[ 
https://issues.apache.org/jira/browse/NIFI-2476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15412128#comment-15412128
 ] 

Bryan Bende commented on NIFI-2476:
-----------------------------------

I was testing out the toolkit based on the discussion Andy raised on the 
Dev list where the DN gets reversed. I ran through all the steps he provided 
and noticed the following...

If you run "keytool --list -v -storetype PKCS12 -keystore client.p12" it shows:
{code}
Owner: OU=NIFI, CN=ca.nifi.apache.org
Issuer: OU=NIFI, CN=ca.nifi.apache.org
{code}

If you run "openssl x509 -in nifi-cert.pem -text -noout" it shows:
{code}
Issuer: CN=ca.nifi.apache.org, OU=NIFI
{code}

When NiFi authenticates users it calls this code which gets the DN in reversed 
order (same as keytool):
{code}
    public Object extractPrincipal(X509Certificate cert) {
        return cert.getSubjectDN().getName().trim();
    }
{code}

I think overall NiFi should not be dependent on the ordering of the DN, but for 
the 1.0.0 release if we can make the toolkit produce the expected order it will 
be a much more contained change.

Also, of note... I was investigating the use of cert.getSubjectDN() vs. 
cert.getSubjectX500Principal() and noticed they do produce different ordering:
{code}
X509Certificate x509Certificate = CertificateUtils.generateIssuedCertificate(
        dn, keyPair.getPublic(), issuer, issuerKeyPair, signingAlgorithm, days);
System.out.println(x509Certificate.getSubjectDN().getName());
System.out.println(x509Certificate.getSubjectX500Principal().getName());
{code}

Produces:
{code}
CN=testIssued,O=testOrg
O=testOrg,CN=testIssued
{code}

This may have some relationship to what we are seeing, but not sure at this 
point in time.

> Further refine tls-toolkit based on feedback gathered during beta
> -----------------------------------------------------------------
>
>                 Key: NIFI-2476
>                 URL: https://issues.apache.org/jira/browse/NIFI-2476
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>
> The basic functionality of generating keystores, truststores, 
> nifi.properties, and a configuration json is implemented.
> As people start using this tool to ease the tls setup process in NiFi, 
> shortcomings in the initial implementation will need to be addressed.
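As an added example (not code from the comment above or from NiFi itself), here is the order-insensitive DN comparison the comment argues NiFi should use instead of matching the raw string from getSubjectDN(). It uses the two strings printed in the comment; the class and method names (DnOrderCheck, normalizedRdns, sameIdentityIgnoringOrder) are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class DnOrderCheck {

    /** Parse an RFC 2253 DN and return its RDNs in a canonical (sorted) order. */
    static List<Rdn> normalizedRdns(String dn) throws InvalidNameException {
        List<Rdn> rdns = new ArrayList<>(new LdapName(dn).getRdns());
        // Rdn implements Comparable and compares type/value case-insensitively,
        // so sorting gives an order that no longer depends on how the DN was printed.
        Collections.sort(rdns);
        return rdns;
    }

    /**
     * True when both DNs carry the same RDNs, whichever order they were printed in.
     * Note: X.500 treats RDN order as significant, so this deliberately merges
     * "CN=a,O=b" and "O=b,CN=a" into one identity, which is the behaviour the
     * comment above asks for when the same certificate is rendered two ways.
     */
    static boolean sameIdentityIgnoringOrder(String a, String b) throws InvalidNameException {
        return normalizedRdns(a).equals(normalizedRdns(b));
    }

    public static void main(String[] args) throws Exception {
        // The two renderings of one certificate subject quoted in the comment (constructed input).
        String fromGetSubjectDN = "CN=testIssued,O=testOrg";
        String fromX500Principal = "O=testOrg,CN=testIssued";

        // Plain string equality, which extractPrincipal() effectively relies on, fails.
        System.out.println(fromGetSubjectDN.equals(fromX500Principal));
        // X500Principal equality also fails, because it honours RDN order.
        System.out.println(new X500Principal(fromGetSubjectDN)
                .equals(new X500Principal(fromX500Principal)));
        // Order-insensitive comparison recognises them as the same subject.
        System.out.println(sameIdentityIgnoringOrder(fromGetSubjectDN, fromX500Principal));
    }
}
```

The same comparison applies to the keytool and openssl outputs quoted above ("OU=NIFI, CN=ca.nifi.apache.org" versus "CN=ca.nifi.apache.org, OU=NIFI"), which LdapName parses as the same two RDNs.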



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)