Search in sources :

Example 1 with TlsClientConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.

the class NifiPropertiesTlsClientConfigWriter method updateProperties.

protected void updateProperties(NiFiPropertiesWriter niFiPropertiesWriter, TlsClientConfig tlsClientConfig) throws IOException {
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEYSTORE, CONF + new File(tlsClientConfig.getKeyStore()).getName());
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEYSTORE_TYPE, tlsClientConfig.getKeyStoreType());
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEYSTORE_PASSWD, tlsClientConfig.getKeyStorePassword());
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEY_PASSWD, tlsClientConfig.getKeyPassword());
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_TRUSTSTORE, CONF + new File(tlsClientConfig.getTrustStore()).getName());
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, tlsClientConfig.getTrustStoreType());
    niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, tlsClientConfig.getTrustStorePassword());
    getHostnamePropertyStream().forEach(s -> niFiPropertiesWriter.setPropertyValue(s, hostname));
    overlayProperties.stringPropertyNames().stream().filter(s -> !metaProperties.contains(s)).forEach(s -> niFiPropertiesWriter.setPropertyValue(s, overlayProperties.getProperty(s)));
    getIncrementingPropertyMap().entrySet().forEach(nameToIntegerEntry -> niFiPropertiesWriter.setPropertyValue(nameToIntegerEntry.getKey(), Integer.toString(nameToIntegerEntry.getValue())));
}
Also used : OutputStream(java.io.OutputStream) Arrays(java.util.Arrays) Properties(java.util.Properties) Set(java.util.Set) IOException(java.io.IOException) StringUtils(org.apache.nifi.util.StringUtils) Function(java.util.function.Function) Collectors(java.util.stream.Collectors) File(java.io.File) HashSet(java.util.HashSet) NiFiPropertiesWriterFactory(org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory) Stream(java.util.stream.Stream) NiFiProperties(org.apache.nifi.util.NiFiProperties) TlsClientConfig(org.apache.nifi.toolkit.tls.configuration.TlsClientConfig) OutputStreamFactory(org.apache.nifi.toolkit.tls.util.OutputStreamFactory) Map(java.util.Map) NiFiPropertiesWriter(org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriter) Collections(java.util.Collections) File(java.io.File)

Example 2 with TlsClientConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.

the class TlsCertificateAuthorityTest method setup.

@Before
public void setup() throws FileNotFoundException {
    objectMapper = new ObjectMapper();
    serverConfigFile = new File("fake.server.config");
    clientConfigFile = new File("fake.client.config");
    String serverKeyStore = "serverKeyStore";
    String clientKeyStore = "clientKeyStore";
    String clientTrustStore = "clientTrustStore";
    serverKeyStoreOutputStream = new ByteArrayOutputStream();
    clientKeyStoreOutputStream = new ByteArrayOutputStream();
    clientTrustStoreOutputStream = new ByteArrayOutputStream();
    serverConfigFileOutputStream = new ByteArrayOutputStream();
    clientConfigFileOutputStream = new ByteArrayOutputStream();
    String myTestTokenUseSomethingStronger = "myTestTokenUseSomethingStronger";
    int port = availablePort();
    serverConfig = new TlsConfig();
    serverConfig.setCaHostname("localhost");
    serverConfig.setToken(myTestTokenUseSomethingStronger);
    serverConfig.setKeyStore(serverKeyStore);
    serverConfig.setPort(port);
    serverConfig.setDays(5);
    serverConfig.setKeySize(2048);
    serverConfig.initDefaults();
    clientConfig = new TlsClientConfig();
    clientConfig.setCaHostname("localhost");
    clientConfig.setDn("OU=NIFI,CN=otherHostname");
    clientConfig.setKeyStore(clientKeyStore);
    clientConfig.setTrustStore(clientTrustStore);
    clientConfig.setToken(myTestTokenUseSomethingStronger);
    clientConfig.setPort(port);
    clientConfig.setKeySize(2048);
    clientConfig.initDefaults();
    outputStreamFactory = mock(OutputStreamFactory.class);
    mockReturnOutputStream(outputStreamFactory, new File(serverKeyStore), serverKeyStoreOutputStream);
    mockReturnOutputStream(outputStreamFactory, new File(clientKeyStore), clientKeyStoreOutputStream);
    mockReturnOutputStream(outputStreamFactory, new File(clientTrustStore), clientTrustStoreOutputStream);
    mockReturnOutputStream(outputStreamFactory, serverConfigFile, serverConfigFileOutputStream);
    mockReturnOutputStream(outputStreamFactory, clientConfigFile, clientConfigFileOutputStream);
    inputStreamFactory = mock(InputStreamFactory.class);
    mockReturnProperties(inputStreamFactory, serverConfigFile, serverConfig);
    mockReturnProperties(inputStreamFactory, clientConfigFile, clientConfig);
}
Also used : TlsClientConfig(org.apache.nifi.toolkit.tls.configuration.TlsClientConfig) OutputStreamFactory(org.apache.nifi.toolkit.tls.util.OutputStreamFactory) TlsConfig(org.apache.nifi.toolkit.tls.configuration.TlsConfig) ByteArrayOutputStream(java.io.ByteArrayOutputStream) InputStreamFactory(org.apache.nifi.toolkit.tls.util.InputStreamFactory) File(java.io.File) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Before(org.junit.Before)

Example 3 with TlsClientConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.

the class TlsClientManager method write.

@Override
public void write(OutputStreamFactory outputStreamFactory) throws IOException, GeneralSecurityException {
    super.write(outputStreamFactory);
    String trustStorePassword = tlsClientConfig.getTrustStorePassword();
    boolean trustStorePasswordGenerated = false;
    if (StringUtils.isEmpty(trustStorePassword)) {
        trustStorePassword = getPasswordUtil().generatePassword();
        trustStorePasswordGenerated = true;
    }
    trustStorePassword = TlsHelper.writeKeyStore(trustStore, outputStreamFactory, new File(tlsClientConfig.getTrustStore()), trustStorePassword, trustStorePasswordGenerated);
    tlsClientConfig.setTrustStorePassword(trustStorePassword);
    for (ConfigurationWriter<TlsClientConfig> configurationWriter : configurationWriters) {
        configurationWriter.write(tlsClientConfig, outputStreamFactory);
    }
    if (certificateAuthorityDirectory != null) {
        // Write out all trusted certificates from truststore
        for (String alias : Collections.list(trustStore.aliases())) {
            try {
                KeyStore.Entry trustStoreEntry = trustStore.getEntry(alias, null);
                if (trustStoreEntry instanceof KeyStore.TrustedCertificateEntry) {
                    Certificate trustedCertificate = ((KeyStore.TrustedCertificateEntry) trustStoreEntry).getTrustedCertificate();
                    try (OutputStream outputStream = outputStreamFactory.create(new File(certificateAuthorityDirectory, alias + ".pem"));
                        OutputStreamWriter outputStreamWriter = new OutputStreamWriter(outputStream);
                        PemWriter pemWriter = new PemWriter(outputStreamWriter)) {
                        pemWriter.writeObject(new JcaMiscPEMGenerator(trustedCertificate));
                    }
                }
            } catch (UnrecoverableEntryException e) {
            // Ignore, not a trusted cert
            }
        }
    }
}
Also used : PemWriter(org.bouncycastle.util.io.pem.PemWriter) OutputStream(java.io.OutputStream) KeyStore(java.security.KeyStore) JcaMiscPEMGenerator(org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator) TlsClientConfig(org.apache.nifi.toolkit.tls.configuration.TlsClientConfig) UnrecoverableEntryException(java.security.UnrecoverableEntryException) OutputStreamWriter(java.io.OutputStreamWriter) File(java.io.File) Certificate(java.security.cert.Certificate)

Example 4 with TlsClientConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.

the class TlsCertificateAuthorityClientCommandLine method createClientConfig.

public TlsClientConfig createClientConfig() throws IOException {
    String configJsonIn = getConfigJsonIn();
    if (!StringUtils.isEmpty(configJsonIn)) {
        try (InputStream inputStream = inputStreamFactory.create(new File(configJsonIn))) {
            TlsClientConfig tlsClientConfig = new ObjectMapper().readValue(inputStream, TlsClientConfig.class);
            tlsClientConfig.initDefaults();
            return tlsClientConfig;
        }
    } else {
        TlsClientConfig tlsClientConfig = new TlsClientConfig();
        tlsClientConfig.setCaHostname(getCertificateAuthorityHostname());
        tlsClientConfig.setDn(getDn());
        tlsClientConfig.setDomainAlternativeNames(getDomainAlternativeNames());
        tlsClientConfig.setToken(getToken());
        tlsClientConfig.setPort(getPort());
        tlsClientConfig.setKeyStore(KEYSTORE + getKeyStoreType().toLowerCase());
        tlsClientConfig.setKeyStoreType(getKeyStoreType());
        tlsClientConfig.setTrustStore(TRUSTSTORE + tlsClientConfig.getTrustStoreType().toLowerCase());
        tlsClientConfig.setKeySize(getKeySize());
        tlsClientConfig.setKeyPairAlgorithm(getKeyAlgorithm());
        tlsClientConfig.setSigningAlgorithm(getSigningAlgorithm());
        return tlsClientConfig;
    }
}
Also used : TlsClientConfig(org.apache.nifi.toolkit.tls.configuration.TlsClientConfig) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) File(java.io.File) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)

Example 5 with TlsClientConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.

the class TlsToolkitStandalone method createNifiKeystoresAndTrustStores.

public void createNifiKeystoresAndTrustStores(StandaloneConfig standaloneConfig) throws GeneralSecurityException, IOException {
    File baseDir = standaloneConfig.getBaseDir();
    if (!baseDir.exists() && !baseDir.mkdirs()) {
        throw new IOException(baseDir + " doesn't exist and unable to create it.");
    }
    if (!baseDir.isDirectory()) {
        throw new IOException("Expected directory to output to");
    }
    String signingAlgorithm = standaloneConfig.getSigningAlgorithm();
    int days = standaloneConfig.getDays();
    String keyPairAlgorithm = standaloneConfig.getKeyPairAlgorithm();
    int keySize = standaloneConfig.getKeySize();
    File nifiCert = new File(baseDir, NIFI_CERT + ".pem");
    File nifiKey = new File(baseDir, NIFI_KEY + ".key");
    X509Certificate certificate;
    KeyPair caKeyPair;
    if (logger.isInfoEnabled()) {
        logger.info("Running standalone certificate generation with output directory " + baseDir);
    }
    if (nifiCert.exists()) {
        if (!nifiKey.exists()) {
            throw new IOException(nifiCert + " exists already, but " + nifiKey + " does not, we need both certificate and key to continue with an existing CA.");
        }
        try (FileReader pemEncodedCertificate = new FileReader(nifiCert)) {
            certificate = TlsHelper.parseCertificate(pemEncodedCertificate);
        }
        try (FileReader pemEncodedKeyPair = new FileReader(nifiKey)) {
            caKeyPair = TlsHelper.parseKeyPair(pemEncodedKeyPair);
        }
        certificate.verify(caKeyPair.getPublic());
        if (!caKeyPair.getPublic().equals(certificate.getPublicKey())) {
            throw new IOException("Expected " + nifiKey + " to correspond to CA certificate at " + nifiCert);
        }
        if (logger.isInfoEnabled()) {
            logger.info("Using existing CA certificate " + nifiCert + " and key " + nifiKey);
        }
    } else if (nifiKey.exists()) {
        throw new IOException(nifiKey + " exists already, but " + nifiCert + " does not, we need both certificate and key to continue with an existing CA.");
    } else {
        TlsCertificateAuthorityManager tlsCertificateAuthorityManager = new TlsCertificateAuthorityManager(standaloneConfig);
        KeyStore.PrivateKeyEntry privateKeyEntry = tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority();
        certificate = (X509Certificate) privateKeyEntry.getCertificateChain()[0];
        caKeyPair = new KeyPair(certificate.getPublicKey(), privateKeyEntry.getPrivateKey());
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiCert)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(certificate));
        }
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiKey)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair));
        }
        if (logger.isInfoEnabled()) {
            logger.info("Generated new CA certificate " + nifiCert + " and key " + nifiKey);
        }
    }
    NiFiPropertiesWriterFactory niFiPropertiesWriterFactory = standaloneConfig.getNiFiPropertiesWriterFactory();
    boolean overwrite = standaloneConfig.isOverwrite();
    List<InstanceDefinition> instanceDefinitions = standaloneConfig.getInstanceDefinitions();
    if (instanceDefinitions.isEmpty() && logger.isInfoEnabled()) {
        logger.info("No " + TlsToolkitStandaloneCommandLine.HOSTNAMES_ARG + " specified, not generating any host certificates or configuration.");
    }
    for (InstanceDefinition instanceDefinition : instanceDefinitions) {
        String hostname = instanceDefinition.getHostname();
        File hostDir;
        int hostIdentifierNumber = instanceDefinition.getInstanceIdentifier().getNumber();
        if (hostIdentifierNumber == 1) {
            hostDir = new File(baseDir, hostname);
        } else {
            hostDir = new File(baseDir, hostname + "_" + hostIdentifierNumber);
        }
        TlsClientConfig tlsClientConfig = new TlsClientConfig(standaloneConfig);
        File keystore = new File(hostDir, "keystore." + tlsClientConfig.getKeyStoreType().toLowerCase());
        File truststore = new File(hostDir, "truststore." + tlsClientConfig.getTrustStoreType().toLowerCase());
        if (hostDir.exists()) {
            if (!hostDir.isDirectory()) {
                throw new IOException(hostDir + " exists but is not a directory.");
            } else if (overwrite) {
                if (logger.isInfoEnabled()) {
                    logger.info("Overwriting any existing ssl configuration in " + hostDir);
                }
                keystore.delete();
                if (keystore.exists()) {
                    throw new IOException("Keystore " + keystore + " already exists and couldn't be deleted.");
                }
                truststore.delete();
                if (truststore.exists()) {
                    throw new IOException("Truststore " + truststore + " already exists and couldn't be deleted.");
                }
            } else {
                throw new IOException(hostDir + " exists and overwrite is not set.");
            }
        } else if (!hostDir.mkdirs()) {
            throw new IOException("Unable to make directory: " + hostDir.getAbsolutePath());
        } else if (logger.isInfoEnabled()) {
            logger.info("Writing new ssl configuration to " + hostDir);
        }
        tlsClientConfig.setKeyStore(keystore.getAbsolutePath());
        tlsClientConfig.setKeyStorePassword(instanceDefinition.getKeyStorePassword());
        tlsClientConfig.setKeyPassword(instanceDefinition.getKeyPassword());
        tlsClientConfig.setTrustStore(truststore.getAbsolutePath());
        tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
        TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
        KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
        Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname));
        tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
        tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
        tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"), hostname, instanceDefinition.getNumber()));
        tlsClientManager.write(outputStreamFactory);
        if (logger.isInfoEnabled()) {
            logger.info("Successfully generated TLS configuration for " + hostname + " " + hostIdentifierNumber + " in " + hostDir);
        }
    }
    List<String> clientDns = standaloneConfig.getClientDns();
    if (standaloneConfig.getClientDns().isEmpty() && logger.isInfoEnabled()) {
        logger.info("No " + TlsToolkitStandaloneCommandLine.CLIENT_CERT_DN_ARG + " specified, not generating any client certificates.");
    }
    List<String> clientPasswords = standaloneConfig.getClientPasswords();
    for (int i = 0; i < clientDns.size(); i++) {
        String reorderedDn = CertificateUtils.reorderDn(clientDns.get(i));
        String clientDnFile = getClientDnFile(reorderedDn);
        File clientCertFile = new File(baseDir, clientDnFile + ".p12");
        if (clientCertFile.exists()) {
            if (overwrite) {
                if (logger.isInfoEnabled()) {
                    logger.info("Overwriting existing client cert " + clientCertFile);
                }
            } else {
                throw new IOException(clientCertFile + " exists and overwrite is not set.");
            }
        } else if (logger.isInfoEnabled()) {
            logger.info("Generating new client certificate " + clientCertFile);
        }
        KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
        X509Certificate clientCert = CertificateUtils.generateIssuedCertificate(reorderedDn, keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days);
        KeyStore keyStore = KeyStoreUtils.getKeyStore(KeystoreType.PKCS12.toString());
        keyStore.load(null, null);
        keyStore.setKeyEntry(NIFI_KEY, keyPair.getPrivate(), null, new Certificate[] { clientCert, certificate });
        String password = TlsHelper.writeKeyStore(keyStore, outputStreamFactory, clientCertFile, clientPasswords.get(i), standaloneConfig.isClientPasswordsGenerated());
        try (FileWriter fileWriter = new FileWriter(new File(baseDir, clientDnFile + ".password"))) {
            fileWriter.write(password);
        }
        if (logger.isInfoEnabled()) {
            logger.info("Successfully generated client certificate " + clientCertFile);
        }
    }
    if (logger.isInfoEnabled()) {
        logger.info("tls-toolkit standalone completed successfully");
    }
}
Also used : InstanceDefinition(org.apache.nifi.toolkit.tls.configuration.InstanceDefinition) KeyPair(java.security.KeyPair) TlsClientManager(org.apache.nifi.toolkit.tls.manager.TlsClientManager) PemWriter(org.bouncycastle.util.io.pem.PemWriter) FileWriter(java.io.FileWriter) IOException(java.io.IOException) TlsCertificateAuthorityManager(org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager) Extensions(org.bouncycastle.asn1.x509.Extensions) NiFiPropertiesWriterFactory(org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory) NifiPropertiesTlsClientConfigWriter(org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) JcaMiscPEMGenerator(org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator) TlsClientConfig(org.apache.nifi.toolkit.tls.configuration.TlsClientConfig) FileReader(java.io.FileReader) OutputStreamWriter(java.io.OutputStreamWriter) File(java.io.File)

Aggregations

TlsClientConfig (org.apache.nifi.toolkit.tls.configuration.TlsClientConfig)8 File (java.io.File)5 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)2 ByteArrayOutputStream (java.io.ByteArrayOutputStream)2 IOException (java.io.IOException)2 OutputStream (java.io.OutputStream)2 OutputStreamWriter (java.io.OutputStreamWriter)2 KeyStore (java.security.KeyStore)2 TlsConfig (org.apache.nifi.toolkit.tls.configuration.TlsConfig)2 NiFiPropertiesWriter (org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriter)2 NiFiPropertiesWriterFactory (org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory)2 OutputStreamFactory (org.apache.nifi.toolkit.tls.util.OutputStreamFactory)2 JcaMiscPEMGenerator (org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator)2 PemWriter (org.bouncycastle.util.io.pem.PemWriter)2 Before (org.junit.Before)2 Test (org.junit.Test)2 FileInputStream (java.io.FileInputStream)1 FileReader (java.io.FileReader)1 FileWriter (java.io.FileWriter)1 InputStream (java.io.InputStream)1