[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405205#comment-15405205
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user brosander commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r73272771
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/TlsClientManager.java
---
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.manager;
+
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.util.StringUtils;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class TlsClientManager extends BaseTlsManager {
+ private final TlsClientConfig tlsClientConfig;
+ private final KeyStore trustStore;
+ private final List<ConfigurationWriter<TlsClientConfig>>
configurationWriters;
+ private final Set<String> certificateAliases;
+ private File certificateAuthorityDirectory;
+
+ public TlsClientManager(TlsClientConfig tlsClientConfig) throws
GeneralSecurityException, IOException {
+ this(tlsClientConfig, new PasswordUtil(), FileInputStream::new);
+ }
+
+ public TlsClientManager(TlsClientConfig tlsClientConfig, PasswordUtil
passwordUtil, InputStreamFactory inputStreamFactory) throws
GeneralSecurityException, IOException {
+ super(tlsClientConfig, passwordUtil, inputStreamFactory);
+ this.trustStore = loadKeystore(tlsClientConfig.getTrustStore(),
tlsClientConfig.getTrustStoreType(), tlsClientConfig.getTrustStorePassword());
+ this.tlsClientConfig = tlsClientConfig;
+ this.configurationWriters = new ArrayList<>();
+ this.certificateAliases = new HashSet<>();
+ }
+
+ public void setCertificateEntry(String alias, Certificate cert) throws
KeyStoreException {
+ trustStore.setCertificateEntry(alias, cert);
+ certificateAliases.add(alias);
+ }
+
+ public void setCertificateAuthorityDirectory(File
certificateAuthorityDirectory) {
+ this.certificateAuthorityDirectory = certificateAuthorityDirectory;
+ }
+
+ @Override
+ public void write(OutputStreamFactory outputStreamFactory) throws
IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
+ super.write(outputStreamFactory);
+
+ String trustStorePassword =
tlsClientConfig.getTrustStorePassword();
+ if (StringUtils.isEmpty(trustStorePassword)) {
+ trustStorePassword = getPasswordUtil().generatePassword();
+ tlsClientConfig.setTrustStorePassword(trustStorePassword);
+ }
+
+ try (OutputStream outputStream = outputStreamFactory.create(new
File(tlsClientConfig.getTrustStore()))) {
+ trustStore.store(outputStream,
trustStorePassword.toCharArray());
+ }
+
+ for (ConfigurationWriter<TlsClientConfig> configurationWriter :
configurationWriters) {
+ configurationWriter.write(tlsClientConfig);
+ }
+
+ if (certificateAuthorityDirectory != null) {
--- End diff --
Intended to address a possible future case where there are multiple trusted
CAs to import into a browser
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
