[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398692#comment-15398692 ]
ASF GitHub Bot commented on NIFI-2193: -------------------------------------- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72740552 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java --- 
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.protocol.HttpContext;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Socket Factory validates that it is talking to a RootCa claiming to have the given hostname. It adds the certificate
+ * to a list for later validation against the payload's hmac
+ */
+public class TlsCertificateAuthorityClientSocketFactory extends SSLConnectionSocketFactory {
+ private final String caHostname;
+ private final List<X509Certificate> certificates;
+
+ public TlsCertificateAuthorityClientSocketFactory(SSLContext sslContext, String caHostname, List<X509Certificate> certificates) {
+ super(sslContext);
+ this.caHostname = caHostname;
+ this.certificates = certificates;
+ }
+
+ @Override
+ public synchronized Socket connectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress,
+ InetSocketAddress localAddress, HttpContext context) throws IOException {
+ Socket result = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
+ if (!SSLSocket.class.isInstance(result)) {
+ throw new IOException("Expected tls socket");
+ }
+ SSLSocket sslSocket = (SSLSocket) result;
+ java.security.cert.Certificate[] peerCertificateChain = sslSocket.getSession().getPeerCertificates();
+ if (peerCertificateChain.length != 1) {
+ throw new IOException("Expected root ca cert");
+ }
+ if (!X509Certificate.class.isInstance(peerCertificateChain[0])) {
+ throw new IOException("Expected root ca cert in X509 format");
+ }
+ String cn;
+ try {
+ X509Certificate certificate = (X509Certificate) peerCertificateChain[0];
+ cn = IETFUtils.valueToString(new JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
--- End diff --
I'd recommend looking at `CertificateUtils.extractPeerDNFromSSLSocket()` for this operation as it handles a bit more validation.
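Review bot: The constructor stores `caHostname` and the caller-supplied `certificates` list without any null check, so a misconfigured factory only fails on the first `connectSocket`, and the class Javadoc says that list is appended to on every connection while the `synchronized` on `connectSocket` only serialises connections through this one factory instance, not readers of that list. Failing fast with `this.caHostname = Objects.requireNonNull(caHostname, "caHostname");` and `this.certificates = Objects.requireNonNull(certificates, "certificates");` (adding `import java.util.Objects;`), plus a Javadoc line such as `The supplied list is appended to on each successful connection; callers that read it concurrently must synchronise on it themselves`, would make the ownership explicit. Separately, `getRDNs(BCStyle.CN)[0]` throws `ArrayIndexOutOfBoundsException` for a subject with no CN, which the enclosing `try` only turns into an `IOException` if its handler catches unchecked exceptions, and a peer that passes this extraction still has to be compared against `caHostname` for the check the Javadoc promises. Both the handler and that comparison are past the end of the quoted hunk, so this could not be confirmed from here; `connectSocket` continues outside the hunk.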
> Command Line Keystore and Truststore utility > -------------------------------------------- > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature > Reporter: Bryan Rosander > Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)