[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397768#comment-15397768
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r72655223
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+ public static final String PROVIDER =
BouncyCastleProvider.PROVIDER_NAME;
+ public static final String PKCS12 = "PKCS12";
+ private final KeyPairGenerator keyPairGenerator;
+ private final int days;
+ private final String signingAlgorithm;
+
+ public TlsHelper(TlsHelperConfig tlsHelperConfig) throws
NoSuchAlgorithmException {
+ this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(),
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+ }
+
+ public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws
NoSuchAlgorithmException {
+ this(tlsToolkitCommandLine.getTlsHelperConfig());
+ }
+
+ public TlsHelper(int days, int keySize, String keyPairAlgorithm,
String signingAlgorithm) throws NoSuchAlgorithmException {
+ this(createKeyPairGenerator(keyPairAlgorithm, keySize), days,
signingAlgorithm);
+ }
+
+ protected TlsHelper(KeyPairGenerator keyPairGenerator, int days,
String signingAlgorithm) {
+ this.keyPairGenerator = keyPairGenerator;
+ this.days = days;
+ this.signingAlgorithm = signingAlgorithm;
+ }
+
+ public static void addBouncyCastleProvider() {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ private static KeyPairGenerator createKeyPairGenerator(String
algorithm, int keySize) throws NoSuchAlgorithmException {
+ KeyPairGenerator instance =
KeyPairGenerator.getInstance(algorithm);
+ instance.initialize(keySize);
+ return instance;
+ }
+
+ public KeyPair generateKeyPair() throws NoSuchAlgorithmException {
+ return keyPairGenerator.generateKeyPair();
+ }
+
+ public void addToKeyStore(KeyStore keyStore, KeyPair keyPair, String
alias, char[] passphrase, Certificate... certificates) throws
GeneralSecurityException, IOException {
+ keyStore.setKeyEntry(alias, keyPair.getPrivate(), passphrase,
certificates);
+ }
+
+ public KeyStore createKeyStore(String keyStoreType) throws
KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException,
NoSuchProviderException {
+ KeyStore keyStore;
+ if (PKCS12.equals(keyStoreType)) {
+ keyStore = KeyStore.getInstance(keyStoreType,
BouncyCastleProvider.PROVIDER_NAME);
+ } else {
+ keyStore = KeyStore.getInstance(keyStoreType);
+ }
+ keyStore.load(null, null);
+ return keyStore;
+ }
+
+ public X509Certificate generateSelfSignedX509Certificate(KeyPair
keyPair, String dn) throws CertificateException {
+ return CertificateUtils.generateSelfSignedX509Certificate(keyPair,
dn, signingAlgorithm, days);
+ }
+
+ public X509Certificate generateIssuedCertificate(String dn, PublicKey
publicKey, X509Certificate issuer, KeyPair issuerKeyPair) throws
CertificateException {
+ return CertificateUtils.generateIssuedCertificate(dn, publicKey,
issuer, issuerKeyPair, signingAlgorithm, days);
+ }
+
+ public JcaPKCS10CertificationRequest
generateCertificationRequest(String requestedDn, KeyPair keyPair) throws
OperatorCreationException {
+ JcaPKCS10CertificationRequestBuilder
jcaPKCS10CertificationRequestBuilder = new
JcaPKCS10CertificationRequestBuilder(new X500Principal(requestedDn),
keyPair.getPublic());
+ JcaContentSignerBuilder jcaContentSignerBuilder = new
JcaContentSignerBuilder(signingAlgorithm);
+ return new
JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
+ }
+
+ public X509Certificate signCsr(JcaPKCS10CertificationRequest
certificationRequest, X509Certificate issuer, KeyPair issuerKeyPair) throws
InvalidKeySpecException, EACException,
+ CertificateException, NoSuchAlgorithmException, IOException,
SignatureException, NoSuchProviderException, InvalidKeyException,
OperatorCreationException, CRMFException {
+ return
generateIssuedCertificate(certificationRequest.getSubject().toString(),
certificationRequest.getPublicKey(), issuer, issuerKeyPair);
+ }
+
+ public boolean checkHMac(byte[] hmac, String token, PublicKey
publicKey) throws CRMFException, NoSuchProviderException,
NoSuchAlgorithmException, InvalidKeyException {
--- End diff --
Same comment -- reduce the breadth of exception classes thrown by a public
method.
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
