[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15400450#comment-15400450 ]
ASF GitHub Bot commented on NIFI-2193: -------------------------------------- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882113 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+ public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME;
+ public static final String PKCS12 = "PKCS12";
+ private final KeyPairGenerator keyPairGenerator;
+ private final int days;
+ private final String signingAlgorithm;
+
+ public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException {
+ this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+ }
+
+ public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException {
+ this(tlsToolkitCommandLine.getTlsHelperConfig());
+ }
+
+ public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException {
+ this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm);
+ }
+
+ protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) {
+ this.keyPairGenerator = keyPairGenerator;
+ this.days = days;
+ this.signingAlgorithm = signingAlgorithm;
+ }
+
+ public static void addBouncyCastleProvider() {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ private static KeyPairGenerator createKeyPairGenerator(String algorithm, int keySize) throws NoSuchAlgorithmException {
+ KeyPairGenerator instance = KeyPairGenerator.getInstance(algorithm);
+ instance.initialize(keySize);
+ return instance;
+ }
+
+ public KeyPair generateKeyPair() throws NoSuchAlgorithmException {
+ return keyPairGenerator.generateKeyPair();
+ }
+
+ public void addToKeyStore(KeyStore keyStore, KeyPair keyPair, String alias, char[] passphrase, Certificate... certificates) throws GeneralSecurityException, IOException {
+ keyStore.setKeyEntry(alias, keyPair.getPrivate(), passphrase, certificates);
+ }
+
+ public KeyStore createKeyStore(String keyStoreType) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, NoSuchProviderException {
+ KeyStore keyStore;
+ if (PKCS12.equals(keyStoreType)) {
+ keyStore = KeyStore.getInstance(keyStoreType, BouncyCastleProvider.PROVIDER_NAME);
+ } else {
+ keyStore = KeyStore.getInstance(keyStoreType);
+ }
+ keyStore.load(null, null);
+ return keyStore;
+ }
+
+ public X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn) throws CertificateException {
+ return CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, signingAlgorithm, days);
+ }
+
+ public X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, X509Certificate issuer, KeyPair issuerKeyPair) throws CertificateException {
+ return CertificateUtils.generateIssuedCertificate(dn, publicKey, issuer, issuerKeyPair, signingAlgorithm, days);
+ }
+
+ public JcaPKCS10CertificationRequest generateCertificationRequest(String requestedDn, KeyPair keyPair) throws OperatorCreationException {
+ JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Principal(requestedDn), keyPair.getPublic());
+ JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
+ return new JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
+ }
+
+ public X509Certificate signCsr(JcaPKCS10CertificationRequest certificationRequest, X509Certificate issuer, KeyPair issuerKeyPair) throws InvalidKeySpecException, EACException,
--- End diff -- Collapsed everything in the helper that throws more than one type of security exception into GeneralSecurityException > Command Line Keystore and Truststore utility > -------------------------------------------- > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature > Reporter: Bryan Rosander > Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
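Review bot: `createKeyStore` routes only `"PKCS12"` through BouncyCastle, with no comment saying why, and it spells the provider as `BouncyCastleProvider.PROVIDER_NAME` although the class already defines `PROVIDER` for that name; use `keyStore = KeyStore.getInstance(keyStoreType, PROVIDER);` and put a why-comment above the branch, e.g. `// PKCS12 is built by BouncyCastle rather than the default provider — TODO state the reason`, since the motivation is not visible in the hunk. That branch can only succeed after `addBouncyCastleProvider()` has registered the provider (otherwise `NoSuchProviderException` from the throws clause), which `createKeyStore`'s Javadoc should state. The protected constructor stores `days` and `signingAlgorithm` unchecked, so unless `TlsHelperConfig` validates them upstream a `days <= 0` or null algorithm only surfaces later inside `CertificateUtils`; `if (days <= 0) throw new IllegalArgumentException("days must be positive: " + days);` together with `Objects.requireNonNull(signingAlgorithm, "signingAlgorithm")` there would fail fast. `signCsr`'s signature continues outside the quoted hunk.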