[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398692#comment-15398692
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r72740552
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java
---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.protocol.HttpContext;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Socket Factory validates that it is talking to a RootCa claiming to
have the given hostname. It adds the certificate
+ * to a list for later validation against the payload's hmac
+ */
+public class TlsCertificateAuthorityClientSocketFactory extends
SSLConnectionSocketFactory {
+ private final String caHostname;
+ private final List<X509Certificate> certificates;
+
+ public TlsCertificateAuthorityClientSocketFactory(SSLContext
sslContext, String caHostname, List<X509Certificate> certificates) {
+ super(sslContext);
+ this.caHostname = caHostname;
+ this.certificates = certificates;
+ }
+
+ @Override
+ public synchronized Socket connectSocket(int connectTimeout, Socket
socket, HttpHost host, InetSocketAddress remoteAddress,
+ InetSocketAddress
localAddress, HttpContext context) throws IOException {
+ Socket result = super.connectSocket(connectTimeout, socket, host,
remoteAddress, localAddress, context);
+ if (!SSLSocket.class.isInstance(result)) {
+ throw new IOException("Expected tls socket");
+ }
+ SSLSocket sslSocket = (SSLSocket) result;
+ java.security.cert.Certificate[] peerCertificateChain =
sslSocket.getSession().getPeerCertificates();
+ if (peerCertificateChain.length != 1) {
+ throw new IOException("Expected root ca cert");
+ }
+ if (!X509Certificate.class.isInstance(peerCertificateChain[0])) {
+ throw new IOException("Expected root ca cert in X509 format");
+ }
+ String cn;
+ try {
+ X509Certificate certificate = (X509Certificate)
peerCertificateChain[0];
+ cn = IETFUtils.valueToString(new
JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
--- End diff --
I'd recommend looking at `CertificateUtils.extractPeerDNFromSSLSocket()`
for this operation as it handles a bit more validation.
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
