[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15404990#comment-15404990
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r73255485
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
---
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service.client;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import
org.apache.nifi.toolkit.tls.service.BaseCertificateAuthorityCommandLine;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class TlsCertificateAuthorityClientCommandLine extends
BaseCertificateAuthorityCommandLine {
+ public static final String DESCRIPTION = "Generates a private key and
gets it signed by the certificate authority.";
+ public static final String PKCS_12 = "PKCS12";
+ public static final String CERTIFICATE_DIRECTORY =
"certificateDirectory";
+ public static final String DEFAULT_CERTIFICATE_DIRECTORY = ".";
+ public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG =
"sameKeyAndKeyStorePassword";
+
+ private final InputStreamFactory inputStreamFactory;
+
+ private String certificateDirectory;
+ private boolean sameKeyAndKeyStorePassword;
+
+ public TlsCertificateAuthorityClientCommandLine() {
+ this(FileInputStream::new);
+ }
+
+ public TlsCertificateAuthorityClientCommandLine(InputStreamFactory
inputStreamFactory) {
+ super(DESCRIPTION);
+ this.inputStreamFactory = inputStreamFactory;
+ addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write
the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY);
+ addOptionNoArg("S", SAME_KEY_AND_KEY_STORE_PASSWORD_ARG, "When
generating passwords, use the same one for KeyStore and Key");
+ }
+
+ public static void main(String[] args) throws Exception {
+ TlsHelper.addBouncyCastleProvider();
+ TlsCertificateAuthorityClientCommandLine
tlsCertificateAuthorityClientCommandLine = new
TlsCertificateAuthorityClientCommandLine();
+ try {
+ tlsCertificateAuthorityClientCommandLine.parse(args);
+ } catch (CommandLineParseException e) {
+ System.exit(e.getExitCode());
+ }
+ new
TlsCertificateAuthorityClient().generateCertificateAndGetItSigned(tlsCertificateAuthorityClientCommandLine.createClientConfig(),
+
tlsCertificateAuthorityClientCommandLine.getCertificateDirectory(),
tlsCertificateAuthorityClientCommandLine.getConfigJson(),
+
tlsCertificateAuthorityClientCommandLine.sameKeyAndKeyStorePassword());
+ System.exit(ExitCode.SUCCESS.ordinal());
+ }
+
+ @Override
+ protected boolean shouldAddDaysArg() {
+ return false;
+ }
+
+ @Override
+ protected boolean shouldAddSigningAlgorithmArg() {
+ return false;
+ }
+
+ @Override
+ protected String getKeyStoreTypeDefault() {
+ return PKCS_12;
+ }
+
+ @Override
+ protected CommandLine doParse(String[] args) throws
CommandLineParseException {
+ CommandLine commandLine = super.doParse(args);
+ certificateDirectory =
commandLine.getOptionValue(CERTIFICATE_DIRECTORY,
DEFAULT_CERTIFICATE_DIRECTORY);
+ sameKeyAndKeyStorePassword =
commandLine.hasOption(SAME_KEY_AND_KEY_STORE_PASSWORD_ARG);
+ return commandLine;
+ }
+
+ public boolean sameKeyAndKeyStorePassword() {
+ return sameKeyAndKeyStorePassword;
+ }
+
+ public String getCertificateDirectory() {
+ return certificateDirectory;
+ }
+
+ public TlsClientConfig createClientConfig() throws IOException {
+ if (onlyUseConfigJson()) {
+ try (InputStream inputStream = inputStreamFactory.create(new
File(getConfigJson()))) {
+ TlsClientConfig tlsClientConfig = new
ObjectMapper().readValue(inputStream, TlsClientConfig.class);
+ tlsClientConfig.initDefaults();
+ return tlsClientConfig;
+ }
+ } else {
+ TlsClientConfig tlsClientConfig = new TlsClientConfig();
+
tlsClientConfig.setCaHostname(getCertificateAuthorityHostname());
+ tlsClientConfig.setDn(getDn());
+ tlsClientConfig.setToken(getToken());
+ tlsClientConfig.setPort(getPort());
+ tlsClientConfig.setKeyStore(KEYSTORE +
getKeyStoreType().toLowerCase());
+ tlsClientConfig.setKeyStoreType(getKeyStoreType());
+ tlsClientConfig.setTrustStore(TRUSTSTORE +
getKeyStoreType().toLowerCase());
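Review bot: The help text for the `-C` option in the constructor, `"The file to write the CA certificate to"`, does not describe what the option is: `CERTIFICATE_DIRECTORY` defaults to `"."`, `doParse` stores it in `certificateDirectory`, and `main` hands `getCertificateDirectory()` to `generateCertificateAndGetItSigned`, so it is evidently a directory, and the CA certificate is not what this client writes there. Users reading the usage output will expect a file path; suggest `addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The directory to write the generated key and certificate material to", DEFAULT_CERTIFICATE_DIRECTORY);`. Separately, the success path in `main` exits with `ExitCode.SUCCESS.ordinal()`, so the process status depends on enum declaration order; since the failure branch already uses `e.getExitCode()`, the success path should presumably obtain its code through the same explicit mechanism rather than `ordinal()`, if `ExitCode` provides one. `createClientConfig` continues past the end of the quoted hunk.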
--- End diff --
This gets the default keystore type (`PKCS12`) to use for the truststore as
well. The truststore rarely needs to be `PKCS12`, as there is no private
key information in it. I am not sure why the default (even for keystores) is
not `JKS`.
Example:
```bash
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
(pr695) alopresto
🔓 113s @ 16:01:50 $ ./bin/tls-toolkit.sh client -D
CN=client.nifi.apache.org -t shorttoken
log4j:WARN No appenders could be found for logger
(org.apache.http.client.protocol.RequestAddCookies).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for
more info.
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
(pr695) alopresto
🔓 43s @ 16:02:33 $ tl
.
...
├── [ 520] config.json
├── [3.3K] keystore.pkcs12
...
├── [2.1K] nifi-ca-keystore.jks
├── [1.1K] nifi-cert
├── [1.2K] rootCert.crt
├── [1.6K] rootCert.key
└── [1.1K] truststore.pkcs12
3 directories, 36 files
```
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.