[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398707#comment-15398707
 ] 

ASF GitHub Bot commented on NIFI-2193:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/695#discussion_r72741316
  
    --- Diff: 
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 ---
    @@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase {
         private
         static X509Certificate generateCertificate(String dn) throws 
IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
             KeyPair keyPair = generateKeyPair();
    -        return generateCertificate(dn, keyPair);
    -    }
    -
    -    /**
    -     * Generates a signed certificate with a specific keypair.
    -     *
    -     * @param dn the DN
    -     * @param keyPair the public key will be included in the certificate 
and the the private key is used to sign the certificate
    -     * @return the certificate
    -     * @throws IOException
    -     * @throws NoSuchAlgorithmException
    -     * @throws CertificateException
    -     * @throws NoSuchProviderException
    -     * @throws SignatureException
    -     * @throws InvalidKeyException
    -     * @throws OperatorCreationException
    -     */
    -    private
    -    static X509Certificate generateCertificate(String dn, KeyPair keyPair) 
throws IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
    -        PrivateKey privateKey = keyPair.getPrivate();
    -        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
    -        SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    -        Date startDate = new Date(YESTERDAY);
    -        Date endDate = new Date(ONE_YEAR_FROM_NOW);
    -
    -        X509v3CertificateBuilder certBuilder = new 
X509v3CertificateBuilder(
    -                new X500Name(dn),
    -                BigInteger.valueOf(System.currentTimeMillis()),
    -                startDate, endDate,
    -                new X500Name(dn),
    -                subPubKeyInfo);
    -
    -        // Set certificate extensions
    -        // (1) digitalSignature extension
    -        certBuilder.addExtension(X509Extension.keyUsage, true,
    -                new KeyUsage(KeyUsage.digitalSignature | 
KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement));
    -
    -        // (2) extendedKeyUsage extension
    -        Vector<KeyPurposeId> ekUsages = new Vector<>();
    -        ekUsages.add(KeyPurposeId.id_kp_clientAuth);
    -        ekUsages.add(KeyPurposeId.id_kp_serverAuth);
    -        certBuilder.addExtension(X509Extension.extendedKeyUsage, false, 
new ExtendedKeyUsage(ekUsages));
    -
    -        // Sign the certificate
    -        X509CertificateHolder certificateHolder = 
certBuilder.build(sigGen);
    -        return new JcaX509CertificateConverter().setProvider(PROVIDER)
    -                .getCertificate(certificateHolder);
    +        return CertificateUtils.generateSelfSignedX509Certificate(keyPair, 
dn, SIGNATURE_ALGORITHM, 365);
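Review bot: The literal `365` in the new `generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365)` call re-encodes the validity period that the removed code expressed through the `YESTERDAY` and `ONE_YEAR_FROM_NOW` constants; since the comment below says this value is about to be raised throughout the tool, it should come from one named constant in the test rather than a magic number, so that the change is made in a single place. Separately, the removed builder code set a critical `keyUsage` (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement) and a non-critical `extendedKeyUsage` (clientAuth, serverAuth) and started validity at `YESTERDAY` to tolerate clock skew; none of that is visible in the replacement call, so please add assertions in this test that the certificate returned by the helper still carries those extensions and a not-before date in the past, otherwise the coverage for them silently disappears with this hunk.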
    --- End diff --
    
    @brosander and I discussed the need for certificate migration, especially 
for the CA, and handling the trust chain amongst the nodes. I think if this 
value (throughout the tool) is increased for now, the additional use cases and 
logic to handle key/cert rollover can be addressed in a `x.1.x` release. Not 
ideal, but it is not an easy problem to tackle so close to the current release 
deadline. 


> Command Line Keystore and Truststore utility
> --------------------------------------------
>
>                 Key: NIFI-2193
>                 URL: https://issues.apache.org/jira/browse/NIFI-2193
>             Project: Apache NiFi
>          Issue Type: New Feature
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
