[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407130#comment-15407130 ]

ASF subversion and git services commented on NIFI-2193:
---

Commit fa4c6ab03cae9dae98e41ac984901df90fdd1b2a in nifi's branch refs/heads/master from [~bryanrosan...@gmail.com]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fa4c6ab ]

NIFI-2193 - Added functionality to automate certificate generation, keystore and truststore generation, and nifi.properties keystore and truststore password population.

Follow-on changes will be made under NIFI-2476.

This closes #695.

Signed-off-by: Andy LoPresto

Defaulting to same keyStore, key password (+18 squashed commits)

Squashed commits:
[9d01ba0] NIFI-2193 - Fixing typo
[55440bc] NIFI-2193 - Standalone can run as long as there are no conflicting files/folders
[0ca34ed] NIFI-2193 - Fixing some filename, absolute path issues
[9d4f65b] NIFI-2193 - Incorporating feedback
[f7550b4] NIFI-2193 - Cleaning up imports
[59a7637] NIFI-2193 - Updating umask to allow owner to execute
[cf824e7] NIFI-2193 - Moving DN arg to CA service specific parent class
[921ee13] NIFI-2193 - Making keystore getInstance more consistent
[a283c4b] NIFI-2193 - Updating sample config files in assembly to reflect new structure
[8d3a21d] NIFI-2193 - Making TlsHelper static, adding option to use same password for Key, KeyStore
[b13d247] NIFI-2193 - Addressing PR feedback
[46ef8ed] NIFI-2193 - Removing commons-logging, log4j from notice
[d4cf41a] NIFI-2193 - Adding option to specify output file for CA certificate when using cli client
[b74bf25] NIFI-2193 - Removing Bouncy Castle from notice
[6e34f9a] NIFI-2193 - Adding CLI client for easier generation of client certificates
[2924fca] NIFI-2193 - nifi-toolkit-ssl -> nifi-toolkit-tls, removing unused constants
[886167e] NIFI-2193 - Adding slf4j to avoid runtime issue
[082de46] NIFI-2193 - Command line SSL config utility as well as certificate authority client/server

> Command Line Keystore and Truststore utility
>
>                 Key: NIFI-2193
>                 URL: https://issues.apache.org/jira/browse/NIFI-2193
>             Project: Apache NiFi
>          Issue Type: New Feature
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>              Labels: certificate, security, tls
>             Fix For: 1.0.0
>
>
> In order to facilitate secure setup of NiFi, it would be useful to have a command line utility capable of generating the required keystores, truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that they all use, and relevant passwords and configuration files for using the keystores and truststore.
> Additionally, in order to support distributed deployment, a web-based certificate authority with corresponding client will allow for each NiFi instance to generate its own key pair and then request signing by the CA.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
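The workflow the issue description lays out (one CA, a key pair generated on each node and signed by that CA, one shared truststore, and the keystore/truststore passwords written into nifi.properties) as an added example. This is not nifi-toolkit-tls code and not part of the original thread: it uses the openssl CLI instead of the toolkit's Java, writes PKCS12 stores rather than JKS, and the hostnames, output directory and CA subject are made up for the demo. The nifi.security.* keys are the standard NiFi property names; everything else is an assumption of the example.

```shell
#!/bin/sh
# Added example (not nifi-toolkit-tls code): the NIFI-2193 workflow done with
# the openssl CLI only. Hostnames, paths and the CA subject are made up.
set -eu

OUT="${OUT:-$(mktemp -d)}"           # assumed output directory
CA_DN="/CN=demo-nifi-ca"             # assumed CA subject
DAYS=365
KS_PASS="$(openssl rand -hex 16)"    # one password for key and keystore (toolkit default)
TS_PASS="$(openssl rand -hex 16)"    # truststore password

# 1. CA key pair and self-signed CA certificate. The CA key stays on the CA host.
make_ca() {
  mkdir -p "$OUT/ca"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$CA_DN" \
    -keyout "$OUT/ca/ca.key" -out "$OUT/ca/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$OUT/ca/ca.cnf"
  openssl x509 -req -in "$OUT/ca/ca.csr" -signkey "$OUT/ca/ca.key" -days "$DAYS" -sha256 \
    -extfile "$OUT/ca/ca.cnf" -out "$OUT/ca/ca.crt" 2>/dev/null
  chmod 600 "$OUT/ca/ca.key"
}

# 2. Per node: the node generates its own key pair and a CSR (public key plus
#    name). Only the CSR goes to the CA; the private key never leaves the node.
make_node() {
  host="$1"; d="$OUT/$host"
  mkdir -p "$d"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  # CA side: sign the CSR. Pin the hostname in a SAN so peers can check it and
  # allow both server and client auth, since cluster nodes play both roles.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$d/ext.cnf"
  openssl x509 -req -in "$d/node.csr" -CA "$OUT/ca/ca.crt" -CAkey "$OUT/ca/ca.key" \
    -CAcreateserial -days "$DAYS" -sha256 -extfile "$d/ext.cnf" -out "$d/node.crt" 2>/dev/null
  # Node side: key + cert + CA chain into a PKCS12 keystore, one password for
  # store and key. The PEM key is removed so it exists only inside the store.
  openssl pkcs12 -export -name nifi-key -in "$d/node.crt" -inkey "$d/node.key" \
    -certfile "$OUT/ca/ca.crt" -passout "pass:$KS_PASS" -out "$d/keystore.p12"
  rm -f "$d/node.key" "$d/node.csr" "$d/ext.cnf"
  chmod 600 "$d/keystore.p12"
}

# 3. One truststore shared by every node: the CA certificate and nothing else.
make_truststore() {
  openssl pkcs12 -export -nokeys -name nifi-ca -in "$OUT/ca/ca.crt" \
    -passout "pass:$TS_PASS" -out "$OUT/truststore.p12"
  chmod 600 "$OUT/truststore.p12"
}

# 4. nifi.properties fragment for a node. The passwords land here in clear
#    text, so the file must be readable by the NiFi service user only.
write_properties() {
  host="$1"
  cp "$OUT/truststore.p12" "$OUT/$host/truststore.p12"
  cat > "$OUT/$host/nifi.properties" <<EOF
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=$KS_PASS
nifi.security.keyPasswd=$KS_PASS
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=$TS_PASS
EOF
  chmod 600 "$OUT/$host/nifi.properties"
}

# Check, as a peer would at handshake time: pull the node cert out of its
# keystore and verify it chains to what is in the truststore and names $2.
# Returns 0 on success, non-zero on a bad chain or hostname mismatch.
verify_node() {
  host="$1"; expect="$2"
  openssl pkcs12 -in "$OUT/truststore.p12" -passin "pass:$TS_PASS" -nokeys 2>/dev/null \
    > "$OUT/$host/trusted.pem"
  openssl pkcs12 -in "$OUT/$host/keystore.p12" -passin "pass:$KS_PASS" -nokeys -clcerts 2>/dev/null |
    openssl verify -CAfile "$OUT/$host/trusted.pem" -verify_hostname "$expect" >/dev/null 2>&1
}

main() {
  make_ca
  make_truststore
  for h in nifi-1.example.internal nifi-2.example.internal; do
    make_node "$h"
    write_properties "$h"
  done
}
main
```

Two things worth keeping from this even if the real toolkit is used: each node's private key is created on the node and only the CSR crosses the network to the CA, which is what the CA server/client pair in the issue is for; and the generated nifi.properties holds the store passwords in clear text, so it needs the same file permissions as the keystore itself. PKCS12 files written by OpenSSL 3 use PBKDF2/AES by default; if NiFi's JVM refuses to open them, re-export with `-legacy`.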
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407138#comment-15407138 ]

ASF GitHub Bot commented on NIFI-2193:
--

Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/695

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > Labels: certificate, security, tls > Fix For: 1.0.0 > > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407142#comment-15407142 ] ASF subversion and git services commented on NIFI-2193: --- Commit fa4c6ab03cae9dae98e41ac984901df90fdd1b2a in nifi's branch refs/heads/master from [~bryanrosan...@gmail.com] [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fa4c6ab ] NIFI-2193 - Added functionality to automate certificate generation, keystore and truststore generation, and nifi.properties keystore and truststore password population. Follow-on changes will be made under NIFI-2476. This closes #695. Signed-off-by: Andy LoPrestoDefaulting to same keyStore, key password (+18 squashed commits) Squashed commits: [9d01ba0] NIFI-2193 - Fixing typo [55440bc] NIFI-2193 - Standalone can run as long as there are no conflicting files/folders [0ca34ed] NIFI-2193 - Fixing some filename, absolute path issues [9d4f65b] NIFI-2193 - Incorporating feedback [f7550b4] NIFI-2193 - Cleaning up imports [59a7637] NIFI-2193 - Updating umask to allow owner to execute [cf824e7] NIFI-2193 - Moving DN arg to CA service specific parent class [921ee13] NIFI-2193 - Making keystore getInstance more consistent [a283c4b] NIFI-2193 - Updating sample config files in assembly to reflect new structure [8d3a21d] NIFI-2193 - Making TlsHelper static, adding option to use same password for Key, KeyStore [b13d247] NIFI-2193 - Addressing PR feedback [46ef8ed] NIFI-2193 - Removing commons-logging, log4j from notice [d4cf41a] NIFI-2193 - Adding option to specify output file for CA certificate when using cli client [b74bf25] NIFI-2193 - Removing Bouncy Castle from notice [6e34f9a] NIFI-2193 - Adding CLI client for easier generation of client certificates [2924fca] NIFI-2193 - nifi-toolkit-ssl -> nifi-toolkit-tls, removing unused constants [886167e] NIFI-2193 - Adding slf4j to avoid runtime issue [082de46] NIFI-2193 - Command line SSL config utility as well as certificate authority client/server > 
Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > Labels: certificate, security, tls > Fix For: 1.0.0 > > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407122#comment-15407122 ] ASF subversion and git services commented on NIFI-2193: --- Commit fa4c6ab03cae9dae98e41ac984901df90fdd1b2a in nifi's branch refs/heads/master from [~bryanrosan...@gmail.com] [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fa4c6ab ] NIFI-2193 - Added functionality to automate certificate generation, keystore and truststore generation, and nifi.properties keystore and truststore password population. Follow-on changes will be made under NIFI-2476. This closes #695. Signed-off-by: Andy LoPrestoDefaulting to same keyStore, key password (+18 squashed commits) Squashed commits: [9d01ba0] NIFI-2193 - Fixing typo [55440bc] NIFI-2193 - Standalone can run as long as there are no conflicting files/folders [0ca34ed] NIFI-2193 - Fixing some filename, absolute path issues [9d4f65b] NIFI-2193 - Incorporating feedback [f7550b4] NIFI-2193 - Cleaning up imports [59a7637] NIFI-2193 - Updating umask to allow owner to execute [cf824e7] NIFI-2193 - Moving DN arg to CA service specific parent class [921ee13] NIFI-2193 - Making keystore getInstance more consistent [a283c4b] NIFI-2193 - Updating sample config files in assembly to reflect new structure [8d3a21d] NIFI-2193 - Making TlsHelper static, adding option to use same password for Key, KeyStore [b13d247] NIFI-2193 - Addressing PR feedback [46ef8ed] NIFI-2193 - Removing commons-logging, log4j from notice [d4cf41a] NIFI-2193 - Adding option to specify output file for CA certificate when using cli client [b74bf25] NIFI-2193 - Removing Bouncy Castle from notice [6e34f9a] NIFI-2193 - Adding CLI client for easier generation of client certificates [2924fca] NIFI-2193 - nifi-toolkit-ssl -> nifi-toolkit-tls, removing unused constants [886167e] NIFI-2193 - Adding slf4j to avoid runtime issue [082de46] NIFI-2193 - Command line SSL config utility as well as certificate authority client/server > 
Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > Labels: certificate, security, tls > Fix For: 1.0.0 > > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407127#comment-15407127 ] ASF subversion and git services commented on NIFI-2193: --- Commit fa4c6ab03cae9dae98e41ac984901df90fdd1b2a in nifi's branch refs/heads/master from [~bryanrosan...@gmail.com] [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fa4c6ab ] NIFI-2193 - Added functionality to automate certificate generation, keystore and truststore generation, and nifi.properties keystore and truststore password population. Follow-on changes will be made under NIFI-2476. This closes #695. Signed-off-by: Andy LoPrestoDefaulting to same keyStore, key password (+18 squashed commits) Squashed commits: [9d01ba0] NIFI-2193 - Fixing typo [55440bc] NIFI-2193 - Standalone can run as long as there are no conflicting files/folders [0ca34ed] NIFI-2193 - Fixing some filename, absolute path issues [9d4f65b] NIFI-2193 - Incorporating feedback [f7550b4] NIFI-2193 - Cleaning up imports [59a7637] NIFI-2193 - Updating umask to allow owner to execute [cf824e7] NIFI-2193 - Moving DN arg to CA service specific parent class [921ee13] NIFI-2193 - Making keystore getInstance more consistent [a283c4b] NIFI-2193 - Updating sample config files in assembly to reflect new structure [8d3a21d] NIFI-2193 - Making TlsHelper static, adding option to use same password for Key, KeyStore [b13d247] NIFI-2193 - Addressing PR feedback [46ef8ed] NIFI-2193 - Removing commons-logging, log4j from notice [d4cf41a] NIFI-2193 - Adding option to specify output file for CA certificate when using cli client [b74bf25] NIFI-2193 - Removing Bouncy Castle from notice [6e34f9a] NIFI-2193 - Adding CLI client for easier generation of client certificates [2924fca] NIFI-2193 - nifi-toolkit-ssl -> nifi-toolkit-tls, removing unused constants [886167e] NIFI-2193 - Adding slf4j to avoid runtime issue [082de46] NIFI-2193 - Command line SSL config utility as well as certificate authority client/server > 
Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > Labels: certificate, security, tls > Fix For: 1.0.0 > > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407115#comment-15407115 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 I am merging this for the beta release tomorrow. There are still some rough edges, and those are being captured in [NIFI-2476](https://issues.apache.org/jira/browse/NIFI-2476). The documentation for using the tools here is temporarily provided in the original Jira [NIFI-2193](https://issues.apache.org/jira/browse/NIFI-2193) until it can be properly reviewed and merged into the User Guide and Admin Guide [NIFI-2477](https://issues.apache.org/jira/browse/NIFI-2477). I will run contrib-check, rebase, squash, and merge.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407111#comment-15407111 ] Bryan Rosander commented on NIFI-2193: -- Here is a rough draft of the documentation

Admin Guide:

The tls-toolkit has two primary modes of operation:

Standalone -- generates the certificate authority, keystores, truststores, and nifi.properties files in one command.

Client/Server mode -- uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Both client and server validate the other’s identity through a shared secret.

Standalone:

Standalone mode can be invoked by running “tls-toolkit.sh standalone -h” which will print the usage information along with descriptions of options that can be specified. The most common options to specify are:

-n (or --hostnames) a comma-separated list of hostnames that you’d like to generate certificates for
-f (or --nifiPropertiesFile) a base nifi.properties file that the tool will update for each host
-o (or --outputDirectory) the directory to use for the resulting Certificate Authority files and NiFi configurations. A subdirectory will be made for each host.
-R (or --sameKeyAndKeyStorePassword) use the same value when generating KeyStore and TrustStore passwords which is currently needed
-p (or --httpsPort) the https port in nifi.properties and enable secure site-to-site. This is optional and not necessary if you’ve provided a template nifi.properties.

Client/Server:

Server:

Client/Server mode relies on a long-running CA (Certificate Authority) (that can be stopped when you’re not bringing nodes online) to issue certificates. The CA server can be invoked by running “tls-toolkit server -h” which will print the usage information. The most likely options to be specified are:

-f (or --configJson) the location of the json config (written after first run)
-F (or --useConfigJson) load all relevant configuration from the config json (if using, configJson is the only other argument necessary)
-t (or --token) the token used to prevent man in the middle attacks (this should be a long, random value and needs to be known when invoking the client)
-D (or --dn) the dn for the CA

Client:

The client can be used to request new Certificates from the CA. The client utility will generate a keypair and CSR (Certificate Signing Request) and send the CSR to the certificate authority. The client can be invoked by running “tls-toolkit.sh client -h” which will print usage information. The most likely options to be specified are:

-f (or --configJson) the json config file
-c (or --certificateAuthorityHostname) the hostname of the CA
-D (or --DN) the dn for the CSR (and Certificate)
-t (or --token) the token used to prevent man in the middle attacks (this should be a long, random value and needs to be known when invoking the client)
-T (or --keyStoreType) the type of keystore to create (specify jks for NiFi nodes, leave default to create client cert)

After running the client you will have the CA’s certificate, a keystore, a truststore, and a config.json with information about them as well as their passwords. If you leave -T (or --keyStoreType) as its default value, PKCS12 will be used in order to make it easy to import into a browser (for client certificates).

Developer Guide:

This is a developer-oriented document for the tls-toolkit. For the usage information, please consult the Admin Guide.

The Client/Server mode of operation came about from the desire to be able to autogenerate required TLS configuration artifacts without needing to perform that generation in a centralized place. This simplifies configuration in a clustered environment.

Since we don’t necessarily have a central place to run the generation logic or a trusted Certificate Authority, a shared secret is used to authenticate the clients and server to each other. The tls-toolkit prevents man in the middle attacks using HMAC verification of the public keys of the CA server and the CSR the client sends, using a shared secret (the token) as the HMAC key.

The basic process goes as follows:

The client generates a KeyPair.
The client generates a request json payload containing a CSR and an HMAC with the token as the key and the CSR’s public key fingerprint as the data.
The client connects to the CA Hostname at the https port specified and validates that the CN of the CA’s certificate matches the hostname (NOTE: because we don’t trust the CA at this point, this adds NO security, it is just a way to error out early if possible).
The server validates the HMAC from the client payload using the token as the key and the CSR’s public key fingerprint as the data. This proves that the client knows the shared secret and that it wanted a CSR with that public key to be signed. (A man in the middle could forward
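The token-keyed HMAC exchange the developer guide draft describes, as an added example that is not part of Bryan's comment or of the NiFi tls-toolkit code. It models both sides of the request/response with Python's standard library only: the "public keys" are random byte strings standing in for real RSA/EC keys, the CSR and certificate are small JSON records rather than PKCS#10/X.509, and SHA-256 of the encoded key is assumed as the "fingerprint" (the draft does not fix the digest). What it shows is the property the draft claims: a request whose public key was replaced in transit, a request from a party that does not know the token, and a response from a CA that does not know the token are all rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets


# Constructed stand-ins for key material: a real client generates an RSA/EC
# key pair and a PKCS#10 CSR; here a "public key" is just 32 random bytes.
def new_public_key() -> bytes:
    return secrets.token_bytes(32)


def fingerprint(public_key: bytes) -> bytes:
    # Assumption: SHA-256 of the encoded public key is the "fingerprint".
    return hashlib.sha256(public_key).digest()


def token_hmac(token: str, public_key: bytes) -> str:
    # HMAC with the shared secret (token) as key, key fingerprint as data.
    return hmac.new(token.encode("utf-8"), fingerprint(public_key),
                    hashlib.sha256).hexdigest()


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def client_build_request(dn: str, public_key: bytes, token: str) -> str:
    """Client side: CSR plus HMAC over the CSR's public key fingerprint."""
    csr = {"dn": dn, "publicKey": b64(public_key)}
    return json.dumps({"csr": csr, "hmac": token_hmac(token, public_key)})


def server_handle_request(request_json: str, token: str, ca_dn: str,
                          ca_public_key: bytes):
    """Server side: verify the client's HMAC, then answer with a (toy) cert
    and an HMAC over the CA's own public key. Returns None on rejection."""
    req = json.loads(request_json)
    public_key = base64.b64decode(req["csr"]["publicKey"])
    # Constant-time compare. A mismatch means the sender does not know the
    # token, or the key in the CSR is not the one the client computed the
    # HMAC over (e.g. it was replaced in transit), so nothing is signed.
    if not hmac.compare_digest(req["hmac"], token_hmac(token, public_key)):
        return None
    certificate = {"subject": req["csr"]["dn"], "issuer": ca_dn,
                   "publicKey": req["csr"]["publicKey"]}  # toy, unsigned
    return json.dumps({"certificate": certificate,
                       "caPublicKey": b64(ca_public_key),
                       "hmac": token_hmac(token, ca_public_key)})


def client_accept_response(response_json: str, token: str,
                           expected_public_key: bytes):
    """Client side: trust the CA only if it proved knowledge of the token
    over its own public key, and the issued cert carries our key."""
    resp = json.loads(response_json)
    ca_public_key = base64.b64decode(resp["caPublicKey"])
    if not hmac.compare_digest(resp["hmac"], token_hmac(token, ca_public_key)):
        return None
    if base64.b64decode(resp["certificate"]["publicKey"]) != expected_public_key:
        return None
    return resp["certificate"]


def run_exchange(client_token: str, server_token: str, swap_key: bool = False):
    """Drive one request/response; returns the certificate or None."""
    ca_public_key = new_public_key()
    node_public_key = new_public_key()
    request = client_build_request("CN=nifi-node1,OU=NIFI", node_public_key,
                                   client_token)
    if swap_key:
        # Model the failure mode the draft guards against: the CSR's public
        # key is replaced between client and server, HMAC left untouched.
        tampered = json.loads(request)
        tampered["csr"]["publicKey"] = b64(new_public_key())
        request = json.dumps(tampered)
    response = server_handle_request(request, server_token,
                                     "CN=nifi-ca,OU=NIFI", ca_public_key)
    if response is None:
        return None
    return client_accept_response(response, client_token, node_public_key)


def client_rejects_unknown_ca() -> bool:
    """A CA that only knows a guessed token can answer, but the client
    (holding the real token) must not accept its certificate."""
    node_public_key = new_public_key()
    request = client_build_request("CN=nifi-node1,OU=NIFI", node_public_key,
                                   "guessed-token")
    response = server_handle_request(request, "guessed-token",
                                     "CN=other-ca,OU=NIFI", new_public_key())
    return client_accept_response(response, "real-token", node_public_key) is None


if __name__ == "__main__":
    print("issued:", run_exchange("s3cret", "s3cret"))
    print("wrong token:", run_exchange("s3cret", "other"))
    print("swapped key:", run_exchange("s3cret", "s3cret", swap_key=True))
    print("unknown CA rejected:", client_rejects_unknown_ca())
```

The two `hmac.compare_digest` calls are the whole protocol: the HMAC binds the token to a specific public key, so neither side signs or trusts a key that the token holder did not vouch for. The hostname-vs-CN check from the draft is deliberately left out, since, as the draft itself notes, it adds no security before the CA is trusted.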
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15406301#comment-15406301 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 Ok I will build locally, smoke test, run contrib check, and if all pass, rebase/squash and merge into `master`.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15406081#comment-15406081 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/695 the newly failing test from last commit is in the snmp processor, not sure that it applies to anything I touched
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15406076#comment-15406076 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/695 @alopresto I think I've incorporated your feedback, please let me know if you see anything else that needs addressing before the beta, otherwise I agree that as people use it, we'll get more information on what could/should be improved
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405236#comment-15405236 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/695 Improving logging, making client and server both error instead of overwriting
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405205#comment-15405205 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73272771 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/TlsClientManager.java --- 
@@ -0,0 +1,116 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.manager; + +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter; +import org.apache.nifi.toolkit.tls.util.InputStreamFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.PasswordUtil; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.util.io.pem.PemWriter; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableEntryException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +public class TlsClientManager extends BaseTlsManager 
{ +private final TlsClientConfig tlsClientConfig; +private final KeyStore trustStore; +private final ListconfigurationWriters; +private final Set certificateAliases; +private File certificateAuthorityDirectory; + +public TlsClientManager(TlsClientConfig tlsClientConfig) throws GeneralSecurityException, IOException { +this(tlsClientConfig, new PasswordUtil(), FileInputStream::new); +} + +public TlsClientManager(TlsClientConfig tlsClientConfig, PasswordUtil passwordUtil, InputStreamFactory inputStreamFactory) throws GeneralSecurityException, IOException { +super(tlsClientConfig, passwordUtil, inputStreamFactory); +this.trustStore = loadKeystore(tlsClientConfig.getTrustStore(), tlsClientConfig.getTrustStoreType(), tlsClientConfig.getTrustStorePassword()); +this.tlsClientConfig = tlsClientConfig; +this.configurationWriters = new ArrayList<>(); +this.certificateAliases = new HashSet<>(); +} + +public void setCertificateEntry(String alias, Certificate cert) throws KeyStoreException { +trustStore.setCertificateEntry(alias, cert); +certificateAliases.add(alias); +} + +public void setCertificateAuthorityDirectory(File certificateAuthorityDirectory) { +this.certificateAuthorityDirectory = certificateAuthorityDirectory; +} + +@Override +public void write(OutputStreamFactory outputStreamFactory) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException { +super.write(outputStreamFactory); + +String trustStorePassword = tlsClientConfig.getTrustStorePassword(); +if (StringUtils.isEmpty(trustStorePassword)) { +trustStorePassword = getPasswordUtil().generatePassword(); +tlsClientConfig.setTrustStorePassword(trustStorePassword); +} + +try (OutputStream outputStream = outputStreamFactory.create(new File(tlsClientConfig.getTrustStore( { +trustStore.store(outputStream, trustStorePassword.toCharArray()); +} + +for (ConfigurationWriter
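Review bot: in `write(OutputStreamFactory)`, the trust store is opened with `outputStreamFactory.create(new File(tlsClientConfig.getTrustStore()))` and written with `trustStore.store(...)` without any check that the path does not already exist, so a second run would silently replace a trust store that nodes already rely on; a later comment on this PR says client and server were changed to error instead of overwriting, so either that check belongs here, just before the `try (OutputStream ...)` block, or the factory's refusal to overwrite should be stated in a comment on this method. Two smaller points in the same hunk: the generated trust store password is stored back into `tlsClientConfig`, which the `ConfigurationWriter`s then persist in the clear to the config JSON the admin guide mentions, so the method's javadoc should say that file needs restrictive permissions; and the `char[]` from `trustStorePassword.toCharArray()` is never zeroed after `store` returns.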
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405185#comment-15405185 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73271149 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); +addOptionWithArg("f", 
CONFIG_JSON_ARG, "The place to write configuration info", DEFAULT_CONFIG_JSON); +addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use (otherwise " ++ CONFIG_JSON_ARG + " will only be written to."); +addOptionWithArg("p", PORT_ARG, "The port to use to communicate with the Certificate Authority", TlsConfig.DEFAULT_PORT); +addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)); +} + +@Override +protected CommandLine doParse(String[] args) throws CommandLineParseException { +CommandLine commandLine = super.doParse(args); + +token = commandLine.getOptionValue(TOKEN_ARG); +onlyUseConfigJson = commandLine.hasOption(USE_CONFIG_JSON_ARG); +if (StringUtils.isEmpty(token) && !onlyUseConfigJson) { +printUsageAndThrow(TOKEN_ARG + " argument must not be empty unless " + USE_CONFIG_JSON_ARG + " set", ExitCode.ERROR_TOKEN_ARG_EMPTY); +} +configJson = commandLine.getOptionValue(CONFIG_JSON_ARG, DEFAULT_CONFIG_JSON); +port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT); +dn = commandLine.getOptionValue(DN_ARG, TlsConfig.calcDefaultDn(getCertificateAuthorityHostname())); --- End diff -- Usage: The dn to use for the CA certificate (default: CN=localhost,OU=NIFI) is there an implication that you can specify just a hostname for DN? Trying to clarify by changing default to say CA_HOSTNAME and HOSTNAME for CA and client respectively, this shouldn't be mandatory > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable
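Review bot: the default advertised for `-D`/DN_ARG and the default actually applied in doParse disagree, which is the root of the confusion discussed above. The option is registered with `TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)`, so the usage prints a localhost-based DN, while the last line of the hunk falls back to `TlsConfig.calcDefaultDn(getCertificateAuthorityHostname())`; either derive the displayed default from the same value or state in the description that the default DN is computed from the CA hostname argument. Separately, `port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT)` accepts any integer; reject values outside 1-65535 with a CommandLineParseException here so the user gets a usage error instead of a bind or connect failure later.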
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405179#comment-15405179 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73270811 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); --- End diff -- This is a 
common parent class for both client and server, I can add distinct messages by making it an abstract method > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
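Review bot: the `-t`/TOKEN_ARG option (last line of the hunk) takes the shared secret directly on the command line, so it ends up in shell history and is visible to every local user in the process list for as long as the client or the CA server runs. Since the help text already presents it as the value that prevents MITM, offer an alternative source (an environment variable, or reading it from `configJson`, which `-F` already supports) and say in the description that the command-line form is meant for interactive use. The only validation visible is `StringUtils.isEmpty(token)`; if the CA side has any expectation about token length or format, enforce the same check in doParse so it fails as a usage error rather than as a rejected request.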
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405178#comment-15405178 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73270744 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); --- End diff -- using getPath > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility 
capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
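Review bot: `DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath()` (last line of the hunk) is evaluated once at class initialisation against the JVM's working directory, so the usage output shows a machine-specific absolute path and the effective default silently depends on where the tool was launched. The `getPath` change mentioned in the reply keeps the relative form in the usage; resolving it against the working directory can then happen at parse time. Because this file is the one `-F` reads all configuration from, and the client config it serialises carries a generated trust-store password after TlsClientManager.write runs, create it with owner-only permissions rather than whatever the process umask allows.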
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405175#comment-15405175 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73270563 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); +addOptionWithArg("f", 
CONFIG_JSON_ARG, "The place to write configuration info", DEFAULT_CONFIG_JSON); +addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use (otherwise " ++ CONFIG_JSON_ARG + " will only be written to."); +addOptionWithArg("p", PORT_ARG, "The port to use to communicate with the Certificate Authority", TlsConfig.DEFAULT_PORT); +addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)); --- End diff -- Also same message for both client and server, will change to abstract method here and override > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
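Review bot: the help text for `-F`/USE_CONFIG_JSON_ARG opens a parenthesis that is never closed: the concatenated string ends `(otherwise configJson will only be written to.` and needs a closing `)`. The `-f`/`-F` pairing is also easy to mistype, and the two options pull in opposite directions (one names the file to write, the other switches the tool to read everything from that file); if short flags must differ only by case, the `-F` description should say explicitly that it overrides every other argument, and doParse should warn when `-F` is combined with other options that will be ignored.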
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405117#comment-15405117 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73265781 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); +addOptionWithArg("f", 
CONFIG_JSON_ARG, "The place to write configuration info", DEFAULT_CONFIG_JSON); +addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use (otherwise " ++ CONFIG_JSON_ARG + " will only be written to."); +addOptionWithArg("p", PORT_ARG, "The port to use to communicate with the Certificate Authority", TlsConfig.DEFAULT_PORT); --- End diff -- message is generic because it's being used by both client and server, I can add specific messages for both though > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
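Review bot: `PORT_ARG = "PORT"` is the only long option name in upper case (the others are `token`, `configJson`, `useConfigJson`), so the flag users have to type is `--PORT`; rename it to `"port"` to match the rest and the `-p` short form. In the last line of the hunk the default passed is `TlsConfig.DEFAULT_PORT`, which doParse later consumes as an int through `getIntValue`, whereas the other `addOptionWithArg` calls pass String defaults; confirm an int overload exists or pass `String.valueOf(TlsConfig.DEFAULT_PORT)` so the usage prints the number rather than relying on an implicit conversion.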
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405101#comment-15405101 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 @brosander I understand the direction of this PR and I think as it is functional, and I'd like to see it included in the beta vote on Thursday to increase the coverage of community testing. If you can fix the quick issues outlined above, we can merge this as is. I would propose we then raise a Jira to evaluate refactoring to see where we might streamline it for the general availability release. That can include more documentation and edge case/input validation. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405097#comment-15405097 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 Running the client script multiple times in the same directory silently overwrites the same keystore file. It should warn the user and fail, or require a force flag to overwrite. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
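One way to close the silent-overwrite gap described in the comment above, as an added example that is not code from the NiFi PR: a small Java helper that opens the target with CREATE_NEW unless a force flag is given, so a repeat run can never clobber an existing keystore. The class name SafeKeyStoreWriter, the force parameter and the demo password are assumptions made for illustration; the toolkit's own file writing goes through its OutputStreamFactory, which this example does not use.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/**
 * Added example, not code from the NiFi toolkit: write a KeyStore to disk
 * without silently replacing a file that is already there. The class name,
 * the force flag and the demo password below are assumptions for illustration.
 */
public final class SafeKeyStoreWriter {

    private SafeKeyStoreWriter() {
    }

    /**
     * Stores keyStore at target. Without force, CREATE_NEW makes the existence
     * check and the file creation one atomic open, so a file that appears between
     * a separate exists() check and the write cannot be clobbered either.
     */
    public static void store(KeyStore keyStore, Path target, char[] password, boolean force)
            throws IOException {
        OpenOption[] options = force
                ? new OpenOption[] {StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING,
                        StandardOpenOption.WRITE}
                : new OpenOption[] {StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE};
        try (OutputStream out = Files.newOutputStream(target, options)) {
            keyStore.store(out, password);
        } catch (FileAlreadyExistsException e) {
            throw new IOException("Refusing to overwrite existing keystore " + target
                    + "; re-run with the force flag to replace it", e);
        } catch (GeneralSecurityException e) {
            throw new IOException("Could not serialize keystore to " + target, e);
        }
    }

    // Demonstration: the second run without force is refused, the run with force succeeds.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                        // empty in-memory store, constructed for the demo
        char[] pw = "demo-password".toCharArray();  // constructed value, not a real secret
        Path target = Files.createTempDirectory("ks-demo").resolve("keystore.p12");

        store(ks, target, pw, false);               // first run: file is created
        try {
            store(ks, target, pw, false);           // second run without force: refused
            System.out.println("BUG: existing keystore was overwritten silently");
        } catch (IOException expected) {
            System.out.println(expected.getMessage());
        }
        store(ks, target, pw, true);                // explicit force: overwrite is allowed
        System.out.println("Overwrote " + target + " because the force flag was given");
    }
}
```

The point of using the open flags rather than a preceding `Files.exists` check is that the decision and the file creation happen in one system call; a check-then-write sequence leaves a window in which a file created by another process (or a second concurrent run of the tool) is still overwritten.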
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405085#comment-15405085 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73263071 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java --- 
@@ -0,0 +1,125 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service.client; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.service.BaseCertificateAuthorityCommandLine; +import org.apache.nifi.toolkit.tls.util.InputStreamFactory; +import org.apache.nifi.toolkit.tls.util.TlsHelper; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; + +public class TlsCertificateAuthorityClientCommandLine extends BaseCertificateAuthorityCommandLine { +public static final String DESCRIPTION = "Generates a private key and gets it signed by the certificate authority."; +public static final String PKCS_12 = "PKCS12"; +public static final String CERTIFICATE_DIRECTORY = "certificateDirectory"; +public static final String DEFAULT_CERTIFICATE_DIRECTORY = "."; +public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = "sameKeyAndKeyStorePassword"; 
+ +private final InputStreamFactory inputStreamFactory; + +private String certificateDirectory; +private boolean sameKeyAndKeyStorePassword; + +public TlsCertificateAuthorityClientCommandLine() { +this(FileInputStream::new); +} + +public TlsCertificateAuthorityClientCommandLine(InputStreamFactory inputStreamFactory) { +super(DESCRIPTION); +this.inputStreamFactory = inputStreamFactory; +addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY); +addOptionNoArg("S", SAME_KEY_AND_KEY_STORE_PASSWORD_ARG, "When generating passwords, use the same one for KeyStore and Key"); +} + +public static void main(String[] args) throws Exception { +TlsHelper.addBouncyCastleProvider(); +TlsCertificateAuthorityClientCommandLine tlsCertificateAuthorityClientCommandLine = new TlsCertificateAuthorityClientCommandLine(); +try { +tlsCertificateAuthorityClientCommandLine.parse(args); +} catch (CommandLineParseException e) { +System.exit(e.getExitCode()); +} +new TlsCertificateAuthorityClient().generateCertificateAndGetItSigned(tlsCertificateAuthorityClientCommandLine.createClientConfig(), + tlsCertificateAuthorityClientCommandLine.getCertificateDirectory(), tlsCertificateAuthorityClientCommandLine.getConfigJson(), + tlsCertificateAuthorityClientCommandLine.sameKeyAndKeyStorePassword()); +System.exit(ExitCode.SUCCESS.ordinal()); +} + +@Override +protected boolean shouldAddDaysArg() { +return false; +} + +@Override +protected boolean shouldAddSigningAlgorithmArg() { +return false; +} + +@Override +protected String getKeyStoreTypeDefault() { +return PKCS_12; +} + +@Override +protected CommandLine doParse(String[] args) throws CommandLineParseException { +CommandLine commandLine = super.doParse(args); +certificateDirectory =
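Review bot: the description for `-C`/CERTIFICATE_DIRECTORY reads "The file to write the CA certificate to", but the constant, the field and the default `"."` all describe a directory; change the text to say it is the directory the CA certificate is written into and name the file that will be created there. In main(), a `CommandLineParseException` exits with `e.getExitCode()`, but any exception thrown by `generateCertificateAndGetItSigned` escapes from `main` as a stack trace with a generic non-zero status; catch it, log the message, and exit with a dedicated ExitCode so scripts driving this client can tell a CA rejection or network failure from a usage error. `System.exit(ExitCode.SUCCESS.ordinal())` also couples the exit status to enum declaration order; using the same accessor the catch block already relies on for the parse-failure path would keep the two consistent.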
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405075#comment-15405075 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73262290 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java --- 
@@ -0,0 +1,188 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.standalone; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory; +import org.apache.nifi.toolkit.tls.util.PasswordUtil; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.apache.nifi.util.StringUtils; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.stream.Collectors; +import java.util.stream.IntStream; + +public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { +public static final String OUTPUT_DIRECTORY_ARG = "outputDirectory"; +public static final String NIFI_PROPERTIES_FILE_ARG = "nifiPropertiesFile"; +public static final String KEY_STORE_PASSWORD_ARG = "keyStorePassword"; +public static final 
String TRUST_STORE_PASSWORD_ARG = "trustStorePassword"; +public static final String KEY_PASSWORD_ARG = "keyPassword"; +public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = "sameKeyAndKeyStorePassword"; +public static final String HOSTNAMES_ARG = "hostnames"; +public static final String HTTPS_PORT_ARG = "httpsPort"; + +public static final String DEFAULT_OUTPUT_DIRECTORY = new File(".").getAbsolutePath(); + +public static final String DESCRIPTION = "Creates certificates and config files for nifi cluster."; + +private final PasswordUtil passwordUtil; +private File baseDir; +private List hostnames; +private String httpsPort; +private NiFiPropertiesWriterFactory niFiPropertiesWriterFactory; +private List keyStorePasswords; +private List keyPasswords; +private List trustStorePasswords; + +public TlsToolkitStandaloneCommandLine() { +this(new PasswordUtil()); +} + +protected TlsToolkitStandaloneCommandLine(PasswordUtil passwordUtil) { +super(DESCRIPTION); +this.passwordUtil = passwordUtil; +addOptionWithArg("o", OUTPUT_DIRECTORY_ARG, "The directory to output keystores, truststore, config files.", DEFAULT_OUTPUT_DIRECTORY); +addOptionWithArg("n", HOSTNAMES_ARG, "Comma separated list of hostnames.", TlsConfig.DEFAULT_HOSTNAME); --- End diff -- @alopresto good point, I'd left blank because it will use the machine's hostname if blank but your way is definitely better in the ssl case > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and
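Review bot: `DEFAULT_OUTPUT_DIRECTORY = new File(".").getAbsolutePath()` yields a path with a trailing `/.` component that then appears in the usage and in every file path derived from it; `new File("").getAbsolutePath()` (or `Paths.get("").toAbsolutePath()`) gives the working directory without it. The KEY_STORE_PASSWORD_ARG, TRUST_STORE_PASSWORD_ARG and KEY_PASSWORD_ARG constants indicate that passwords can be supplied on the command line; since a PasswordUtil is already injected, the usage for those options should state that omitting them generates a random password and that values given on the command line remain in shell history and the process list. For `-n`/HOSTNAMES_ARG, the reply above agrees the default should be explicit; the description should also say whether each hostname becomes the certificate CN or a SAN entry, since that determines what NiFi nodes will accept.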
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405029#comment-15405029 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73258286 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/TlsClientManager.java --- 
@@ -0,0 +1,116 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.manager; + +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter; +import org.apache.nifi.toolkit.tls.util.InputStreamFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.PasswordUtil; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.util.io.pem.PemWriter; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableEntryException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +public class TlsClientManager extends BaseTlsManager 
{ +private final TlsClientConfig tlsClientConfig; +private final KeyStore trustStore; +private final ListconfigurationWriters; +private final Set certificateAliases; +private File certificateAuthorityDirectory; + +public TlsClientManager(TlsClientConfig tlsClientConfig) throws GeneralSecurityException, IOException { +this(tlsClientConfig, new PasswordUtil(), FileInputStream::new); +} + +public TlsClientManager(TlsClientConfig tlsClientConfig, PasswordUtil passwordUtil, InputStreamFactory inputStreamFactory) throws GeneralSecurityException, IOException { +super(tlsClientConfig, passwordUtil, inputStreamFactory); +this.trustStore = loadKeystore(tlsClientConfig.getTrustStore(), tlsClientConfig.getTrustStoreType(), tlsClientConfig.getTrustStorePassword()); +this.tlsClientConfig = tlsClientConfig; +this.configurationWriters = new ArrayList<>(); +this.certificateAliases = new HashSet<>(); +} + +public void setCertificateEntry(String alias, Certificate cert) throws KeyStoreException { +trustStore.setCertificateEntry(alias, cert); +certificateAliases.add(alias); +} + +public void setCertificateAuthorityDirectory(File certificateAuthorityDirectory) { +this.certificateAuthorityDirectory = certificateAuthorityDirectory; +} + +@Override +public void write(OutputStreamFactory outputStreamFactory) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException { +super.write(outputStreamFactory); + +String trustStorePassword = tlsClientConfig.getTrustStorePassword(); +if (StringUtils.isEmpty(trustStorePassword)) { +trustStorePassword = getPasswordUtil().generatePassword(); +tlsClientConfig.setTrustStorePassword(trustStorePassword); +} + +try (OutputStream outputStream = outputStreamFactory.create(new File(tlsClientConfig.getTrustStore( { +trustStore.store(outputStream, trustStorePassword.toCharArray()); +} + +for (ConfigurationWriter
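Review bot: the ordering in write() looks wrong for the empty-password case: `super.write(outputStreamFactory)` runs first, and only afterwards is the generated trust-store password set on `tlsClientConfig`; if the base class writes anything derived from the config it received in the constructor, that output will not contain the generated value. Generate and set the password before calling `super.write`, or document that the base write touches only the key store. The constructor also calls `loadKeystore(..., tlsClientConfig.getTrustStorePassword())` with the possibly empty password, so when a truststore already exists at `tlsClientConfig.getTrustStore()` the load either fails or, if loadKeystore treats a missing file or empty password as "create new", the existing file is replaced with a fresh store under a new random password; make the behaviour for an existing file explicit (refuse, or require a force flag), which is the silent-overwrite problem reported earlier in this thread.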
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405016#comment-15405016 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73257593 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java --- 
@@ -0,0 +1,101 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.standalone; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager; +import org.apache.nifi.toolkit.tls.manager.TlsClientManager; +import org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter; +import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.util.io.pem.PemWriter; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStreamWriter; +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.util.List; + +public class TlsToolkitStandalone { +public static final String NIFI_KEY = "nifi-key"; +public static 
final String NIFI_CERT = "nifi-cert"; --- End diff -- This should have a `.pem` extension to inform the user of the PEM encoding. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
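Review bot: `NIFI_KEY` and `NIFI_CERT` are bare base names that say nothing about whether they are file names, keystore aliases, or both, and they are public, so a one-line Javadoc on each would prevent misuse from other classes. Since `NIFI_KEY` presumably names where the CA private key lands (the `JcaMiscPEMGenerator`/`PemWriter` imports point to PEM output), the code that writes that file should set owner-only permissions explicitly rather than inherit the process umask.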
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405017#comment-15405017 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73257620 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java --- 
@@ -0,0 +1,101 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.standalone; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager; +import org.apache.nifi.toolkit.tls.manager.TlsClientManager; +import org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter; +import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.util.io.pem.PemWriter; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStreamWriter; +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.util.List; + +public class TlsToolkitStandalone { +public static final String NIFI_KEY = "nifi-key"; --- End diff -- 
This should have a `.key` extension.
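Review bot: the import block mixes two spellings of the project name in class names, `NifiPropertiesTlsClientConfigWriter` versus `NiFiPropertiesWriterFactory`, both from this toolkit; settle on one (`NiFi`) before these classes become part of a public toolkit API and renaming costs a deprecation cycle.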
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405014#comment-15405014 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73257442 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); +addOptionWithArg("f", 
CONFIG_JSON_ARG, "The place to write configuration info", DEFAULT_CONFIG_JSON); +addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use (otherwise " ++ CONFIG_JSON_ARG + " will only be written to."); +addOptionWithArg("p", PORT_ARG, "The port to use to communicate with the Certificate Authority", TlsConfig.DEFAULT_PORT); +addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)); +} + +@Override +protected CommandLine doParse(String[] args) throws CommandLineParseException { +CommandLine commandLine = super.doParse(args); + +token = commandLine.getOptionValue(TOKEN_ARG); +onlyUseConfigJson = commandLine.hasOption(USE_CONFIG_JSON_ARG); +if (StringUtils.isEmpty(token) && !onlyUseConfigJson) { +printUsageAndThrow(TOKEN_ARG + " argument must not be empty unless " + USE_CONFIG_JSON_ARG + " set", ExitCode.ERROR_TOKEN_ARG_EMPTY); +} +configJson = commandLine.getOptionValue(CONFIG_JSON_ARG, DEFAULT_CONFIG_JSON); +port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT); +dn = commandLine.getOptionValue(DN_ARG, TlsConfig.calcDefaultDn(getCertificateAuthorityHostname())); --- End diff -- If the user enters only the hostname here (as is the format for the CA hostname), the tool throws an exception. Example: ```bash hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT (pr695) alopresto 166s @ 15:58:03 $ ./bin/tls-toolkit.sh server -c rootca.nifi.apache.org -D client.nifi.apache.org -t shorttoken java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498)
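Review bot: `doParse` falls back to `TlsConfig.calcDefaultDn(getCertificateAuthorityHostname())` for `-D`, but the constructor advertises `TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)` as the default in the help text, so `--help` shows one DN and the parse applies another; derive both from the same source. `doParse` also never validates the DN string, which is why a bare hostname surfaces as an `InvocationTargetException` with a stack trace instead of a usage error; parsing it into an `X500Name` (Bouncy Castle is already on the classpath) and calling `printUsageAndThrow` on failure, as the empty-token case already does with `ExitCode.ERROR_TOKEN_ARG_EMPTY`, would give the user an actionable message.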
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405006#comment-15405006 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73256631 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); --- End diff -- I think this 
message was copied from the client. This is the CA, so it should read "clients must use this token to authenticate".
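Review bot: `-t`/`TOKEN_ARG` takes the shared secret as a command-line argument, so it lands in shell history and is visible to every local user through the process list for as long as the CA server or client runs; offer an alternative source for it (a file with restrictive permissions, an environment variable, or a prompt when `-t` is omitted) and reserve the argument form for cases where the caller accepts that exposure, noting this in the help text.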
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405004#comment-15405004 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73256427 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); --- End diff -- The absolute path is often very long (when running from inside the built location, it is at least 114 characters). 
Example:
```bash
-f,--configJson The place to write configuration info (default: /Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT/config.json)
```
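Review bot: `DEFAULT_CONFIG_JSON` resolves `config.json` against the working directory at class-initialization time and freezes that absolute path in a `static final`, so the help text reports whatever directory the JVM happened to start in; resolving lazily at parse time, or showing the relative name in the help text and resolving on use, avoids both the misleading default and the very long line. Since `-F` reads all configuration from this file, the token will be stored in it; the code that writes `configJson` should create it with owner-only permissions and the `-f` description should say that the file contains secrets.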
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405000#comment-15405000 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73256120 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); +addOptionWithArg("f", 
CONFIG_JSON_ARG, "The place to write configuration info", DEFAULT_CONFIG_JSON); +addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use (otherwise " ++ CONFIG_JSON_ARG + " will only be written to."); +addOptionWithArg("p", PORT_ARG, "The port to use to communicate with the Certificate Authority", TlsConfig.DEFAULT_PORT); +addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)); --- End diff -- This is ambiguous -- is it the DN of the certificate authority certificate?
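Review bot: the `-F`/`USE_CONFIG_JSON_ARG` help string is unbalanced: it opens a parenthesis at `(otherwise ` and the second fragment ends with `will only be written to.` without closing it, so the rendered usage text reads as cut off; append the `)`. While editing that string, "all configuration is read from configJson" should also say that any other arguments are ignored when `-F` is set, since that is the behaviour `onlyUseConfigJson` implies.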
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404999#comment-15404999 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73256049 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java --- 
@@ -0,0 +1,87 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.util.StringUtils; + +import java.io.File; + +public class BaseCertificateAuthorityCommandLine extends BaseCommandLine { +public static final String TOKEN_ARG = "token"; +public static final String CONFIG_JSON_ARG = "configJson"; +public static final String USE_CONFIG_JSON_ARG = "useConfigJson"; +public static final String PORT_ARG = "PORT"; + +public static final String DEFAULT_CONFIG_JSON = new File("config.json").getAbsolutePath(); + +private String token; +private String configJson; +private boolean onlyUseConfigJson; +private int port; +private String dn; + +public BaseCertificateAuthorityCommandLine(String header) { +super(header); +addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM (required and must be same as one used by CA)"); +addOptionWithArg("f", 
CONFIG_JSON_ARG, "The place to write configuration info", DEFAULT_CONFIG_JSON); +addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use (otherwise " ++ CONFIG_JSON_ARG + " will only be written to."); +addOptionWithArg("p", PORT_ARG, "The port to use to communicate with the Certificate Authority", TlsConfig.DEFAULT_PORT); --- End diff -- The default HTTPS port is `8443` but if this is running on the same instance as a secured NiFi instance, it will collide with the default HTTPS port there as well.
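Review bot: `PORT_ARG = "PORT"` makes the long option `--PORT`, while every other long option in this class is camelCase (`token`, `configJson`, `useConfigJson`); rename the value to `port`. The `-p` description, "The port to use to communicate with the Certificate Authority", is written from the client's side, yet this base class is shared with the CA server, where the same option is the listen port; either word it neutrally ("The port the Certificate Authority listens on") or let each subclass supply its own description, as is already done for the token wording.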
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404995#comment-15404995 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 Running the bash scripts only provides console output when an exception occurs. Especially for the standalone, but also the client/server scripts, could we please provide positive output explaining what was accomplished? In addition, there are Log4J warnings printed. Example:
```bash
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT (pr695) alopresto 7s @ 16:00:40 $ ./bin/tls-toolkit.sh server -D CN=rootca.nifi.apache.org -t shorttoken
log4j:WARN No appenders could be found for logger (org.eclipse.jetty.util.log).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Server Started
^C
```
```bash
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT (pr695) alopresto 113s @ 16:01:50 $ ./bin/tls-toolkit.sh client -D CN=client.nifi.apache.org -t shorttoken
log4j:WARN No appenders could be found for logger (org.apache.http.client.protocol.RequestAddCookies).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT (pr695) alopresto 43s @ 16:02:33 $
```
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404990#comment-15404990 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73255485 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java --- 
@@ -0,0 +1,125 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service.client; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.service.BaseCertificateAuthorityCommandLine; +import org.apache.nifi.toolkit.tls.util.InputStreamFactory; +import org.apache.nifi.toolkit.tls.util.TlsHelper; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; + +public class TlsCertificateAuthorityClientCommandLine extends BaseCertificateAuthorityCommandLine { +public static final String DESCRIPTION = "Generates a private key and gets it signed by the certificate authority."; +public static final String PKCS_12 = "PKCS12"; +public static final String CERTIFICATE_DIRECTORY = "certificateDirectory"; +public static final String DEFAULT_CERTIFICATE_DIRECTORY = "."; +public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = "sameKeyAndKeyStorePassword"; 
+ +private final InputStreamFactory inputStreamFactory; + +private String certificateDirectory; +private boolean sameKeyAndKeyStorePassword; + +public TlsCertificateAuthorityClientCommandLine() { +this(FileInputStream::new); +} + +public TlsCertificateAuthorityClientCommandLine(InputStreamFactory inputStreamFactory) { +super(DESCRIPTION); +this.inputStreamFactory = inputStreamFactory; +addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY); +addOptionNoArg("S", SAME_KEY_AND_KEY_STORE_PASSWORD_ARG, "When generating passwords, use the same one for KeyStore and Key"); +} + +public static void main(String[] args) throws Exception { +TlsHelper.addBouncyCastleProvider(); +TlsCertificateAuthorityClientCommandLine tlsCertificateAuthorityClientCommandLine = new TlsCertificateAuthorityClientCommandLine(); +try { +tlsCertificateAuthorityClientCommandLine.parse(args); +} catch (CommandLineParseException e) { +System.exit(e.getExitCode()); +} +new TlsCertificateAuthorityClient().generateCertificateAndGetItSigned(tlsCertificateAuthorityClientCommandLine.createClientConfig(), + tlsCertificateAuthorityClientCommandLine.getCertificateDirectory(), tlsCertificateAuthorityClientCommandLine.getConfigJson(), + tlsCertificateAuthorityClientCommandLine.sameKeyAndKeyStorePassword()); +System.exit(ExitCode.SUCCESS.ordinal()); +} + +@Override +protected boolean shouldAddDaysArg() { +return false; +} + +@Override +protected boolean shouldAddSigningAlgorithmArg() { +return false; +} + +@Override +protected String getKeyStoreTypeDefault() { +return PKCS_12; +} + +@Override +protected CommandLine doParse(String[] args) throws CommandLineParseException { +CommandLine commandLine = super.doParse(args); +certificateDirectory =
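Review bot: the `-C`/`CERTIFICATE_DIRECTORY` help text says "The file to write the CA certificate to", but the option name, the default `"."` and the getter `getCertificateDirectory()` all describe a directory; fix the description so users do not pass a file path that is then treated as a directory. Two smaller points in the same hunk: `CERTIFICATE_DIRECTORY` lacks the `_ARG` suffix its sibling `SAME_KEY_AND_KEY_STORE_PASSWORD_ARG` carries, and `main` exits with `ExitCode.SUCCESS.ordinal()` on success while the failure path uses `e.getExitCode()`; exposing an explicit numeric code from `ExitCode` and using it in both places keeps the exit status stable if the enum is ever reordered, which matters once scripts branch on it.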
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404953#comment-15404953 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73253303 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java --- 
@@ -0,0 +1,188 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.standalone; + +import org.apache.commons.cli.CommandLine; +import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; +import org.apache.nifi.toolkit.tls.commandLine.ExitCode; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory; +import org.apache.nifi.toolkit.tls.util.PasswordUtil; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.apache.nifi.util.StringUtils; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.stream.Collectors; +import java.util.stream.IntStream; + +public class TlsToolkitStandaloneCommandLine extends BaseCommandLine { +public static final String OUTPUT_DIRECTORY_ARG = "outputDirectory"; +public static final String NIFI_PROPERTIES_FILE_ARG = "nifiPropertiesFile"; +public static final String KEY_STORE_PASSWORD_ARG = "keyStorePassword"; +public static final 
String TRUST_STORE_PASSWORD_ARG = "trustStorePassword"; +public static final String KEY_PASSWORD_ARG = "keyPassword"; +public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = "sameKeyAndKeyStorePassword"; +public static final String HOSTNAMES_ARG = "hostnames"; +public static final String HTTPS_PORT_ARG = "httpsPort"; + +public static final String DEFAULT_OUTPUT_DIRECTORY = new File(".").getAbsolutePath(); + +public static final String DESCRIPTION = "Creates certificates and config files for nifi cluster."; + +private final PasswordUtil passwordUtil; +private File baseDir; +private List hostnames; +private String httpsPort; +private NiFiPropertiesWriterFactory niFiPropertiesWriterFactory; +private List keyStorePasswords; +private List keyPasswords; +private List trustStorePasswords; + +public TlsToolkitStandaloneCommandLine() { +this(new PasswordUtil()); +} + +protected TlsToolkitStandaloneCommandLine(PasswordUtil passwordUtil) { +super(DESCRIPTION); +this.passwordUtil = passwordUtil; +addOptionWithArg("o", OUTPUT_DIRECTORY_ARG, "The directory to output keystores, truststore, config files.", DEFAULT_OUTPUT_DIRECTORY); +addOptionWithArg("n", HOSTNAMES_ARG, "Comma separated list of hostnames.", TlsConfig.DEFAULT_HOSTNAME); --- End diff -- If `-p` is set, the HTTPS port will be set, but the HTTPS hostname is not. It should be available from this list, so it should be populated. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and
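Review bot: `keyStorePassword`, `keyPassword` and `trustStorePassword` are declared as command-line argument names, and values passed that way are visible in process listings and shell history on shared hosts; since a `PasswordUtil` is already injected, make generated passwords the default path and say in the option help that explicitly supplied passwords are exposed this way. Also, `DEFAULT_OUTPUT_DIRECTORY` is built with `new File(".").getAbsolutePath()`, which yields a path ending in `/.`; `Paths.get(".").toAbsolutePath().normalize().toString()` gives a clean default for the help output.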
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404937#comment-15404937 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73251864 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java --- 
@@ -0,0 +1,101 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.standalone; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager; +import org.apache.nifi.toolkit.tls.manager.TlsClientManager; +import org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter; +import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.util.io.pem.PemWriter; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStreamWriter; +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.util.List; + +public class TlsToolkitStandalone { +public static final String NIFI_KEY = "nifi-key"; +public static 
final String NIFI_CERT = "nifi-cert"; +public static final String ROOT_CERT_PRIVATE_KEY = "rootCert.key"; +public static final String ROOT_CERT_CRT = "rootCert.crt"; +public static final String NIFI_PROPERTIES = "nifi.properties"; + +private final OutputStreamFactory outputStreamFactory; + +public TlsToolkitStandalone() { +this(FileOutputStream::new); +} + +public TlsToolkitStandalone(OutputStreamFactory outputStreamFactory) { +this.outputStreamFactory = outputStreamFactory; +} + +public void createNifiKeystoresAndTrustStores(File baseDir, TlsConfig tlsConfig, NiFiPropertiesWriterFactory niFiPropertiesWriterFactory, List hostnames, List keyStorePasswords, + List keyPasswords, List trustStorePasswords, String httpsPort) throws GeneralSecurityException, IOException { +String signingAlgorithm = tlsConfig.getSigningAlgorithm(); +int days = tlsConfig.getDays(); +String keyPairAlgorithm = tlsConfig.getKeyPairAlgorithm(); +int keySize = tlsConfig.getKeySize(); +TlsCertificateAuthorityManager tlsCertificateAuthorityManager = new TlsCertificateAuthorityManager(tlsConfig); +KeyStore.PrivateKeyEntry privateKeyEntry = tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority(); +X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificateChain()[0]; +KeyPair caKeyPair = new KeyPair(certificate.getPublicKey(), privateKeyEntry.getPrivateKey()); + +try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(new File(baseDir, ROOT_CERT_CRT) { +pemWriter.writeObject(new JcaMiscPEMGenerator(certificate)); +} + +try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(new File(baseDir, ROOT_CERT_PRIVATE_KEY) { +pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair)); +} + +for (int i = 0; i < hostnames.size(); i++) { +String hostname = hostnames.get(i); +File hostDir = new File(baseDir,
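Review bot: The CA private key is written to `rootCert.key` as unencrypted PEM through `JcaMiscPEMGenerator(caKeyPair)` over a plain `FileOutputStream`, so it lands on disk with whatever permissions the process umask allows. Either restrict the file to its owner before writing (`Files.createFile` with `PosixFilePermissions.fromString("rw-------")`, or `setReadable(false, false)` followed by `setReadable(true, true)` on the `File`) or pass a `PEMEncryptor` from `JcePEMEncryptorBuilder` to the generator, and check the per-host loop that follows for the same pattern. A Javadoc line on `createNifiKeystoresAndTrustStores` noting that `rootCert.key` is the long-lived signing key and should be moved off the node after setup would also help operators.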
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404380#comment-15404380 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73194331 --- Diff: nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy --- @@ -53,6 +54,21 @@ import java.security.SignatureException import java.security.cert.Certificate import java.security.cert.CertificateException import java.security.cert.X509Certificate +import java.util.concurrent.TimeUnit + +import static org.junit.Assert.assertEquals --- End diff -- maybe auto import fail? will fix > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404315#comment-15404315 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73189115 --- Diff: nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy --- @@ -53,6 +54,21 @@ import java.security.SignatureException import java.security.cert.Certificate import java.security.cert.CertificateException import java.security.cert.X509Certificate +import java.util.concurrent.TimeUnit + +import static org.junit.Assert.assertEquals --- End diff -- Is this a bug? Why are the same two static methods imported 5-8 times each?
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15402293#comment-15402293 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r73004076 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
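Review bot: `addBouncyCastleProvider()` calls `Security.addProvider` unconditionally; it is invoked from `TlsCertificateAuthorityClientCommandLine.main`, and a second registration is silently ignored, but guarding with `if (Security.getProvider(PROVIDER) == null)` makes the intent explicit and avoids surprises when a caller has already installed a differently configured provider instance. `PKCS12` duplicates `TlsCertificateAuthorityClientCommandLine.PKCS_12`; keep one constant. The constructors also store `days` without validating it, so a zero or negative value produces a certificate that is already expired when issued; reject it (or enforce a minimum) in the public constructor.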
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400907#comment-15400907 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/695 As far as Documentation goes, I believe standard practice is to create a separate Jira to update the guides.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400906#comment-15400906 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72896762 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400904#comment-15400904 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72896746 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java --- 
@@ -0,0 +1,144 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.IOUtils; +import org.apache.commons.io.input.BoundedInputStream; +import org.apache.http.HttpHost; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Response; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.function.Supplier; + +public class 
TlsCertificateSigningRequestPerformer { +public static final String RECEIVED_RESPONSE_CODE = "Received response code "; +public static final String EXPECTED_ONE_CERTIFICATE = "Expected one certificate"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = "Expected response to contain hmac"; +public static final String UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac received, possible man in the middle"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = "Expected response to contain certificate"; +private final Supplier httpClientBuilderSupplier; +private final String caHostname; +private final String dn; +private final String token; +private final int port; +private final TlsHelper tlsHelper; + +public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, String caHostname, String dn, String token, int port, TlsHelper tlsHelper) { +this.httpClientBuilderSupplier = httpClientBuilderSupplier; +this.caHostname = caHostname; +this.dn = dn; +this.token = token; +this.port = port; +this.tlsHelper = tlsHelper; +} + +public static String getDn(String hostname) { +return "CN=" + hostname + ",OU=NIFI"; +} + +/** + * Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds + * + * @param objectMapper for
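Review bot: `getDn(String hostname)` builds the subject by string concatenation (`"CN=" + hostname + ",OU=NIFI"`), so a hostname containing RFC 4514 special characters (`,`, `+`, `=`, `"`, `\`) yields a malformed or differently parsed DN; build it with BouncyCastle's `X500NameBuilder` (`addRDN(BCStyle.CN, hostname)`) so the value is escaped. The import of `TrustSelfSignedStrategy` means the TLS connection to the CA does not authenticate the server; the only assurance that the returned certificate came from the holder of the shared token is the HMAC comparison behind `UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE`, so the class Javadoc should state this trust model explicitly and note that the token needs enough entropy for it to hold. Importing `org.eclipse.jetty.server.Response` into a client class for status constants also couples the client to the Jetty server API; `HttpServletResponse.SC_OK` or `org.apache.http.HttpStatus` would do.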
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400897#comment-15400897 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72896574 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400467#comment-15400467 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882326 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityServiceHandler.java --- 
@@ -0,0 +1,97 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.input.BoundedReader; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Response; +import org.eclipse.jetty.server.handler.AbstractHandler; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.security.KeyPair; +import java.security.cert.X509Certificate; + +/** + * Jetty service handler that validates the hmac of a CSR and issues a certificate if it checks out + */ +public class TlsCertificateAuthorityServiceHandler extends AbstractHandler { +public static final String CSR_FIELD_MUST_BE_SET = "csr field must be set"; +public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must be set"; +public static final String FORBIDDEN = "forbidden"; +private final TlsHelper tlsHelper; +private final String token; +private final X509Certificate caCert; +private 
final KeyPair keyPair; +private final ObjectMapper objectMapper; + +public TlsCertificateAuthorityServiceHandler(TlsHelper tlsHelper, String token, X509Certificate caCert, KeyPair keyPair, ObjectMapper objectMapper) { +this.tlsHelper = tlsHelper; +this.token = token; +this.caCert = caCert; +this.keyPair = keyPair; +this.objectMapper = objectMapper; +} + +@Override +public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { +try { +TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = objectMapper.readValue(new BoundedReader(request.getReader(), 1024 * 1024), TlsCertificateAuthorityRequest.class); + +if (!tlsCertificateAuthorityRequest.hasCsr()) { +writeResponse(objectMapper, response, new TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET), Response.SC_BAD_REQUEST); +return; +} + +if (!tlsCertificateAuthorityRequest.hasHmac()) { --- End diff -- We need both a csr and hmac from the client in order to do the validation > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message
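Review bot: handle() parses the request body for every HTTP method and target, so a GET, or a POST to an unrelated path, still goes through objectMapper.readValue before the csr/hmac checks run. Add an early check such as `if (!"POST".equals(request.getMethod())) { response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); return; }` before reading the body, and consider checking `target` as well. Wrapping the reader in `new BoundedReader(request.getReader(), 1024 * 1024)` is a sound defence against oversized payloads; state the 1 MiB limit in the class Javadoc so operators know the request size is bounded and why a larger CSR would be rejected.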
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400466#comment-15400466 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882314 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java --- 
@@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.http.HttpHost; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.protocol.HttpContext; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.security.cert.X509Certificate; +import java.util.List; + +/** + * Socket Factory validates that it is talking to a RootCa claiming to have the given hostname. 
It adds the certificate + * to a list for later validation against the payload's hmac + */ +public class TlsCertificateAuthorityClientSocketFactory extends SSLConnectionSocketFactory { +private final String caHostname; +private final List certificates; + +public TlsCertificateAuthorityClientSocketFactory(SSLContext sslContext, String caHostname, List certificates) { --- End diff -- will do > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
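Review bot: the `certificates` list handed to the constructor is stored as a field and, per the Javadoc, appended to on each connection, so it is shared mutable state owned by the caller. The constructor Javadoc should say that the caller supplies the list, reads it only after the request completes, and uses a fresh or cleared list per request, otherwise a certificate captured on an earlier connection could be mistaken for the current peer's. Minor: "RootCa" in the Javadoc reads better as "root CA".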
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400465#comment-15400465 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882313 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java --- 
@@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.http.HttpHost; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.protocol.HttpContext; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.security.cert.X509Certificate; +import java.util.List; + +/** + * Socket Factory validates that it is talking to a RootCa claiming to have the given hostname. 
It adds the certificate + * to a list for later validation against the payload's hmac + */ +public class TlsCertificateAuthorityClientSocketFactory extends SSLConnectionSocketFactory { +private final String caHostname; +private final List certificates; + +public TlsCertificateAuthorityClientSocketFactory(SSLContext sslContext, String caHostname, List certificates) { +super(sslContext); +this.caHostname = caHostname; +this.certificates = certificates; +} + +@Override +public synchronized Socket connectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress, + InetSocketAddress localAddress, HttpContext context) throws IOException { +Socket result = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context); +if (!SSLSocket.class.isInstance(result)) { +throw new IOException("Expected tls socket"); +} +SSLSocket sslSocket = (SSLSocket) result; +java.security.cert.Certificate[] peerCertificateChain = sslSocket.getSession().getPeerCertificates(); +if (peerCertificateChain.length != 1) { +throw new IOException("Expected root ca cert"); +} +if (!X509Certificate.class.isInstance(peerCertificateChain[0])) { +throw new IOException("Expected root ca cert in X509 format"); +} +String cn; +try { +X509Certificate certificate = (X509Certificate) peerCertificateChain[0]; +cn = IETFUtils.valueToString(new JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue()); --- End diff -- I'm not really interested in the whole dn, only the cn to let the client check the CA at least claims to be the right one. 
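Review bot: `getRDNs(BCStyle.CN)[0]` throws ArrayIndexOutOfBoundsException when the peer certificate's subject carries no CN attribute, which escapes connectSocket as an unchecked exception instead of the IOException every other check in this method raises; test the array length first and `throw new IOException("Expected root ca cert with CN")` when it is empty. Also, `synchronized` on connectSocket serialises every connection made through this factory; if the only shared state is the `certificates` list, synchronising on that list around the add is narrower and keeps the TLS handshake itself concurrent.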
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400462#comment-15400462 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882248 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java --- 
@@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import java.math.BigInteger; +import java.security.SecureRandom; + +public class PasswordUtil { +private final SecureRandom secureRandom; + +public PasswordUtil(SecureRandom secureRandom) { --- End diff -- mostly for testing, added default no-arg constructor > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. 
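Review bot: the injected SecureRandom is the only entropy source this class will have, so the no-arg constructor mentioned in the reply should delegate to `this(new SecureRandom())` and nothing else; a class-level Javadoc line stating that the supplied instance must be a cryptographically secure generator, and that a fixed-seed instance is acceptable only in tests, would make that contract explicit for future callers.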
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400456#comment-15400456 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882165 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java --- 
@@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import java.math.BigInteger; +import java.security.SecureRandom; + +public class PasswordUtil { +private final SecureRandom secureRandom; + +public PasswordUtil(SecureRandom secureRandom) { +this.secureRandom = secureRandom; +} + +public String generatePassword() { +// [see http://stackoverflow.com/questions/41107/how-to-generate-a-random-alpha-numeric-string#answer-41156] +return new BigInteger(1024, secureRandom).toString(36); --- End diff -- reducing to 256 bits, base64 encoding the output and stripping the = or == off end > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. 
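Review bot: `new BigInteger(1024, secureRandom).toString(36)` yields passwords of varying length, because leading zero bits are dropped from the BigInteger and base-36 does not encode a whole number of bits per character. With the 256-bit/base64 change described in the reply, filling a fixed 32-byte array via `secureRandom.nextBytes(bytes)` and encoding it with `Base64.getEncoder().withoutPadding().encodeToString(bytes)` gives a constant 43-character output, avoids the BigInteger detour, and removes the need to strip `=` padding by hand. Note also that a password held in a String (or BigInteger) cannot be zeroed after use; if the keystore APIs downstream accept char[], returning char[] would allow callers to wipe it.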
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400454#comment-15400454 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882158 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java --- 
@@ -0,0 +1,144 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.IOUtils; +import org.apache.commons.io.input.BoundedInputStream; +import org.apache.http.HttpHost; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Response; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.function.Supplier; + +public class 
TlsCertificateSigningRequestPerformer { +public static final String RECEIVED_RESPONSE_CODE = "Received response code "; +public static final String EXPECTED_ONE_CERTIFICATE = "Expected one certificate"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = "Expected response to contain hmac"; +public static final String UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac received, possible man in the middle"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = "Expected response to contain certificate"; +private final Supplier httpClientBuilderSupplier; +private final String caHostname; +private final String dn; +private final String token; +private final int port; +private final TlsHelper tlsHelper; + +public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, String caHostname, String dn, String token, int port, TlsHelper tlsHelper) { +this.httpClientBuilderSupplier = httpClientBuilderSupplier; +this.caHostname = caHostname; +this.dn = dn; +this.token = token; +this.port = port; +this.tlsHelper = tlsHelper; +} + +public static String getDn(String hostname) { +return "CN=" + hostname + ",OU=NIFI"; +} + +/** + * Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds + * + * @param objectMapper for
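Review bot: getDn(String hostname) concatenates `"CN=" + hostname + ",OU=NIFI"` without escaping, so a hostname containing ',', '+', '=' or a leading '#' changes the structure of the resulting DN rather than being treated as part of the CN; build it with `new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, hostname).addRDN(BCStyle.OU, "NIFI").build().toString()` or validate that the value is a plain DNS name before use. The UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE message is a useful operator signal; the class Javadoc should explain that the hmac check described on the submit method is what binds the response to the intended CA, since that is the check that makes the TrustSelfSignedStrategy import acceptable on the client side.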
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400450#comment-15400450 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882113 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
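Review bot: the import list includes org.bouncycastle.cert.crmf.CRMFException and org.bouncycastle.eac.EACException, which belong to the CRMF and EAC packages rather than to anything a CSR/keystore helper would normally touch; verify they are actually thrown by code in the remainder of the file, and if they appear only in a throws clause, replace them with the specific exception that is raised so callers are not forced to handle unrelated checked exceptions. The public constants PROVIDER and PKCS12 and the four constructors also lack Javadoc; a line stating that PKCS12 is the store type used for the generated keystores and truststore would help readers of the CLI.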
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400448#comment-15400448 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882057 --- Diff: nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy --- 
@@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase { private static X509Certificate generateCertificate(String dn) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { KeyPair keyPair = generateKeyPair(); -return generateCertificate(dn, keyPair); -} - -/** - * Generates a signed certificate with a specific keypair. - * - * @param dn the DN - * @param keyPair the public key will be included in the certificate and the the private key is used to sign the certificate - * @return the certificate - * @throws IOException - * @throws NoSuchAlgorithmException - * @throws CertificateException - * @throws NoSuchProviderException - * @throws SignatureException - * @throws InvalidKeyException - * @throws OperatorCreationException - */ -private -static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { -PrivateKey privateKey = keyPair.getPrivate(); -ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey); -SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); -Date startDate = new Date(YESTERDAY); -Date endDate = new Date(ONE_YEAR_FROM_NOW); - -X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( -new X500Name(dn), -BigInteger.valueOf(System.currentTimeMillis()), -startDate, endDate, -new X500Name(dn), -subPubKeyInfo); - -// Set certificate extensions -// (1) digitalSignature extension -certBuilder.addExtension(X509Extension.keyUsage, true, -new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement)); - -// (2) extendedKeyUsage extension -Vector ekUsages = new Vector<>(); 
-ekUsages.add(KeyPurposeId.id_kp_clientAuth); -ekUsages.add(KeyPurposeId.id_kp_serverAuth); -certBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(ekUsages)); - -// Sign the certificate -X509CertificateHolder certificateHolder = certBuilder.build(sigGen); -return new JcaX509CertificateConverter().setProvider(PROVIDER) -.getCertificate(certificateHolder); +return CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365); --- End diff -- Upping default valid duration to 3 years > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
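Review bot: the removed generateCertificate(dn, keyPair) body added a critical keyUsage extension (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement) and a non-critical extendedKeyUsage of clientAuth and serverAuth, whereas the replacement `CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365)` takes no extension arguments; confirm that the utility sets the same extensions, otherwise any assertion in this test that depended on them now passes for a different reason or is silently lost. The literal 365 also sits oddly next to the reply about a 3-year default; pass a named constant (or the utility's default) so the test documents the intended validity period.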
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400446#comment-15400446 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882052 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClient.java --- 
@@ -0,0 +1,158 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.nifi.toolkit.tls.TlsToolkitMain; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.util.InputStreamFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.PasswordUtil; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.apache.nifi.util.StringUtils; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.io.Writer; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.security.cert.X509Certificate; + +/** + * Client that will generate a CSR and submit to a CA, writing out the results to a keystore and truststore along with a config file if successful + */ +public class TlsCertificateAuthorityClient { 
+private final File configFile; +private final TlsHelper tlsHelper; +private final PasswordUtil passwordUtil; +private final TlsClientConfig tlsClientConfig; +private final OutputStreamFactory outputStreamFactory; +private final ObjectMapper objectMapper; +private final TlsCertificateSigningRequestPerformer tlsCertificateSigningRequestPerformer; + +public TlsCertificateAuthorityClient(File configFile) throws IOException, NoSuchAlgorithmException { +this(configFile, FileInputStream::new, FileOutputStream::new); +} + +public TlsCertificateAuthorityClient(File configFile, InputStreamFactory inputStreamFactory, OutputStreamFactory outputStreamFactory) +throws IOException, NoSuchAlgorithmException { +this(configFile, outputStreamFactory, new ObjectMapper().readValue(inputStreamFactory.create(configFile), TlsClientConfig.class)); +} + +public TlsCertificateAuthorityClient(File configFile, OutputStreamFactory outputStreamFactory, TlsClientConfig tlsClientConfig) +throws NoSuchAlgorithmException { +this.configFile = configFile; +this.objectMapper = new ObjectMapper(); +this.tlsClientConfig = tlsClientConfig; +this.tlsHelper = tlsClientConfig.createTlsHelper(); +this.passwordUtil = new PasswordUtil(new SecureRandom()); +this.outputStreamFactory = outputStreamFactory; +this.tlsCertificateSigningRequestPerformer = tlsClientConfig.createCertificateSigningRequestPerformer(); +} + +public static void main(String[] args) throws Exception { +TlsHelper.addBouncyCastleProvider(); +if (args.length != 1 || StringUtils.isEmpty(args[0])) { +throw new Exception("Expected config file as only argument"); +} +TlsCertificateAuthorityClient tlsCertificateAuthorityClient = new TlsCertificateAuthorityClient(new File(args[0])); +if (tlsCertificateAuthorityClient.needsRun()) { + tlsCertificateAuthorityClient.generateCertificateAndGetItSigned(); +} +} + +public boolean needsRun() { +return !(new
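Review bot: the config file this client reads and later rewrites holds the CA token (see the `getToken()` accessor on `TlsClientConfig` used by `TlsCertificateSigningRequestPerformer`) and, per the class Javadoc, the keystore and truststore details, but `FileOutputStream::new` in the one-argument constructor creates that file with the process umask, so other local users may be able to read it; create the output with owner-only permissions (for example `Files.createFile` with `PosixFilePermissions` where the platform supports it) before handing it to the `OutputStreamFactory`. Separately, `main` reports a usage error with a bare `throw new Exception("Expected config file as only argument")`, which surfaces as a stack trace; printing a usage line and exiting non-zero is clearer for operators.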
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400445#comment-15400445 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882041 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java --- 
@@ -0,0 +1,144 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.IOUtils; +import org.apache.commons.io.input.BoundedInputStream; +import org.apache.http.HttpHost; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Response; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.function.Supplier; + +public class 
TlsCertificateSigningRequestPerformer { +public static final String RECEIVED_RESPONSE_CODE = "Received response code "; +public static final String EXPECTED_ONE_CERTIFICATE = "Expected one certificate"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = "Expected response to contain hmac"; +public static final String UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac received, possible man in the middle"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = "Expected response to contain certificate"; +private final Supplier httpClientBuilderSupplier; +private final String caHostname; +private final String dn; +private final String token; +private final int port; +private final TlsHelper tlsHelper; + +public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { --- End diff -- reducing visibility, it was for testing > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. 
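Review bot: with `TrustSelfSignedStrategy` wired into the `SSLContextBuilder`, the TLS connection to the CA will accept any self-signed certificate, so the only thing that authenticates the CA is the HMAC over the response checked against `token` (the `UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE` path); a class-level comment should state that trust model explicitly, and the HMAC comparison should use a constant-time equality such as `MessageDigest.isEqual` if it does not already. Reducing the `Supplier`-taking constructor to package-private, as agreed above, also keeps production callers from injecting an arbitrary `HttpClientBuilder` supplier.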
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400444#comment-15400444 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72882026 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityServiceHandler.java --- 
@@ -0,0 +1,97 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.input.BoundedReader; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Response; +import org.eclipse.jetty.server.handler.AbstractHandler; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.security.KeyPair; +import java.security.cert.X509Certificate; + +/** + * Jetty service handler that validates the hmac of a CSR and issues a certificate if it checks out + */ +public class TlsCertificateAuthorityServiceHandler extends AbstractHandler { +public static final String CSR_FIELD_MUST_BE_SET = "csr field must be set"; +public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must be set"; +public static final String FORBIDDEN = "forbidden"; +private final TlsHelper tlsHelper; +private final String token; +private final X509Certificate caCert; +private 
final KeyPair keyPair; +private final ObjectMapper objectMapper; + +public TlsCertificateAuthorityServiceHandler(TlsHelper tlsHelper, String token, X509Certificate caCert, KeyPair keyPair, ObjectMapper objectMapper) { +this.tlsHelper = tlsHelper; +this.token = token; +this.caCert = caCert; +this.keyPair = keyPair; +this.objectMapper = objectMapper; +} + +@Override +public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { +try { +TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = objectMapper.readValue(new BoundedReader(request.getReader(), 1024 * 1024), TlsCertificateAuthorityRequest.class); + +if (!tlsCertificateAuthorityRequest.hasCsr()) { +writeResponse(objectMapper, response, new TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET), Response.SC_BAD_REQUEST); +return; +} + +if (!tlsCertificateAuthorityRequest.hasHmac()) { +writeResponse(objectMapper, response, new TlsCertificateAuthorityResponse(HMAC_FIELD_MUST_BE_SET), Response.SC_BAD_REQUEST); +return; +} + +JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = tlsHelper.parseCsr(tlsCertificateAuthorityRequest.getCsr()); + +if (tlsHelper.checkHMac(tlsCertificateAuthorityRequest.getHmac(), token, jcaPKCS10CertificationRequest.getPublicKey())) { --- End diff -- Noted, removing > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration
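Review bot: `tlsHelper.checkHMac(...)` covers only the CSR's public key (`jcaPKCS10CertificationRequest.getPublicKey()`), so the subject DN in the CSR is not bound to the token at all: any holder of the shared token can obtain a certificate for any DN, including another node's CN. If that is acceptable for this deployment model, say so in the handler Javadoc; otherwise include the DN (or the entire encoded CSR) in the HMAC input, and at minimum log the DN of every certificate issued. Also, `tlsHelper.parseCsr` runs on unauthenticated input before the HMAC check; make sure a parse failure is mapped to `Response.SC_BAD_REQUEST` inside the `try` rather than propagating as a 500, since the 1 MiB `BoundedReader` limits size but not malformed content.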
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398707#comment-15398707 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72741316 --- Diff: nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy --- 
@@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase { private static X509Certificate generateCertificate(String dn) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { KeyPair keyPair = generateKeyPair(); -return generateCertificate(dn, keyPair); -} - -/** - * Generates a signed certificate with a specific keypair. - * - * @param dn the DN - * @param keyPair the public key will be included in the certificate and the the private key is used to sign the certificate - * @return the certificate - * @throws IOException - * @throws NoSuchAlgorithmException - * @throws CertificateException - * @throws NoSuchProviderException - * @throws SignatureException - * @throws InvalidKeyException - * @throws OperatorCreationException - */ -private -static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { -PrivateKey privateKey = keyPair.getPrivate(); -ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey); -SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); -Date startDate = new Date(YESTERDAY); -Date endDate = new Date(ONE_YEAR_FROM_NOW); - -X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( -new X500Name(dn), -BigInteger.valueOf(System.currentTimeMillis()), -startDate, endDate, -new X500Name(dn), -subPubKeyInfo); - -// Set certificate extensions -// (1) digitalSignature extension -certBuilder.addExtension(X509Extension.keyUsage, true, -new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement)); - -// (2) extendedKeyUsage extension -Vector ekUsages = new Vector<>(); 
-ekUsages.add(KeyPurposeId.id_kp_clientAuth); -ekUsages.add(KeyPurposeId.id_kp_serverAuth); -certBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(ekUsages)); - -// Sign the certificate -X509CertificateHolder certificateHolder = certBuilder.build(sigGen); -return new JcaX509CertificateConverter().setProvider(PROVIDER) -.getCertificate(certificateHolder); +return CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365); --- End diff -- @brosander and I discussed the need for certificate migration, especially for the CA, and handling the trust chain amongst the nodes. I think if this value (throughout the tool) is increased for now, the additional use cases and logic to handle key/cert rollover can be addressed in a `x.1.x` release. Not ideal, but it is not an easy problem to tackle so close to the current release deadline. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
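Review bot: the removed helper explicitly set a critical `keyUsage` (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement) and an `extendedKeyUsage` of clientAuth plus serverAuth, and started validity at `YESTERDAY` to tolerate clock skew; the replacement `CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365)` hides all of that, so add assertions in this test that the returned certificate still carries those extensions and a `notBefore` in the past. The literal `365` is also a magic number; a named constant would make the validity period this thread is discussing easy to find and change when the rollover work lands.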
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398704#comment-15398704 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72741196 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClient.java --- 
@@ -0,0 +1,158 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.nifi.toolkit.tls.TlsToolkitMain; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.configuration.TlsConfig; +import org.apache.nifi.toolkit.tls.util.InputStreamFactory; +import org.apache.nifi.toolkit.tls.util.OutputStreamFactory; +import org.apache.nifi.toolkit.tls.util.PasswordUtil; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.apache.nifi.util.StringUtils; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.io.Writer; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.security.cert.X509Certificate; + +/** + * Client that will generate a CSR and submit to a CA, writing out the results to a keystore and truststore along with a config file if successful + */ +public class TlsCertificateAuthorityClient { 
+private final File configFile; +private final TlsHelper tlsHelper; +private final PasswordUtil passwordUtil; +private final TlsClientConfig tlsClientConfig; +private final OutputStreamFactory outputStreamFactory; +private final ObjectMapper objectMapper; +private final TlsCertificateSigningRequestPerformer tlsCertificateSigningRequestPerformer; + +public TlsCertificateAuthorityClient(File configFile) throws IOException, NoSuchAlgorithmException { +this(configFile, FileInputStream::new, FileOutputStream::new); +} + +public TlsCertificateAuthorityClient(File configFile, InputStreamFactory inputStreamFactory, OutputStreamFactory outputStreamFactory) +throws IOException, NoSuchAlgorithmException { +this(configFile, outputStreamFactory, new ObjectMapper().readValue(inputStreamFactory.create(configFile), TlsClientConfig.class)); +} + +public TlsCertificateAuthorityClient(File configFile, OutputStreamFactory outputStreamFactory, TlsClientConfig tlsClientConfig) +throws NoSuchAlgorithmException { +this.configFile = configFile; +this.objectMapper = new ObjectMapper(); +this.tlsClientConfig = tlsClientConfig; +this.tlsHelper = tlsClientConfig.createTlsHelper(); +this.passwordUtil = new PasswordUtil(new SecureRandom()); +this.outputStreamFactory = outputStreamFactory; +this.tlsCertificateSigningRequestPerformer = tlsClientConfig.createCertificateSigningRequestPerformer(); +} + +public static void main(String[] args) throws Exception { +TlsHelper.addBouncyCastleProvider(); +if (args.length != 1 || StringUtils.isEmpty(args[0])) { +throw new Exception("Expected config file as only argument"); +} +TlsCertificateAuthorityClient tlsCertificateAuthorityClient = new TlsCertificateAuthorityClient(new File(args[0])); +if (tlsCertificateAuthorityClient.needsRun()) { + tlsCertificateAuthorityClient.generateCertificateAndGetItSigned(); +} +} + +public boolean needsRun() { +return !(new
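Review bot: `TlsHelper.addBouncyCastleProvider()` is invoked only from `main`, yet the two other public constructors call `tlsClientConfig.createTlsHelper()` and `createCertificateSigningRequestPerformer()`, which will need the provider for CSR and certificate work when the class is used programmatically or from tests; register the provider in a static initializer (or inside `TlsHelper` itself) so behaviour does not depend on the entry point. Also, `new ObjectMapper().readValue(inputStreamFactory.create(configFile), TlsClientConfig.class)` relies on Jackson's default AUTO_CLOSE_SOURCE to close the stream; a try-with-resources makes that explicit.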
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398703#comment-15398703 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72741115 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java --- 
@@ -0,0 +1,144 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.IOUtils; +import org.apache.commons.io.input.BoundedInputStream; +import org.apache.http.HttpHost; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Response; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.function.Supplier; + +public class 
TlsCertificateSigningRequestPerformer { +public static final String RECEIVED_RESPONSE_CODE = "Received response code "; +public static final String EXPECTED_ONE_CERTIFICATE = "Expected one certificate"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = "Expected response to contain hmac"; +public static final String UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac received, possible man in the middle"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = "Expected response to contain certificate"; +private final Supplier httpClientBuilderSupplier; +private final String caHostname; +private final String dn; +private final String token; +private final int port; +private final TlsHelper tlsHelper; + +public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, String caHostname, String dn, String token, int port, TlsHelper tlsHelper) { +this.httpClientBuilderSupplier = httpClientBuilderSupplier; +this.caHostname = caHostname; +this.dn = dn; +this.token = token; +this.port = port; +this.tlsHelper = tlsHelper; +} + +public static String getDn(String hostname) { +return "CN=" + hostname + ",OU=NIFI"; +} + +/** + * Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds + * + * @param objectMapper for
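Review bot: `getDn(String hostname)` builds the DN by string concatenation (`"CN=" + hostname + ",OU=NIFI"`), so a hostname containing `,`, `+`, `=`, `"` or a leading `#` yields either a malformed DN or one with extra RDNs injected. Hostnames come from configuration, but this DN is what the CA signs and what the socket factory later matches against `caHostname`, so either validate the hostname against the RFC 1123 character set before use or build the name with `X500NameBuilder` and `BCStyle.CN`, which handles escaping of special characters.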
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398695#comment-15398695 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72740653 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java --- 
@@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.http.HttpHost; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.protocol.HttpContext; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.security.cert.X509Certificate; +import java.util.List; + +/** + * Socket Factory validates that it is talking to a RootCa claiming to have the given hostname. 
It adds the certificate + * to a list for later validation against the payload's hmac + */ +public class TlsCertificateAuthorityClientSocketFactory extends SSLConnectionSocketFactory { +private final String caHostname; +private final List certificates; + +public TlsCertificateAuthorityClientSocketFactory(SSLContext sslContext, String caHostname, List certificates) { --- End diff -- Because we are only using this for direct communication between NiFi nodes and NiFi CAs, we don't have to worry about legacy compatibility, so we can restrict the TLS protocol version to `TLSv1.2` to enforce a strong protocol with strong and fast cipher suites. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
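Review bot: the constructor calls `super(sslContext)` only, so the TLSv1.2-only restriction proposed in this comment has nowhere to live; the four-argument `SSLConnectionSocketFactory(SSLContext, String[] supportedProtocols, String[] supportedCipherSuites, HostnameVerifier)` constructor takes it, e.g. `super(sslContext, new String[]{"TLSv1.2"}, null, hostnameVerifier)`. Whatever `HostnameVerifier` is passed there should not be a no-op, because the CN comparison done later in `connectSocket` looks at the subject CN only and ignores subjectAltName.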
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398692#comment-15398692 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72740552 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java --- 
@@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import org.apache.http.HttpHost; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.protocol.HttpContext; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.security.cert.X509Certificate; +import java.util.List; + +/** + * Socket Factory validates that it is talking to a RootCa claiming to have the given hostname. 
It adds the certificate + * to a list for later validation against the payload's hmac + */ +public class TlsCertificateAuthorityClientSocketFactory extends SSLConnectionSocketFactory { +private final String caHostname; +private final List certificates; + +public TlsCertificateAuthorityClientSocketFactory(SSLContext sslContext, String caHostname, List certificates) { +super(sslContext); +this.caHostname = caHostname; +this.certificates = certificates; +} + +@Override +public synchronized Socket connectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress, + InetSocketAddress localAddress, HttpContext context) throws IOException { +Socket result = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context); +if (!SSLSocket.class.isInstance(result)) { +throw new IOException("Expected tls socket"); +} +SSLSocket sslSocket = (SSLSocket) result; +java.security.cert.Certificate[] peerCertificateChain = sslSocket.getSession().getPeerCertificates(); +if (peerCertificateChain.length != 1) { +throw new IOException("Expected root ca cert"); +} +if (!X509Certificate.class.isInstance(peerCertificateChain[0])) { +throw new IOException("Expected root ca cert in X509 format"); +} +String cn; +try { +X509Certificate certificate = (X509Certificate) peerCertificateChain[0]; +cn = IETFUtils.valueToString(new JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue()); --- End diff -- I'd recommend looking at `CertificateUtils.extractPeerDNFromSSLSocket()` for this operation as it handles a bit more validation. 
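Review bot: once `super.connectSocket(...)` has returned a connected socket, every failure path in `connectSocket` throws without closing `result` (`Expected tls socket`, `Expected root ca cert`, `Expected root ca cert in X509 format`), leaking the connection; close the socket on failure before rethrowing. `getRDNs(BCStyle.CN)[0]` also throws `ArrayIndexOutOfBoundsException` rather than a descriptive error when the peer certificate has no CN, which is one more reason to use `CertificateUtils.extractPeerDNFromSSLSocket()` as suggested. Finally, the `peerCertificateChain.length != 1` check means the CA must present only its self-signed root and never an intermediate; document that constraint on the server side so a later chain change does not silently break every client.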
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398458#comment-15398458 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72723924 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java --- 
@@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import java.math.BigInteger; +import java.security.SecureRandom; + +public class PasswordUtil { +private final SecureRandom secureRandom; + +public PasswordUtil(SecureRandom secureRandom) { --- End diff -- Is the `SecureRandom` initialized externally for a reason? Is this just to make testing easier? > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. 
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398456#comment-15398456 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72723879 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java --- 
@@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import java.math.BigInteger; +import java.security.SecureRandom; + +public class PasswordUtil { +private final SecureRandom secureRandom; + +public PasswordUtil(SecureRandom secureRandom) { +this.secureRandom = secureRandom; +} + +public String generatePassword() { +// [see http://stackoverflow.com/questions/41107/how-to-generate-a-random-alpha-numeric-string#answer-41156] +return new BigInteger(1024, secureRandom).toString(36); --- End diff -- I appreciate the *strong* entropy here, but 1024 bits in base 36 198 characters. Something that provides more than 128 bits is sufficient here; 256 will be more than enough for a number of years. I might have commented off-hand about the base earlier, but base 32 makes sense because it uses a "round" number of bits ( `2^5 = 32` ) to fully express its alphabet, while base 36 (`0-9a-f`) needs 6 ( `2^6 = 64` ) but wastes a number of those bits. 
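Review bot: `new BigInteger(1024, secureRandom).toString(36)` yields a variable-length string, because leading zero bits of the random value disappear in the radix conversion, so callers cannot rely on a fixed password length, and 1024 bits is far more than a keystore password needs. Drawing a fixed number of bytes with `secureRandom.nextBytes` and encoding them with a power-of-two alphabet (base 32 or hex) gives a constant length and a simple entropy accounting; 32 bytes is plenty. The stackoverflow link as the only documentation of the choice is also thin; a one-line comment stating the intended entropy would help the next reader.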
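The bits-per-character argument in the comment above, as an added example that is not code from the NiFi PR: it runs the reviewed `new BigInteger(1024, secureRandom).toString(36)` beside a fixed-length base-32 encoding of 256 bits from `SecureRandom`, so the entropy each alphabet carries per character and the variable length of the base-36 form can be seen directly (class and method names are the example's own).

```java
import java.math.BigInteger;
import java.security.SecureRandom;

/**
 * Added example, not part of the NiFi toolkit: contrasts the password encoding
 * under review (random BigInteger rendered in base 36) with a fixed-length
 * base-32 encoding, and reports how many bits each character carries.
 */
public class PasswordEncodingDemo {

    // RFC 4648 base-32 alphabet: 32 symbols, so every character carries exactly 5 bits.
    private static final String BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** The approach in the PR: a uniformly random value of `bits` bits, rendered in base 36. */
    static String base36Password(SecureRandom rnd, int bits) {
        // Leading zero bits vanish in the conversion, so the length varies between calls:
        // for 1024 bits the result is 197 to 199 characters, usually 198.
        return new BigInteger(bits, rnd).toString(36);
    }

    /** Fixed-length alternative: `bits` random bits (a multiple of 8) encoded in base 32. */
    static String base32Password(SecureRandom rnd, int bits) {
        byte[] raw = new byte[bits / 8];
        rnd.nextBytes(raw);
        return base32(raw);
    }

    /** Unpadded base-32 encoding; every 5 input bits map to exactly one output character. */
    static String base32(byte[] data) {
        StringBuilder out = new StringBuilder((data.length * 8 + 4) / 5);
        int buffer = 0;        // low `bitsInBuffer` bits hold input not yet emitted
        int bitsInBuffer = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bitsInBuffer += 8;
            while (bitsInBuffer >= 5) {
                bitsInBuffer -= 5;
                out.append(BASE32.charAt((buffer >> bitsInBuffer) & 0x1f));
            }
        }
        if (bitsInBuffer > 0) {
            // Flush the remaining bits, left-aligned into a final symbol as RFC 4648 does.
            out.append(BASE32.charAt((buffer << (5 - bitsInBuffer)) & 0x1f));
        }
        return out.toString();
    }

    /** Bits of entropy one character of a radix-N alphabet can carry: log2(N). */
    static double bitsPerChar(int radix) {
        return Math.log(radix) / Math.log(2);
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();

        String b36 = base36Password(rnd, 1024);
        String b32 = base32Password(rnd, 256);

        // base 36 carries ~5.17 bits per character, so 1024 bits need ~198 of them;
        // base 32 carries exactly 5, so 256 bits always produce 52 characters (51.2 rounded up).
        System.out.printf("base 36: %.2f bits/char, 1024 bits -> %d chars (length varies per run)%n",
                bitsPerChar(36), b36.length());
        System.out.printf("base 32: %.2f bits/char, 256 bits -> %d chars (always)%n",
                bitsPerChar(32), b32.length());
        System.out.println("base-32 sample: " + b32);
    }
}
```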
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398344#comment-15398344 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72715741 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java --- 
@@ -0,0 +1,144 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.IOUtils; +import org.apache.commons.io.input.BoundedInputStream; +import org.apache.http.HttpHost; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Response; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.function.Supplier; + +public class 
TlsCertificateSigningRequestPerformer { +public static final String RECEIVED_RESPONSE_CODE = "Received response code "; +public static final String EXPECTED_ONE_CERTIFICATE = "Expected one certificate"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = "Expected response to contain hmac"; +public static final String UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac received, possible man in the middle"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = "Expected response to contain certificate"; +private final Supplier httpClientBuilderSupplier; +private final String caHostname; +private final String dn; +private final String token; +private final int port; +private final TlsHelper tlsHelper; + +public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, String caHostname, String dn, String token, int port, TlsHelper tlsHelper) { +this.httpClientBuilderSupplier = httpClientBuilderSupplier; +this.caHostname = caHostname; +this.dn = dn; +this.token = token; +this.port = port; +this.tlsHelper = tlsHelper; +} + +public static String getDn(String hostname) { +return "CN=" + hostname + ",OU=NIFI"; +} + +/** + * Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds + * + * @param objectMapper for
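Review bot: `getDn` builds the subject as `"CN=" + hostname + ",OU=NIFI"` with no escaping, so a hostname containing an RFC 4514 special character (`,`, `+`, `=`, `"`, `\`, `<`, `>`, `;`) changes the DN structure instead of landing inside the CN. Build the name with BouncyCastle's `X500NameBuilder`, or validate that the hostname matches a DNS-label pattern before concatenating it.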
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398333#comment-15398333 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72715250 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
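Review bot: `PROVIDER` is `BouncyCastleProvider.PROVIDER_NAME`, but nothing in the constructors calls `addBouncyCastleProvider()`, so a caller that forgets to register the provider first gets a `NoSuchProviderException` on the first `getInstance(..., PROVIDER)` lookup. A static initializer in `TlsHelper` that registers the provider, or a `Security.getProvider(PROVIDER) == null` guard before use, removes the ordering dependency and makes the helper safe to construct from any entry point.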
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398319#comment-15398319 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72714290 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java --- 
@@ -0,0 +1,144 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.service; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.commons.io.IOUtils; +import org.apache.commons.io.input.BoundedInputStream; +import org.apache.http.HttpHost; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; +import org.apache.nifi.toolkit.tls.util.TlsHelper; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.eclipse.jetty.server.Response; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.function.Supplier; + +public class 
TlsCertificateSigningRequestPerformer { +public static final String RECEIVED_RESPONSE_CODE = "Received response code "; +public static final String EXPECTED_ONE_CERTIFICATE = "Expected one certificate"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = "Expected response to contain hmac"; +public static final String UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac received, possible man in the middle"; +public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = "Expected response to contain certificate"; +private final Supplier httpClientBuilderSupplier; +private final String caHostname; +private final String dn; +private final String token; +private final int port; +private final TlsHelper tlsHelper; + +public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { +this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.createTlsHelper()); +} + +public TlsCertificateSigningRequestPerformer(Supplier httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException { --- End diff -- I don't see any external invocations of the two constructors that pass the `Supplier` argument. I'm all for dependency injection, but is this something that needs to be provided externally? > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. 
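Review bot: the `EXPECTED_ONE_CERTIFICATE` constant shows the client accepts only a single certificate in the CA response, and the `TrustSelfSignedStrategy` import shows the CA server's TLS certificate is accepted purely for being self-signed, so the shared `token` HMAC is the only thing authenticating the CA to the client. Both constraints are reasonable for this toolkit but should be stated in the class Javadoc, together with a note on the `token` field that its entropy, not the TLS handshake, is what stops a man in the middle.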
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398305#comment-15398305 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 Had a discussion with @brosander and I believe he is re-organizing the structure of the classes. I will continue adding comments on this iteration but I expect a new push is coming soon.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15397766#comment-15397766 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72655092 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
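Review bot: the `TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm)` constructor passes `keySize` straight to `createKeyPairGenerator` and stores `days` unchecked, so a zero or negative validity period, or an RSA key below 2048 bits, is accepted silently. Validate both up front (`days > 0` and a per-algorithm minimum key size) and fail with a clear message rather than producing a weak key or a certificate with a nonsensical validity window.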
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396758#comment-15396758 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/695 @alopresto I agree with your concerns about the different entry points, I'll try to unify them and get down to a single shell script with the main method and argument parsing determining the action.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396754#comment-15396754 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72551782 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396726#comment-15396726 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72548970 --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java --- 
@@ -0,0 +1,177 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.nifi.toolkit.tls.util; + +import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine; +import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.crmf.CRMFException; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.eac.EACException; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.bouncycastle.util.io.pem.PemWriter; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import 
javax.security.auth.x500.X500Principal; +import java.io.IOException; +import java.io.StringReader; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; + +public class TlsHelper { +public static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME; +public static final String PKCS12 = "PKCS12"; +private final KeyPairGenerator keyPairGenerator; +private final int days; +private final String signingAlgorithm; + +public TlsHelper(TlsHelperConfig tlsHelperConfig) throws NoSuchAlgorithmException { +this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm()); +} + +public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws NoSuchAlgorithmException { +this(tlsToolkitCommandLine.getTlsHelperConfig()); +} + +public TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm) throws NoSuchAlgorithmException { +this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, signingAlgorithm); +} + +protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm) { +this.keyPairGenerator = keyPairGenerator; +this.days = days; +this.signingAlgorithm = signingAlgorithm; +} + +public static void addBouncyCastleProvider() { +Security.addProvider(new BouncyCastleProvider()); +} 
+ +private static KeyPairGenerator
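Review bot: the protected constructor `TlsHelper(KeyPairGenerator keyPairGenerator, int days, String signingAlgorithm)` stores `days` and `signingAlgorithm` without any validation, so a zero or negative validity period or a blank signing algorithm coming from `TlsHelperConfig` or the command line is only discovered later, when a certificate is actually signed; suggest failing fast here, e.g. `if (days <= 0) throw new IllegalArgumentException("days must be positive");` and the same for a null/blank `signingAlgorithm`. Separately, `addBouncyCastleProvider()` calls `Security.addProvider(new BouncyCastleProvider())` on every invocation; that is harmless because the JCA ignores a provider that is already installed, but a one-line Javadoc saying the call is idempotent would save callers from wrapping it in their own guard.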
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396558#comment-15396558 ] ASF GitHub Bot commented on NIFI-2193: -- Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/695 I am reviewing, focusing on the cryptographic code in here as well as the token signing for communication between the nodes and CA over an untrusted channel. @brosander can you please provide some documentation/admin guide? The only thing I have seen so far is the usage in the NiFiToolkitTLS class. > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396057#comment-15396057 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72488748 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang +The following NOTICE information applies: + Apache Commons Lang + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Logging --- End diff -- Right, it contains all the license and notice information for all the direct dependencies that make their way into the distribution. It is on those dependencies to make sure their license and notice files accurately reflect the dependencies they bundle and it is on us to properly reflect those license and notice files in our own files. This way we don't have to drill all the way down into all transitive deps of all the direct deps we import, we just have to reflect the license and notice information of the direct deps.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396056#comment-15396056 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72488752 --- Diff: nifi-assembly/pom.xml --- @@ -363,147 +363,6 @@ language governing permissions and limitations under the License. --> - --- End diff -- @JPercivall still seeing a resolved nifi.properties in the nifi-assembly output
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396047#comment-15396047 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72487873 --- Diff: nifi-assembly/pom.xml --- @@ -363,147 +363,6 @@ language governing permissions and limitations under the License. --> - --- End diff -- Yup, I did mean the toolkit assembly, sorry for the confusion. Ah, that is cool, sounds good.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396036#comment-15396036 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72485755 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang +The following NOTICE information applies: + Apache Commons Lang + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Logging --- End diff -- @JPercivall I would think the LICENSE and NOTICE files for an assembly should contain needed info for any/all artifacts that make their way into the distribution. If that's not the case, I can remove.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396033#comment-15396033 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72485517 --- Diff: nifi-assembly/pom.xml --- @@ -363,147 +363,6 @@ language governing permissions and limitations under the License. --> - --- End diff -- @JPercivall rebuilding from top now, I did check and am pretty sure that nifi.properties still winds up in nifi-assembly. If you meant that it's not in the toolkit assembly, that's correct, it is built into the ssl toolkit jar. The ssl toolkit is capable of generating a nifi.properties updated with the correct ssl values. If the user does not specify a base file to use, it uses the embedded one.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395986#comment-15395986 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72478817 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang +The following NOTICE information applies: + Apache Commons Lang + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Logging --- End diff -- It's my understanding that you don't need to put LICENSE and NOTICE information for transitive dependencies (except for deps we created in this project like nifi-security-utils). I believe what is needed is to look at the deps you have and just see what license they have. For strong licenses, like ASLv2 http components uses, you only need to add any NOTICE information that the dep lists. You already have the NOTICE information for httpcomponents so you don't need to pass any other transitive licensing/notice.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395979#comment-15395979 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72478228 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. + + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang --- End diff -- Ah ok, good call. 
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395927#comment-15395927 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/695 @JPercivall I think I've addressed your assembly and license concerns, please let me know if you're satisfied with the answers/changes.
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395914#comment-15395914 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72470842 --- Diff: nifi-toolkit/nifi-toolkit-assembly/pom.xml --- 
@@ -0,0 +1,89 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd;> +4.0.0 + +org.apache.nifi +nifi-toolkit +1.0.0-SNAPSHOT + +nifi-toolkit-assembly +pom +This is the assembly Apache NiFi Toolkit + + + +org.apache.rat +apache-rat-plugin + + + src/main/resources/conf/config-client.json + src/main/resources/conf/config-server.json + + + + +maven-assembly-plugin + +nifi-toolkit-${project.version} + + + +make shared resource + +single + +package + + + 0755 +0755 +0644 + + + src/main/assembly/dependencies.xml + +posix + + + + + + + + +org.apache.nifi +nifi-toolkit-tls + + +org.slf4j +slf4j-api +compile +1.7.12 + + +org.eclipse.jetty +jetty-server +compile + + +javax.servlet +javax.servlet-api +compile + + +commons-io +commons-io --- End diff -- If I remove it, the assembly doesn't honor the 2.5 version from nifi-toolkit-tls, instead pulling in version 2.4. I'm mainly using it for its BoundedReader functionality (to prevent a malicious client from sending an arbitrarily large payload) which isn't available until 2.5.
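Review bot: the `commons-io` dependency at the end of the hunk is declared with only groupId and artifactId, so the version the assembly actually packages is whatever the parent pom's dependency management happens to supply, and nothing in this pom records that 2.5 is required; the author's own comment on this hunk says the assembly needs 2.5 for `BoundedReader`, the guard against a client sending an arbitrarily large payload, and that dropping the entry already pulls 2.4. Suggest pinning the version here (or managing 2.5 in the `nifi-toolkit` parent) with a short XML comment naming the reason, so a later change to the managed version cannot silently remove that size limit from the CA server. The same consideration applies to `slf4j-api`, whose `1.7.12` is hard-coded in this assembly pom rather than inherited.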
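An added example, not code from the PR or the NiFi code base, of the bounded read the comment above relies on: it wraps the request body in commons-io 2.5's `BoundedReader`, reading one character past the cap so that an oversize payload is rejected outright rather than silently truncated. The class name, the 64 KiB cap and the sample inputs are assumptions.

```java
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.input.BoundedReader;

import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/** Hypothetical helper; not part of nifi-toolkit-tls. */
public final class BoundedPayloadReader {

    /** Assumed cap on a CA request body; a CSR in JSON is far smaller than this. */
    public static final int MAX_PAYLOAD_CHARS = 64 * 1024;

    private BoundedPayloadReader() {
    }

    /**
     * Reads at most maxChars from in. BoundedReader by itself just returns EOF once
     * the limit is hit, which would hand a truncated (and probably unparseable) body to
     * the caller; reading one character past the limit lets us detect the oversize
     * case explicitly and fail closed with a clear error.
     */
    public static String readBounded(Reader in, int maxChars) throws IOException {
        if (maxChars <= 0) {
            throw new IllegalArgumentException("maxChars must be positive");
        }
        try (BoundedReader bounded = new BoundedReader(in, maxChars + 1)) {
            String body = IOUtils.toString(bounded);
            if (body.length() > maxChars) {
                // Do not echo the body back; its size is the only thing worth logging.
                throw new IOException("request payload exceeds " + maxChars + " characters");
            }
            return body;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a small JSON body of the kind a CA client might send.
        String small = "{\"hmac\":\"...\",\"csr\":\"...\"}";
        System.out.println("accepted " + readBounded(new StringReader(small), 1024).length() + " chars");

        // Constructed sample: a body larger than the cap, as an abusive client might send.
        StringBuilder big = new StringBuilder();
        for (int i = 0; i < 4096; i++) {
            big.append('A');
        }
        try {
            readBounded(new StringReader(big.toString()), 1024);
            System.out.println("unexpectedly accepted oversize payload");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```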
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395905#comment-15395905 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72469932 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang +The following NOTICE information applies: + Apache Commons Lang + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Logging +The following NOTICE information applies: + Apache Commons Logging + Copyright 2003-2014 The Apache Software Foundation + + (ASLv2) Apache HttpComponents +The following NOTICE information applies: + Apache HttpClient + Copyright 1999-2015 The Apache Software Foundation + + Apache HttpCore + Copyright 2005-2015 The Apache Software Foundation + + This project contains annotations derived from JCIP-ANNOTATIONS + Copyright (c) 2005 Brian Goetz and Tim Peierls. See http://www.jcip.net + + (ASLv2) Jackson JSON processor +The following NOTICE information applies: + # Jackson JSON processor + + Jackson is a high-performance, Free/Open Source JSON processing library. + It was originally written by Tatu Saloranta (tatu.salora...@iki.fi), and has + been in development since 2007. + It is currently developed by a community of developers, as well as supported + commercially by FasterXML.com. + + ## Licensing + + Jackson core and extension components may licensed under different licenses. + To find the details that apply to this artifact see the accompanying LICENSE file. + For more information, including possible other licensing options, contact + FasterXML.com (http://fasterxml.com). + + ## Credits + + A list of contributors may be found from CREDITS file, which is included + in some artifacts (usually source distributions); but is always available + from the source code management (SCM) system project uses. + + (ASLv2) Jetty +The following NOTICE information applies: + Jetty Web Container + Copyright 1995-2015 Mort Bay Consulting Pty Ltd. 
+ + (ASLv2) Apache log4j +The following NOTICE information applies: + Apache log4j + Copyright 2007 The Apache Software Foundation + +=== +MIT License +=== +
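Review bot: under the `(ASLv2) Apache Commons CLI` entry near the top of this hunk, the notice text that follows reads `Apache Commons IO` / `Copyright 2001-2015 The Apache Software Foundation`, which is the Commons IO notice pasted under the Commons CLI heading; the product line there should name Apache Commons CLI, with the years taken from the Commons CLI NOTICE that ships with the artifact. The separate `(ASLv2) Apache Commons IO` entry further down already carries the Commons IO notice, so only the mislabelled line needs changing.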
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395900#comment-15395900 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72469101 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang +The following NOTICE information applies: + Apache Commons Lang + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Logging --- End diff -- Transitive from org.apache.httpcomponents:httpclient:jar:4.5.2:compile > Command Line Keystore and Truststore utility > > > Key: NIFI-2193 > URL: https://issues.apache.org/jira/browse/NIFI-2193 > Project: Apache NiFi > Issue Type: New Feature >Reporter: Bryan Rosander >Assignee: Bryan Rosander > > In order to facilitate secure setup of NiFi, it would be useful to have a > command line utility capable of generating the required keystores, > truststore, and relevant configuration files. > It should be able to generate keystores for each NiFi node, a truststore that > they all use, and relevant passwords and configuration files for using the > keystores and truststore. > Additionally, in order to support distributed deployment, a web based > certificate authority with corresponding client will allow for each NiFi > instance to generate its own keypair and then request signing by the CA. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
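Review bot: the entry headed "(ASLv2) Apache Commons CLI" carries the wrong body: the lines under it read "Apache Commons IO / Copyright 2001-2015 The Apache Software Foundation", while Commons IO gets its own entry further down with a different range ("Copyright 2002-2012"). Put the text from the commons-cli artifact's own NOTICE under the CLI heading, and make the single Commons IO entry match the copyright range of the version that actually ships (the nifi-toolkit-tls pom pins commons-io 2.5).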
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395895#comment-15395895 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72468924 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang --- End diff -- Transitive from org.apache.nifi:nifi-security-utils:jar:1.0.0-SNAPSHOT:compile
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395893#comment-15395893 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72468676 --- Diff: nifi-toolkit/nifi-toolkit-assembly/pom.xml --- 
@@ -0,0 +1,89 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd;> +4.0.0 + +org.apache.nifi +nifi-toolkit +1.0.0-SNAPSHOT + +nifi-toolkit-assembly +pom +This is the assembly Apache NiFi Toolkit + + + +org.apache.rat +apache-rat-plugin + + + src/main/resources/conf/config-client.json + src/main/resources/conf/config-server.json + + + + +maven-assembly-plugin + +nifi-toolkit-${project.version} + + + +make shared resource + +single + +package + + + 0755 +0755 +0644 + + + src/main/assembly/dependencies.xml + +posix + + + + + + + + +org.apache.nifi +nifi-toolkit-tls + + +org.slf4j +slf4j-api +compile +1.7.12 + + +org.eclipse.jetty +jetty-server +compile + + +javax.servlet +javax.servlet-api +compile + + +commons-io +commons-io --- End diff -- It was being marked provided before, I can dig in more
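Review bot: slf4j-api is pinned to 1.7.12 with an explicit compile scope in this dependency list, while the nifi-toolkit-tls pom declares slf4j-api with no version and slf4j-log4j12 at 1.7.12; the assembly module should not be the place that decides the SLF4J version. Manage slf4j-api (and the binding) in the parent's dependencyManagement and drop the version here. Since jetty-server, javax.servlet-api and commons-io already arrive through nifi-toolkit-tls, each re-declaration with its own compile scope needs a comment saying why it is repeated (a scope override or otherwise), or should go.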
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395891#comment-15395891 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72468172 --- Diff: nifi-toolkit/nifi-toolkit-tls/pom.xml --- 
@@ -0,0 +1,115 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd;> +4.0.0 + +org.apache.nifi +nifi-toolkit +1.0.0-SNAPSHOT + +nifi-toolkit-tls +Tooling to make tls configuration easier + + +org.apache.nifi +nifi-properties + + +org.apache.nifi +nifi-security-utils + + +org.slf4j +slf4j-api + + +org.slf4j +slf4j-log4j12 +1.7.12 + + +org.bouncycastle +bcpkix-jdk15on + + +org.bouncycastle +bcprov-jdk15on + + +commons-cli +commons-cli +1.3.1 + + +commons-io +commons-io +2.5 + + +org.eclipse.jetty +jetty-server + + +com.fasterxml.jackson.core +jackson-databind + + +org.apache.httpcomponents +httpclient +4.5.2 + + + + + +org.apache.maven.plugins +maven-dependency-plugin + + +unpack +process-resources + +unpack + + + + +org.apache.nifi +nifi-resources +zip +resources +true + ${project.build.directory}/classes +**/nifi.properties + + + + + --- End diff -- @JPercivall It pulls in the nifi.properties from the nifi-resources project so that we have a reasonable default template embedded in the jar.
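Review bot: slf4j-log4j12 1.7.12 at the default compile scope is a logging binding, and it pulls log4j in transitively for every consumer of this library module, which is what lands log4j in the toolkit NOTICE; keep the module on slf4j-api and move the binding to the assembly (or to runtime scope). The inline versions for commons-cli (1.3.1), commons-io (2.5) and httpclient (4.5.2) bypass the parent's dependencyManagement and should be managed there, and the maven-dependency-plugin unpack of **/nifi.properties from nifi-resources into ${project.build.directory}/classes wants a one-line comment in the pom stating that it embeds the default properties template, since that purpose was not obvious to a reviewer on this thread.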
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395861#comment-15395861 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72464516 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. 
+ + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang +The following NOTICE information applies: + Apache Commons Lang + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Logging +The following NOTICE information applies: + Apache Commons Logging + Copyright 2003-2014 The Apache Software Foundation + + (ASLv2) Apache HttpComponents +The following NOTICE information applies: + Apache HttpClient + Copyright 1999-2015 The Apache Software Foundation + + Apache HttpCore + Copyright 2005-2015 The Apache Software Foundation + + This project contains annotations derived from JCIP-ANNOTATIONS + Copyright (c) 2005 Brian Goetz and Tim Peierls. See http://www.jcip.net + + (ASLv2) Jackson JSON processor +The following NOTICE information applies: + # Jackson JSON processor + + Jackson is a high-performance, Free/Open Source JSON processing library. + It was originally written by Tatu Saloranta (tatu.salora...@iki.fi), and has + been in development since 2007. + It is currently developed by a community of developers, as well as supported + commercially by FasterXML.com. + + ## Licensing + + Jackson core and extension components may licensed under different licenses. + To find the details that apply to this artifact see the accompanying LICENSE file. + For more information, including possible other licensing options, contact + FasterXML.com (http://fasterxml.com). + + ## Credits + + A list of contributors may be found from CREDITS file, which is included + in some artifacts (usually source distributions); but is always available + from the source code management (SCM) system project uses. + + (ASLv2) Jetty +The following NOTICE information applies: + Jetty Web Container + Copyright 1995-2015 Mort Bay Consulting Pty Ltd. + + (ASLv2) Apache log4j --- End diff -- I don't see log4j used but I do SLF4J deps in the nifi-toolkit-tls pom. 
I think the SLF4J license should be added: http://www.slf4j.org/license.html
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395845#comment-15395845 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72462023 --- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE --- 
@@ -0,0 +1,112 @@ +Apache NiFi Toolkit +Copyright 2014-2016 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). + +=== +Apache Software License v2 +=== + +The following binary components are provided under the Apache Software License v2 + + (ASLv2) Apache NiFi +The following NOTICE information applies: + Apache NiFi + Copyright 2014-2016 The Apache Software Foundation + + This product includes software developed at + The Apache Software Foundation (http://www.apache.org/). + + This product includes the following work from the Apache Hadoop project: + + BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java + + (ASLv2) Apache Commons CLI +The following NOTICE information applies: + Apache Commons IO + Copyright 2001-2015 The Apache Software Foundation + + (ASLv2) Apache Commons Codec +The following NOTICE information applies: + Apache Commons Codec + Copyright 2002-2014 The Apache Software Foundation + + src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java + contains test data from http://aspell.net/test/orig/batch0.tab. + Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org) + + === + + The content of package org.apache.commons.codec.language.bm has been translated + from the original php source code available at http://stevemorse.org/phoneticinfo.htm + with permission from the original authors. + Original source copyright: + Copyright (c) 2008 Alexander Beider & Stephen P. Morse. + + (ASLv2) Apache Commons IO +The following NOTICE information applies: + Apache Commons IO + Copyright 2002-2012 The Apache Software Foundation + + (ASLv2) Apache Commons Lang --- End diff -- I don't see where this is brought in as a dependency. 
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395842#comment-15395842 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72461496 --- Diff: nifi-toolkit/nifi-toolkit-assembly/pom.xml --- 
@@ -0,0 +1,89 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd;> +4.0.0 + +org.apache.nifi +nifi-toolkit +1.0.0-SNAPSHOT + +nifi-toolkit-assembly +pom +This is the assembly Apache NiFi Toolkit + + + +org.apache.rat +apache-rat-plugin + + + src/main/resources/conf/config-client.json + src/main/resources/conf/config-server.json + + + + +maven-assembly-plugin + +nifi-toolkit-${project.version} + + + +make shared resource + +single + +package + + + 0755 +0755 +0644 + + + src/main/assembly/dependencies.xml + +posix + + + + + + + + +org.apache.nifi +nifi-toolkit-tls + + +org.slf4j +slf4j-api +compile +1.7.12 + + +org.eclipse.jetty +jetty-server +compile + + +javax.servlet +javax.servlet-api +compile + + +commons-io +commons-io --- End diff -- This is already brought in by "nifi-toolkit-tls" does this need to be duplicated?
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395834#comment-15395834 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72460515 --- Diff: nifi-assembly/pom.xml --- @@ -363,147 +363,6 @@ language governing permissions and limitations under the License. --> - --- End diff -- I just built it and there was no "nifi.properties" bundled in the assembly.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395832#comment-15395832 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72460359 --- Diff: nifi-toolkit/nifi-toolkit-tls/pom.xml --- 
@@ -0,0 +1,115 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd;> +4.0.0 + +org.apache.nifi +nifi-toolkit +1.0.0-SNAPSHOT + +nifi-toolkit-tls +Tooling to make tls configuration easier + + +org.apache.nifi +nifi-properties + + +org.apache.nifi +nifi-security-utils + + +org.slf4j +slf4j-api + + +org.slf4j +slf4j-log4j12 +1.7.12 + + +org.bouncycastle +bcpkix-jdk15on + + +org.bouncycastle +bcprov-jdk15on + + +commons-cli +commons-cli +1.3.1 + + +commons-io +commons-io +2.5 + + +org.eclipse.jetty +jetty-server + + +com.fasterxml.jackson.core +jackson-databind + + +org.apache.httpcomponents +httpclient +4.5.2 + + + + + +org.apache.maven.plugins +maven-dependency-plugin + + +unpack +process-resources + +unpack + + + + +org.apache.nifi +nifi-resources +zip +resources +true + ${project.build.directory}/classes +**/nifi.properties + + + + + --- End diff -- What does this section of the nifi-toolkit-tls pom do? The maven-dependency-plugin is otherwise only used in the nifi-assembly.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15394363#comment-15394363 ] ASF GitHub Bot commented on NIFI-2193: -- Github user brosander commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72317301 --- Diff: nifi-assembly/pom.xml --- @@ -363,147 +363,6 @@ language governing permissions and limitations under the License. --> - --- End diff -- @JPercivall I moved them into the pom of nifi-resources so that the filtering could happen before the files are packaged. This kept me from needing to duplicate them so that the toolkit could bundle a valid nifi.properties, instead I can just resolve an up to date one.
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15394323#comment-15394323 ] ASF GitHub Bot commented on NIFI-2193: -- Github user JPercivall commented on a diff in the pull request: https://github.com/apache/nifi/pull/695#discussion_r72313026 --- Diff: nifi-assembly/pom.xml --- @@ -363,147 +363,6 @@ language governing permissions and limitations under the License. --> - --- End diff -- Why are all of these properties being removed from the assembly pom?
[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility
[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15386611#comment-15386611 ] ASF GitHub Bot commented on NIFI-2193: -- GitHub user brosander opened a pull request: https://github.com/apache/nifi/pull/695 NIFI-2193 - Command line SSL config utility as well as certificate au… …thority client/server You can merge this pull request into a Git repository by running: $ git pull https://github.com/brosander/nifi NIFI-2193-pr Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/695.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #695 commit 496f4f9cdc3cfee43e34684814c72f674261940d Author: Bryan Rosander Date: 2016-07-06T20:56:08Z NIFI-2193 - Command line SSL config utility as well as certificate authority client/server
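The client/CA flow the issue description lays out (each node generates its own keypair, sends a signing request to the CA, and ends up with a per-node keystore plus the shared truststore) as an added example, written for this page rather than taken from the nifi-toolkit-tls code in the pull request; it uses the Bouncy Castle bcpkix API that the module's pom declares, and the DNs, aliases, file names and the 2048-bit RSA choice are this example's own assumptions. The HTTP transport between the CLI client and the CA server is left out.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.*;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.*;
// Added example, not nifi-toolkit-tls code; DNs, aliases and file names are constructed for the demo.
public class TlsToolkitDemo {
    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }
    static ContentSigner signerFor(KeyPair kp) throws Exception {
        return new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
    }

    // CA side: self-signed root with the CA bit set; this is the only cert the truststore needs.
    static X509Certificate selfSignedCa(KeyPair caKey, X500Name dn) throws Exception {
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                dn, BigInteger.ONE, now, new Date(now.getTime() + 365L * 24 * 60 * 60 * 1000), dn, caKey.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return new JcaX509CertificateConverter().getCertificate(b.build(signerFor(caKey)));
    }

    // Client side: the node's private key never leaves the node; only this CSR goes to the CA.
    static PKCS10CertificationRequest buildCsr(KeyPair nodeKey, String dn) throws Exception {
        return new JcaPKCS10CertificationRequestBuilder(new X500Name(dn), nodeKey.getPublic())
                .build(signerFor(nodeKey));
    }

    // CA side: verify the CSR's self-signature (proof the requester holds the private key),
    // then issue a non-CA leaf valid for both sides of NiFi's mutual TLS.
    static X509Certificate signCsr(PKCS10CertificationRequest csr, KeyPair caKey,
                                   X509Certificate caCert, long serial) throws Exception {
        PublicKey requester = new JcaPKCS10CertificationRequest(csr).getPublicKey();
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(requester))) {
            throw new SecurityException("CSR signature does not verify; refusing to sign");
        }
        Date now = new Date();
        X509v3CertificateBuilder b = new X509v3CertificateBuilder(
                X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()), BigInteger.valueOf(serial),
                now, new Date(now.getTime() + 365L * 24 * 60 * 60 * 1000), csr.getSubject(), csr.getSubjectPublicKeyInfo());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(
                new KeyPurposeId[] {KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth}));
        return new JcaX509CertificateConverter().getCertificate(b.build(signerFor(caKey)));
    }

    // Stands in for the passwords the toolkit generates and writes into nifi.properties.
    static char[] randomPassword() {
        byte[] raw = new byte[24];
        new SecureRandom().nextBytes(raw);
        return Base64.getEncoder().withoutPadding().encodeToString(raw).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPair caKey = newKeyPair();
        X509Certificate caCert = selfSignedCa(caKey, new X500Name("CN=nifi-ca,OU=NIFI"));
        KeyPair nodeKey = newKeyPair();
        PKCS10CertificationRequest csr = buildCsr(nodeKey, "CN=nifi-node1,OU=NIFI");
        X509Certificate nodeCert = signCsr(csr, caKey, caCert, 2);
        nodeCert.verify(caCert.getPublicKey());  // chain check before anything is written to disk
        // Per-node keystore: private key plus chain, leaf first.
        char[] keystorePass = randomPassword();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry("nifi-key", nodeKey.getPrivate(), keystorePass, new Certificate[] {nodeCert, caCert});
        try (FileOutputStream out = new FileOutputStream("nifi-node1-keystore.jks")) { ks.store(out, keystorePass); }
        // Shared truststore: the CA certificate only, never a private key.
        char[] truststorePass = randomPassword();
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        ts.setCertificateEntry("nifi-cert", caCert);
        try (FileOutputStream out = new FileOutputStream("truststore.jks")) { ts.store(out, truststorePass); }
    }
}
```

Compile and run with bcprov and bcpkix on the classpath; the two generated passwords are the values a tool like this would then write into the node's nifi.properties.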