[
https://issues.apache.org/jira/browse/NIFI-1478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15238270#comment-15238270
]
ASF GitHub Bot commented on NIFI-1478:
--------------------------------------
GitHub user alopresto opened a pull request:
https://github.com/apache/nifi/pull/346
Nifi 1753 Removed legacy X.509 certificate implementation references
Various logic throughout the application referenced
`javax.security.cert.X509Certificate` which is a deprecated class and exists
only for legacy compatibility with older JSSE implementations. As of Java SE 6,
new development should use `java.security.cert.X509Certificate`. Most
references to the legacy classes were in similar logic blocks to retrieve the
distinguished name (DN) from the client certificate chain presented during TLS
mutual authentication.
I refactored this logic into a common utility method to deduplicate and
provided utility methods for converting legacy `X509Certificate`s and the
abstract `java.security.cert.Certificate` returned by the replacement method
(`javax.net.ssl.SSLSession#getPeerCertificateChain()` is succeeded by
`javax.net.ssl.SSLSession#getPeerCertificates()`) to the correct version of
`X509Certificate`.
The module `nifi-security-utils` was added as a dependency to `nifi-utils`
but contains only two utility classes with static helper methods and four
enums. This change may be reverted/expanded as part of the larger-scale work on
NIFI-1478, NIFI-1480, etc., but that is 1.0.0 refactor work, while this was a
surgical fix for both 0.7.0 and 1.0.0.
This will be rebased & squashed before merging.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/alopresto/nifi NIFI-1753
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/346.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #346
----
commit e2d1c359bb94148679a057b5521b3fb17f6a936a
Author: Andy LoPresto <alopre...@apache.org>
Date: 2016-04-12T03:11:45Z
NIFI-1753 Added convenience methods for converting legacy X.509
certificates and abstract certificates to correct X.509 format.
Added unit tests for certificate manipulation.
Replaced logic retrieving legacy X.509 certificates with new logic in
NodeProtocolSenderImpl.
Added bcpkix (Bouncy Castle PKI implementation) dependency to
nifi-standard-processors pom.
commit b9868ef297228ef7398a30fbddb915abef98eda6
Author: Andy LoPresto <alopre...@apache.org>
Date: 2016-04-12T03:36:38Z
NIFI-1753 Added convenience method for extracting DN from peer certificate
chain in SSL socket (canonical implementation to reduce code duplication and
references to legacy certificate implementations).
Refactored logic retrieving legacy X.509 certificates with reference to
convenience method in NodeProtocolSenderImpl.
Replaced logic retrieving legacy X.509 certificates with reference to
convenience method in SocketProtocolListener.
Cleaned up exception handling in SocketProtocolListener.
Replaced legacy X.509 certificate declarations with new declarations in
HandleHttpRequest (needs manual test).
commit 64208973bf9046d447230c8f096dde09d47d01bd
Author: Andy LoPresto <alopre...@apache.org>
Date: 2016-04-12T03:46:33Z
NIFI-1753 Replaced legacy X.509 certificate declarations with new
declarations in PostHTTP.
commit cd35f9b36d1e373b99490a6f6df735cd16175383
Author: Andy LoPresto <alopre...@apache.org>
Date: 2016-04-12T04:16:57Z
NIFI-1753 Replaced legacy X.509 certificate declarations with new
declarations in SSLSocketChannel and EndpointConnectionPool.
Temporary work-around of duplicate certificate conversion util method
because nifi-utils cannot depend on nifi-security-utils.
commit 965b766f2a0be9f703d10e231ca595464bc57f07
Author: Andy LoPresto <alopre...@apache.org>
Date: 2016-04-12T22:19:14Z
NIFI-1753 Removed temporary work-around of duplicate certificate conversion
util method and added nifi-security-utils as dependency of nifi-utils.
commit 613fe0b62e56898ebe99fed50a25f3aa515d727a
Author: Andy LoPresto <alopre...@apache.org>
Date: 2016-04-12T22:20:22Z
NIFI-1753 Fixed nifi-utils pom.xml comment about additional dependencies.
----
> Audit SSLContextFactory and SSLSocketFactory usage throughout application
> -------------------------------------------------------------------------
>
> Key: NIFI-1478
> URL: https://issues.apache.org/jira/browse/NIFI-1478
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 0.5.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: certificate, security, tls
> Original Estimate: 336h
> Remaining Estimate: 336h
>
> The internal use of {{SSLSocketFactory}} and {{SSLContextFactory}} is
> inconsistent, as the application has grown around the concept of secure
> communications. NiFi can act as both a server and as a client for
> communications, and the default configuration should make it easy for new
> users to quickly secure the application for incoming and outgoing
> connections.
> In addition, {{SSLSocketFactory}} has some inconsistencies and idiosyncrasies
> which may confuse users [1].
> [1] http://stackoverflow.com/a/23365536/70465
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
