Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/695#discussion_r72741316
  
    --- Diff: nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy ---
    @@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase {
         private
         static X509Certificate generateCertificate(String dn) throws 
IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
             KeyPair keyPair = generateKeyPair();
    -        return generateCertificate(dn, keyPair);
    -    }
    -
    -    /**
    -     * Generates a signed certificate with a specific keypair.
    -     *
    -     * @param dn the DN
    -     * @param keyPair the public key will be included in the certificate 
and the the private key is used to sign the certificate
    -     * @return the certificate
    -     * @throws IOException
    -     * @throws NoSuchAlgorithmException
    -     * @throws CertificateException
    -     * @throws NoSuchProviderException
    -     * @throws SignatureException
    -     * @throws InvalidKeyException
    -     * @throws OperatorCreationException
    -     */
    -    private
    -    static X509Certificate generateCertificate(String dn, KeyPair keyPair) 
throws IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
    -        PrivateKey privateKey = keyPair.getPrivate();
    -        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
    -        SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    -        Date startDate = new Date(YESTERDAY);
    -        Date endDate = new Date(ONE_YEAR_FROM_NOW);
    -
    -        X509v3CertificateBuilder certBuilder = new 
X509v3CertificateBuilder(
    -                new X500Name(dn),
    -                BigInteger.valueOf(System.currentTimeMillis()),
    -                startDate, endDate,
    -                new X500Name(dn),
    -                subPubKeyInfo);
    -
    -        // Set certificate extensions
    -        // (1) digitalSignature extension
    -        certBuilder.addExtension(X509Extension.keyUsage, true,
    -                new KeyUsage(KeyUsage.digitalSignature | 
KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement));
    -
    -        // (2) extendedKeyUsage extension
    -        Vector<KeyPurposeId> ekUsages = new Vector<>();
    -        ekUsages.add(KeyPurposeId.id_kp_clientAuth);
    -        ekUsages.add(KeyPurposeId.id_kp_serverAuth);
    -        certBuilder.addExtension(X509Extension.extendedKeyUsage, false, 
new ExtendedKeyUsage(ekUsages));
    -
    -        // Sign the certificate
    -        X509CertificateHolder certificateHolder = 
certBuilder.build(sigGen);
    -        return new JcaX509CertificateConverter().setProvider(PROVIDER)
    -                .getCertificate(certificateHolder);
    +        return CertificateUtils.generateSelfSignedX509Certificate(keyPair, 
dn, SIGNATURE_ALGORITHM, 365);
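    Review bot: The validity period is passed as the bare literal `365` in the new `generateSelfSignedX509Certificate` call, whereas the removed code derived it from the named `ONE_YEAR_FROM_NOW` constant; since the thread is about raising this value throughout the tool, pull it into a named constant (for example `CERT_VALIDITY_DAYS`) so the test helper and the tool default change in one place. It is also worth confirming that `CertificateUtils.generateSelfSignedX509Certificate` still sets the critical `keyUsage` extension and the `extendedKeyUsage` entries `id_kp_clientAuth` and `id_kp_serverAuth` that the deleted helper added explicitly, because the hunk no longer shows them and tests in this class may rely on those extensions being present.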
    --- End diff --
    
    @brosander and I discussed the need for certificate migration, especially 
for the CA, and handling the trust chain amongst the nodes. I think if this 
value (throughout the tool) is increased for now, the additional use cases and 
logic to handle key/cert rollover can be addressed in an `x.1.x` release. Not 
ideal, but it is not an easy problem to tackle so close to the current release 
deadline.
