
Example 1 with NiFiPropertiesWriterFactory

use of org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory in project nifi by apache.

From class TlsToolkitStandaloneCommandLine, the method doParse.

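/**
 * Parses the standalone tls-toolkit command line on top of {@code super.doParse} and stores the
 * results in this object's fields: output directory, DN prefix/suffix, subject alternative names,
 * per-host instance definitions (with keystore/key/truststore password suppliers), client DNs and
 * their passwords, the overwrite flag, and the nifi.properties template to render.
 * <p>
 * Secrets: keystore and client-certificate passwords may be given as command-line options, which
 * are typically visible in the process table and shell history. When they are omitted the code
 * falls back to {@code passwordUtil.passwordSupplier()} (not shown here, presumably a generator)
 * and, for client certificates, records that fact in {@code clientPasswordsGenerated}.
 *
 * @param args raw command-line arguments
 * @return the parsed {@link CommandLine}, exactly as returned by the superclass
 * @throws CommandLineParseException if the superclass rejects the arguments, or (presumably, via
 *                                   {@code printUsageAndThrow}) if the nifi.properties template
 *                                   cannot be read
 */
@Override
protected CommandLine doParse(String... args) throws CommandLineParseException {
    CommandLine commandLine = super.doParse(args);
    String outputDirectory = commandLine.getOptionValue(OUTPUT_DIRECTORY_ARG, DEFAULT_OUTPUT_DIRECTORY);
    baseDir = new File(outputDirectory);
    dnPrefix = commandLine.getOptionValue(NIFI_DN_PREFIX_ARG, TlsConfig.DEFAULT_DN_PREFIX);
    dnSuffix = commandLine.getOptionValue(NIFI_DN_SUFFIX_ARG, TlsConfig.DEFAULT_DN_SUFFIX);
    domainAlternativeNames = commandLine.getOptionValue(SUBJECT_ALTERNATIVE_NAMES);

    // Each option value may itself hold a comma-separated list; both are flattened and trimmed.
    Stream<String> globalOrderExpressions = null;
    if (commandLine.hasOption(GLOBAL_PORT_SEQUENCE_ARG)) {
        globalOrderExpressions = Arrays.stream(commandLine.getOptionValues(GLOBAL_PORT_SEQUENCE_ARG))
                .flatMap(s -> Arrays.stream(s.split(",")))
                .map(String::trim);
    }

    if (commandLine.hasOption(HOSTNAMES_ARG)) {
        Stream<String> hostnames = Arrays.stream(commandLine.getOptionValues(HOSTNAMES_ARG))
                .flatMap(s -> Arrays.stream(s.split(",")).map(String::trim));
        // Suppliers are parsed in the same order the original single call evaluated them
        // (keystore, key, truststore) in case parsePasswordSupplier has side effects.
        Supplier<String> keyStorePasswords = parsePasswordSupplier(commandLine, KEY_STORE_PASSWORD_ARG, passwordUtil.passwordSupplier());
        // Without the "different key and keystore passwords" flag the default is null; how a null
        // key password is resolved (presumably "same as keystore") lives in InstanceDefinition.
        Supplier<String> keyPasswords = parsePasswordSupplier(commandLine, KEY_PASSWORD_ARG,
                commandLine.hasOption(DIFFERENT_KEY_AND_KEYSTORE_PASSWORDS_ARG) ? passwordUtil.passwordSupplier() : null);
        Supplier<String> trustStorePasswords = parsePasswordSupplier(commandLine, TRUST_STORE_PASSWORD_ARG, passwordUtil.passwordSupplier());
        instanceDefinitions = Collections.unmodifiableList(InstanceDefinition.createDefinitions(
                globalOrderExpressions, hostnames, keyStorePasswords, keyPasswords, trustStorePasswords));
    } else {
        instanceDefinitions = Collections.emptyList();
    }

    String[] clientDnValues = commandLine.getOptionValues(CLIENT_CERT_DN_ARG);
    if (clientDnValues != null) {
        clientDns = Collections.unmodifiableList(Arrays.stream(clientDnValues).collect(Collectors.toList()));
    } else {
        clientDns = Collections.emptyList();
    }
    // One password per client DN; getPasswords is responsible for matching the counts.
    clientPasswords = Collections.unmodifiableList(getPasswords(CLIENT_CERT_PASSWORD_ARG, commandLine, clientDns.size(), CLIENT_CERT_DN_ARG));
    clientPasswordsGenerated = commandLine.getOptionValues(CLIENT_CERT_PASSWORD_ARG) == null;
    overwrite = commandLine.hasOption(OVERWRITE_ARG);

    String nifiPropertiesFile = commandLine.getOptionValue(NIFI_PROPERTIES_FILE_ARG, "");
    try {
        if (StringUtils.isEmpty(nifiPropertiesFile)) {
            logger.info("No " + NIFI_PROPERTIES_FILE_ARG + " specified, using embedded one.");
            niFiPropertiesWriterFactory = new NiFiPropertiesWriterFactory();
        } else {
            logger.info("Using " + nifiPropertiesFile + " as template.");
            // The stream is opened here, so it is closed here too instead of relying on the factory.
            // NOTE(review): this assumes NiFiPropertiesWriterFactory reads the whole template in its
            // constructor rather than keeping the stream for later use — confirm against the factory.
            try (FileInputStream templateStream = new FileInputStream(nifiPropertiesFile)) {
                niFiPropertiesWriterFactory = new NiFiPropertiesWriterFactory(templateStream);
            }
        }
    } catch (IOException e) {
        printUsageAndThrow("Unable to read nifi.properties from " + (StringUtils.isEmpty(nifiPropertiesFile) ? "classpath" : nifiPropertiesFile), ExitCode.ERROR_READING_NIFI_PROPERTIES);
    }
    return commandLine;
}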

Example 2 with NiFiPropertiesWriterFactory

use of org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory in project nifi by apache.

From class TlsToolkitStandalone, the method createNifiKeystoresAndTrustStores.

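/**
 * Generates the standalone TLS material below {@code standaloneConfig.getBaseDir()}.
 * <p>
 * Steps, in order:
 * <ol>
 * <li>Create the base directory if needed; refuse to continue if it is not a directory.</li>
 * <li>Reuse an existing CA from {@code NIFI_CERT + ".pem"} / {@code NIFI_KEY + ".key"} when both
 * files are present (the certificate must verify under, and carry, the key's public key), or
 * generate a new CA and write both files as PEM. Having only one of the two files is an error.</li>
 * <li>For each {@link InstanceDefinition}: create {@code <hostname>} (or {@code <hostname>_<n>}
 * for instance numbers other than 1), issue a host certificate with the configured SANs, and write
 * keystore, truststore and nifi.properties there. An existing host directory is only reused when
 * overwrite is set, in which case the old keystore and truststore are deleted first.</li>
 * <li>For each client DN: issue a client certificate, write it as a PKCS12 file named from the
 * reordered DN, and write the keystore password next to it in a plaintext {@code .password} file.</li>
 * </ol>
 * The CA private key file and the {@code .password} files hold secrets. After writing them this
 * method makes a best-effort attempt to drop group/other access (see {@link #restrictToOwnerOnly});
 * how {@code outputStreamFactory} creates files is not visible here, so on shared hosts the
 * resulting permissions should still be checked.
 *
 * @param standaloneConfig output directory, CA/key parameters, instance and client definitions
 * @throws GeneralSecurityException if key generation, certificate issuance or verification of an
 *                                  existing CA certificate fails
 * @throws IOException if a file or directory cannot be created, read, written or deleted, if an
 *                     existing CA certificate/key pair is incomplete or mismatched, or if output
 *                     already exists and overwrite is not set
 */
public void createNifiKeystoresAndTrustStores(StandaloneConfig standaloneConfig) throws GeneralSecurityException, IOException {
    File baseDir = standaloneConfig.getBaseDir();
    if (!baseDir.exists() && !baseDir.mkdirs()) {
        throw new IOException(baseDir + " doesn't exist and unable to create it.");
    }
    if (!baseDir.isDirectory()) {
        throw new IOException("Expected directory to output to");
    }
    String signingAlgorithm = standaloneConfig.getSigningAlgorithm();
    int days = standaloneConfig.getDays();
    String keyPairAlgorithm = standaloneConfig.getKeyPairAlgorithm();
    int keySize = standaloneConfig.getKeySize();
    File nifiCert = new File(baseDir, NIFI_CERT + ".pem");
    File nifiKey = new File(baseDir, NIFI_KEY + ".key");
    X509Certificate certificate;
    KeyPair caKeyPair;
    if (logger.isInfoEnabled()) {
        logger.info("Running standalone certificate generation with output directory " + baseDir);
    }
    if (nifiCert.exists()) {
        if (!nifiKey.exists()) {
            throw new IOException(nifiCert + " exists already, but " + nifiKey + " does not, we need both certificate and key to continue with an existing CA.");
        }
        try (FileReader pemEncodedCertificate = new FileReader(nifiCert)) {
            certificate = TlsHelper.parseCertificate(pemEncodedCertificate);
        }
        try (FileReader pemEncodedKeyPair = new FileReader(nifiKey)) {
            caKeyPair = TlsHelper.parseKeyPair(pemEncodedKeyPair);
        }
        // Signature check plus an explicit key comparison: verify() alone would also accept any
        // certificate merely signed by this key, so the public-key equality is what ties the two
        // files together as one CA.
        certificate.verify(caKeyPair.getPublic());
        if (!caKeyPair.getPublic().equals(certificate.getPublicKey())) {
            throw new IOException("Expected " + nifiKey + " to correspond to CA certificate at " + nifiCert);
        }
        // NOTE(review): nothing here checks that a reused CA certificate is still within its validity
        // period or carries CA basic constraints; certificates issued below chain to it regardless.
        if (logger.isInfoEnabled()) {
            logger.info("Using existing CA certificate " + nifiCert + " and key " + nifiKey);
        }
    } else if (nifiKey.exists()) {
        throw new IOException(nifiKey + " exists already, but " + nifiCert + " does not, we need both certificate and key to continue with an existing CA.");
    } else {
        TlsCertificateAuthorityManager tlsCertificateAuthorityManager = new TlsCertificateAuthorityManager(standaloneConfig);
        KeyStore.PrivateKeyEntry privateKeyEntry = tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority();
        certificate = (X509Certificate) privateKeyEntry.getCertificateChain()[0];
        caKeyPair = new KeyPair(certificate.getPublicKey(), privateKeyEntry.getPrivateKey());
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiCert)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(certificate));
        }
        // The CA private key is written unencrypted; anyone who can read this file can issue
        // certificates trusted by every generated truststore.
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiKey)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair));
        }
        restrictToOwnerOnly(nifiKey);
        if (logger.isInfoEnabled()) {
            logger.info("Generated new CA certificate " + nifiCert + " and key " + nifiKey);
        }
    }
    NiFiPropertiesWriterFactory niFiPropertiesWriterFactory = standaloneConfig.getNiFiPropertiesWriterFactory();
    boolean overwrite = standaloneConfig.isOverwrite();
    List<InstanceDefinition> instanceDefinitions = standaloneConfig.getInstanceDefinitions();
    if (instanceDefinitions.isEmpty() && logger.isInfoEnabled()) {
        logger.info("No " + TlsToolkitStandaloneCommandLine.HOSTNAMES_ARG + " specified, not generating any host certificates or configuration.");
    }
    for (InstanceDefinition instanceDefinition : instanceDefinitions) {
        String hostname = instanceDefinition.getHostname();
        File hostDir;
        int hostIdentifierNumber = instanceDefinition.getInstanceIdentifier().getNumber();
        // The first instance of a host gets a plain directory; further instances get a suffix.
        // NOTE(review): hostname comes from the command line and is used as a path segment as-is.
        if (hostIdentifierNumber == 1) {
            hostDir = new File(baseDir, hostname);
        } else {
            hostDir = new File(baseDir, hostname + "_" + hostIdentifierNumber);
        }
        TlsClientConfig tlsClientConfig = new TlsClientConfig(standaloneConfig);
        File keystore = new File(hostDir, "keystore." + tlsClientConfig.getKeyStoreType().toLowerCase());
        File truststore = new File(hostDir, "truststore." + tlsClientConfig.getTrustStoreType().toLowerCase());
        if (hostDir.exists()) {
            if (!hostDir.isDirectory()) {
                throw new IOException(hostDir + " exists but is not a directory.");
            } else if (overwrite) {
                if (logger.isInfoEnabled()) {
                    logger.info("Overwriting any existing ssl configuration in " + hostDir);
                }
                // delete() returns false for several reasons; the exists() re-check is what decides.
                keystore.delete();
                if (keystore.exists()) {
                    throw new IOException("Keystore " + keystore + " already exists and couldn't be deleted.");
                }
                truststore.delete();
                if (truststore.exists()) {
                    throw new IOException("Truststore " + truststore + " already exists and couldn't be deleted.");
                }
            } else {
                throw new IOException(hostDir + " exists and overwrite is not set.");
            }
        } else if (!hostDir.mkdirs()) {
            throw new IOException("Unable to make directory: " + hostDir.getAbsolutePath());
        } else if (logger.isInfoEnabled()) {
            logger.info("Writing new ssl configuration to " + hostDir);
        }
        tlsClientConfig.setKeyStore(keystore.getAbsolutePath());
        tlsClientConfig.setKeyStorePassword(instanceDefinition.getKeyStorePassword());
        tlsClientConfig.setKeyPassword(instanceDefinition.getKeyPassword());
        tlsClientConfig.setTrustStore(truststore.getAbsolutePath());
        tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
        TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
        KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
        // SAN extension built from the configured alternative names plus the host's default DN.
        Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname));
        tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
        // The truststore only needs the CA certificate, never its key.
        tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
        tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"), hostname, instanceDefinition.getNumber()));
        tlsClientManager.write(outputStreamFactory);
        if (logger.isInfoEnabled()) {
            logger.info("Successfully generated TLS configuration for " + hostname + " " + hostIdentifierNumber + " in " + hostDir);
        }
    }
    List<String> clientDns = standaloneConfig.getClientDns();
    if (standaloneConfig.getClientDns().isEmpty() && logger.isInfoEnabled()) {
        logger.info("No " + TlsToolkitStandaloneCommandLine.CLIENT_CERT_DN_ARG + " specified, not generating any client certificates.");
    }
    List<String> clientPasswords = standaloneConfig.getClientPasswords();
    for (int i = 0; i < clientDns.size(); i++) {
        String reorderedDn = CertificateUtils.reorderDn(clientDns.get(i));
        // NOTE(review): getClientDnFile is not shown here; the DN comes from the command line, so
        // confirm it strips path separators before the value becomes a file name under baseDir.
        String clientDnFile = getClientDnFile(reorderedDn);
        File clientCertFile = new File(baseDir, clientDnFile + ".p12");
        if (clientCertFile.exists()) {
            if (overwrite) {
                if (logger.isInfoEnabled()) {
                    logger.info("Overwriting existing client cert " + clientCertFile);
                }
            } else {
                throw new IOException(clientCertFile + " exists and overwrite is not set.");
            }
        } else if (logger.isInfoEnabled()) {
            logger.info("Generating new client certificate " + clientCertFile);
        }
        KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
        // Client certificates get no SAN extension (null), only the reordered DN as subject.
        X509Certificate clientCert = CertificateUtils.generateIssuedCertificate(reorderedDn, keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days);
        KeyStore keyStore = KeyStoreUtils.getKeyStore(KeystoreType.PKCS12.toString());
        keyStore.load(null, null);
        // The entry itself is stored with a null password; presumably the store password applied by
        // TlsHelper.writeKeyStore is what protects the key on disk.
        keyStore.setKeyEntry(NIFI_KEY, keyPair.getPrivate(), null, new Certificate[] { clientCert, certificate });
        String password = TlsHelper.writeKeyStore(keyStore, outputStreamFactory, clientCertFile, clientPasswords.get(i), standaloneConfig.isClientPasswordsGenerated());
        // The store password is written in the clear next to the PKCS12 file so the operator can
        // hand it out; it is a secret and must not be left world-readable.
        File passwordFile = new File(baseDir, clientDnFile + ".password");
        try (FileWriter fileWriter = new FileWriter(passwordFile)) {
            fileWriter.write(password);
        }
        restrictToOwnerOnly(passwordFile);
        if (logger.isInfoEnabled()) {
            logger.info("Successfully generated client certificate " + clientCertFile);
        }
    }
    if (logger.isInfoEnabled()) {
        logger.info("tls-toolkit standalone completed successfully");
    }
}

/**
 * Best-effort removal of group/other read and write access on a file holding secret material
 * (a private key or a plaintext password), leaving owner access in place.
 * <p>
 * All four permission updates are attempted even if an earlier one fails. A failure is logged
 * rather than thrown so that platforms where {@link File#setReadable(boolean, boolean)} cannot
 * express owner-only access do not abort generation; the operator is told to check by hand.
 *
 * @param secretFile an existing file that should be readable and writable by its owner only
 */
private void restrictToOwnerOnly(File secretFile) {
    boolean restricted = secretFile.setReadable(false, false)
            & secretFile.setReadable(true, true)
            & secretFile.setWritable(false, false)
            & secretFile.setWritable(true, true);
    if (!restricted && logger.isWarnEnabled()) {
        logger.warn("Unable to restrict permissions on " + secretFile + "; verify it is not readable by other users.");
    }
}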
