[
https://issues.apache.org/jira/browse/NIFI-14001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899537#comment-17899537
]
ASF subversion and git services commented on NIFI-14001:
--------------------------------------------------------
Commit e33cbe6df5fc4976242f300b0b43ff012a152f9e in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=e33cbe6df5 ]
NIFI-14001 Added Framework Support for PEM Keys and Certificates (#9517)
> Add Framework Support for PEM Keys and Certificates
> ---------------------------------------------------
>
> Key: NIFI-14001
> URL: https://issues.apache.org/jira/browse/NIFI-14001
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Core Framework
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> NiFi application properties include support for JKS and PKCS12 Key Store
> types, as well as BCFKS, aligning with standard Java capabilities for key and
> certificate information. These types provide some amount of password
> protection for entries, based on Java version and underlying format
> capabilities. The level of security that password protection provides is
> variable, depending on the Key Store implementation and Java system
> properties.
> The historical Privacy Enhanced Mail (PEM) format defined in [RFC
> 1421|https://www.rfc-editor.org/rfc/rfc1421] supports representing keys and
> certificates as Base64-encoded binary with standard headers and footers.
> Standard Java classes are capable of reading PEM keys and certificates with
> some amount of parsing, depending on the particular type of file in question.
> In addition to existing Key Store types, NiFi application properties should
> support using PEM files for mutual TLS communication. Supporting PEM files
> avoids the need for converting to PKCS12 or other formats, and also avoids
> the need for maintaining passwords required to read Key Store files.
> Initial PEM file support should include building a Key Store from individual
> Private Key and Certificate Chain files, and should include building a Trust
> Store from a Certificate Chain file containing one or more Certificates.
> Private Key support should include the following formats and algorithms:
> - PKCS1 for RSA
> - PKCS8 for RSA, Ed25519, or ECDSA with NIST curves P-256, P-384, and P-521
> PKCS1 Private Keys have the header {{BEGIN RSA PRIVATE KEY}} and PKCS8
> Private Keys have the header {{{}BEGIN PRIVATE KEY{}}}.
> These formats and algorithms align with current modern algorithm
> recommendations and usage patterns, such as [Let's Encrypt Supported Key
> Algorithms|https://letsencrypt.org/docs/integration-guide/#supported-key-algorithms].
> Certificate support should include reading standard X.509 files with the
> {{BEGIN CERTIFICATE}} header.
> For disambiguation from existing formats, the {{keystoreType}} and
> {{truststoreType}} should take a new value named {{{}PEM{}}}.
> For loading the Key Store, the {{PEM}} type should trigger loading two new
> properties named:
> - nifi.security.keystore.privateKey
> - nifi.security.keystore.certificate
> This approach provides clear separation between the private key and
> certificate chain, while maintaining the association through the root name of
> both properties.
> For loading the Trust Store, the {{PEM}} type should trigger loading one new
> property named:
> - nifi.security.truststore.certificate
> The initial implementation should maintain compatibility with existing
> properties and prefer existing properties when defined.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
