exceptionfactory commented on PR #10031: URL: https://github.com/apache/nifi/pull/10031#issuecomment-3237030048
> Thanks @exceptionfactory for the comment.
>
> I based the `KeyManagerFactory` creation on a similar approach used in the [MQTT](https://github.com/apache/nifi/blob/main/nifi-extension-bundles/nifi-mqtt-bundle/nifi-mqtt-processors/src/main/java/org/apache/nifi/processors/mqtt/adapters/HiveMqV5ClientAdapter.java#L201) bundle. I have since checked the `KeyManager` approach you suggested, but unfortunately, it requires providing an alias as a parameter to get the `PrivateKey`, which is not suitable for our use case.

MQTT is one of the poor examples to which I was referring, so from this perspective, it does not provide a good model to follow.

> The `TrustStore` is currently being created in the same way. Is this approach acceptable for the `TrustStore`, or should it be handled differently?

Yes, the trust store should also be handled differently.

> I think it would be useful to extend the `SSLContextProvider` to create both `KeyManagerFactory` and `TrustManagerFactory`, or, for now, we could remove keystore-based authentication from the scope of this pull request and revisit it later.

That might be worth considering, but it would need to be a more common usage pattern.

> Let me know what you think.

On further review, the Couchbase Client [Authenticator interface](https://github.com/couchbase/couchbase-jvm-clients/blob/002cdca7341ee529ba2dce15e3f5dbd2ecb9562b/core-io/src/main/java/com/couchbase/client/core/env/Authenticator.java#L67) has an `applyTlsProperties()` method that takes a Netty [SslContextBuilder](https://netty.io/4.1/api/io/netty/handler/ssl/SslContextBuilder.html). The `SslContextBuilder` itself supports being configured directly with a `KeyManager`, instead of other options. Creating a custom implementation of that interface should allow the `SSLContextProvider` Controller Service interface to be used. With this approach, the Couchbase Service can support either the PEM-based implementation, or the JKS/PKCS12 implementation.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
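The approach outlined in the comment above, as an added illustration that is not code from the pull request or from the NiFi or Couchbase projects: a custom Couchbase `Authenticator` whose `applyTlsProperties()` hands the `KeyManager` and `TrustManager` obtained from a NiFi `SSLContextProvider` straight to Netty's `SslContextBuilder`, so the service never touches a keystore file or alias and works whether the provider is PEM-backed or JKS/PKCS12-backed. It assumes the NiFi 2.x shape of `SSLContextProvider` (`createKeyManager()` returning `Optional<X509KeyManager>`, `createTrustManager()` returning `X509TrustManager`), Netty 4.1's `SslContextBuilder.keyManager(KeyManager)` and `trustManager(TrustManager)` overloads, and the `supportsNonTls()` / `requiresTls()` methods on the Couchbase `Authenticator` interface; the class name `SslContextProviderAuthenticator` and its factory method are hypothetical.

```java
import java.util.Objects;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

import com.couchbase.client.core.env.Authenticator;
import io.netty.handler.ssl.SslContextBuilder;
import org.apache.nifi.ssl.SSLContextProvider;

/**
 * Example Couchbase Authenticator backed by a NiFi SSLContextProvider.
 *
 * Assumptions (not verified against the page): SSLContextProvider exposes
 * createKeyManager() returning Optional<X509KeyManager> and
 * createTrustManager() returning X509TrustManager; Netty's SslContextBuilder
 * accepts keyManager(KeyManager) and trustManager(TrustManager); the Couchbase
 * Authenticator interface declares supportsNonTls() and requiresTls().
 */
public final class SslContextProviderAuthenticator implements Authenticator {

    private final X509KeyManager keyManager;
    private final X509TrustManager trustManager;

    private SslContextProviderAuthenticator(final X509KeyManager keyManager,
                                            final X509TrustManager trustManager) {
        this.keyManager = keyManager;
        this.trustManager = trustManager;
    }

    /**
     * Build the authenticator from the Controller Service configured on the
     * processor. Client-certificate authentication needs a private key, so a
     * provider without a Key Store is rejected at configuration time instead of
     * failing on the first TLS handshake.
     */
    public static SslContextProviderAuthenticator from(final SSLContextProvider sslContextProvider) {
        Objects.requireNonNull(sslContextProvider, "SSLContextProvider required");

        final X509KeyManager keyManager = sslContextProvider.createKeyManager()
                .orElseThrow(() -> new IllegalArgumentException(
                        "SSLContextProvider has no Key Store configured: "
                                + "client certificate authentication requires a private key"));
        final X509TrustManager trustManager = sslContextProvider.createTrustManager();

        return new SslContextProviderAuthenticator(keyManager, trustManager);
    }

    @Override
    public void applyTlsProperties(final SslContextBuilder sslContextBuilder) {
        // Pass the managers through directly. No keystore path, password or
        // alias is needed here, which is what lets the PEM-based and the
        // JKS/PKCS12-based SSLContextProvider implementations both work.
        sslContextBuilder
                .keyManager(keyManager)
                .trustManager(trustManager);
    }

    @Override
    public boolean supportsNonTls() {
        // A client certificate proves nothing over plaintext; refuse such endpoints.
        return false;
    }

    @Override
    public boolean requiresTls() {
        return true;
    }
}
```

The instance is handed to the SDK through `ClusterOptions.clusterOptions(authenticator)` when connecting, with TLS enabled in the cluster environment's security configuration; because `supportsNonTls()` returns `false`, a misconfigured plaintext connection string fails fast instead of silently skipping certificate authentication.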
