[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

Tue, 02 Aug 2016 16:31:48 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405014#comment-15405014
 ] 

ASF GitHub Bot commented on NIFI-2193:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/695#discussion_r73257442
  
    --- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
    @@ -0,0 +1,87 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.toolkit.tls.service;
    +
    +import org.apache.commons.cli.CommandLine;
    +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
    +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
    +import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
    +import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
    +import org.apache.nifi.util.StringUtils;
    +
    +import java.io.File;
    +
    +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
    +    public static final String TOKEN_ARG = "token";
    +    public static final String CONFIG_JSON_ARG = "configJson";
    +    public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
    +    public static final String PORT_ARG = "PORT";
    +
    +    public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
    +
    +    private String token;
    +    private String configJson;
    +    private boolean onlyUseConfigJson;
    +    private int port;
    +    private String dn;
    +
    +    public BaseCertificateAuthorityCommandLine(String header) {
    +        super(header);
    +        addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
    +        addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
    +        addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
    +                + CONFIG_JSON_ARG + " will only be written to.");
    +        addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
    +        addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", 
TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME));
    +    }
    +
    +    @Override
    +    protected CommandLine doParse(String[] args) throws 
CommandLineParseException {
    +        CommandLine commandLine = super.doParse(args);
    +
    +        token = commandLine.getOptionValue(TOKEN_ARG);
    +        onlyUseConfigJson = commandLine.hasOption(USE_CONFIG_JSON_ARG);
    +        if (StringUtils.isEmpty(token) && !onlyUseConfigJson) {
    +            printUsageAndThrow(TOKEN_ARG + " argument must not be empty 
unless " + USE_CONFIG_JSON_ARG + " set", ExitCode.ERROR_TOKEN_ARG_EMPTY);
    +        }
    +        configJson = commandLine.getOptionValue(CONFIG_JSON_ARG, 
DEFAULT_CONFIG_JSON);
    +        port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT);
    +        dn = commandLine.getOptionValue(DN_ARG, 
TlsConfig.calcDefaultDn(getCertificateAuthorityHostname()));
    --- End diff --
    
    If the user enters only the hostname here (as is the format for the CA 
hostname), the tool throws an exception. 
    
    Example:
    
    ```bash
    
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
 (pr695) alopresto
    🔓 166s @ 15:58:03 $ ./bin/tls-toolkit.sh server -c rootca.nifi.apache.org 
-D client.nifi.apache.org -t shorttoken
    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.nifi.toolkit.tls.TlsToolkitMain.doMain(TlsToolkitMain.java:89)
        at 
org.apache.nifi.toolkit.tls.TlsToolkitMain.main(TlsToolkitMain.java:46)
    Caused by: java.lang.IllegalArgumentException: badly formatted directory 
string
        at org.bouncycastle.asn1.x500.style.IETFUtils.rDNsFromString(Unknown 
Source)
        at org.bouncycastle.asn1.x500.style.BCStyle.fromString(Unknown Source)
        at org.bouncycastle.asn1.x500.X500Name.<init>(Unknown Source)
        at org.bouncycastle.asn1.x500.X500Name.<init>(Unknown Source)
        at 
org.apache.nifi.security.util.CertificateUtils.generateSelfSignedX509Certificate(CertificateUtils.java:370)
        at 
org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager.getOrGenerateCertificateAuthority(TlsCertificateAuthorityManager.java:41)
        at 
org.apache.nifi.toolkit.tls.service.server.TlsCertificateAuthorityService.start(TlsCertificateAuthorityService.java:86)
        at 
org.apache.nifi.toolkit.tls.service.server.TlsCertificateAuthorityServiceCommandLine.main(TlsCertificateAuthorityServiceCommandLine.java:56)
        ... 6 more
    Service server error: badly formatted directory string
    ```


> Command Line Keystore and Truststore utility
> --------------------------------------------
>
>                 Key: NIFI-2193
>                 URL: https://issues.apache.org/jira/browse/NIFI-2193
>             Project: Apache NiFi
>          Issue Type: New Feature
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to