Search in sources :

Example 1 with TlsClientManager

use of org.apache.nifi.toolkit.tls.manager.TlsClientManager in project nifi by apache.

the class TlsCertificateAuthorityClient method generateCertificateAndGetItSigned.

public void generateCertificateAndGetItSigned(TlsClientConfig tlsClientConfig, String certificateDirectory, String configJson, boolean differentKeyAndKeyStorePassword) throws Exception {
    TlsClientManager tlsClientManager;
    try {
        tlsClientManager = new TlsClientManager(tlsClientConfig);
    } catch (IOException e) {
        logger.error("Unable to open existing keystore, it can be reused by specifiying both " + BaseCertificateAuthorityCommandLine.CONFIG_JSON_ARG + " and " + BaseCertificateAuthorityCommandLine.USE_CONFIG_JSON_ARG);
        throw e;
    }
    tlsClientManager.setDifferentKeyAndKeyStorePassword(differentKeyAndKeyStorePassword);
    if (!StringUtils.isEmpty(certificateDirectory)) {
        tlsClientManager.setCertificateAuthorityDirectory(new File(certificateDirectory));
    }
    if (!StringUtils.isEmpty(configJson)) {
        tlsClientManager.addClientConfigurationWriter(new JsonConfigurationWriter<>(new ObjectMapper(), new File(configJson)));
    }
    if (tlsClientManager.getEntry(TlsToolkitStandalone.NIFI_KEY) == null) {
        if (logger.isInfoEnabled()) {
            logger.info("Requesting new certificate from " + tlsClientConfig.getCaHostname() + ":" + tlsClientConfig.getPort());
        }
        KeyPair keyPair = TlsHelper.generateKeyPair(tlsClientConfig.getKeyPairAlgorithm(), tlsClientConfig.getKeySize());
        X509Certificate[] certificates = tlsClientConfig.createCertificateSigningRequestPerformer().perform(keyPair);
        tlsClientManager.addPrivateKeyToKeyStore(keyPair, TlsToolkitStandalone.NIFI_KEY, certificates);
        tlsClientManager.setCertificateEntry(TlsToolkitStandalone.NIFI_CERT, certificates[certificates.length - 1]);
    } else {
        if (logger.isInfoEnabled()) {
            logger.info("Already had entry for " + TlsToolkitStandalone.NIFI_KEY + " not requesting new certificate.");
        }
    }
    tlsClientManager.write(outputStreamFactory);
}
Also used : KeyPair(java.security.KeyPair) TlsClientManager(org.apache.nifi.toolkit.tls.manager.TlsClientManager) IOException(java.io.IOException) File(java.io.File) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) X509Certificate(java.security.cert.X509Certificate)

Example 2 with TlsClientManager

use of org.apache.nifi.toolkit.tls.manager.TlsClientManager in project nifi by apache.

the class TlsToolkitStandalone method createNifiKeystoresAndTrustStores.

public void createNifiKeystoresAndTrustStores(StandaloneConfig standaloneConfig) throws GeneralSecurityException, IOException {
    File baseDir = standaloneConfig.getBaseDir();
    if (!baseDir.exists() && !baseDir.mkdirs()) {
        throw new IOException(baseDir + " doesn't exist and unable to create it.");
    }
    if (!baseDir.isDirectory()) {
        throw new IOException("Expected directory to output to");
    }
    String signingAlgorithm = standaloneConfig.getSigningAlgorithm();
    int days = standaloneConfig.getDays();
    String keyPairAlgorithm = standaloneConfig.getKeyPairAlgorithm();
    int keySize = standaloneConfig.getKeySize();
    File nifiCert = new File(baseDir, NIFI_CERT + ".pem");
    File nifiKey = new File(baseDir, NIFI_KEY + ".key");
    X509Certificate certificate;
    KeyPair caKeyPair;
    if (logger.isInfoEnabled()) {
        logger.info("Running standalone certificate generation with output directory " + baseDir);
    }
    if (nifiCert.exists()) {
        if (!nifiKey.exists()) {
            throw new IOException(nifiCert + " exists already, but " + nifiKey + " does not, we need both certificate and key to continue with an existing CA.");
        }
        try (FileReader pemEncodedCertificate = new FileReader(nifiCert)) {
            certificate = TlsHelper.parseCertificate(pemEncodedCertificate);
        }
        try (FileReader pemEncodedKeyPair = new FileReader(nifiKey)) {
            caKeyPair = TlsHelper.parseKeyPair(pemEncodedKeyPair);
        }
        certificate.verify(caKeyPair.getPublic());
        if (!caKeyPair.getPublic().equals(certificate.getPublicKey())) {
            throw new IOException("Expected " + nifiKey + " to correspond to CA certificate at " + nifiCert);
        }
        if (logger.isInfoEnabled()) {
            logger.info("Using existing CA certificate " + nifiCert + " and key " + nifiKey);
        }
    } else if (nifiKey.exists()) {
        throw new IOException(nifiKey + " exists already, but " + nifiCert + " does not, we need both certificate and key to continue with an existing CA.");
    } else {
        TlsCertificateAuthorityManager tlsCertificateAuthorityManager = new TlsCertificateAuthorityManager(standaloneConfig);
        KeyStore.PrivateKeyEntry privateKeyEntry = tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority();
        certificate = (X509Certificate) privateKeyEntry.getCertificateChain()[0];
        caKeyPair = new KeyPair(certificate.getPublicKey(), privateKeyEntry.getPrivateKey());
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiCert)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(certificate));
        }
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiKey)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair));
        }
        if (logger.isInfoEnabled()) {
            logger.info("Generated new CA certificate " + nifiCert + " and key " + nifiKey);
        }
    }
    NiFiPropertiesWriterFactory niFiPropertiesWriterFactory = standaloneConfig.getNiFiPropertiesWriterFactory();
    boolean overwrite = standaloneConfig.isOverwrite();
    List<InstanceDefinition> instanceDefinitions = standaloneConfig.getInstanceDefinitions();
    if (instanceDefinitions.isEmpty() && logger.isInfoEnabled()) {
        logger.info("No " + TlsToolkitStandaloneCommandLine.HOSTNAMES_ARG + " specified, not generating any host certificates or configuration.");
    }
    for (InstanceDefinition instanceDefinition : instanceDefinitions) {
        String hostname = instanceDefinition.getHostname();
        File hostDir;
        int hostIdentifierNumber = instanceDefinition.getInstanceIdentifier().getNumber();
        if (hostIdentifierNumber == 1) {
            hostDir = new File(baseDir, hostname);
        } else {
            hostDir = new File(baseDir, hostname + "_" + hostIdentifierNumber);
        }
        TlsClientConfig tlsClientConfig = new TlsClientConfig(standaloneConfig);
        File keystore = new File(hostDir, "keystore." + tlsClientConfig.getKeyStoreType().toLowerCase());
        File truststore = new File(hostDir, "truststore." + tlsClientConfig.getTrustStoreType().toLowerCase());
        if (hostDir.exists()) {
            if (!hostDir.isDirectory()) {
                throw new IOException(hostDir + " exists but is not a directory.");
            } else if (overwrite) {
                if (logger.isInfoEnabled()) {
                    logger.info("Overwriting any existing ssl configuration in " + hostDir);
                }
                keystore.delete();
                if (keystore.exists()) {
                    throw new IOException("Keystore " + keystore + " already exists and couldn't be deleted.");
                }
                truststore.delete();
                if (truststore.exists()) {
                    throw new IOException("Truststore " + truststore + " already exists and couldn't be deleted.");
                }
            } else {
                throw new IOException(hostDir + " exists and overwrite is not set.");
            }
        } else if (!hostDir.mkdirs()) {
            throw new IOException("Unable to make directory: " + hostDir.getAbsolutePath());
        } else if (logger.isInfoEnabled()) {
            logger.info("Writing new ssl configuration to " + hostDir);
        }
        tlsClientConfig.setKeyStore(keystore.getAbsolutePath());
        tlsClientConfig.setKeyStorePassword(instanceDefinition.getKeyStorePassword());
        tlsClientConfig.setKeyPassword(instanceDefinition.getKeyPassword());
        tlsClientConfig.setTrustStore(truststore.getAbsolutePath());
        tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
        TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
        KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
        Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname));
        tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
        tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
        tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"), hostname, instanceDefinition.getNumber()));
        tlsClientManager.write(outputStreamFactory);
        if (logger.isInfoEnabled()) {
            logger.info("Successfully generated TLS configuration for " + hostname + " " + hostIdentifierNumber + " in " + hostDir);
        }
    }
    List<String> clientDns = standaloneConfig.getClientDns();
    if (standaloneConfig.getClientDns().isEmpty() && logger.isInfoEnabled()) {
        logger.info("No " + TlsToolkitStandaloneCommandLine.CLIENT_CERT_DN_ARG + " specified, not generating any client certificates.");
    }
    List<String> clientPasswords = standaloneConfig.getClientPasswords();
    for (int i = 0; i < clientDns.size(); i++) {
        String reorderedDn = CertificateUtils.reorderDn(clientDns.get(i));
        String clientDnFile = getClientDnFile(reorderedDn);
        File clientCertFile = new File(baseDir, clientDnFile + ".p12");
        if (clientCertFile.exists()) {
            if (overwrite) {
                if (logger.isInfoEnabled()) {
                    logger.info("Overwriting existing client cert " + clientCertFile);
                }
            } else {
                throw new IOException(clientCertFile + " exists and overwrite is not set.");
            }
        } else if (logger.isInfoEnabled()) {
            logger.info("Generating new client certificate " + clientCertFile);
        }
        KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
        X509Certificate clientCert = CertificateUtils.generateIssuedCertificate(reorderedDn, keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days);
        KeyStore keyStore = KeyStoreUtils.getKeyStore(KeystoreType.PKCS12.toString());
        keyStore.load(null, null);
        keyStore.setKeyEntry(NIFI_KEY, keyPair.getPrivate(), null, new Certificate[] { clientCert, certificate });
        String password = TlsHelper.writeKeyStore(keyStore, outputStreamFactory, clientCertFile, clientPasswords.get(i), standaloneConfig.isClientPasswordsGenerated());
        try (FileWriter fileWriter = new FileWriter(new File(baseDir, clientDnFile + ".password"))) {
            fileWriter.write(password);
        }
        if (logger.isInfoEnabled()) {
            logger.info("Successfully generated client certificate " + clientCertFile);
        }
    }
    if (logger.isInfoEnabled()) {
        logger.info("tls-toolkit standalone completed successfully");
    }
}
Also used : InstanceDefinition(org.apache.nifi.toolkit.tls.configuration.InstanceDefinition) KeyPair(java.security.KeyPair) TlsClientManager(org.apache.nifi.toolkit.tls.manager.TlsClientManager) PemWriter(org.bouncycastle.util.io.pem.PemWriter) FileWriter(java.io.FileWriter) IOException(java.io.IOException) TlsCertificateAuthorityManager(org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager) Extensions(org.bouncycastle.asn1.x509.Extensions) NiFiPropertiesWriterFactory(org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory) NifiPropertiesTlsClientConfigWriter(org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) JcaMiscPEMGenerator(org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator) TlsClientConfig(org.apache.nifi.toolkit.tls.configuration.TlsClientConfig) FileReader(java.io.FileReader) OutputStreamWriter(java.io.OutputStreamWriter) File(java.io.File)

Aggregations

File (java.io.File)2 IOException (java.io.IOException)2 KeyPair (java.security.KeyPair)2 X509Certificate (java.security.cert.X509Certificate)2 TlsClientManager (org.apache.nifi.toolkit.tls.manager.TlsClientManager)2 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)1 FileReader (java.io.FileReader)1 FileWriter (java.io.FileWriter)1 OutputStreamWriter (java.io.OutputStreamWriter)1 KeyStore (java.security.KeyStore)1 InstanceDefinition (org.apache.nifi.toolkit.tls.configuration.InstanceDefinition)1 TlsClientConfig (org.apache.nifi.toolkit.tls.configuration.TlsClientConfig)1 TlsCertificateAuthorityManager (org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager)1 NifiPropertiesTlsClientConfigWriter (org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter)1 NiFiPropertiesWriterFactory (org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory)1 Extensions (org.bouncycastle.asn1.x509.Extensions)1 JcaMiscPEMGenerator (org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator)1 PemWriter (org.bouncycastle.util.io.pem.PemWriter)1