Example 1 with TlsCertificateAuthorityResponse

Use of org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse in project nifi by apache.

The class TlsCertificateSigningRequestPerformer, method perform:

/**
 * Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds
 *
 * @param keyPair the keypair to generate the csr for
 * @throws IOException if there is a problem during the process
 * @return the resulting certificate chain
 */
public X509Certificate[] perform(KeyPair keyPair) throws IOException {
    try {
        List<X509Certificate> certificates = new ArrayList<>();
        HttpClientBuilder httpClientBuilder = httpClientBuilderSupplier.get();
        SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
        sslContextBuilder.useProtocol("TLSv1.2");
        // We will be validating that we are talking to the correct host once we get the response's hmac of the token and public key of the ca
        sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
        httpClientBuilder.setSSLSocketFactory(new TlsCertificateAuthorityClientSocketFactory(sslContextBuilder.build(), caHostname, certificates));
        String jsonResponseString;
        int responseCode;
        try (CloseableHttpClient client = httpClientBuilder.build()) {
            JcaPKCS10CertificationRequest request = TlsHelper.generateCertificationRequest(dn, domainAlternativeNames, keyPair, signingAlgorithm);
            TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = new TlsCertificateAuthorityRequest(TlsHelper.calculateHMac(token, request.getPublicKey()), TlsHelper.pemEncodeJcaObject(request));
            HttpPost httpPost = new HttpPost();
            httpPost.setEntity(new ByteArrayEntity(objectMapper.writeValueAsBytes(tlsCertificateAuthorityRequest)));
            if (logger.isInfoEnabled()) {
                logger.info("Requesting certificate with dn " + dn + " from " + caHostname + ":" + port);
            }
            try (CloseableHttpResponse response = client.execute(new HttpHost(caHostname, port, "https"), httpPost)) {
                jsonResponseString = IOUtils.toString(new BoundedInputStream(response.getEntity().getContent(), 1024 * 1024), StandardCharsets.UTF_8);
                responseCode = response.getStatusLine().getStatusCode();
            }
        }
        if (responseCode != Response.SC_OK) {
            throw new IOException(RECEIVED_RESPONSE_CODE + responseCode + " with payload " + jsonResponseString);
        }
        if (certificates.size() != 1) {
            throw new IOException(EXPECTED_ONE_CERTIFICATE);
        }
        TlsCertificateAuthorityResponse tlsCertificateAuthorityResponse = objectMapper.readValue(jsonResponseString, TlsCertificateAuthorityResponse.class);
        if (!tlsCertificateAuthorityResponse.hasHmac()) {
            throw new IOException(EXPECTED_RESPONSE_TO_CONTAIN_HMAC);
        }
        // The client socket factory captured the certificate the server presented during the TLS handshake.
        // Recompute the HMAC over that certificate's public key with the shared token: a server that does not
        // know the token cannot produce a matching value, so a substituted certificate is detected here.
        X509Certificate caCertificate = certificates.get(0);
        byte[] expectedHmac = TlsHelper.calculateHMac(token, caCertificate.getPublicKey());
        // Constant-time comparison of the two HMAC values
        if (!MessageDigest.isEqual(expectedHmac, tlsCertificateAuthorityResponse.getHmac())) {
            throw new IOException(UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE);
        }
        if (!tlsCertificateAuthorityResponse.hasCertificate()) {
            throw new IOException(EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE);
        }
        X509Certificate x509Certificate = TlsHelper.parseCertificate(new StringReader(tlsCertificateAuthorityResponse.getPemEncodedCertificate()));
        // Confirm the issued certificate was actually signed by the CA whose identity was just authenticated
        x509Certificate.verify(caCertificate.getPublicKey());
        if (logger.isInfoEnabled()) {
            logger.info("Got certificate with dn " + x509Certificate.getSubjectX500Principal());
        }
        return new X509Certificate[] { x509Certificate, caCertificate };
    } catch (IOException e) {
        throw e;
    } catch (Exception e) {
        throw new IOException(e);
    }
}
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpPost(org.apache.http.client.methods.HttpPost) JcaPKCS10CertificationRequest(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest) TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse) ArrayList(java.util.ArrayList) HttpClientBuilder(org.apache.http.impl.client.HttpClientBuilder) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ByteArrayEntity(org.apache.http.entity.ByteArrayEntity) HttpHost(org.apache.http.HttpHost) BoundedInputStream(org.apache.commons.io.input.BoundedInputStream) TlsCertificateAuthorityRequest(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityRequest) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) StringReader(java.io.StringReader) SSLContextBuilder(org.apache.http.ssl.SSLContextBuilder) TrustSelfSignedStrategy(org.apache.http.conn.ssl.TrustSelfSignedStrategy)

Example 2 with TlsCertificateAuthorityResponse

The class TlsCertificateSigningRequestPerformerTest, method testNoHmac:

@Test
public void testNoHmac() throws Exception {
    certificates.add(caCertificate);
    statusCode = Response.SC_OK;
    tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse(null, testSignedCsr);
    try {
        tlsCertificateSigningRequestPerformer.perform(keyPair);
        fail("Expected IOE");
    } catch (IOException e) {
        assertEquals(TlsCertificateSigningRequestPerformer.EXPECTED_RESPONSE_TO_CONTAIN_HMAC, e.getMessage());
    }
}
Also used : TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse) IOException(java.io.IOException) Test(org.junit.Test)

Example 3 with TlsCertificateAuthorityResponse

The class TlsCertificateSigningRequestPerformerTest, method testBadHmac:

@Test
public void testBadHmac() throws Exception {
    certificates.add(caCertificate);
    statusCode = Response.SC_OK;
    tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse("badHmac".getBytes(StandardCharsets.UTF_8), testSignedCsr);
    try {
        tlsCertificateSigningRequestPerformer.perform(keyPair);
        fail("Expected IOE");
    } catch (IOException e) {
        assertEquals(TlsCertificateSigningRequestPerformer.UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE, e.getMessage());
    }
}
Also used : TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse) IOException(java.io.IOException) Test(org.junit.Test)

Example 4 with TlsCertificateAuthorityResponse

The class TlsCertificateSigningRequestPerformerTest, method testBadStatusCode:

@Test
public void testBadStatusCode() throws Exception {
    statusCode = Response.SC_FORBIDDEN;
    tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse();
    try {
        tlsCertificateSigningRequestPerformer.perform(keyPair);
        fail("Expected IOE");
    } catch (IOException e) {
        assertTrue(e.getMessage().startsWith(TlsCertificateSigningRequestPerformer.RECEIVED_RESPONSE_CODE + statusCode));
    }
}
Also used : TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse) IOException(java.io.IOException) Test(org.junit.Test)

Example 5 with TlsCertificateAuthorityResponse

The class TlsCertificateSigningRequestPerformerTest, method test0CertSize:

@Test
public void test0CertSize() throws Exception {
    statusCode = Response.SC_OK;
    tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse();
    try {
        tlsCertificateSigningRequestPerformer.perform(keyPair);
        fail("Expected IOE");
    } catch (IOException e) {
        assertEquals(TlsCertificateSigningRequestPerformer.EXPECTED_ONE_CERTIFICATE, e.getMessage());
    }
}
Also used : TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse) IOException(java.io.IOException) Test(org.junit.Test)
