[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15400451#comment-15400451 ]
ASF GitHub Bot commented on NIFI-2193: -------------------------------------- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882118 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityServiceHandler.java --- @@ -0,0 +1,97 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.input.BoundedReader; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Response; +import org.eclipse.jetty.server.handler.AbstractHandler; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.security.KeyPair; +import java.security.cert.X509Certificate; + +/** + * Jetty service handler that validates the hmac of a CSR and issues a certificate if it checks out + */ +public class TlsCertificateAuthorityServiceHandler extends AbstractHandler { + public static final String CSR_FIELD_MUST_BE_SET = "csr field must be set"; + public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must be set"; + public static final String FORBIDDEN = "forbidden"; + private final TlsHelper tlsHelper; + private final String token; + private final X509Certificate caCert; + private final KeyPair keyPair; + private final ObjectMapper objectMapper; + + public TlsCertificateAuthorityServiceHandler(TlsHelper tlsHelper, String token, X509Certificate caCert, KeyPair keyPair, ObjectMapper objectMapper) { + this.tlsHelper = tlsHelper; + this.token = token; + this.caCert = caCert; + this.keyPair = keyPair; + this.objectMapper = objectMapper; + } + + @Override + public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { + try { + TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = objectMapper.readValue(new BoundedReader(request.getReader(), 1024 * 1024), TlsCertificateAuthorityRequest.class); + + if (!tlsCertificateAuthorityRequest.hasCsr()) { + writeResponse(objectMapper, response, new TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET), Response.SC_BAD_REQUEST); + return; + } + + if (!tlsCertificateAuthorityRequest.hasHmac()) { + writeResponse(objectMapper, response, new TlsCertificateAuthorityResponse(HMAC_FIELD_MUST_BE_SET), Response.SC_BAD_REQUEST); + return; + } + + JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = tlsHelper.parseCsr(tlsCertificateAuthorityRequest.getCsr()); + + if (tlsHelper.checkHMac(tlsCertificateAuthorityRequest.getHmac(), token, jcaPKCS10CertificationRequest.getPublicKey())) { --- End diff -- Will do > Command Line Keystore and Truststore utility > -------------------------------------------- > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature > Reporter: Bryan Rosander > Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)