Use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.
The class TlsCertificateAuthorityManager, method getOrGenerateCertificateAuthority.
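/**
 * Reads the CA entry from the KeyStore, generating a new self-signed CA and storing it under the
 * {@link TlsToolkitStandalone#NIFI_KEY} alias if that alias is not yet present.
 *
 * <p>Generation uses the key pair algorithm, key size, DN, signing algorithm and validity period
 * taken from {@link #getTlsConfig()}. The CA private key created here is persisted in the KeyStore,
 * so the KeyStore's own protection is what protects the CA.
 *
 * @return the PrivateKeyEntry for the CA
 *
 * @throws GeneralSecurityException if there is a security problem generating the key pair or certificate
 * @throws IOException if there is an IO problem, or if the alias exists but does not hold a private key entry
 */
public KeyStore.PrivateKeyEntry getOrGenerateCertificateAuthority() throws GeneralSecurityException, IOException {
    KeyStore.Entry entry = getEntry(TlsToolkitStandalone.NIFI_KEY);
    if (entry == null) {
        // First run: no CA yet, so create one from the configured parameters and persist it.
        TlsConfig tlsConfig = getTlsConfig();
        KeyPair keyPair = TlsHelper.generateKeyPair(tlsConfig.getKeyPairAlgorithm(), tlsConfig.getKeySize());
        // reorderDn presumably normalizes the RDN order of the configured DN before it becomes the subject — see CertificateUtils
        X509Certificate caCert = CertificateUtils.generateSelfSignedX509Certificate(keyPair, CertificateUtils.reorderDn(tlsConfig.getDn()),
                tlsConfig.getSigningAlgorithm(), tlsConfig.getDays());
        entry = addPrivateKeyToKeyStore(keyPair, TlsToolkitStandalone.NIFI_KEY, caCert);
    } else if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
        // The alias is occupied by something that cannot sign (e.g. a trusted-certificate entry); refuse rather than cast blindly.
        throw new IOException("Expected " + TlsToolkitStandalone.NIFI_KEY + " alias to contain a private key entry");
    }
    return (KeyStore.PrivateKeyEntry) entry;
}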
Use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.
The class TlsCertificateAuthorityServiceCommandLine, method createConfig.
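/**
 * Builds the CA service configuration.
 *
 * <p>If a config JSON input path was supplied, the configuration is deserialized from that file and
 * {@code initDefaults()} is then applied to it. Otherwise a fresh configuration is assembled from the
 * individual command-line values (hostname, DN, token, port, key store settings, key and signing
 * parameters, validity days).
 *
 * <p>NOTE(review): the returned config carries the token, so a config JSON read here may hold that
 * token in plaintext; the file's permissions should be treated accordingly.
 *
 * @return the populated configuration
 * @throws IOException if the config JSON cannot be opened or parsed
 */
public TlsConfig createConfig() throws IOException {
    String configJsonIn = getConfigJsonIn();
    if (!StringUtils.isEmpty(configJsonIn)) {
        try (InputStream inputStream = inputStreamFactory.create(new File(configJsonIn))) {
            TlsConfig tlsConfig = new ObjectMapper().readValue(inputStream, TlsConfig.class);
            tlsConfig.initDefaults();
            return tlsConfig;
        }
    }
    TlsConfig tlsConfig = new TlsConfig();
    tlsConfig.setCaHostname(getCertificateAuthorityHostname());
    tlsConfig.setDn(getDn());
    tlsConfig.setToken(getToken());
    tlsConfig.setPort(getPort());
    // Locale.ROOT keeps the derived key store file name independent of the JVM's default locale.
    tlsConfig.setKeyStore(NIFI_CA_KEYSTORE + getKeyStoreType().toLowerCase(java.util.Locale.ROOT));
    tlsConfig.setKeyStoreType(getKeyStoreType());
    tlsConfig.setKeySize(getKeySize());
    tlsConfig.setKeyPairAlgorithm(getKeyAlgorithm());
    tlsConfig.setSigningAlgorithm(getSigningAlgorithm());
    tlsConfig.setDays(getDays());
    return tlsConfig;
}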
Use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.
The class TlsCertificateAuthorityClientCommandLineTest, method testDefaults.
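/**
 * Verifies that parsing only the token option leaves every other client setting at its documented
 * default: the TlsConfig defaults for hostname, DN, store type, key size, key algorithm and port, the
 * command line's default store file names and config/certificate paths, and no store or key passwords.
 */
@Test
public void testDefaults() throws CommandLineParseException, IOException {
    tlsCertificateAuthorityClientCommandLine.parse("-t", testToken);
    TlsClientConfig clientConfig = tlsCertificateAuthorityClientCommandLine.createClientConfig();
    assertEquals(TlsConfig.DEFAULT_HOSTNAME, clientConfig.getCaHostname());
    // Default DN is derived from this machine's host name, so compute the expectation the same way.
    assertEquals(new TlsConfig().calcDefaultDn(InetAddress.getLocalHost().getHostName()), clientConfig.getDn());
    assertEquals(TlsCertificateAuthorityClientCommandLine.KEYSTORE + TlsConfig.DEFAULT_KEY_STORE_TYPE.toLowerCase(), clientConfig.getKeyStore());
    assertEquals(TlsConfig.DEFAULT_KEY_STORE_TYPE, clientConfig.getKeyStoreType());
    // Passwords are not defaulted; they must stay unset until generated or supplied.
    assertNull(clientConfig.getKeyStorePassword());
    assertNull(clientConfig.getKeyPassword());
    assertEquals(TlsCertificateAuthorityClientCommandLine.TRUSTSTORE + TlsConfig.DEFAULT_KEY_STORE_TYPE.toLowerCase(), clientConfig.getTrustStore());
    assertEquals(TlsConfig.DEFAULT_KEY_STORE_TYPE, clientConfig.getTrustStoreType());
    assertNull(clientConfig.getTrustStorePassword());
    assertEquals(TlsConfig.DEFAULT_KEY_SIZE, clientConfig.getKeySize());
    assertEquals(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, clientConfig.getKeyPairAlgorithm());
    assertEquals(testToken, clientConfig.getToken());
    assertEquals(TlsConfig.DEFAULT_PORT, clientConfig.getPort());
    assertEquals(TlsCertificateAuthorityClientCommandLine.DEFAULT_CONFIG_JSON, tlsCertificateAuthorityClientCommandLine.getConfigJsonOut());
    assertNull(tlsCertificateAuthorityClientCommandLine.getConfigJsonIn());
    assertEquals(TlsCertificateAuthorityClientCommandLine.DEFAULT_CERTIFICATE_DIRECTORY, tlsCertificateAuthorityClientCommandLine.getCertificateDirectory());
}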
Use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.
The class TlsCertificateSigningRequestPerformerTest, method setup.
/**
 * Builds the fixture for the CSR performer tests: a client key pair and CSR, a mocked client config,
 * a mocked HTTP client whose POST handler checks the submitted CSR and replies with the test response,
 * and a throwaway CA that signs the CSR so the expected signed certificate is available to the tests.
 */
@Before
public void setup() throws GeneralSecurityException, OperatorCreationException, IOException {
objectMapper = new ObjectMapper();
keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
testToken = "testTokenTestToken";
testCaHostname = "testCaHostname";
testPort = 8993;
certificates = new ArrayList<>();
when(tlsClientConfig.getToken()).thenReturn(testToken);
when(tlsClientConfig.getCaHostname()).thenReturn(testCaHostname);
when(tlsClientConfig.getDn()).thenReturn(new TlsConfig().calcDefaultDn(testCaHostname));
when(tlsClientConfig.getPort()).thenReturn(testPort);
when(tlsClientConfig.createCertificateSigningRequestPerformer()).thenReturn(tlsCertificateSigningRequestPerformer);
when(tlsClientConfig.getSigningAlgorithm()).thenReturn(TlsConfig.DEFAULT_SIGNING_ALGORITHM);
// The CSR the performer is expected to send, PEM-encoded so it can be compared against the request body below.
JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = TlsHelper.generateCertificationRequest(tlsClientConfig.getDn(), null, keyPair, TlsConfig.DEFAULT_SIGNING_ALGORITHM);
String testCsrPem = TlsHelper.pemEncodeJcaObject(jcaPKCS10CertificationRequest);
when(httpClientBuilderSupplier.get()).thenReturn(httpClientBuilder);
when(httpClientBuilder.build()).thenAnswer(invocation -> {
// Reaches into HttpClientBuilder's private "sslSocketFactory" field via reflection, then into the socket
// factory's private "certificates" list, so the test can hand it the certificates it wants observed.
// NOTE(review): this couples the test to private field names of both classes and will break on renames.
Field sslSocketFactory = HttpClientBuilder.class.getDeclaredField("sslSocketFactory");
sslSocketFactory.setAccessible(true);
Object o = sslSocketFactory.get(httpClientBuilder);
Field field = TlsCertificateAuthorityClientSocketFactory.class.getDeclaredField("certificates");
field.setAccessible(true);
// Unchecked cast: the field is assumed to hold a List<X509Certificate> — TODO confirm against the socket factory.
((List<X509Certificate>) field.get(o)).addAll(certificates);
return closeableHttpClient;
});
StatusLine statusLine = mock(StatusLine.class);
// Answered lazily so a test can change statusCode after setup and have the mock report the new value.
when(statusLine.getStatusCode()).thenAnswer(i -> statusCode);
when(closeableHttpClient.execute(eq(new HttpHost(testCaHostname, testPort, "https")), any(HttpPost.class))).thenAnswer(invocation -> {
HttpPost httpPost = (HttpPost) invocation.getArguments()[1];
TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = objectMapper.readValue(httpPost.getEntity().getContent(), TlsCertificateAuthorityRequest.class);
// NOTE(review): JUnit's assertEquals takes (expected, actual); the arguments here are reversed, which only affects the failure message.
assertEquals(tlsCertificateAuthorityRequest.getCsr(), testCsrPem);
CloseableHttpResponse closeableHttpResponse = mock(CloseableHttpResponse.class);
// The response body is serialized at call time, so tests may set tlsCertificateAuthorityResponse after setup.
when(closeableHttpResponse.getEntity()).thenAnswer(i -> {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
objectMapper.writeValue(byteArrayOutputStream, tlsCertificateAuthorityResponse);
return new ByteArrayEntity(byteArrayOutputStream.toByteArray());
});
when(closeableHttpResponse.getStatusLine()).thenReturn(statusLine);
return closeableHttpResponse;
});
// A self-signed throwaway CA; its HMAC over the token and public key is what the performer is expected to verify.
KeyPair caKeyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
caCertificate = CertificateUtils.generateSelfSignedX509Certificate(caKeyPair, "CN=fakeCa", TlsConfig.DEFAULT_SIGNING_ALGORITHM, TlsConfig.DEFAULT_DAYS);
testHmac = TlsHelper.calculateHMac(testToken, caCertificate.getPublicKey());
signedCsr = CertificateUtils.generateIssuedCertificate(jcaPKCS10CertificationRequest.getSubject().toString(), jcaPKCS10CertificationRequest.getPublicKey(), caCertificate, caKeyPair, TlsConfig.DEFAULT_SIGNING_ALGORITHM, TlsConfig.DEFAULT_DAYS);
testSignedCsr = TlsHelper.pemEncodeJcaObject(signedCsr);
tlsCertificateSigningRequestPerformer = new TlsCertificateSigningRequestPerformer(httpClientBuilderSupplier, tlsClientConfig);
}
Use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.
The class TlsCertificateAuthorityServiceCommandLineTest, method testKeyStoreType.
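/**
 * Verifies that the key store type option is carried into the config and that the key store file name
 * is derived from that type: the CA key store prefix followed by the lower-cased type.
 */
@Test
public void testKeyStoreType() throws CommandLineParseException, IOException {
    String testKeyStoreType = "testKeyStoreType";
    tlsCertificateAuthorityServiceCommandLine.parse("-t", testToken, "-T", testKeyStoreType);
    TlsConfig tlsConfig = tlsCertificateAuthorityServiceCommandLine.createConfig();
    assertEquals(testKeyStoreType, tlsConfig.getKeyStoreType());
    // Expectation is built from the test's own input rather than from tlsConfig, so this assertion does not
    // depend on the previous one having passed.
    assertEquals(TlsCertificateAuthorityServiceCommandLine.NIFI_CA_KEYSTORE + testKeyStoreType.toLowerCase(), tlsConfig.getKeyStore());
}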