use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.
the class NifiPropertiesTlsClientConfigWriter method updateProperties.
protected void updateProperties(NiFiPropertiesWriter niFiPropertiesWriter, TlsClientConfig tlsClientConfig) throws IOException {
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEYSTORE, CONF + new File(tlsClientConfig.getKeyStore()).getName());
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEYSTORE_TYPE, tlsClientConfig.getKeyStoreType());
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEYSTORE_PASSWD, tlsClientConfig.getKeyStorePassword());
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_KEY_PASSWD, tlsClientConfig.getKeyPassword());
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_TRUSTSTORE, CONF + new File(tlsClientConfig.getTrustStore()).getName());
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, tlsClientConfig.getTrustStoreType());
niFiPropertiesWriter.setPropertyValue(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, tlsClientConfig.getTrustStorePassword());
getHostnamePropertyStream().forEach(s -> niFiPropertiesWriter.setPropertyValue(s, hostname));
overlayProperties.stringPropertyNames().stream().filter(s -> !metaProperties.contains(s)).forEach(s -> niFiPropertiesWriter.setPropertyValue(s, overlayProperties.getProperty(s)));
getIncrementingPropertyMap().entrySet().forEach(nameToIntegerEntry -> niFiPropertiesWriter.setPropertyValue(nameToIntegerEntry.getKey(), Integer.toString(nameToIntegerEntry.getValue())));
}
use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.
the class TlsCertificateAuthorityTest method setup.
@Before
public void setup() throws FileNotFoundException {
objectMapper = new ObjectMapper();
serverConfigFile = new File("fake.server.config");
clientConfigFile = new File("fake.client.config");
String serverKeyStore = "serverKeyStore";
String clientKeyStore = "clientKeyStore";
String clientTrustStore = "clientTrustStore";
serverKeyStoreOutputStream = new ByteArrayOutputStream();
clientKeyStoreOutputStream = new ByteArrayOutputStream();
clientTrustStoreOutputStream = new ByteArrayOutputStream();
serverConfigFileOutputStream = new ByteArrayOutputStream();
clientConfigFileOutputStream = new ByteArrayOutputStream();
String myTestTokenUseSomethingStronger = "myTestTokenUseSomethingStronger";
int port = availablePort();
serverConfig = new TlsConfig();
serverConfig.setCaHostname("localhost");
serverConfig.setToken(myTestTokenUseSomethingStronger);
serverConfig.setKeyStore(serverKeyStore);
serverConfig.setPort(port);
serverConfig.setDays(5);
serverConfig.setKeySize(2048);
serverConfig.initDefaults();
clientConfig = new TlsClientConfig();
clientConfig.setCaHostname("localhost");
clientConfig.setDn("OU=NIFI,CN=otherHostname");
clientConfig.setKeyStore(clientKeyStore);
clientConfig.setTrustStore(clientTrustStore);
clientConfig.setToken(myTestTokenUseSomethingStronger);
clientConfig.setPort(port);
clientConfig.setKeySize(2048);
clientConfig.initDefaults();
outputStreamFactory = mock(OutputStreamFactory.class);
mockReturnOutputStream(outputStreamFactory, new File(serverKeyStore), serverKeyStoreOutputStream);
mockReturnOutputStream(outputStreamFactory, new File(clientKeyStore), clientKeyStoreOutputStream);
mockReturnOutputStream(outputStreamFactory, new File(clientTrustStore), clientTrustStoreOutputStream);
mockReturnOutputStream(outputStreamFactory, serverConfigFile, serverConfigFileOutputStream);
mockReturnOutputStream(outputStreamFactory, clientConfigFile, clientConfigFileOutputStream);
inputStreamFactory = mock(InputStreamFactory.class);
mockReturnProperties(inputStreamFactory, serverConfigFile, serverConfig);
mockReturnProperties(inputStreamFactory, clientConfigFile, clientConfig);
}
use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.
the class TlsClientManager method write.
@Override
public void write(OutputStreamFactory outputStreamFactory) throws IOException, GeneralSecurityException {
super.write(outputStreamFactory);
String trustStorePassword = tlsClientConfig.getTrustStorePassword();
boolean trustStorePasswordGenerated = false;
if (StringUtils.isEmpty(trustStorePassword)) {
trustStorePassword = getPasswordUtil().generatePassword();
trustStorePasswordGenerated = true;
}
trustStorePassword = TlsHelper.writeKeyStore(trustStore, outputStreamFactory, new File(tlsClientConfig.getTrustStore()), trustStorePassword, trustStorePasswordGenerated);
tlsClientConfig.setTrustStorePassword(trustStorePassword);
for (ConfigurationWriter<TlsClientConfig> configurationWriter : configurationWriters) {
configurationWriter.write(tlsClientConfig, outputStreamFactory);
}
if (certificateAuthorityDirectory != null) {
// Write out all trusted certificates from truststore
for (String alias : Collections.list(trustStore.aliases())) {
try {
KeyStore.Entry trustStoreEntry = trustStore.getEntry(alias, null);
if (trustStoreEntry instanceof KeyStore.TrustedCertificateEntry) {
Certificate trustedCertificate = ((KeyStore.TrustedCertificateEntry) trustStoreEntry).getTrustedCertificate();
try (OutputStream outputStream = outputStreamFactory.create(new File(certificateAuthorityDirectory, alias + ".pem"));
OutputStreamWriter outputStreamWriter = new OutputStreamWriter(outputStream);
PemWriter pemWriter = new PemWriter(outputStreamWriter)) {
pemWriter.writeObject(new JcaMiscPEMGenerator(trustedCertificate));
}
}
} catch (UnrecoverableEntryException e) {
// Ignore, not a trusted cert
}
}
}
}
use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.
the class TlsCertificateAuthorityClientCommandLine method createClientConfig.
public TlsClientConfig createClientConfig() throws IOException {
String configJsonIn = getConfigJsonIn();
if (!StringUtils.isEmpty(configJsonIn)) {
try (InputStream inputStream = inputStreamFactory.create(new File(configJsonIn))) {
TlsClientConfig tlsClientConfig = new ObjectMapper().readValue(inputStream, TlsClientConfig.class);
tlsClientConfig.initDefaults();
return tlsClientConfig;
}
} else {
TlsClientConfig tlsClientConfig = new TlsClientConfig();
tlsClientConfig.setCaHostname(getCertificateAuthorityHostname());
tlsClientConfig.setDn(getDn());
tlsClientConfig.setDomainAlternativeNames(getDomainAlternativeNames());
tlsClientConfig.setToken(getToken());
tlsClientConfig.setPort(getPort());
tlsClientConfig.setKeyStore(KEYSTORE + getKeyStoreType().toLowerCase());
tlsClientConfig.setKeyStoreType(getKeyStoreType());
tlsClientConfig.setTrustStore(TRUSTSTORE + tlsClientConfig.getTrustStoreType().toLowerCase());
tlsClientConfig.setKeySize(getKeySize());
tlsClientConfig.setKeyPairAlgorithm(getKeyAlgorithm());
tlsClientConfig.setSigningAlgorithm(getSigningAlgorithm());
return tlsClientConfig;
}
}
use of org.apache.nifi.toolkit.tls.configuration.TlsClientConfig in project nifi by apache.
the class TlsToolkitStandalone method createNifiKeystoresAndTrustStores.
public void createNifiKeystoresAndTrustStores(StandaloneConfig standaloneConfig) throws GeneralSecurityException, IOException {
File baseDir = standaloneConfig.getBaseDir();
if (!baseDir.exists() && !baseDir.mkdirs()) {
throw new IOException(baseDir + " doesn't exist and unable to create it.");
}
if (!baseDir.isDirectory()) {
throw new IOException("Expected directory to output to");
}
String signingAlgorithm = standaloneConfig.getSigningAlgorithm();
int days = standaloneConfig.getDays();
String keyPairAlgorithm = standaloneConfig.getKeyPairAlgorithm();
int keySize = standaloneConfig.getKeySize();
File nifiCert = new File(baseDir, NIFI_CERT + ".pem");
File nifiKey = new File(baseDir, NIFI_KEY + ".key");
X509Certificate certificate;
KeyPair caKeyPair;
if (logger.isInfoEnabled()) {
logger.info("Running standalone certificate generation with output directory " + baseDir);
}
if (nifiCert.exists()) {
if (!nifiKey.exists()) {
throw new IOException(nifiCert + " exists already, but " + nifiKey + " does not, we need both certificate and key to continue with an existing CA.");
}
try (FileReader pemEncodedCertificate = new FileReader(nifiCert)) {
certificate = TlsHelper.parseCertificate(pemEncodedCertificate);
}
try (FileReader pemEncodedKeyPair = new FileReader(nifiKey)) {
caKeyPair = TlsHelper.parseKeyPair(pemEncodedKeyPair);
}
certificate.verify(caKeyPair.getPublic());
if (!caKeyPair.getPublic().equals(certificate.getPublicKey())) {
throw new IOException("Expected " + nifiKey + " to correspond to CA certificate at " + nifiCert);
}
if (logger.isInfoEnabled()) {
logger.info("Using existing CA certificate " + nifiCert + " and key " + nifiKey);
}
} else if (nifiKey.exists()) {
throw new IOException(nifiKey + " exists already, but " + nifiCert + " does not, we need both certificate and key to continue with an existing CA.");
} else {
TlsCertificateAuthorityManager tlsCertificateAuthorityManager = new TlsCertificateAuthorityManager(standaloneConfig);
KeyStore.PrivateKeyEntry privateKeyEntry = tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority();
certificate = (X509Certificate) privateKeyEntry.getCertificateChain()[0];
caKeyPair = new KeyPair(certificate.getPublicKey(), privateKeyEntry.getPrivateKey());
try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiCert)))) {
pemWriter.writeObject(new JcaMiscPEMGenerator(certificate));
}
try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiKey)))) {
pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair));
}
if (logger.isInfoEnabled()) {
logger.info("Generated new CA certificate " + nifiCert + " and key " + nifiKey);
}
}
NiFiPropertiesWriterFactory niFiPropertiesWriterFactory = standaloneConfig.getNiFiPropertiesWriterFactory();
boolean overwrite = standaloneConfig.isOverwrite();
List<InstanceDefinition> instanceDefinitions = standaloneConfig.getInstanceDefinitions();
if (instanceDefinitions.isEmpty() && logger.isInfoEnabled()) {
logger.info("No " + TlsToolkitStandaloneCommandLine.HOSTNAMES_ARG + " specified, not generating any host certificates or configuration.");
}
for (InstanceDefinition instanceDefinition : instanceDefinitions) {
String hostname = instanceDefinition.getHostname();
File hostDir;
int hostIdentifierNumber = instanceDefinition.getInstanceIdentifier().getNumber();
if (hostIdentifierNumber == 1) {
hostDir = new File(baseDir, hostname);
} else {
hostDir = new File(baseDir, hostname + "_" + hostIdentifierNumber);
}
TlsClientConfig tlsClientConfig = new TlsClientConfig(standaloneConfig);
File keystore = new File(hostDir, "keystore." + tlsClientConfig.getKeyStoreType().toLowerCase());
File truststore = new File(hostDir, "truststore." + tlsClientConfig.getTrustStoreType().toLowerCase());
if (hostDir.exists()) {
if (!hostDir.isDirectory()) {
throw new IOException(hostDir + " exists but is not a directory.");
} else if (overwrite) {
if (logger.isInfoEnabled()) {
logger.info("Overwriting any existing ssl configuration in " + hostDir);
}
keystore.delete();
if (keystore.exists()) {
throw new IOException("Keystore " + keystore + " already exists and couldn't be deleted.");
}
truststore.delete();
if (truststore.exists()) {
throw new IOException("Truststore " + truststore + " already exists and couldn't be deleted.");
}
} else {
throw new IOException(hostDir + " exists and overwrite is not set.");
}
} else if (!hostDir.mkdirs()) {
throw new IOException("Unable to make directory: " + hostDir.getAbsolutePath());
} else if (logger.isInfoEnabled()) {
logger.info("Writing new ssl configuration to " + hostDir);
}
tlsClientConfig.setKeyStore(keystore.getAbsolutePath());
tlsClientConfig.setKeyStorePassword(instanceDefinition.getKeyStorePassword());
tlsClientConfig.setKeyPassword(instanceDefinition.getKeyPassword());
tlsClientConfig.setTrustStore(truststore.getAbsolutePath());
tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname));
tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"), hostname, instanceDefinition.getNumber()));
tlsClientManager.write(outputStreamFactory);
if (logger.isInfoEnabled()) {
logger.info("Successfully generated TLS configuration for " + hostname + " " + hostIdentifierNumber + " in " + hostDir);
}
}
List<String> clientDns = standaloneConfig.getClientDns();
if (standaloneConfig.getClientDns().isEmpty() && logger.isInfoEnabled()) {
logger.info("No " + TlsToolkitStandaloneCommandLine.CLIENT_CERT_DN_ARG + " specified, not generating any client certificates.");
}
List<String> clientPasswords = standaloneConfig.getClientPasswords();
for (int i = 0; i < clientDns.size(); i++) {
String reorderedDn = CertificateUtils.reorderDn(clientDns.get(i));
String clientDnFile = getClientDnFile(reorderedDn);
File clientCertFile = new File(baseDir, clientDnFile + ".p12");
if (clientCertFile.exists()) {
if (overwrite) {
if (logger.isInfoEnabled()) {
logger.info("Overwriting existing client cert " + clientCertFile);
}
} else {
throw new IOException(clientCertFile + " exists and overwrite is not set.");
}
} else if (logger.isInfoEnabled()) {
logger.info("Generating new client certificate " + clientCertFile);
}
KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
X509Certificate clientCert = CertificateUtils.generateIssuedCertificate(reorderedDn, keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days);
KeyStore keyStore = KeyStoreUtils.getKeyStore(KeystoreType.PKCS12.toString());
keyStore.load(null, null);
keyStore.setKeyEntry(NIFI_KEY, keyPair.getPrivate(), null, new Certificate[] { clientCert, certificate });
String password = TlsHelper.writeKeyStore(keyStore, outputStreamFactory, clientCertFile, clientPasswords.get(i), standaloneConfig.isClientPasswordsGenerated());
try (FileWriter fileWriter = new FileWriter(new File(baseDir, clientDnFile + ".password"))) {
fileWriter.write(password);
}
if (logger.isInfoEnabled()) {
logger.info("Successfully generated client certificate " + clientCertFile);
}
}
if (logger.isInfoEnabled()) {
logger.info("tls-toolkit standalone completed successfully");
}
}
Aggregations