Example 1 with TlsCertificateAuthorityResponse
use of org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse in project nifi by apache.
the class TlsCertificateSigningRequestPerformer method perform.
/**
* Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds
*
* @param keyPair the keypair to generate the csr for
* @throws IOException if there is a problem during the process
* @return the resulting certificate chain
*/
public X509Certificate[] perform(KeyPair keyPair) throws IOException {
try {
List<X509Certificate> certificates = new ArrayList<>();
HttpClientBuilder httpClientBuilder = httpClientBuilderSupplier.get();
SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
sslContextBuilder.useProtocol("TLSv1.2");
// We will be validating that we are talking to the correct host once we get the response's hmac of the token and public key of the ca
sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
httpClientBuilder.setSSLSocketFactory(new TlsCertificateAuthorityClientSocketFactory(sslContextBuilder.build(), caHostname, certificates));
String jsonResponseString;
int responseCode;
try (CloseableHttpClient client = httpClientBuilder.build()) {
JcaPKCS10CertificationRequest request = TlsHelper.generateCertificationRequest(dn, domainAlternativeNames, keyPair, signingAlgorithm);
TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = new TlsCertificateAuthorityRequest(TlsHelper.calculateHMac(token, request.getPublicKey()), TlsHelper.pemEncodeJcaObject(request));
HttpPost httpPost = new HttpPost();
httpPost.setEntity(new ByteArrayEntity(objectMapper.writeValueAsBytes(tlsCertificateAuthorityRequest)));
if (logger.isInfoEnabled()) {
logger.info("Requesting certificate with dn " + dn + " from " + caHostname + ":" + port);
}
try (CloseableHttpResponse response = client.execute(new HttpHost(caHostname, port, "https"), httpPost)) {
jsonResponseString = IOUtils.toString(new BoundedInputStream(response.getEntity().getContent(), 1024 * 1024), StandardCharsets.UTF_8);
responseCode = response.getStatusLine().getStatusCode();
}
}
if (responseCode != Response.SC_OK) {
throw new IOException(RECEIVED_RESPONSE_CODE + responseCode + " with payload " + jsonResponseString);
}
if (certificates.size() != 1) {
throw new IOException(EXPECTED_ONE_CERTIFICATE);
}
TlsCertificateAuthorityResponse tlsCertificateAuthorityResponse = objectMapper.readValue(jsonResponseString, TlsCertificateAuthorityResponse.class);
if (!tlsCertificateAuthorityResponse.hasHmac()) {
throw new IOException(EXPECTED_RESPONSE_TO_CONTAIN_HMAC);
}
X509Certificate caCertificate = certificates.get(0);
byte[] expectedHmac = TlsHelper.calculateHMac(token, caCertificate.getPublicKey());
if (!MessageDigest.isEqual(expectedHmac, tlsCertificateAuthorityResponse.getHmac())) {
throw new IOException(UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE);
}
if (!tlsCertificateAuthorityResponse.hasCertificate()) {
throw new IOException(EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE);
}
X509Certificate x509Certificate = TlsHelper.parseCertificate(new StringReader(tlsCertificateAuthorityResponse.getPemEncodedCertificate()));
x509Certificate.verify(caCertificate.getPublicKey());
if (logger.isInfoEnabled()) {
logger.info("Got certificate with dn " + x509Certificate.getSubjectX500Principal());
}
return new X509Certificate[] { x509Certificate, caCertificate };
} catch (IOException e) {
throw e;
} catch (Exception e) {
throw new IOException(e);
}
}
Also used :
CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient)
HttpPost(org.apache.http.client.methods.HttpPost)
JcaPKCS10CertificationRequest(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest)
TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse)
ArrayList(java.util.ArrayList)
HttpClientBuilder(org.apache.http.impl.client.HttpClientBuilder)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ByteArrayEntity(org.apache.http.entity.ByteArrayEntity)
HttpHost(org.apache.http.HttpHost)
BoundedInputStream(org.apache.commons.io.input.BoundedInputStream)
TlsCertificateAuthorityRequest(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityRequest)
CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse)
StringReader(java.io.StringReader)
SSLContextBuilder(org.apache.http.ssl.SSLContextBuilder)
TrustSelfSignedStrategy(org.apache.http.conn.ssl.TrustSelfSignedStrategy)
Example 2 with TlsCertificateAuthorityResponse
use of org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse in project nifi by apache.
the class TlsCertificateSigningRequestPerformerTest method testNoHmac.
@Test
public void testNoHmac() throws Exception {
certificates.add(caCertificate);
statusCode = Response.SC_OK;
tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse(null, testSignedCsr);
try {
tlsCertificateSigningRequestPerformer.perform(keyPair);
fail("Expected IOE");
} catch (IOException e) {
assertEquals(TlsCertificateSigningRequestPerformer.EXPECTED_RESPONSE_TO_CONTAIN_HMAC, e.getMessage());
}
}
Also used :
TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse)
IOException(java.io.IOException)
Test(org.junit.Test)
Example 3 with TlsCertificateAuthorityResponse
use of org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse in project nifi by apache.
the class TlsCertificateSigningRequestPerformerTest method testBadHmac.
@Test
public void testBadHmac() throws Exception {
certificates.add(caCertificate);
statusCode = Response.SC_OK;
tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse("badHmac".getBytes(StandardCharsets.UTF_8), testSignedCsr);
try {
tlsCertificateSigningRequestPerformer.perform(keyPair);
fail("Expected IOE");
} catch (IOException e) {
assertEquals(TlsCertificateSigningRequestPerformer.UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE, e.getMessage());
}
}
Also used :
TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse)
IOException(java.io.IOException)
Test(org.junit.Test)
Example 4 with TlsCertificateAuthorityResponse
use of org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse in project nifi by apache.
the class TlsCertificateSigningRequestPerformerTest method testBadStatusCode.
@Test
public void testBadStatusCode() throws Exception {
statusCode = Response.SC_FORBIDDEN;
tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse();
try {
tlsCertificateSigningRequestPerformer.perform(keyPair);
fail("Expected IOE");
} catch (IOException e) {
assertTrue(e.getMessage().startsWith(TlsCertificateSigningRequestPerformer.RECEIVED_RESPONSE_CODE + statusCode));
}
}
Also used :
TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse)
IOException(java.io.IOException)
Test(org.junit.Test)
Example 5 with TlsCertificateAuthorityResponse
use of org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse in project nifi by apache.
the class TlsCertificateSigningRequestPerformerTest method test0CertSize.
@Test
public void test0CertSize() throws Exception {
statusCode = Response.SC_OK;
tlsCertificateAuthorityResponse = new TlsCertificateAuthorityResponse();
try {
tlsCertificateSigningRequestPerformer.perform(keyPair);
fail("Expected IOE");
} catch (IOException e) {
assertEquals(TlsCertificateSigningRequestPerformer.EXPECTED_ONE_CERTIFICATE, e.getMessage());
}
}
Also used :
TlsCertificateAuthorityResponse(org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse)
IOException(java.io.IOException)
Test(org.junit.Test)
Aggregations
TlsCertificateAuthorityResponse (org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse)9
IOException (java.io.IOException)8
Test (org.junit.Test)7
X509Certificate (java.security.cert.X509Certificate)2
TlsCertificateAuthorityRequest (org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityRequest)2
JcaPKCS10CertificationRequest (org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest)2
StringReader (java.io.StringReader)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
ArrayList (java.util.ArrayList)1
ServletException (javax.servlet.ServletException)1
BoundedInputStream (org.apache.commons.io.input.BoundedInputStream)1
BoundedReader (org.apache.commons.io.input.BoundedReader)1
HttpHost (org.apache.http.HttpHost)1
CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)1
HttpPost (org.apache.http.client.methods.HttpPost)1
TrustSelfSignedStrategy (org.apache.http.conn.ssl.TrustSelfSignedStrategy)1
ByteArrayEntity (org.apache.http.entity.ByteArrayEntity)1
CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient)1
HttpClientBuilder (org.apache.http.impl.client.HttpClientBuilder)1
SSLContextBuilder (org.apache.http.ssl.SSLContextBuilder)1
