    +    public KeyStore createKeyStore(String keyStoreType) throws 
KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, 
NoSuchProviderException {
    +        KeyStore keyStore;
    +        if (PKCS12.equals(keyStoreType)) {
    --- End diff --
    
    Is there a reason you explicitly reference the BouncyCastle provider to get 
an instance of the PKCS12 keystore?


> Command Line Keystore and Truststore utility
> --------------------------------------------
>
>                 Key: NIFI-2193
>                 URL: https://issues.apache.org/jira/browse/NIFI-2193
>             Project: Apache NiFi
>          Issue Type: New Feature
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

Reply via email to