
Example 6 with TlsConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.

the class TlsCertificateAuthorityManager method getOrGenerateCertificateAuthority.

/**
 * Returns the certificate authority entry stored under the {@code TlsToolkitStandalone.NIFI_KEY}
 * alias, generating a new self-signed CA and persisting it in the KeyStore when no entry exists.
 *
 * @return the PrivateKeyEntry holding the CA private key and certificate
 *
 * @throws GeneralSecurityException if key pair generation or certificate creation fails
 * @throws IOException if the KeyStore cannot be accessed, or if the alias already holds an
 *         entry that is not a private key entry (the existing entry is never overwritten)
 */
public KeyStore.PrivateKeyEntry getOrGenerateCertificateAuthority() throws GeneralSecurityException, IOException {
    KeyStore.Entry existing = getEntry(TlsToolkitStandalone.NIFI_KEY);
    if (existing instanceof KeyStore.PrivateKeyEntry) {
        return (KeyStore.PrivateKeyEntry) existing;
    }
    if (existing != null) {
        // The alias is occupied by some other entry type; refuse rather than silently replace it.
        throw new IOException("Expected " + TlsToolkitStandalone.NIFI_KEY + " alias to contain a private key entry");
    }
    // No CA yet: build a key pair and a self-signed certificate from the configured
    // algorithm, key size, DN, signing algorithm and validity, then store them under the alias.
    TlsConfig config = getTlsConfig();
    KeyPair caKeyPair = TlsHelper.generateKeyPair(config.getKeyPairAlgorithm(), config.getKeySize());
    String caDn = CertificateUtils.reorderDn(config.getDn());
    X509Certificate caCertificate = CertificateUtils.generateSelfSignedX509Certificate(caKeyPair, caDn, config.getSigningAlgorithm(), config.getDays());
    return (KeyStore.PrivateKeyEntry) addPrivateKeyToKeyStore(caKeyPair, TlsToolkitStandalone.NIFI_KEY, caCertificate);
}

Example 7 with TlsConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.

the class TlsCertificateAuthorityServiceCommandLine method createConfig.

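/**
 * Builds the CA service configuration: from the JSON file named by the config-json-in
 * option when one is given, otherwise from the individual command line options.
 *
 * @return the populated TlsConfig
 * @throws IOException if the JSON configuration file cannot be opened or parsed
 */
public TlsConfig createConfig() throws IOException {
    String configJsonIn = getConfigJsonIn();
    if (!StringUtils.isEmpty(configJsonIn)) {
        // The stream is closed by try-with-resources even when parsing throws.
        try (InputStream inputStream = inputStreamFactory.create(new File(configJsonIn))) {
            TlsConfig tlsConfig = new ObjectMapper().readValue(inputStream, TlsConfig.class);
            // Presumably fills in values the file omitted; its exact contract is defined on TlsConfig.
            tlsConfig.initDefaults();
            return tlsConfig;
        }
    }
    TlsConfig tlsConfig = new TlsConfig();
    tlsConfig.setCaHostname(getCertificateAuthorityHostname());
    tlsConfig.setDn(getDn());
    tlsConfig.setToken(getToken());
    tlsConfig.setPort(getPort());
    // Locale.ROOT keeps the derived keystore file name independent of the JVM default locale
    // (locale-sensitive toLowerCase() can produce a different file name under e.g. Turkish locales).
    tlsConfig.setKeyStore(NIFI_CA_KEYSTORE + getKeyStoreType().toLowerCase(java.util.Locale.ROOT));
    tlsConfig.setKeyStoreType(getKeyStoreType());
    tlsConfig.setKeySize(getKeySize());
    tlsConfig.setKeyPairAlgorithm(getKeyAlgorithm());
    tlsConfig.setSigningAlgorithm(getSigningAlgorithm());
    tlsConfig.setDays(getDays());
    return tlsConfig;
}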

Example 8 with TlsConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.

the class TlsCertificateAuthorityClientCommandLineTest method testDefaults.

/**
 * Parsing only the mandatory token option must leave every other client setting at
 * the TlsConfig / command line default.
 */
@Test
public void testDefaults() throws CommandLineParseException, IOException {
    tlsCertificateAuthorityClientCommandLine.parse("-t", testToken);
    TlsClientConfig clientConfig = tlsCertificateAuthorityClientCommandLine.createClientConfig();
    String storeSuffix = TlsConfig.DEFAULT_KEY_STORE_TYPE.toLowerCase();
    String expectedDn = new TlsConfig().calcDefaultDn(InetAddress.getLocalHost().getHostName());

    // CA endpoint, identity and shared token
    assertEquals(TlsConfig.DEFAULT_HOSTNAME, clientConfig.getCaHostname());
    assertEquals(expectedDn, clientConfig.getDn());
    assertEquals(TlsConfig.DEFAULT_PORT, clientConfig.getPort());
    assertEquals(testToken, clientConfig.getToken());

    // Key store: default type, file name derived from it, no password set
    assertEquals(TlsCertificateAuthorityClientCommandLine.KEYSTORE + storeSuffix, clientConfig.getKeyStore());
    assertEquals(TlsConfig.DEFAULT_KEY_STORE_TYPE, clientConfig.getKeyStoreType());
    assertNull(clientConfig.getKeyStorePassword());
    assertNull(clientConfig.getKeyPassword());

    // Trust store: same defaults as the key store
    assertEquals(TlsCertificateAuthorityClientCommandLine.TRUSTSTORE + storeSuffix, clientConfig.getTrustStore());
    assertEquals(TlsConfig.DEFAULT_KEY_STORE_TYPE, clientConfig.getTrustStoreType());
    assertNull(clientConfig.getTrustStorePassword());

    // Key generation parameters
    assertEquals(TlsConfig.DEFAULT_KEY_SIZE, clientConfig.getKeySize());
    assertEquals(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, clientConfig.getKeyPairAlgorithm());

    // Command line level defaults that are not part of the client config object
    assertEquals(TlsCertificateAuthorityClientCommandLine.DEFAULT_CONFIG_JSON, tlsCertificateAuthorityClientCommandLine.getConfigJsonOut());
    assertNull(tlsCertificateAuthorityClientCommandLine.getConfigJsonIn());
    assertEquals(TlsCertificateAuthorityClientCommandLine.DEFAULT_CERTIFICATE_DIRECTORY, tlsCertificateAuthorityClientCommandLine.getCertificateDirectory());
}

Example 9 with TlsConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.

the class TlsCertificateSigningRequestPerformerTest method setup.

/**
 * Wires up a fully mocked CA round trip for the performer under test: a stubbed client
 * config, a client key pair and CSR, an HTTP client whose execute() parses the request,
 * checks the CSR and answers with {@code tlsCertificateAuthorityResponse}, and a fake CA
 * that issues a certificate for that CSR.
 *
 * @throws GeneralSecurityException if key generation or certificate creation fails
 * @throws OperatorCreationException if the CSR cannot be built
 * @throws IOException if PEM encoding fails
 */
@Before
public void setup() throws GeneralSecurityException, OperatorCreationException, IOException {
    // Used for both directions of the mocked HTTP exchange (request parsing and response serialization).
    objectMapper = new ObjectMapper();
    // Client key pair, generated with the toolkit defaults.
    keyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
    testToken = "testTokenTestToken";
    testCaHostname = "testCaHostname";
    testPort = 8993;
    certificates = new ArrayList<>();
    // Stub the client configuration the performer reads from.
    when(tlsClientConfig.getToken()).thenReturn(testToken);
    when(tlsClientConfig.getCaHostname()).thenReturn(testCaHostname);
    when(tlsClientConfig.getDn()).thenReturn(new TlsConfig().calcDefaultDn(testCaHostname));
    when(tlsClientConfig.getPort()).thenReturn(testPort);
    when(tlsClientConfig.createCertificateSigningRequestPerformer()).thenReturn(tlsCertificateSigningRequestPerformer);
    when(tlsClientConfig.getSigningAlgorithm()).thenReturn(TlsConfig.DEFAULT_SIGNING_ALGORITHM);
    // CSR for the client DN; its PEM form is what the mocked server expects in the request body below.
    JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = TlsHelper.generateCertificationRequest(tlsClientConfig.getDn(), null, keyPair, TlsConfig.DEFAULT_SIGNING_ALGORITHM);
    String testCsrPem = TlsHelper.pemEncodeJcaObject(jcaPKCS10CertificationRequest);
    when(httpClientBuilderSupplier.get()).thenReturn(httpClientBuilder);
    // build() reaches into the private "sslSocketFactory" field of the builder and the private
    // "certificates" field of the socket factory to inject this test's certificate list.
    // NOTE(review): relies on private field names of the HTTP client library and of
    // TlsCertificateAuthorityClientSocketFactory, so it breaks silently on a rename.
    when(httpClientBuilder.build()).thenAnswer(invocation -> {
        Field sslSocketFactory = HttpClientBuilder.class.getDeclaredField("sslSocketFactory");
        sslSocketFactory.setAccessible(true);
        Object o = sslSocketFactory.get(httpClientBuilder);
        Field field = TlsCertificateAuthorityClientSocketFactory.class.getDeclaredField("certificates");
        field.setAccessible(true);
        // Unchecked cast: assumes the field holds a List<X509Certificate> — confirm against the factory.
        ((List<X509Certificate>) field.get(o)).addAll(certificates);
        return closeableHttpClient;
    });
    StatusLine statusLine = mock(StatusLine.class);
    // Answer (not return) so the status code is read from the statusCode field at call time,
    // presumably letting individual tests change it after setup.
    when(statusLine.getStatusCode()).thenAnswer(i -> statusCode);
    // Mocked CA endpoint: only an HTTPS POST to the configured host/port is stubbed.
    when(closeableHttpClient.execute(eq(new HttpHost(testCaHostname, testPort, "https")), any(HttpPost.class))).thenAnswer(invocation -> {
        HttpPost httpPost = (HttpPost) invocation.getArguments()[1];
        // The request body must carry exactly the CSR generated above.
        TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = objectMapper.readValue(httpPost.getEntity().getContent(), TlsCertificateAuthorityRequest.class);
        assertEquals(tlsCertificateAuthorityRequest.getCsr(), testCsrPem);
        CloseableHttpResponse closeableHttpResponse = mock(CloseableHttpResponse.class);
        // The response body is whatever tlsCertificateAuthorityResponse holds when the entity is read
        // (a field populated outside this method — see the individual tests).
        when(closeableHttpResponse.getEntity()).thenAnswer(i -> {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            objectMapper.writeValue(byteArrayOutputStream, tlsCertificateAuthorityResponse);
            return new ByteArrayEntity(byteArrayOutputStream.toByteArray());
        });
        when(closeableHttpResponse.getStatusLine()).thenReturn(statusLine);
        return closeableHttpResponse;
    });
    // Fake CA: self-signed certificate plus the HMAC computed from the shared token and the CA public key.
    KeyPair caKeyPair = TlsHelper.generateKeyPair(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM, TlsConfig.DEFAULT_KEY_SIZE);
    caCertificate = CertificateUtils.generateSelfSignedX509Certificate(caKeyPair, "CN=fakeCa", TlsConfig.DEFAULT_SIGNING_ALGORITHM, TlsConfig.DEFAULT_DAYS);
    testHmac = TlsHelper.calculateHMac(testToken, caCertificate.getPublicKey());
    // Certificate the fake CA issues for the CSR's subject and public key, kept both as an object and as PEM.
    signedCsr = CertificateUtils.generateIssuedCertificate(jcaPKCS10CertificationRequest.getSubject().toString(), jcaPKCS10CertificationRequest.getPublicKey(), caCertificate, caKeyPair, TlsConfig.DEFAULT_SIGNING_ALGORITHM, TlsConfig.DEFAULT_DAYS);
    testSignedCsr = TlsHelper.pemEncodeJcaObject(signedCsr);
    // Object under test, built against the mocked HTTP client supplier and client config.
    tlsCertificateSigningRequestPerformer = new TlsCertificateSigningRequestPerformer(httpClientBuilderSupplier, tlsClientConfig);
}

Example 10 with TlsConfig

use of org.apache.nifi.toolkit.tls.configuration.TlsConfig in project nifi by apache.

the class TlsCertificateAuthorityServiceCommandLineTest method testKeyStoreType.

/**
 * The -T option must set the keystore type, and the keystore file name must be derived
 * from the lower-cased type.
 */
@Test
public void testKeyStoreType() throws CommandLineParseException, IOException {
    String requestedType = "testKeyStoreType";
    tlsCertificateAuthorityServiceCommandLine.parse("-t", testToken, "-T", requestedType);
    TlsConfig config = tlsCertificateAuthorityServiceCommandLine.createConfig();
    String actualType = config.getKeyStoreType();
    assertEquals(requestedType, actualType);
    String expectedKeyStore = TlsCertificateAuthorityServiceCommandLine.NIFI_CA_KEYSTORE + actualType.toLowerCase();
    assertEquals(expectedKeyStore, config.getKeyStore());
}
