[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398316#comment-15398316
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r72713766
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityServiceHandler.java
---
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.input.BoundedReader;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+
+/**
+ * Jetty service handler that validates the hmac of a CSR and issues a
certificate if it checks out
+ */
+public class TlsCertificateAuthorityServiceHandler extends AbstractHandler
{
+ public static final String CSR_FIELD_MUST_BE_SET = "csr field must be
set";
+ public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must
be set";
+ public static final String FORBIDDEN = "forbidden";
+ private final TlsHelper tlsHelper;
+ private final String token;
+ private final X509Certificate caCert;
+ private final KeyPair keyPair;
+ private final ObjectMapper objectMapper;
+
+ public TlsCertificateAuthorityServiceHandler(TlsHelper tlsHelper,
String token, X509Certificate caCert, KeyPair keyPair, ObjectMapper
objectMapper) {
+ this.tlsHelper = tlsHelper;
+ this.token = token;
+ this.caCert = caCert;
+ this.keyPair = keyPair;
+ this.objectMapper = objectMapper;
+ }
+
+ @Override
+ public void handle(String target, Request baseRequest,
HttpServletRequest request, HttpServletResponse response) throws IOException,
ServletException {
+ try {
+ TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest
= objectMapper.readValue(new BoundedReader(request.getReader(), 1024 * 1024),
TlsCertificateAuthorityRequest.class);
+
+ if (!tlsCertificateAuthorityRequest.hasCsr()) {
+ writeResponse(objectMapper, response, new
TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET),
Response.SC_BAD_REQUEST);
+ return;
+ }
+
+ if (!tlsCertificateAuthorityRequest.hasHmac()) {
--- End diff --
I think we should move the HMAC presence & validation to be the first steps
in the logic here.
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
