alopresto commented on a change in pull request #3204: NIFI-1364 - Removed custom OCSP certificate revocation checking code and replaced with just using Java native implementation.
URL: https://github.com/apache/nifi/pull/3204#discussion_r304181067
##########
File path:
nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java
##########
@@ -111,4 +117,28 @@ public SSLContext createSslContext() throws
KeyStoreException, IOException, NoSu
return sslContext;
}
+
+ private TrustManagerFactory getTrustManagerFactory(KeyStore trustStore,
boolean ocspEnabled, String responderURL) throws KeyStoreException,
InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+
+ TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+
+ if (ocspEnabled) {
+ if
("PKIX".equalsIgnoreCase(TrustManagerFactory.getDefaultAlgorithm())) {
+ PKIXBuilderParameters pbParams = new
PKIXBuilderParameters(trustStore, new X509CertSelector());
+ pbParams.setRevocationEnabled(true);
+ Security.setProperty("ocsp.enable", "true");
+ if(!StringUtils.isBlank(responderURL)) {
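Review bot: `Security.setProperty("ocsp.enable", "true")` inside `getTrustManagerFactory` is a JVM-wide setting that outlives this factory, so every PKIX validation in the process (not only this SSLContext) will perform OCSP from then on, and nothing resets it when a later context is created with `ocspEnabled` false; prefer scoping revocation to these `PKIXBuilderParameters` (a `PKIXRevocationChecker` added via `addCertPathChecker`), or at least document the global effect. In the same region, when `ocspEnabled` is true but `TrustManagerFactory.getDefaultAlgorithm()` is not `PKIX`, the method silently returns a factory with no revocation checking at all; that path deserves a warning log. Minor style: `if(!StringUtils.isBlank(responderURL))` is missing the space after `if` used elsewhere in the hunk.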
Review comment:
If the responder URL configured in `nifi.properties` is empty, does this
just rely on the per-certificate (chain) OCSP URL? If this is populated, does
it override the per-certificate URL?
Looks like:
> By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.
We should document what is being used in `DEBUG` log messages.
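As an added illustration (not code from this PR or from NiFi) of the responder-selection question above and of scoping the OCSP setting to one trust manager factory instead of the whole JVM: the class and method names are hypothetical, and `java.util.logging` stands in for NiFi's logger.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class; not part of NiFi.
public class OcspTrustManagerExample {
    private static final Logger LOG = Logger.getLogger(OcspTrustManagerExample.class.getName());

    /**
     * Builds a PKIX TrustManagerFactory that performs OCSP checking for this
     * factory only, without touching the JVM-wide "ocsp.enable" property.
     *
     * @param trustStore   trust store holding the trust anchors
     * @param responderUrl blank: use each certificate's AIA extension;
     *                     non-blank: always query this responder instead
     */
    public static TrustManagerFactory buildOcspTrustManagerFactory(KeyStore trustStore, String responderUrl)
            throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());

        // The provider's revocation checker replaces the global Security.setProperty("ocsp.enable") switch.
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();

        if (responderUrl != null && !responderUrl.trim().isEmpty()) {
            // An explicit responder overrides both the AIA extension and the ocsp.responderURL property.
            checker.setOcspResponder(URI.create(responderUrl.trim()));
            LOG.log(Level.FINE, "OCSP enabled; all status requests go to configured responder {0}", responderUrl);
        } else {
            LOG.fine("OCSP enabled; responder location taken from each certificate's AIA extension");
        }
        // Empty option set means hard-fail: an unreachable or unknown responder rejects the chain.
        // SOFT_FAIL would let such connections through and should be an explicit operator choice.
        LOG.log(Level.FINE, "OCSP checker options: {0}", checker.getOptions());

        params.addCertPathChecker(checker);

        // CertPathTrustManagerParameters is only accepted by the PKIX factory, so request it by name.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }
}
```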
----------------------------------------------------------------
This is an automated message from the Apache Git Service.