[GitHub] nifi pull request #695: NIFI-2193 - Command line SSL config utility as well ...

[brosander]

Github user brosander commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/695#discussion_r72882057
  
    --- Diff: 
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 ---
    @@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase {
         private
         static X509Certificate generateCertificate(String dn) throws 
IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
             KeyPair keyPair = generateKeyPair();
    -        return generateCertificate(dn, keyPair);
    -    }
    -
    -    /**
    -     * Generates a signed certificate with a specific keypair.
    -     *
    -     * @param dn the DN
    -     * @param keyPair the public key will be included in the certificate 
and the the private key is used to sign the certificate
    -     * @return the certificate
    -     * @throws IOException
    -     * @throws NoSuchAlgorithmException
    -     * @throws CertificateException
    -     * @throws NoSuchProviderException
    -     * @throws SignatureException
    -     * @throws InvalidKeyException
    -     * @throws OperatorCreationException
    -     */
    -    private
    -    static X509Certificate generateCertificate(String dn, KeyPair keyPair) 
throws IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
    -        PrivateKey privateKey = keyPair.getPrivate();
    -        ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
    -        SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    -        Date startDate = new Date(YESTERDAY);
    -        Date endDate = new Date(ONE_YEAR_FROM_NOW);
    -
    -        X509v3CertificateBuilder certBuilder = new 
X509v3CertificateBuilder(
    -                new X500Name(dn),
    -                BigInteger.valueOf(System.currentTimeMillis()),
    -                startDate, endDate,
    -                new X500Name(dn),
    -                subPubKeyInfo);
    -
    -        // Set certificate extensions
    -        // (1) digitalSignature extension
    -        certBuilder.addExtension(X509Extension.keyUsage, true,
    -                new KeyUsage(KeyUsage.digitalSignature | 
KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement));
    -
    -        // (2) extendedKeyUsage extension
    -        Vector<KeyPurposeId> ekUsages = new Vector<>();
    -        ekUsages.add(KeyPurposeId.id_kp_clientAuth);
    -        ekUsages.add(KeyPurposeId.id_kp_serverAuth);
    -        certBuilder.addExtension(X509Extension.extendedKeyUsage, false, 
new ExtendedKeyUsage(ekUsages));
    -
    -        // Sign the certificate
    -        X509CertificateHolder certificateHolder = 
certBuilder.build(sigGen);
    -        return new JcaX509CertificateConverter().setProvider(PROVIDER)
    -                .getCertificate(certificateHolder);
    +        return CertificateUtils.generateSelfSignedX509Certificate(keyPair, 
dn, SIGNATURE_ALGORITHM, 365);
    --- End diff --
    
    Upping default valid duration to 3 years


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---