This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit c76191fa4b80309ea239aa30d63951188b7fef76
Author: exceptionfactory <exceptionfact...@apache.org>
AuthorDate: Fri Sep 29 16:13:02 2023 -0500

    NIFI-12152 This closes #7818. Refactored addProvider() Bouncy Castle 
references
    
    - Removed Security.addProvider() references from several tests
    - Refactored KeyStoreUtils to use instance of BouncyCastleProvider instead 
of BC provider name string
    - Refactored MiNiFi references to pass BouncyCastleProvider for BCFKS
    
    Signed-off-by: Joseph Witt <joew...@apache.org>
---
 .../ingestors/RestChangeIngestor.java              | 36 +++++++++-----
 .../apache/nifi/minifi/c2/jetty/JettyServer.java   | 35 ++++++++-----
 .../nifi/security/ssl/StandardKeyStoreBuilder.java |  9 ++--
 .../apache/nifi/security/util/KeyStoreUtils.java   | 57 +++++-----------------
 .../x509/ocsp/OcspCertificateValidatorTest.java    | 23 ++-------
 .../nifi/processors/snowflake/SnowflakePipeIT.java |  8 ---
 .../standard/CryptographicHashContentTest.java     |  8 ---
 .../properties/NiFiRegistryPropertiesLoader.java   |  3 --
 .../nifi/registry/security/util/KeyStoreUtils.java | 44 ++---------------
 .../registry/security/util/KeyStoreUtilsTest.java  | 14 ------
 .../nifi/properties/ConfigEncryptionTool.groovy    |  4 --
 .../toolkit/encryptconfig/EncryptConfigMain.groovy |  5 --
 .../nifi/toolkit/tls/util/TlsHelperTest.java       | 21 +-------
 13 files changed, 73 insertions(+), 194 deletions(-)

diff --git 
a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
 
b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
index a33520e318..b2b648ca2e 100644
--- 
a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
+++ 
b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
@@ -31,7 +31,6 @@ import java.io.UncheckedIOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
 import java.security.KeyStore;
-import java.security.Security;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Properties;
@@ -48,6 +47,7 @@ import 
org.apache.nifi.minifi.bootstrap.configuration.differentiators.WholeConfi
 import 
org.apache.nifi.minifi.bootstrap.configuration.ingestors.interfaces.ChangeIngestor;
 import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
 import org.apache.nifi.security.ssl.StandardSslContextBuilder;
+import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.TlsPlatform;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.eclipse.jetty.server.Request;
@@ -62,10 +62,6 @@ import org.slf4j.LoggerFactory;
 
 public class RestChangeIngestor implements ChangeIngestor {
 
-    static {
-        Security.addProvider(new BouncyCastleProvider());
-    }
-
     public static final String GET_TEXT = "This is a config change listener 
for an Apache NiFi - MiNiFi instance.\n" +
         "Use this rest server to upload a flow.json to configure the MiNiFi 
instance.\n" +
         "Send a POST http request to '/' to upload the file.";
@@ -86,6 +82,8 @@ public class RestChangeIngestor implements ChangeIngestor {
 
     private final static Logger logger = 
LoggerFactory.getLogger(RestChangeIngestor.class);
 
+    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new 
BouncyCastleProvider();
+
     private static final Map<String, Supplier<Differentiator<ByteBuffer>>> 
DIFFERENTIATOR_CONSTRUCTOR_MAP = Map.of(
         WHOLE_CONFIG_KEY, 
WholeConfigDifferentiator::getByteBufferDifferentiator
     );
@@ -174,22 +172,34 @@ public class RestChangeIngestor implements ChangeIngestor 
{
         KeyStore trustStore = null;
 
         try (FileInputStream keyStoreStream = new 
FileInputStream(properties.getProperty(KEYSTORE_LOCATION_KEY))) {
-            keyStore = new StandardKeyStoreBuilder()
-                .type(properties.getProperty(KEYSTORE_TYPE_KEY))
+            final String keyStoreType = 
properties.getProperty(KEYSTORE_TYPE_KEY);
+            final StandardKeyStoreBuilder builder = new 
StandardKeyStoreBuilder()
+                .type(keyStoreType)
                 .inputStream(keyStoreStream)
-                
.password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray())
-                .build();
+                
.password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray());
+
+            if (KeystoreType.BCFKS.getType().equals(keyStoreType)) {
+                builder.provider(BOUNCY_CASTLE_PROVIDER);
+            }
+
+            keyStore = builder.build();
         } catch (IOException ioe) {
             throw new UncheckedIOException("Key Store loading failed", ioe);
         }
 
         if (properties.getProperty(TRUSTSTORE_LOCATION_KEY) != null) {
+            final String trustStoreType = 
properties.getProperty(TRUSTSTORE_TYPE_KEY);
             try (FileInputStream trustStoreStream = new 
FileInputStream(properties.getProperty(TRUSTSTORE_LOCATION_KEY))) {
-                trustStore = new StandardKeyStoreBuilder()
-                    .type(properties.getProperty(TRUSTSTORE_TYPE_KEY))
+                final StandardKeyStoreBuilder builder = new 
StandardKeyStoreBuilder()
+                    .type(trustStoreType)
                     .inputStream(trustStoreStream)
-                    
.password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray())
-                    .build();
+                    
.password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray());
+
+                if (KeystoreType.BCFKS.getType().equals(trustStoreType)) {
+                    builder.provider(BOUNCY_CASTLE_PROVIDER);
+                }
+
+                trustStore = builder.build();
             } catch (IOException ioe) {
                 throw new UncheckedIOException("Trust Store loading failed", 
ioe);
             }
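Review bot: The new `KeystoreType.BCFKS.getType().equals(keyStoreType)` check is an exact, case-sensitive match, so a configured type such as `bcfks` skips `builder.provider(BOUNCY_CASTLE_PROVIDER)`. Since the static `Security.addProvider(new BouncyCastleProvider())` is removed from this class, the build would then depend on some other code having registered the provider. The lookup removed from KeyStoreUtils in this commit upper-cased the type first, which suggests mixed-case values were tolerated. I would use `KeystoreType.BCFKS.getType().equalsIgnoreCase(keyStoreType)` for both the key store and the trust store here. The same comparison appears in both JettyServer hunks and in both `KeyStoreUtils.getKeyStore` methods. The enclosing method starts and ends outside this hunk.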
diff --git 
a/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
 
b/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
index 3f7d5f559e..5769c605f9 100644
--- 
a/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
+++ 
b/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
@@ -33,7 +33,6 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyStore;
-import java.security.Security;
 import java.util.stream.Stream;
 import javax.net.ssl.SSLContext;
 import 
org.apache.nifi.jetty.configuration.connector.StandardServerConnectorFactory;
@@ -56,9 +55,8 @@ public class JettyServer {
     private static final String C2_SERVER_HOME = 
System.getenv("C2_SERVER_HOME");
     private static final String WEB_DEFAULTS_XML = "webdefault.xml";
 
-    static {
-        Security.addProvider(new BouncyCastleProvider());
-    }
+    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new 
BouncyCastleProvider();
+    private static final String BCFKS = "BCFKS";
 
     public static void main(String[] args) throws Exception {
         C2Properties properties = C2Properties.getInstance();
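Review bot: The `BCFKS` string constant added here repeats the type name that RestChangeIngestor takes from `KeystoreType.BCFKS.getType()` in this same commit, so the two MiNiFi entry points can drift apart. If this module can depend on the class that declares `KeystoreType`, reuse it. Otherwise add a comment above the two fields, for example `// BCFKS requires Bouncy Castle; the provider is passed per Key Store instead of being registered JVM-wide`. That records why the provider is held as an instance and not added with `Security.addProvider()`.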
@@ -116,11 +114,17 @@ public class JettyServer {
         File keyStoreFile = 
Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toFile();
         logger.debug("Loading Key Store [{}]", keyStoreFile.getPath());
         try (FileInputStream keyStoreStream = new 
FileInputStream(keyStoreFile)) {
-            keyStore = new StandardKeyStoreBuilder()
-                .type(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE))
+            final String keyStoreType = 
properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE);
+            final StandardKeyStoreBuilder builder = new 
StandardKeyStoreBuilder()
+                .type(keyStoreType)
                 .inputStream(keyStoreStream)
-                
.password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray())
-                .build();
+                
.password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray());
+
+            if (BCFKS.equals(keyStoreType)) {
+                builder.provider(BOUNCY_CASTLE_PROVIDER);
+            }
+
+            keyStore = builder.build();
         } catch (IOException ioe) {
             throw new UncheckedIOException("Key Store loading failed", ioe);
         }
@@ -128,11 +132,18 @@ public class JettyServer {
         File trustStoreFile = 
Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toFile();
         logger.debug("Loading Trust Store [{}]", trustStoreFile.getPath());
         try (FileInputStream trustStoreStream = new 
FileInputStream(trustStoreFile)) {
-            truststore = new StandardKeyStoreBuilder()
-                .type(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE))
+            final String trustStoreType = 
properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE);
+
+            final StandardKeyStoreBuilder builder = new 
StandardKeyStoreBuilder()
+                .type(trustStoreType)
                 .inputStream(trustStoreStream)
-                
.password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray())
-                .build();
+                
.password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray());
+
+            if (BCFKS.equals(trustStoreType)) {
+                builder.provider(BOUNCY_CASTLE_PROVIDER);
+            }
+
+            truststore = builder.build();
         } catch (IOException ioe) {
             throw new UncheckedIOException("Trust Store loading failed", ioe);
         }
diff --git 
a/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
 
b/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
index 2f5271bd51..aef8ea3626 100644
--- 
a/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
+++ 
b/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
@@ -21,7 +21,7 @@ import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
+import java.security.Provider;
 import java.security.cert.CertificateException;
 import java.util.Objects;
 
@@ -29,7 +29,7 @@ import java.util.Objects;
  * Standard implementation of Key Store Builder
  */
 public class StandardKeyStoreBuilder implements KeyStoreBuilder {
-    private String provider;
+    private Provider provider;
 
     private String type = KeyStore.getDefaultType();
 
@@ -65,7 +65,7 @@ public class StandardKeyStoreBuilder implements 
KeyStoreBuilder {
      * @param provider Key Store Provider
      * @return Builder
      */
-    public StandardKeyStoreBuilder provider(final String provider) {
+    public StandardKeyStoreBuilder provider(final Provider provider) {
         this.provider = Objects.requireNonNull(provider, "Key Store Provider 
required");
         return this;
     }
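Review bot: The Javadoc for `provider(final Provider provider)` still reads only `@param provider Key Store Provider`, although the argument changed from a registered provider name to a provider instance. Callers should be told that the instance does not have to be registered with `java.security.Security`. I would write `@param provider Key Store Provider instance used for this builder only; registration with java.security.Security is not required`. This assumes `build()` hands the instance to `KeyStore.getInstance`, which is outside this hunk but is consistent with the `NoSuchProviderException` catch being dropped further down.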
@@ -109,9 +109,6 @@ public class StandardKeyStoreBuilder implements 
KeyStoreBuilder {
         } catch (final KeyStoreException e) {
             final String message = String.format("Key Store Type [%s] creation 
failed", type);
             throw new BuilderConfigurationException(message, e);
-        } catch (final NoSuchProviderException e) {
-            final String message = String.format("Key Store Type [%s] Provider 
[%s] creation failed", type, provider);
-            throw new BuilderConfigurationException(message, e);
         }
     }
 }
diff --git 
a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
 
b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
index 1a7b60d01d..4b541c0ce6 100644
--- 
a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
+++ 
b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
@@ -32,9 +32,7 @@ import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
-import java.security.Security;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -60,8 +58,8 @@ import org.slf4j.LoggerFactory;
 public class KeyStoreUtils {
     private static final Logger logger = 
LoggerFactory.getLogger(KeyStoreUtils.class);
 
-    public static final String SUN_PROVIDER_NAME = "SUN";
-    public static final String SUN_JSSE_PROVIDER_NAME = "SunJSSE";
+    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new 
BouncyCastleProvider();
+
     private static final String JKS_EXT = ".jks";
     private static final String PKCS12_EXT = ".p12";
     private static final String BCFKS_EXT = ".bcfks";
@@ -76,20 +74,7 @@ public class KeyStoreUtils {
     private static final String KEYSTORE_ERROR_MSG = "There was an error 
creating a Keystore.";
     private static final String TRUSTSTORE_ERROR_MSG = "There was an error 
creating a Truststore.";
 
-    private static final Map<String, String> KEY_STORE_TYPE_PROVIDERS = new 
HashMap<>();
     private static final Map<KeystoreType, String> KEY_STORE_EXTENSIONS = new 
HashMap<>();
-    private static final Map<KeystoreType, String> SECRET_KEY_STORE_PROVIDERS 
= new HashMap<>();
-
-    static {
-        Security.addProvider(new BouncyCastleProvider());
-
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), 
BouncyCastleProvider.PROVIDER_NAME);
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), 
SUN_JSSE_PROVIDER_NAME);
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), 
SUN_PROVIDER_NAME);
-
-        SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, 
BouncyCastleProvider.PROVIDER_NAME);
-        SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.PKCS12, 
SUN_JSSE_PROVIDER_NAME);
-    }
 
     static {
         KEY_STORE_EXTENSIONS.put(KeystoreType.JKS, JKS_EXT);
@@ -97,17 +82,6 @@ public class KeyStoreUtils {
         KEY_STORE_EXTENSIONS.put(KeystoreType.BCFKS, BCFKS_EXT);
     }
 
-    /**
-     * Returns the provider that will be used for the given keyStoreType
-     *
-     * @param keyStoreType the keyStoreType
-     * @return Key Store Provider Name or null when not found
-     */
-    public static String getKeyStoreProvider(final String keyStoreType) {
-        final String storeType = StringUtils.upperCase(keyStoreType);
-        return KEY_STORE_TYPE_PROVIDERS.get(storeType);
-    }
-
     /**
      * Returns an empty KeyStore backed by the appropriate provider
      *
@@ -116,15 +90,11 @@ public class KeyStoreUtils {
      * @throws KeyStoreException if a KeyStore of the given type cannot be 
instantiated
      */
     public static KeyStore getKeyStore(final String keyStoreType) throws 
KeyStoreException {
-        final String keyStoreProvider = getKeyStoreProvider(keyStoreType);
-        if (StringUtils.isNotEmpty(keyStoreProvider)) {
-            try {
-                return KeyStore.getInstance(keyStoreType, keyStoreProvider);
-            } catch (final Exception e) {
-                logger.error("KeyStore Type [{}] Provider [{}] instance 
creation failed", keyStoreType, keyStoreProvider, e);
-            }
+        if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
+            return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
+        } else {
+            return KeyStore.getInstance(keyStoreType);
         }
-        return KeyStore.getInstance(keyStoreType);
     }
 
     /**
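Review bot: `getKeyStore` compares against `KeystoreType.BCFKS.toString()`, while `getSecretKeyStore` below and RestChangeIngestor use `KeystoreType.BCFKS.getType()` for the same purpose. Whether the two strings are always equal depends on the enum definition, which is not visible in this diff. Using `getType()` here as well keeps one source of truth for the JCA type name: `if (KeystoreType.BCFKS.getType().equals(keyStoreType)) {`.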
@@ -136,15 +106,14 @@ public class KeyStoreUtils {
      */
     public static KeyStore getSecretKeyStore(final String keystoreTypeName) 
throws KeyStoreException {
         final KeystoreType keystoreType = getKeystoreType(keystoreTypeName);
-        final String provider = SECRET_KEY_STORE_PROVIDERS.get(keystoreType);
-        if (provider == null) {
+
+        if (KeystoreType.BCFKS == keystoreType) {
+            return KeyStore.getInstance(keystoreType.getType(), 
BOUNCY_CASTLE_PROVIDER);
+        } else if (KeystoreType.PKCS12 == keystoreType) {
+            return KeyStore.getInstance(keystoreType.getType());
+        } else {
             throw new KeyStoreException(String.format("Keystore Type [%s] does 
not support Secret Keys", keystoreType.getType()));
         }
-        try {
-            return KeyStore.getInstance(keystoreType.getType(), provider);
-        } catch (final NoSuchProviderException e) {
-            throw new KeyStoreException(String.format("KeyStore Type [%s] 
Provider [%s] not found", keystoreType.getType(), provider), e);
-        }
     }
 
     /**
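Review bot: The set of Key Store types that support Secret Keys is now spelled out twice, in the `if`/`else if` chain of `getSecretKeyStore` and again in `isSecretKeyEntrySupported`, where the removed `SECRET_KEY_STORE_PROVIDERS` map served both. Starting this method with a guard such as `if (!isSecretKeyEntrySupported(keystoreType)) { throw new KeyStoreException(...); }` would keep the two from diverging. Separately, PKCS12 was previously pinned to `SunJSSE` and now resolves through the JVM provider order. A one-line comment such as `// PKCS12 uses the default JVM provider` would make that choice explicit to anyone auditing which implementation holds the secret keys.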
@@ -493,7 +462,7 @@ public class KeyStoreUtils {
      * @return Secret Key Entry supported status
      */
     public static boolean isSecretKeyEntrySupported(final KeystoreType 
keystoreType) {
-        return SECRET_KEY_STORE_PROVIDERS.containsKey(keystoreType);
+        return KeystoreType.BCFKS == keystoreType || KeystoreType.PKCS12 == 
keystoreType;
     }
 
     /**
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
index 09e57e5763..215e5c1c1f 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
@@ -23,7 +23,6 @@ import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.Security;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -39,18 +38,15 @@ import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class OcspCertificateValidatorTest {
     private static final Logger logger = 
LoggerFactory.getLogger(OcspCertificateValidatorTest.class);
@@ -60,12 +56,6 @@ public class OcspCertificateValidatorTest {
     private static final long YESTERDAY = System.currentTimeMillis() - 24 * 60 
* 60 * 1000;
     private static final long ONE_YEAR_FROM_NOW = System.currentTimeMillis() + 
365L * 24 * 60 * 60 * 1000;
     private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
-    private static final String PROVIDER = "BC";
-
-    @BeforeAll
-    public static void setUpOnce() {
-        Security.addProvider(new BouncyCastleProvider());
-    }
 
     /**
      * Generates a public/private RSA keypair using the default key size.
@@ -108,7 +98,7 @@ public class OcspCertificateValidatorTest {
     private static X509Certificate generateCertificate(String dn, KeyPair 
keyPair) throws IOException, CertificateException,
             OperatorCreationException {
         PrivateKey privateKey = keyPair.getPrivate();
-        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
+        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(privateKey);
         SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
         Date startDate = new Date(YESTERDAY);
         Date endDate = new Date(ONE_YEAR_FROM_NOW);
@@ -133,8 +123,7 @@ public class OcspCertificateValidatorTest {
 
         // Sign the certificate
         X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
-        return new JcaX509CertificateConverter().setProvider(PROVIDER)
-                .getCertificate(certificateHolder);
+        return new 
JcaX509CertificateConverter().getCertificate(certificateHolder);
     }
 
     /**
@@ -167,7 +156,7 @@ public class OcspCertificateValidatorTest {
      */
     private static X509Certificate generateIssuedCertificate(String dn, 
PublicKey publicKey, String issuerDn, PrivateKey issuerKey) throws
             CertificateException, OperatorCreationException {
-        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(issuerKey);
+        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(issuerKey);
         SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
         Date startDate = new Date(YESTERDAY);
         Date endDate = new Date(ONE_YEAR_FROM_NOW);
@@ -180,8 +169,7 @@ public class OcspCertificateValidatorTest {
                 subPubKeyInfo);
 
         X509CertificateHolder certificateHolder = v3CertGen.build(sigGen);
-        return new JcaX509CertificateConverter().setProvider(PROVIDER)
-                .getCertificate(certificateHolder);
+        return new 
JcaX509CertificateConverter().getCertificate(certificateHolder);
     }
 
     @Test
@@ -237,7 +225,6 @@ public class OcspCertificateValidatorTest {
         assertEquals(issuerDn, certificate.getIssuerX500Principal().getName());
         certificate.verify(issuerCertificate.getPublicKey());
 
-        SignatureException se = assertThrows(SignatureException.class, () -> 
certificate.verify(certificate.getPublicKey()));
-        assertTrue(se.getMessage().contains("certificate does not verify with 
supplied key"));
+        assertThrows(SignatureException.class, () -> 
certificate.verify(certificate.getPublicKey()));
     }
 }
\ No newline at end of file
diff --git 
a/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
 
b/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
index 225e46fa3f..ce602d6990 100644
--- 
a/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
+++ 
b/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
@@ -17,7 +17,6 @@
 
 package org.apache.nifi.processors.snowflake;
 
-import java.security.Security;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -29,17 +28,10 @@ import 
org.apache.nifi.processors.snowflake.util.SnowflakeAttributes;
 import org.apache.nifi.processors.snowflake.util.SnowflakeInternalStageType;
 import org.apache.nifi.util.TestRunner;
 import org.apache.nifi.util.TestRunners;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
 class SnowflakePipeIT implements SnowflakeConfigAware {
 
-    @BeforeAll
-    static void setUpOnce() {
-        Security.addProvider(new BouncyCastleProvider());
-    }
-
     @Test
     void shouldPutIntoInternalStage() throws Exception {
         final PutSnowflakeInternalStage processor = new 
PutSnowflakeInternalStage();
diff --git 
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
 
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
index 5573c79372..dce05cad1c 100644
--- 
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
+++ 
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
@@ -22,15 +22,12 @@ import org.apache.nifi.security.util.crypto.HashService;
 import org.apache.nifi.util.MockFlowFile;
 import org.apache.nifi.util.TestRunner;
 import org.apache.nifi.util.TestRunners;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.security.Security;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -41,11 +38,6 @@ import static 
org.junit.jupiter.api.Assertions.assertNotEquals;
 public class CryptographicHashContentTest {
     private TestRunner runner;
 
-    @BeforeAll
-    static void setUpOnce() {
-        Security.addProvider(new BouncyCastleProvider());
-    }
-
     @BeforeEach
     void setupRunner() {
         runner = TestRunners.newTestRunner(new CryptographicHashContent());
diff --git 
a/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
 
b/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
index c5f5a750c2..1fdaf9862e 100644
--- 
a/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
+++ 
b/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
@@ -21,14 +21,12 @@ import org.apache.nifi.properties.SensitivePropertyProvider;
 import org.apache.nifi.properties.SensitivePropertyProviderFactory;
 import org.apache.nifi.properties.StandardSensitivePropertyProviderFactory;
 import org.apache.nifi.registry.properties.util.NiFiRegistryBootstrapUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
-import java.security.Security;
 import java.util.Properties;
 
 public class NiFiRegistryPropertiesLoader {
@@ -125,7 +123,6 @@ public class NiFiRegistryPropertiesLoader {
     public NiFiRegistryProperties load(final File file) {
         final ProtectedNiFiRegistryProperties protectedNiFiProperties = 
readProtectedPropertiesFromDisk(file);
         if (protectedNiFiProperties.hasProtectedKeys()) {
-            Security.addProvider(new BouncyCastleProvider());
             getSensitivePropertyProviderFactory()
                     .getSupportedProviders()
                     
.forEach(protectedNiFiProperties::addSensitivePropertyProvider);
diff --git 
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
 
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
index 952419d183..26e2af9622 100644
--- 
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
+++ 
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
@@ -17,42 +17,13 @@
 
 package org.apache.nifi.registry.security.util;
 
-import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import java.security.KeyStore;
 import java.security.KeyStoreException;
-import java.security.Security;
-import java.util.HashMap;
-import java.util.Map;
 
 public class KeyStoreUtils {
-    private static final Logger logger = 
LoggerFactory.getLogger(KeyStoreUtils.class);
-
-    private static final String SUN_SECURITY_PROVIDER = "SUN";
-
-    private static final Map<String, String> KEY_STORE_TYPE_PROVIDERS = new 
HashMap<>();
-
-    static {
-        Security.addProvider(new BouncyCastleProvider());
-
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.toString(), 
SUN_SECURITY_PROVIDER);
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.toString(), 
BouncyCastleProvider.PROVIDER_NAME);
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.toString(), 
BouncyCastleProvider.PROVIDER_NAME);
-    }
-
-    /**
-     * Returns the provider that will be used for the given keyStoreType
-     *
-     * @param keyStoreType the keyStoreType
-     * @return the provider that will be used
-     */
-    public static String getKeyStoreProvider(final String keyStoreType) {
-        final String storeType = StringUtils.upperCase(keyStoreType);
-        return KEY_STORE_TYPE_PROVIDERS.get(storeType);
-    }
+    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new 
BouncyCastleProvider();
 
     /**
      * Returns an empty KeyStore backed by the appropriate provider
@@ -62,15 +33,10 @@ public class KeyStoreUtils {
      * @throws KeyStoreException if a KeyStore of the given type cannot be 
instantiated
      */
     public static KeyStore getKeyStore(final String keyStoreType) throws 
KeyStoreException {
-        final String keyStoreProvider = getKeyStoreProvider(keyStoreType);
-        if (StringUtils.isNotEmpty(keyStoreProvider)) {
-            try {
-                return KeyStore.getInstance(keyStoreType, keyStoreProvider);
-            } catch (Exception e) {
-                logger.error("Unable to load " + keyStoreProvider + " " + 
keyStoreType
-                        + " keystore.  This may cause issues getting trusted 
CA certificates as well as Certificate Chains for use in TLS.", e);
-            }
+        if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
+            return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
+        } else {
+            return KeyStore.getInstance(keyStoreType);
         }
-        return KeyStore.getInstance(keyStoreType);
     }
 }
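Review bot: In this Registry copy the removed map bound PKCS12 to `BouncyCastleProvider.PROVIDER_NAME`, so after this change `KeyStore.getInstance(keyStoreType)` resolves PKCS12 through whichever provider the JVM lists first and no longer through Bouncy Castle. Existing `.p12` stores written by the Bouncy Castle implementation will presumably still load, but that is not demonstrated here, and the remaining test only asserts `keyStore.getType()`. I would add a comment on the `else` branch, `// JKS and PKCS12 use the default JVM provider; only BCFKS requires Bouncy Castle`, and a test that loads an existing PKCS12 file to confirm compatibility.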
diff --git 
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
 
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
index a6178bbcd8..2e81a15084 100644
--- 
a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
+++ 
b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
@@ -16,7 +16,6 @@
  */
 package org.apache.nifi.registry.security.util;
 
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.jupiter.api.Test;
 
 import java.security.KeyStore;
@@ -24,7 +23,6 @@ import java.security.KeyStoreException;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
 
 public class KeyStoreUtilsTest {
 
@@ -36,16 +34,4 @@ public class KeyStoreUtilsTest {
             assertEquals(keystoreType.name(), keyStore.getType());
         }
     }
-
-    @Test
-    public void testGetKeyStoreProviderNullType() {
-        final String keyStoreProvider = 
KeyStoreUtils.getKeyStoreProvider(null);
-        assertNull(keyStoreProvider);
-    }
-
-    @Test
-    public void testGetKeyStoreProviderBouncyCastleProvider() {
-        final String keyStoreProvider = 
KeyStoreUtils.getKeyStoreProvider(KeystoreType.PKCS12.name());
-        assertEquals(BouncyCastleProvider.PROVIDER_NAME, keyStoreProvider);
-    }
 }
diff --git 
a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
 
b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
index b11df35c63..cbfe5b920a 100644
--- 
a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
+++ 
b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
@@ -43,7 +43,6 @@ import org.apache.nifi.util.NiFiProperties
 import org.apache.nifi.util.console.TextDevice
 import org.apache.nifi.util.console.TextDevices
 import org.bouncycastle.crypto.generators.SCrypt
-import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.xml.sax.SAXException
@@ -56,7 +55,6 @@ import java.nio.file.Path
 import java.nio.file.Paths
 import java.nio.file.StandardCopyOption
 import java.security.KeyException
-import java.security.Security
 import java.util.function.Supplier
 import java.util.regex.Matcher
 import java.util.zip.GZIPInputStream
@@ -1348,8 +1346,6 @@ class ConfigEncryptionTool {
      * @param args the command-line arguments
      */
     static void main(String[] args) {
-        Security.addProvider(new BouncyCastleProvider())
-
         ConfigEncryptionTool tool = new ConfigEncryptionTool()
 
         try {
diff --git 
a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
 
b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
index e6ce68e3cc..4d38d00d28 100644
--- 
a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
+++ 
b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
@@ -19,12 +19,9 @@ package org.apache.nifi.toolkit.encryptconfig
 import org.apache.commons.cli.HelpFormatter
 import org.apache.commons.cli.Options
 import org.apache.nifi.properties.ConfigEncryptionTool
-import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 
-import java.security.Security
-
 class EncryptConfigMain {
 
     private static final Logger logger = 
LoggerFactory.getLogger(EncryptConfigMain.class)
@@ -90,8 +87,6 @@ class EncryptConfigMain {
     }
 
     static void main(String[] args) {
-        Security.addProvider(new BouncyCastleProvider())
-
         if (args.length < 1) {
             printUsageAndExit(EXIT_STATUS_FAILURE)
         }
diff --git 
a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
 
b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
index 738cefbd0e..285f7775e0 100644
--- 
a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
+++ 
b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
@@ -28,10 +28,8 @@ import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
 import org.bouncycastle.util.IPAddress;
 import org.junit.jupiter.api.BeforeAll;
@@ -59,7 +57,6 @@ import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.Security;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -89,25 +86,11 @@ public class TlsHelperTest {
     private int keySize;
     private String keyPairAlgorithm;
 
-    public static KeyPair loadKeyPair(final Reader reader) throws IOException {
-        try (PEMParser pemParser = new PEMParser(reader)) {
-            Object object = pemParser.readObject();
-            assertEquals(PEMKeyPair.class, object.getClass());
-            return new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) object);
-        }
-    }
-
-    public static KeyPair loadKeyPair(File file) throws IOException {
-        try (final FileReader fileReader = new FileReader(file)) {
-            return loadKeyPair(fileReader);
-        }
-    }
-
     public static X509Certificate loadCertificate(final Reader reader) throws 
IOException, CertificateException {
         try (PEMParser pemParser = new PEMParser(reader)) {
             Object object = pemParser.readObject();
             assertEquals(X509CertificateHolder.class, object.getClass());
-            return new 
JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate((X509CertificateHolder)
 object);
+            return new 
JcaX509CertificateConverter().getCertificate((X509CertificateHolder) object);
         }
     }
 
@@ -310,8 +293,6 @@ public class TlsHelperTest {
 
     @Test
     public void testOutputToFileTwoCertsAsPem(@TempDir final File folder) 
throws IOException, CertificateException, NoSuchAlgorithmException, 
KeyStoreException {
-        Security.addProvider(new 
org.bouncycastle.jce.provider.BouncyCastleProvider());
-
         KeyStore keyStore = setupKeystore();
         HashMap<String, Certificate> certs = TlsHelper.extractCerts(keyStore);
         TlsHelper.outputCertsAsPem(certs, folder,".crt");

