[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15404937#comment-15404937
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r73251864
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
---
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.standalone;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
+import org.apache.nifi.toolkit.tls.manager.TlsClientManager;
+import
org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter;
+import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+public class TlsToolkitStandalone {
+ public static final String NIFI_KEY = "nifi-key";
+ public static final String NIFI_CERT = "nifi-cert";
+ public static final String ROOT_CERT_PRIVATE_KEY = "rootCert.key";
+ public static final String ROOT_CERT_CRT = "rootCert.crt";
+ public static final String NIFI_PROPERTIES = "nifi.properties";
+
+ private final OutputStreamFactory outputStreamFactory;
+
+ public TlsToolkitStandalone() {
+ this(FileOutputStream::new);
+ }
+
+ public TlsToolkitStandalone(OutputStreamFactory outputStreamFactory) {
+ this.outputStreamFactory = outputStreamFactory;
+ }
+
+ public void createNifiKeystoresAndTrustStores(File baseDir, TlsConfig
tlsConfig, NiFiPropertiesWriterFactory niFiPropertiesWriterFactory,
List<String> hostnames, List<String> keyStorePasswords,
+ List<String>
keyPasswords, List<String> trustStorePasswords, String httpsPort) throws
GeneralSecurityException, IOException {
+ String signingAlgorithm = tlsConfig.getSigningAlgorithm();
+ int days = tlsConfig.getDays();
+ String keyPairAlgorithm = tlsConfig.getKeyPairAlgorithm();
+ int keySize = tlsConfig.getKeySize();
+ TlsCertificateAuthorityManager tlsCertificateAuthorityManager =
new TlsCertificateAuthorityManager(tlsConfig);
+ KeyStore.PrivateKeyEntry privateKeyEntry =
tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority();
+ X509Certificate certificate = (X509Certificate)
privateKeyEntry.getCertificateChain()[0];
+ KeyPair caKeyPair = new KeyPair(certificate.getPublicKey(),
privateKeyEntry.getPrivateKey());
+
+ try (PemWriter pemWriter = new PemWriter(new
OutputStreamWriter(outputStreamFactory.create(new File(baseDir,
ROOT_CERT_CRT))))) {
+ pemWriter.writeObject(new JcaMiscPEMGenerator(certificate));
+ }
+
+ try (PemWriter pemWriter = new PemWriter(new
OutputStreamWriter(outputStreamFactory.create(new File(baseDir,
ROOT_CERT_PRIVATE_KEY))))) {
+ pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair));
+ }
+
+ for (int i = 0; i < hostnames.size(); i++) {
+ String hostname = hostnames.get(i);
+ File hostDir = new File(baseDir, hostname);
+
+ if (!hostDir.mkdirs()) {
--- End diff --
If the directory already exists, this will return `false` and throw an
exception. Check if the directory exists and either log a warning before
clearing it, or skip generating that hostname's directory.
Example:
```bash
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
(pr695) alopresto
🔓 355s @ 15:34:06 $ ./bin/tls-toolkit.sh standalone -n host1, host2
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
(pr695) alopresto
🔓 15s @ 15:34:22 $ tree
.
├── host1
│  ├── keystore.jks
│  ├── nifi.properties
│  └── truststore.jks
├── localhost
│  ├── keystore.jks
│  ├── nifi.properties
│  └── truststore.jks
├── rootCert.crt
└── rootCert.key
5 directories, 37 files
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
(pr695) alopresto
🔓 65s @ 15:35:31 $ ./bin/tls-toolkit.sh standalone -n host1,host2
Error creating generating tls configuration. (Unable to make directory:
/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT/./host1)
```
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
