[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407130#comment-15407130 ]

ASF subversion and git services commented on NIFI-2193:
---

Commit fa4c6ab03cae9dae98e41ac984901df90fdd1b2a in nifi's branch 
refs/heads/master from [~bryanrosan...@gmail.com]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fa4c6ab ]

NIFI-2193 - Added functionality to automate certificate generation, keystore 
and truststore generation, and nifi.properties keystore and truststore password 
population. Follow-on changes will be made under NIFI-2476.

This closes #695.

Signed-off-by: Andy LoPresto 

Defaulting to same keyStore, key password (+18 squashed commits)
Squashed commits:
[9d01ba0] NIFI-2193 - Fixing typo
[55440bc] NIFI-2193 - Standalone can run as long as there are no conflicting 
files/folders
[0ca34ed] NIFI-2193 - Fixing some filename, absolute path issues
[9d4f65b] NIFI-2193 - Incorporating feedback
[f7550b4] NIFI-2193 - Cleaning up imports
[59a7637] NIFI-2193 - Updating umask to allow owner to execute
[cf824e7] NIFI-2193 - Moving DN arg to CA service specific parent class
[921ee13] NIFI-2193 - Making keystore getInstance more consistent
[a283c4b] NIFI-2193 - Updating sample config files in assembly to reflect new 
structure
[8d3a21d] NIFI-2193 - Making TlsHelper static, adding option to use same 
password for Key, KeyStore
[b13d247] NIFI-2193 - Addressing PR feedback
[46ef8ed] NIFI-2193 - Removing commons-logging, log4j from notice
[d4cf41a] NIFI-2193 - Adding option to specify output file for CA certificate 
when using cli client
[b74bf25] NIFI-2193 - Removing Bouncy Castle from notice
[6e34f9a] NIFI-2193 - Adding CLI client for easier generation of client 
certificates
[2924fca] NIFI-2193 - nifi-toolkit-ssl -> nifi-toolkit-tls, removing unused 
constants
[886167e] NIFI-2193 - Adding slf4j to avoid runtime issue
[082de46] NIFI-2193 - Command line SSL config utility as well as certificate 
authority client/server


> Command Line Keystore and Truststore utility
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
> Labels: certificate, security, tls
> Fix For: 1.0.0
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407138#comment-15407138
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/695



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407131#comment-15407131
 ] 

ASF subversion and git services commented on NIFI-2193:
---

Commit fa4c6ab03cae9dae98e41ac984901df90fdd1b2a in nifi's branch 
refs/heads/master from [~bryanrosan...@gmail.com]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fa4c6ab ]

NIFI-2193 - Added functionality to automate certificate generation, keystore 
and truststore generation, and nifi.properties keystore and truststore password 
population. Follow-on changes will be made under NIFI-2476.

This closes #695.

Signed-off-by: Andy LoPresto 

Defaulting to same keyStore, key password (+18 squashed commits)
Squashed commits:
[9d01ba0] NIFI-2193 - Fixing typo
[55440bc] NIFI-2193 - Standalone can run as long as there are no conflicting 
files/folders
[0ca34ed] NIFI-2193 - Fixing some filename, absolute path issues
[9d4f65b] NIFI-2193 - Incorporating feedback
[f7550b4] NIFI-2193 - Cleaning up imports
[59a7637] NIFI-2193 - Updating umask to allow owner to execute
[cf824e7] NIFI-2193 - Moving DN arg to CA service specific parent class
[921ee13] NIFI-2193 - Making keystore getInstance more consistent
[a283c4b] NIFI-2193 - Updating sample config files in assembly to reflect new 
structure
[8d3a21d] NIFI-2193 - Making TlsHelper static, adding option to use same 
password for Key, KeyStore
[b13d247] NIFI-2193 - Addressing PR feedback
[46ef8ed] NIFI-2193 - Removing commons-logging, log4j from notice
[d4cf41a] NIFI-2193 - Adding option to specify output file for CA certificate 
when using cli client
[b74bf25] NIFI-2193 - Removing Bouncy Castle from notice
[6e34f9a] NIFI-2193 - Adding CLI client for easier generation of client 
certificates
[2924fca] NIFI-2193 - nifi-toolkit-ssl -> nifi-toolkit-tls, removing unused 
constants
[886167e] NIFI-2193 - Adding slf4j to avoid runtime issue
[082de46] NIFI-2193 - Command line SSL config utility as well as certificate 
authority client/server


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Bryan Rosander
>Assignee: Bryan Rosander
>  Labels: certificate, security, tls
> Fix For: 1.0.0
>
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407115#comment-15407115
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
I am merging this for the beta release tomorrow. There are still some rough 
edges, and those are being captured in 
[NIFI-2476](https://issues.apache.org/jira/browse/NIFI-2476). The documentation 
for using the tools here is temporarily provided in the original Jira 
[NIFI-2193](https://issues.apache.org/jira/browse/NIFI-2193) until it can be 
properly reviewed and merged into the User Guide and Admin Guide 
[NIFI-2477](https://issues.apache.org/jira/browse/NIFI-2477). 

I will run contrib-check, rebase, squash, and merge. 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread Bryan Rosander (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15407111#comment-15407111
 ] 

Bryan Rosander commented on NIFI-2193:
--

Here is a rough draft of the documentation

Admin Guide:

The tls-toolkit has two primary modes of operation:
Standalone -- generates the certificate authority, keystores, truststores, and 
nifi.properties files in one command.
Client/Server mode -- uses a Certificate Authority Server that accepts 
Certificate Signing Requests from clients, signs them, and sends the resulting 
certificates back.  Both client and server validate the other’s identity 
through a shared secret.

Standalone:
Standalone mode can be invoked by running “tls-toolkit.sh standalone -h” which 
will print the usage information along with descriptions of options that can be 
specified.

The most common options to specify are:
-n (or --hostnames) a comma-separated list of hostnames that you’d like to 
generate certificates for
-f (or --nifiPropertiesFile) a base nifi.properties file that the tool will 
update for each host
-o (or --outputDirectory) the directory to use for the resulting Certificate 
Authority files and NiFi configurations.  A subdirectory will be made for each 
host.
-R (or --sameKeyAndKeyStorePassword) use the same value when generating 
KeyStore and TrustStore passwords which is currently needed
-p (or --httpsPort) the https port in nifi.properties and enable secure 
site-to-site.  This is optional and not necessary if you’ve provided a template 
nifi.properties.

Client/Server:

Server:
Client/Server mode relies on a long-running CA (Certificate Authority) (that 
can be stopped when you’re not bringing nodes online) to issue certificates.  
The CA server can be invoked by running “tls-toolkit server -h” which will 
print the usage information.

The most likely options to be specified are:
-f (or --configJson) the location of the json config (written after first run)
-F (or --useConfigJson) load all relevant configuration from the config json 
(if using, configJson is the only other argument necessary)
-t (or --token) the token used to prevent man-in-the-middle attacks (this 
should be a long, random value and needs to be known when invoking the client)
-D (or --dn) the dn for the CA

Client:
The client can be used to request new Certificates from the CA.  The client 
utility will generate a keypair and CSR (Certificate Signing Request) and send 
the CSR to the certificate authority.  The client can be invoked by running 
“tls-toolkit.sh client -h” which will print usage information.

The most likely options to be specified are:
-f (or --configJson) the json config file
-c (or --certificateAuthorityHostname) the hostname of the CA
-D (or --DN) the dn for the CSR (and Certificate)
-t (or --token) the token used to prevent man-in-the-middle attacks (this 
should be a long, random value and needs to be known when invoking the client)
-T (or --keyStoreType) the type of keystore to create (specify jks for NiFi 
nodes, leave default to create client cert)

After running the client you will have the CA’s certificate, a keystore, a 
truststore, and a config.json with information about them as well as their 
passwords.

If you leave -T (or --keyStoreType) as its default value, PKCS12 will be used 
in order to make it easy to import into a browser (for client certificates).


Developer Guide:

This is a developer-oriented document for the tls-toolkit.  For the usage 
information, please consult the Admin Guide.

The Client/Server mode of operation came about from the desire to be able to 
autogenerate required TLS configuration artifacts without needing to perform 
that generation in a centralized place.  This simplifies configuration in a 
clustered environment.  Since we don’t necessarily have a central place to run 
the generation logic or a trusted Certificate Authority, a shared secret is 
used to authenticate the clients and server to each other.

The tls-toolkit prevents man-in-the-middle attacks using HMAC verification of 
the public keys of the CA server and the CSR the client sends, using a shared 
secret (the token) as the HMAC key.

The basic process goes as follows:
1. The client generates a KeyPair.
2. The client generates a request json payload containing a CSR and an HMAC 
   with the token as the key and the CSR’s public key fingerprint as the data.
3. The client connects to the CA Hostname at the https port specified and 
   validates that the CN of the CA’s certificate matches the hostname (NOTE: 
   because we don’t trust the CA at this point, this adds NO security, it is 
   just a way to error out early if possible).
4. The server validates the HMAC from the client payload using the token as 
   the key and the CSR’s public key fingerprint as the data.  This proves that 
   the client knows the shared secret and that it wanted a CSR with that public 
   key to be signed.  (A man in the middle could forward 
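
The HMAC exchange outlined in the developer notes above, as an added Python sketch that is not the tls-toolkit's own code. HMAC-SHA256, the SHA-256 fingerprint, the JSON field names, the DN and the byte strings standing in for public keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumed for illustration, not taken from the NiFi source: HMAC-SHA256, a
# SHA-256 fingerprint of the encoded public key, and the JSON field names.
# Public keys are constructed byte strings; the "csr" dict stands in for a
# PKCS#10 request and certificate signing is out of scope.


def key_hmac(token: str, public_key: bytes) -> str:
    """HMAC keyed with the shared token over the public key's fingerprint."""
    fingerprint = hashlib.sha256(public_key).digest()
    return hmac.new(token.encode(), fingerprint, hashlib.sha256).hexdigest()


def same_mac(expected: str, received) -> bool:
    """Constant-time comparison that tolerates a missing or non-string field."""
    return hmac.compare_digest(expected.encode(), str(received).encode())


def client_request(token: str, dn: str, public_key: bytes) -> str:
    """Client side: CSR stand-in plus the HMAC binding its key to the token."""
    csr = {"subject": dn, "publicKey": public_key.hex()}
    return json.dumps({"csr": csr, "hmac": key_hmac(token, public_key)})


def server_respond(token: str, request_json: str, ca_public_key: bytes) -> str:
    """CA side: recompute the HMAC from the key inside the received CSR."""
    request = json.loads(request_json)
    csr_key = bytes.fromhex(request["csr"]["publicKey"])
    if not same_mac(key_hmac(token, csr_key), request.get("hmac")):
        return json.dumps({"error": "HMAC mismatch, CSR not signed"})
    return json.dumps({
        "issuedTo": request["csr"]["subject"],    # stand-in for the certificate
        "caPublicKey": ca_public_key.hex(),
        "hmac": key_hmac(token, ca_public_key),   # proves the CA knows the token
    })


def client_accepts(token: str, response_json: str) -> bool:
    """Client side: trust the CA key only if its HMAC verifies under the token."""
    response = json.loads(response_json)
    if "error" in response:
        return False
    ca_key = bytes.fromhex(response["caPublicKey"])
    return same_mac(key_hmac(token, ca_key), response.get("hmac"))


def run_scenarios() -> dict:
    """Run the exchange on constructed inputs; True means the party accepted."""
    token = secrets.token_urlsafe(32)             # long, random shared secret
    client_key = b"constructed client public key"
    ca_key = b"constructed CA public key"
    rogue_key = b"constructed interceptor public key"
    results = {}

    # 1. Honest exchange: both HMACs verify.
    request = client_request(token, "CN=nifi-node-1", client_key)
    reply = server_respond(token, request, ca_key)
    results["honest"] = client_accepts(token, reply)

    # 2. The CSR's public key is replaced in transit; the HMAC no longer matches.
    tampered = json.loads(request)
    tampered["csr"]["publicKey"] = rogue_key.hex()
    reply = server_respond(token, json.dumps(tampered), ca_key)
    results["swapped_csr_key"] = "error" not in json.loads(reply)

    # 3. A responder without the token presents its own CA key.
    forged = json.dumps({
        "issuedTo": "CN=nifi-node-1",
        "caPublicKey": rogue_key.hex(),
        "hmac": key_hmac("not-the-token", rogue_key),
    })
    results["rogue_ca"] = client_accepts(token, forged)

    # 4. A client that does not know the token is refused.
    stranger = client_request("not-the-token", "CN=stranger", client_key)
    reply = server_respond(token, stranger, ca_key)
    results["unknown_client"] = "error" not in json.loads(reply)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```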

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15406301#comment-15406301
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
Ok I will build locally, smoke test, run contrib check, and if all pass, 
rebase/squash and merge into `master`. 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15406081#comment-15406081
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on the issue:

https://github.com/apache/nifi/pull/695
  
the newly failing test from last commit is in the snmp processor, not sure 
that it applies to anything I touched




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15406076#comment-15406076
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on the issue:

https://github.com/apache/nifi/pull/695
  
@alopresto I think I've incorporated your feedback, please let me know if 
you see anything else that needs addressing before the beta, otherwise I agree 
that as people use it, we'll get more information on what could/should be 
improved




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405236#comment-15405236
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on the issue:

https://github.com/apache/nifi/pull/695
  
Improving logging, making client and server both error instead of 
overwriting




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405205#comment-15405205
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73272771
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/TlsClientManager.java
 ---
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.manager;
+
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.util.StringUtils;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class TlsClientManager extends BaseTlsManager {
+private final TlsClientConfig tlsClientConfig;
+private final KeyStore trustStore;
+private final List 
configurationWriters;
+private final Set certificateAliases;
+private File certificateAuthorityDirectory;
+
+public TlsClientManager(TlsClientConfig tlsClientConfig) throws 
GeneralSecurityException, IOException {
+this(tlsClientConfig, new PasswordUtil(), FileInputStream::new);
+}
+
+public TlsClientManager(TlsClientConfig tlsClientConfig, PasswordUtil 
passwordUtil, InputStreamFactory inputStreamFactory) throws 
GeneralSecurityException, IOException {
+super(tlsClientConfig, passwordUtil, inputStreamFactory);
+this.trustStore = loadKeystore(tlsClientConfig.getTrustStore(), 
tlsClientConfig.getTrustStoreType(), tlsClientConfig.getTrustStorePassword());
+this.tlsClientConfig = tlsClientConfig;
+this.configurationWriters = new ArrayList<>();
+this.certificateAliases = new HashSet<>();
+}
+
+public void setCertificateEntry(String alias, Certificate cert) throws 
KeyStoreException {
+trustStore.setCertificateEntry(alias, cert);
+certificateAliases.add(alias);
+}
+
+public void setCertificateAuthorityDirectory(File 
certificateAuthorityDirectory) {
+this.certificateAuthorityDirectory = certificateAuthorityDirectory;
+}
+
+@Override
+public void write(OutputStreamFactory outputStreamFactory) throws 
IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
+super.write(outputStreamFactory);
+
+String trustStorePassword = 
tlsClientConfig.getTrustStorePassword();
+if (StringUtils.isEmpty(trustStorePassword)) {
+trustStorePassword = getPasswordUtil().generatePassword();
+tlsClientConfig.setTrustStorePassword(trustStorePassword);
+}
+
+try (OutputStream outputStream = outputStreamFactory.create(new 
File(tlsClientConfig.getTrustStore( {
+trustStore.store(outputStream, 
trustStorePassword.toCharArray());
+}
+
+for (ConfigurationWriter 
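
Review bot: `setCertificateEntry` calls `trustStore.setCertificateEntry(alias, cert)` without checking the alias first. The truststore is obtained in the constructor through `loadKeystore(tlsClientConfig.getTrustStore(), ...)`, so it may already hold entries, and `KeyStore.setCertificateEntry` replaces an existing trusted certificate under the same alias without any signal. Consider testing `trustStore.containsAlias(alias)` and failing or logging before a trust anchor is overwritten.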

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405185#comment-15405185
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73271149
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
+addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
+addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
++ CONFIG_JSON_ARG + " will only be written to.");
+addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
+addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", 
TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME));
+}
+
+@Override
+protected CommandLine doParse(String[] args) throws 
CommandLineParseException {
+CommandLine commandLine = super.doParse(args);
+
+token = commandLine.getOptionValue(TOKEN_ARG);
+onlyUseConfigJson = commandLine.hasOption(USE_CONFIG_JSON_ARG);
+if (StringUtils.isEmpty(token) && !onlyUseConfigJson) {
+printUsageAndThrow(TOKEN_ARG + " argument must not be empty 
unless " + USE_CONFIG_JSON_ARG + " set", ExitCode.ERROR_TOKEN_ARG_EMPTY);
+}
+configJson = commandLine.getOptionValue(CONFIG_JSON_ARG, 
DEFAULT_CONFIG_JSON);
+port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT);
+dn = commandLine.getOptionValue(DN_ARG, 
TlsConfig.calcDefaultDn(getCertificateAuthorityHostname()));
--- End diff --
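
Review bot: the default DN differs between the help text and the parser. The constructor advertises `TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME)` for `DN_ARG`, while `doParse` falls back to `TlsConfig.calcDefaultDn(getCertificateAuthorityHostname())`, so the usage output can show a default that is not the one applied. Suggest deriving both from the same source, or describing the default symbolically in the help text.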

Usage:
The dn to use for the CA certificate (default: CN=localhost,OU=NIFI)

is there an implication that you can specify just a hostname for DN?

Trying to clarify by changing default to say CA_HOSTNAME and HOSTNAME for 
CA and client respectively, this shouldn't be mandatory



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405179#comment-15405179
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73270811
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
--- End diff --
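
Review bot: `addOptionWithArg("t", TOKEN_ARG, ...)` accepts the shared token only as a command-line argument, where it is visible in the host's process list and shell history. Since the description presents the token as what prevents MITM, consider also accepting it from a file or an interactive prompt and documenting that as the preferred form.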

This is a common parent class for both client and server, I can add 
distinct messages by making it an abstract method


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Bryan Rosander
>Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405178#comment-15405178
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73270744
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
--- End diff --
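
Review bot: `PORT_ARG = "PORT"` is the only long option name in upper case; `TOKEN_ARG`, `CONFIG_JSON_ARG` and `USE_CONFIG_JSON_ARG` are camelCase. Suggest `"port"` so the flag is consistent with the others.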

using getPath




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405175#comment-15405175
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73270563
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
+addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
+addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
++ CONFIG_JSON_ARG + " will only be written to.");
+addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
+addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", 
TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME));
--- End diff --
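
Review bot: the description string for the `F` option opens a parenthesis at `(otherwise ` and ends with `" will only be written to."` without closing it. Suggest ending the string with `" will only be written to)"`.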

Also same message for both client and server, will change to abstract 
method here and override




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405117#comment-15405117
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73265781
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
+addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
+addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
++ CONFIG_JSON_ARG + " will only be written to.");
+addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
--- End diff --
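
Review bot: the `f` option is described as "The place to write configuration info", but the `F` description right after it says all configuration is read from that same file. Suggest wording the `f` description so it covers both uses, since with `useConfigJson` the file is an input as well as an output.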

message is generic because it's being used by both client and server, I can 
add specific messages for both though




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405101#comment-15405101
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
@brosander I understand the direction of this PR and I think as it is 
functional, and I'd like to see it included in the beta vote on Thursday to 
increase the coverage of community testing. If you can fix the quick issues 
outlined above, we can merge this as is. I would propose we then raise a Jira 
to evaluate refactoring to see where we might streamline it for the general 
availability release. That can include more documentation and edge case/input 
validation. 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405097#comment-15405097
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
Running the client script multiple times in the same directory silently 
overwrites the same keystore file. It should warn the user and fail, or require 
a force flag to overwrite. 
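
The overwrite guard asked for in the comment above, as an added example (not code from the PR or from NiFi). The class name `GuardedKeyStoreWriter`, its `write` method and the `force` parameter are hypothetical, and the keystore and password in `main` are constructed for the demo.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

// Hypothetical helper, not part of the NiFi toolkit.
public class GuardedKeyStoreWriter {

    /**
     * Writes keyStore to target. Without force, an existing file is an error
     * instead of being silently replaced.
     */
    public static void write(KeyStore keyStore, char[] password, Path target, boolean force)
            throws IOException, GeneralSecurityException {
        if (!force) {
            // CREATE_NEW makes "check and create" a single atomic step, so a file
            // that appears between a separate exists() test and the write cannot
            // be clobbered.
            try (OutputStream out = Files.newOutputStream(target,
                    StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
                keyStore.store(out, password);
            } catch (FileAlreadyExistsException e) {
                throw new IOException(target + " already exists; pass the force flag to overwrite", e);
            } catch (IOException | GeneralSecurityException e) {
                // The file was created by this call, so remove the partial output.
                Files.deleteIfExists(target);
                throw e;
            }
            return;
        }
        // Forced overwrite: write a sibling temp file first and swap it in, so a
        // failure mid-write does not leave a truncated keystore behind.
        Path dir = target.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "keystore", ".tmp");
        try {
            try (OutputStream out = Files.newOutputStream(tmp)) {
                keyStore.store(out, password);
            }
            Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null); // empty keystore, constructed for the demo
        char[] password = "constructed-demo-password".toCharArray();
        Path dir = Files.createTempDirectory("guarded-keystore-demo");
        Path target = dir.resolve("keystore.pkcs12");

        write(keyStore, password, target, false);     // first run creates the file
        try {
            write(keyStore, password, target, false); // second run must be refused
            throw new AssertionError("expected refusal to overwrite");
        } catch (IOException expected) {
            System.out.println("refused: " + expected.getMessage());
        }
        write(keyStore, password, target, true);      // explicit force replaces it
        System.out.println("overwritten with force: " + Files.size(target) + " bytes");
    }
}
```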




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405085#comment-15405085
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73263071
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
 ---
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service.client;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import 
org.apache.nifi.toolkit.tls.service.BaseCertificateAuthorityCommandLine;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class TlsCertificateAuthorityClientCommandLine extends 
BaseCertificateAuthorityCommandLine {
+public static final String DESCRIPTION = "Generates a private key and 
gets it signed by the certificate authority.";
+public static final String PKCS_12 = "PKCS12";
+public static final String CERTIFICATE_DIRECTORY = 
"certificateDirectory";
+public static final String DEFAULT_CERTIFICATE_DIRECTORY = ".";
+public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = 
"sameKeyAndKeyStorePassword";
+
+private final InputStreamFactory inputStreamFactory;
+
+private String certificateDirectory;
+private boolean sameKeyAndKeyStorePassword;
+
+public TlsCertificateAuthorityClientCommandLine() {
+this(FileInputStream::new);
+}
+
+public TlsCertificateAuthorityClientCommandLine(InputStreamFactory 
inputStreamFactory) {
+super(DESCRIPTION);
+this.inputStreamFactory = inputStreamFactory;
+addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write 
the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY);
+addOptionNoArg("S", SAME_KEY_AND_KEY_STORE_PASSWORD_ARG, "When 
generating passwords, use the same one for KeyStore and Key");
+}
+
+public static void main(String[] args) throws Exception {
+TlsHelper.addBouncyCastleProvider();
+TlsCertificateAuthorityClientCommandLine 
tlsCertificateAuthorityClientCommandLine = new 
TlsCertificateAuthorityClientCommandLine();
+try {
+tlsCertificateAuthorityClientCommandLine.parse(args);
+} catch (CommandLineParseException e) {
+System.exit(e.getExitCode());
+}
+new 
TlsCertificateAuthorityClient().generateCertificateAndGetItSigned(tlsCertificateAuthorityClientCommandLine.createClientConfig(),
+
tlsCertificateAuthorityClientCommandLine.getCertificateDirectory(), 
tlsCertificateAuthorityClientCommandLine.getConfigJson(),
+
tlsCertificateAuthorityClientCommandLine.sameKeyAndKeyStorePassword());
+System.exit(ExitCode.SUCCESS.ordinal());
+}
+
+@Override
+protected boolean shouldAddDaysArg() {
+return false;
+}
+
+@Override
+protected boolean shouldAddSigningAlgorithmArg() {
+return false;
+}
+
+@Override
+protected String getKeyStoreTypeDefault() {
+return PKCS_12;
+}
+
+@Override
+protected CommandLine doParse(String[] args) throws 
CommandLineParseException {
+CommandLine commandLine = super.doParse(args);
+certificateDirectory = 
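
Review bot: the `C` option is registered under `CERTIFICATE_DIRECTORY` with default `"."`, yet its description reads "The file to write the CA certificate to". Name, default and description should agree on whether a file or a directory is expected; if it is a directory, suggest "The directory to write the CA certificate to".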

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405075#comment-15405075
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73262290
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java
 ---
@@ -0,0 +1,188 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.standalone;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
+public static final String OUTPUT_DIRECTORY_ARG = "outputDirectory";
+public static final String NIFI_PROPERTIES_FILE_ARG = 
"nifiPropertiesFile";
+public static final String KEY_STORE_PASSWORD_ARG = "keyStorePassword";
+public static final String TRUST_STORE_PASSWORD_ARG = 
"trustStorePassword";
+public static final String KEY_PASSWORD_ARG = "keyPassword";
+public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = 
"sameKeyAndKeyStorePassword";
+public static final String HOSTNAMES_ARG = "hostnames";
+public static final String HTTPS_PORT_ARG = "httpsPort";
+
+public static final String DEFAULT_OUTPUT_DIRECTORY = new 
File(".").getAbsolutePath();
+
+public static final String DESCRIPTION = "Creates certificates and 
config files for nifi cluster.";
+
+private final PasswordUtil passwordUtil;
+private File baseDir;
+private List hostnames;
+private String httpsPort;
+private NiFiPropertiesWriterFactory niFiPropertiesWriterFactory;
+private List keyStorePasswords;
+private List keyPasswords;
+private List trustStorePasswords;
+
+public TlsToolkitStandaloneCommandLine() {
+this(new PasswordUtil());
+}
+
+protected TlsToolkitStandaloneCommandLine(PasswordUtil passwordUtil) {
+super(DESCRIPTION);
+this.passwordUtil = passwordUtil;
+addOptionWithArg("o", OUTPUT_DIRECTORY_ARG, "The directory to 
output keystores, truststore, config files.", DEFAULT_OUTPUT_DIRECTORY);
+addOptionWithArg("n", HOSTNAMES_ARG, "Comma separated list of 
hostnames.", TlsConfig.DEFAULT_HOSTNAME);
--- End diff --
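
Review bot: `DEFAULT_OUTPUT_DIRECTORY = new File(".").getAbsolutePath()` yields a path that ends in a trailing `.` component, because `getAbsolutePath()` does not normalize, and that string is what the `o` option shows as its default. Suggest `Paths.get("").toAbsolutePath().toString()` or a canonical path instead.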

@alopresto good point, I'd left blank because it will use the machine's 
hostname if blank but your way is definitely better in the ssl case


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Bryan Rosander
>Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and 

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405029#comment-15405029
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73258286
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/TlsClientManager.java
 ---
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.manager;
+
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.util.StringUtils;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class TlsClientManager extends BaseTlsManager {
+private final TlsClientConfig tlsClientConfig;
+private final KeyStore trustStore;
+private final List 
configurationWriters;
+private final Set certificateAliases;
+private File certificateAuthorityDirectory;
+
+public TlsClientManager(TlsClientConfig tlsClientConfig) throws 
GeneralSecurityException, IOException {
+this(tlsClientConfig, new PasswordUtil(), FileInputStream::new);
+}
+
+public TlsClientManager(TlsClientConfig tlsClientConfig, PasswordUtil 
passwordUtil, InputStreamFactory inputStreamFactory) throws 
GeneralSecurityException, IOException {
+super(tlsClientConfig, passwordUtil, inputStreamFactory);
+this.trustStore = loadKeystore(tlsClientConfig.getTrustStore(), 
tlsClientConfig.getTrustStoreType(), tlsClientConfig.getTrustStorePassword());
+this.tlsClientConfig = tlsClientConfig;
+this.configurationWriters = new ArrayList<>();
+this.certificateAliases = new HashSet<>();
+}
+
+public void setCertificateEntry(String alias, Certificate cert) throws 
KeyStoreException {
+trustStore.setCertificateEntry(alias, cert);
+certificateAliases.add(alias);
+}
+
+public void setCertificateAuthorityDirectory(File 
certificateAuthorityDirectory) {
+this.certificateAuthorityDirectory = certificateAuthorityDirectory;
+}
+
+@Override
+public void write(OutputStreamFactory outputStreamFactory) throws 
IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
+super.write(outputStreamFactory);
+
+String trustStorePassword = 
tlsClientConfig.getTrustStorePassword();
+if (StringUtils.isEmpty(trustStorePassword)) {
+trustStorePassword = getPasswordUtil().generatePassword();
+tlsClientConfig.setTrustStorePassword(trustStorePassword);
+}
+
+try (OutputStream outputStream = outputStreamFactory.create(new 
File(tlsClientConfig.getTrustStore( {
+trustStore.store(outputStream, 
trustStorePassword.toCharArray());
+}
+
+for (ConfigurationWriter 
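
Review bot: setCertificateEntry hands the alias straight to trustStore.setCertificateEntry, and KeyStore replaces an existing trusted-certificate entry under the same alias without any signal, so a certificate added under a reused alias silently displaces the earlier one. Check trustStore.containsAlias(alias) first and either reject the call or log the overwrite. In write(), the branch that generates a truststore password would also benefit from a short comment stating that the new value is only available through tlsClientConfig afterwards, so whatever persists the configuration must run after this point.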

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405016#comment-15405016
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73257593
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
 ---
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.standalone;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
+import org.apache.nifi.toolkit.tls.manager.TlsClientManager;
+import 
org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter;
+import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+public class TlsToolkitStandalone {
+public static final String NIFI_KEY = "nifi-key";
+public static final String NIFI_CERT = "nifi-cert";
--- End diff --
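
Review bot: NIFI_KEY and NIFI_CERT at the end of the hunk are public constants with no Javadoc, so nothing here says whether they are keystore aliases, output file base names, or both. Add a one-line comment to each stating what it names and in which encoding the artifact is written, since code outside the class can depend on these values.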

This should have a `.pem` extension to inform the user of the PEM encoding. 


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Bryan Rosander
>Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405017#comment-15405017
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73257620
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
 ---
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.standalone;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
+import org.apache.nifi.toolkit.tls.manager.TlsClientManager;
+import 
org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter;
+import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+public class TlsToolkitStandalone {
+public static final String NIFI_KEY = "nifi-key";
--- End diff --
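
Review bot: The imports pair KeyPair and PemWriter with java.io.FileOutputStream, and NIFI_KEY is the only name declared in the visible part of the class, which suggests a private key is written to disk in PEM form; a file created through a plain FileOutputStream gets whatever permissions the process umask allows. If the rest of the class does write the key that way, create the file with explicit owner-only permissions (for example Files.createFile with a PosixFilePermissions attribute, then Files.newOutputStream) instead of relying on the caller's umask.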

This should have a `.key` extension. 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405014#comment-15405014
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73257442
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
+addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
+addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
++ CONFIG_JSON_ARG + " will only be written to.");
+addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
+addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", 
TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME));
+}
+
+@Override
+protected CommandLine doParse(String[] args) throws 
CommandLineParseException {
+CommandLine commandLine = super.doParse(args);
+
+token = commandLine.getOptionValue(TOKEN_ARG);
+onlyUseConfigJson = commandLine.hasOption(USE_CONFIG_JSON_ARG);
+if (StringUtils.isEmpty(token) && !onlyUseConfigJson) {
+printUsageAndThrow(TOKEN_ARG + " argument must not be empty 
unless " + USE_CONFIG_JSON_ARG + " set", ExitCode.ERROR_TOKEN_ARG_EMPTY);
+}
+configJson = commandLine.getOptionValue(CONFIG_JSON_ARG, 
DEFAULT_CONFIG_JSON);
+port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT);
+dn = commandLine.getOptionValue(DN_ARG, 
TlsConfig.calcDefaultDn(getCertificateAuthorityHostname()));
--- End diff --
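
Review bot: In doParse the DN_ARG value is assigned to dn with no validation, while the token a few statements earlier is checked and routed through printUsageAndThrow. Parse the value as an X.500 name at this point (for example with javax.security.auth.x500.X500Principal, catching IllegalArgumentException) and fail with a usage message that names the expected form, so a malformed value produces a clear error instead of surfacing later. The token check only rejects an empty string; since the help text says the token is what prevents MITM, a minimum length is worth enforcing here as well.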

If the user enters only the hostname here (as is the format for the CA 
hostname), the tool throws an exception. 

Example:

```bash

hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
 (pr695) alopresto
 166s @ 15:58:03 $ ./bin/tls-toolkit.sh server -c rootca.nifi.apache.org 
-D client.nifi.apache.org -t shorttoken
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405006#comment-15405006
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73256631
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
--- End diff --
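
Review bot: The TOKEN_ARG option at the end of the hunk takes the shared secret as a command-line value and the class keeps it in a String field, so it ends up in shell history and in the process list for as long as the command runs. Consider making the config JSON or a prompt the preferred way to supply it, and state in the help text that the command-line form exposes the value to other local users.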

I think this message was copied from the client. This is the CA, so it 
should read "clients must use this token to authenticate". 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405004#comment-15405004
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73256427
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
--- End diff --

The absolute path is often very long (when running from inside the built 
location, it is at least 114 characters). 

Example:

```bash
-f,--configJson  The place to write configuration 
info (default:
   
/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT/config.json)
```




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15405000#comment-15405000
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73256120
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
+addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
+addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
++ CONFIG_JSON_ARG + " will only be written to.");
+addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
+addOptionWithArg("D", DN_ARG, "The dn to use for the certificate", 
TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME));
--- End diff --
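
Review bot: The help string for USE_CONFIG_JSON_ARG opens a parenthesis at "(otherwise " and ends at " will only be written to." without closing it, so the usage output prints an unbalanced sentence. Close the parenthesis before the final period.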

This is ambiguous -- is it the DN of the certificate authority certificate?




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404999#comment-15404999
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73256049
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
 ---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+public static final String TOKEN_ARG = "token";
+public static final String CONFIG_JSON_ARG = "configJson";
+public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+public static final String PORT_ARG = "PORT";
+
+public static final String DEFAULT_CONFIG_JSON = new 
File("config.json").getAbsolutePath();
+
+private String token;
+private String configJson;
+private boolean onlyUseConfigJson;
+private int port;
+private String dn;
+
+public BaseCertificateAuthorityCommandLine(String header) {
+super(header);
+addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM 
(required and must be same as one used by CA)");
+addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write 
configuration info", DEFAULT_CONFIG_JSON);
+addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all 
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use 
(otherwise "
++ CONFIG_JSON_ARG + " will only be written to.");
+addOptionWithArg("p", PORT_ARG, "The port to use to communicate 
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
--- End diff --
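
Review bot: The PORT_ARG help text on the last added line, "The port to use to communicate with the Certificate Authority", describes the connecting side only, although the class name marks this as a base for the certificate authority commands in general. If the server command inherits this option, word the description so it also covers the port the CA listens on, or override it in the server subclass.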

The default HTTPS port is `8443` but if this is running on the same 
instance as a secured NiFi instance, it will collide with the default HTTPS 
port there as well. 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404995#comment-15404995
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
Running the bash scripts only provides console output when an exception 
occurs. Especially for the standalone, but also the client/server scripts, 
could we please provide positive output explaining what was accomplished?

In addition, there are Log4J warnings printed.

Example:

```bash

hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
 (pr695) alopresto
 7s @ 16:00:40 $ ./bin/tls-toolkit.sh server -D CN=rootca.nifi.apache.org 
-t shorttoken
log4j:WARN No appenders could be found for logger 
(org.eclipse.jetty.util.log).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for 
more info.
Server Started
^C
```

```bash

hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
 (pr695) alopresto
 113s @ 16:01:50 $ ./bin/tls-toolkit.sh client -D 
CN=client.nifi.apache.org -t shorttoken
log4j:WARN No appenders could be found for logger 
(org.apache.http.client.protocol.RequestAddCookies).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for 
more info.

hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT
 (pr695) alopresto
 43s @ 16:02:33 $
```




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404990#comment-15404990
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73255485
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
 ---
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service.client;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import 
org.apache.nifi.toolkit.tls.service.BaseCertificateAuthorityCommandLine;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class TlsCertificateAuthorityClientCommandLine extends 
BaseCertificateAuthorityCommandLine {
+public static final String DESCRIPTION = "Generates a private key and 
gets it signed by the certificate authority.";
+public static final String PKCS_12 = "PKCS12";
+public static final String CERTIFICATE_DIRECTORY = 
"certificateDirectory";
+public static final String DEFAULT_CERTIFICATE_DIRECTORY = ".";
+public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = 
"sameKeyAndKeyStorePassword";
+
+private final InputStreamFactory inputStreamFactory;
+
+private String certificateDirectory;
+private boolean sameKeyAndKeyStorePassword;
+
+public TlsCertificateAuthorityClientCommandLine() {
+this(FileInputStream::new);
+}
+
+public TlsCertificateAuthorityClientCommandLine(InputStreamFactory 
inputStreamFactory) {
+super(DESCRIPTION);
+this.inputStreamFactory = inputStreamFactory;
+addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write 
the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY);
+addOptionNoArg("S", SAME_KEY_AND_KEY_STORE_PASSWORD_ARG, "When 
generating passwords, use the same one for KeyStore and Key");
+}
+
+public static void main(String[] args) throws Exception {
+TlsHelper.addBouncyCastleProvider();
+TlsCertificateAuthorityClientCommandLine 
tlsCertificateAuthorityClientCommandLine = new 
TlsCertificateAuthorityClientCommandLine();
+try {
+tlsCertificateAuthorityClientCommandLine.parse(args);
+} catch (CommandLineParseException e) {
+System.exit(e.getExitCode());
+}
+new 
TlsCertificateAuthorityClient().generateCertificateAndGetItSigned(tlsCertificateAuthorityClientCommandLine.createClientConfig(),
+
tlsCertificateAuthorityClientCommandLine.getCertificateDirectory(), 
tlsCertificateAuthorityClientCommandLine.getConfigJson(),
+
tlsCertificateAuthorityClientCommandLine.sameKeyAndKeyStorePassword());
+System.exit(ExitCode.SUCCESS.ordinal());
+}
+
+@Override
+protected boolean shouldAddDaysArg() {
+return false;
+}
+
+@Override
+protected boolean shouldAddSigningAlgorithmArg() {
+return false;
+}
+
+@Override
+protected String getKeyStoreTypeDefault() {
+return PKCS_12;
+}
+
+@Override
+protected CommandLine doParse(String[] args) throws 
CommandLineParseException {
+CommandLine commandLine = super.doParse(args);
+certificateDirectory = 
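Review bot: The help text for the `C` option says "The file to write the CA certificate to", but the constant is `CERTIFICATE_DIRECTORY` and its default is `.`, so the argument is a directory; the description should say so and name the file that is written inside it. In `main`, `System.exit(ExitCode.SUCCESS.ordinal())` ties the process exit status to enum declaration order, which a later reordering of `ExitCode` would change silently; an explicit code field on the enum would be sturdier.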

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404953#comment-15404953
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73253303
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java
 ---
@@ -0,0 +1,188 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.standalone;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
+public static final String OUTPUT_DIRECTORY_ARG = "outputDirectory";
+public static final String NIFI_PROPERTIES_FILE_ARG = 
"nifiPropertiesFile";
+public static final String KEY_STORE_PASSWORD_ARG = "keyStorePassword";
+public static final String TRUST_STORE_PASSWORD_ARG = 
"trustStorePassword";
+public static final String KEY_PASSWORD_ARG = "keyPassword";
+public static final String SAME_KEY_AND_KEY_STORE_PASSWORD_ARG = 
"sameKeyAndKeyStorePassword";
+public static final String HOSTNAMES_ARG = "hostnames";
+public static final String HTTPS_PORT_ARG = "httpsPort";
+
+public static final String DEFAULT_OUTPUT_DIRECTORY = new 
File(".").getAbsolutePath();
+
+public static final String DESCRIPTION = "Creates certificates and 
config files for nifi cluster.";
+
+private final PasswordUtil passwordUtil;
+private File baseDir;
+private List hostnames;
+private String httpsPort;
+private NiFiPropertiesWriterFactory niFiPropertiesWriterFactory;
+private List keyStorePasswords;
+private List keyPasswords;
+private List trustStorePasswords;
+
+public TlsToolkitStandaloneCommandLine() {
+this(new PasswordUtil());
+}
+
+protected TlsToolkitStandaloneCommandLine(PasswordUtil passwordUtil) {
+super(DESCRIPTION);
+this.passwordUtil = passwordUtil;
+addOptionWithArg("o", OUTPUT_DIRECTORY_ARG, "The directory to 
output keystores, truststore, config files.", DEFAULT_OUTPUT_DIRECTORY);
+addOptionWithArg("n", HOSTNAMES_ARG, "Comma separated list of 
hostnames.", TlsConfig.DEFAULT_HOSTNAME);
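Review bot: `KEY_STORE_PASSWORD_ARG`, `TRUST_STORE_PASSWORD_ARG` and `KEY_PASSWORD_ARG` indicate that the keystore, truststore and key passwords are taken as command-line arguments, where they are readable from the process list and shell history. If `PasswordUtil` generates passwords when none are supplied, the option descriptions should recommend leaving these unset, or the options should accept a file or prompt instead. Also, `httpsPort` is held as a `String`; parsing and range-checking it at parse time would surface a bad value before any files are written.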
--- End diff --

If `-p` is set, the HTTPS port will be set, but the HTTPS hostname is not. 
It should be available from this list, so it should be populated. 



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404937#comment-15404937
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73251864
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
 ---
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.standalone;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
+import org.apache.nifi.toolkit.tls.manager.TlsClientManager;
+import 
org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter;
+import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+public class TlsToolkitStandalone {
+public static final String NIFI_KEY = "nifi-key";
+public static final String NIFI_CERT = "nifi-cert";
+public static final String ROOT_CERT_PRIVATE_KEY = "rootCert.key";
+public static final String ROOT_CERT_CRT = "rootCert.crt";
+public static final String NIFI_PROPERTIES = "nifi.properties";
+
+private final OutputStreamFactory outputStreamFactory;
+
+public TlsToolkitStandalone() {
+this(FileOutputStream::new);
+}
+
+public TlsToolkitStandalone(OutputStreamFactory outputStreamFactory) {
+this.outputStreamFactory = outputStreamFactory;
+}
+
+public void createNifiKeystoresAndTrustStores(File baseDir, TlsConfig 
tlsConfig, NiFiPropertiesWriterFactory niFiPropertiesWriterFactory, 
List hostnames, List keyStorePasswords,
+  List 
keyPasswords, List trustStorePasswords, String httpsPort) throws 
GeneralSecurityException, IOException {
+String signingAlgorithm = tlsConfig.getSigningAlgorithm();
+int days = tlsConfig.getDays();
+String keyPairAlgorithm = tlsConfig.getKeyPairAlgorithm();
+int keySize = tlsConfig.getKeySize();
+TlsCertificateAuthorityManager tlsCertificateAuthorityManager = 
new TlsCertificateAuthorityManager(tlsConfig);
+KeyStore.PrivateKeyEntry privateKeyEntry = 
tlsCertificateAuthorityManager.getOrGenerateCertificateAuthority();
+X509Certificate certificate = (X509Certificate) 
privateKeyEntry.getCertificateChain()[0];
+KeyPair caKeyPair = new KeyPair(certificate.getPublicKey(), 
privateKeyEntry.getPrivateKey());
+
+try (PemWriter pemWriter = new PemWriter(new 
OutputStreamWriter(outputStreamFactory.create(new File(baseDir, 
ROOT_CERT_CRT) {
+pemWriter.writeObject(new JcaMiscPEMGenerator(certificate));
+}
+
+try (PemWriter pemWriter = new PemWriter(new 
OutputStreamWriter(outputStreamFactory.create(new File(baseDir, 
ROOT_CERT_PRIVATE_KEY) {
+pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair));
+}
+
+for (int i = 0; i < hostnames.size(); i++) {
+String hostname = hostnames.get(i);
+File hostDir = new File(baseDir, 
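Review bot: The second `try` block writes the CA key pair to `rootCert.key` with `new JcaMiscPEMGenerator(caKeyPair)` and no encryptor, through the default `FileOutputStream::new` factory, so the root CA private key lands on disk as unencrypted PEM with whatever permissions the process umask allows. Either encrypt the PEM with a passphrase or set owner-only permissions on the file right after creating it, and report in the tool's output where the key was written. Both `OutputStreamWriter` instances also rely on the platform default charset; passing an explicit charset makes the PEM output deterministic.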

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404380#comment-15404380
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73194331
  
--- Diff: 
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 ---
@@ -53,6 +54,21 @@ import java.security.SignatureException
 import java.security.cert.Certificate
 import java.security.cert.CertificateException
 import java.security.cert.X509Certificate
+import java.util.concurrent.TimeUnit
+
+import static org.junit.Assert.assertEquals
--- End diff --

maybe auto import fail? will fix




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15404315#comment-15404315
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73189115
  
--- Diff: 
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 ---
@@ -53,6 +54,21 @@ import java.security.SignatureException
 import java.security.cert.Certificate
 import java.security.cert.CertificateException
 import java.security.cert.X509Certificate
+import java.util.concurrent.TimeUnit
+
+import static org.junit.Assert.assertEquals
--- End diff --

Is this a bug? Why are the same two static methods imported 5-8 times each?




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-08-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15402293#comment-15402293
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r73004076
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
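Review bot: The `TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm)` constructor forwards `keySize`, `days` and `signingAlgorithm` without any check, so whether a weak key size or a non-positive validity period is rejected depends entirely on code outside these lines. Since the values arrive from `TlsHelperConfig` and the command line, validate them here (minimum key size, `days > 0`, an allow-list of signing algorithms) and fail with a clear message.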

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400907#comment-15400907
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on the issue:

https://github.com/apache/nifi/pull/695
  
As far as Documentation goes, I believe standard practice is to create a 
separate Jira to update the guides.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400906#comment-15400906
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72896762
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
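Review bot: The `TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine)` constructor makes the `util` package import `commandLine.TlsToolkitCommandLine` only to call `getTlsHelperConfig()`. Dropping it and having callers pass the `TlsHelperConfig` keeps the helper independent of the CLI layer and leaves one fewer public constructor to test. `addBouncyCastleProvider()` also builds a new provider instance on every call; `Security.addProvider` does not install a provider whose name is already registered, so this is harmless, but a short comment would save the next reader from checking.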

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400904#comment-15400904
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72896746
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java
 ---
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.input.BoundedInputStream;
+import org.apache.http.HttpHost;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Response;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Supplier;
+
+public class TlsCertificateSigningRequestPerformer {
+public static final String RECEIVED_RESPONSE_CODE = "Received response 
code ";
+public static final String EXPECTED_ONE_CERTIFICATE = "Expected one 
certificate";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = 
"Expected response to contain hmac";
+public static final String 
UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac 
received, possible man in the middle";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = 
"Expected response to contain certificate";
+private final Supplier httpClientBuilderSupplier;
+private final String caHostname;
+private final String dn;
+private final String token;
+private final int port;
+private final TlsHelper tlsHelper;
+
+public TlsCertificateSigningRequestPerformer(TlsClientConfig 
tlsClientConfig) throws NoSuchAlgorithmException {
+this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws 
NoSuchAlgorithmException {
+this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, String caHostname, String dn, String token, int 
port, TlsHelper tlsHelper) {
+this.httpClientBuilderSupplier = httpClientBuilderSupplier;
+this.caHostname = caHostname;
+this.dn = dn;
+this.token = token;
+this.port = port;
+this.tlsHelper = tlsHelper;
+}
+
+public static String getDn(String hostname) {
+return "CN=" + hostname + ",OU=NIFI";
+}
+
+/**
+ * Submits a CSR to the Certificate authority, checks the resulting 
hmac, and returns the chain if everything succeeds
+ *
+ * @param objectMapper for 
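Review bot: getDn(String hostname) builds the subject by plain concatenation ("CN=" + hostname + ",OU=NIFI"), so a hostname containing a comma, plus sign or equals sign changes the structure of the resulting DN instead of staying inside the CN. This string names the certificate the CA is asked to sign, so build it with an X.500 name builder (Bouncy Castle is already imported in this class) or escape the value per RFC 4514 before concatenating.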

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400897#comment-15400897
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72896574
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
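Review bot: PROVIDER names the Bouncy Castle provider, but the provider is only registered if some caller invokes addBouncyCastleProvider() first, so any lookup by that name made earlier fails with NoSuchProviderException. Register the provider in a static initializer of this class, or pass a provider instance instead of its name, so that correctness does not depend on call order.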

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400467#comment-15400467
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882326
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityServiceHandler.java
 ---
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.input.BoundedReader;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+
+/**
+ * Jetty service handler that validates the hmac of a CSR and issues a 
certificate if it checks out
+ */
+public class TlsCertificateAuthorityServiceHandler extends AbstractHandler 
{
+public static final String CSR_FIELD_MUST_BE_SET = "csr field must be 
set";
+public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must 
be set";
+public static final String FORBIDDEN = "forbidden";
+private final TlsHelper tlsHelper;
+private final String token;
+private final X509Certificate caCert;
+private final KeyPair keyPair;
+private final ObjectMapper objectMapper;
+
+public TlsCertificateAuthorityServiceHandler(TlsHelper tlsHelper, 
String token, X509Certificate caCert, KeyPair keyPair, ObjectMapper 
objectMapper) {
+this.tlsHelper = tlsHelper;
+this.token = token;
+this.caCert = caCert;
+this.keyPair = keyPair;
+this.objectMapper = objectMapper;
+}
+
+@Override
+public void handle(String target, Request baseRequest, 
HttpServletRequest request, HttpServletResponse response) throws IOException, 
ServletException {
+try {
+TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest 
= objectMapper.readValue(new BoundedReader(request.getReader(), 1024 * 1024), 
TlsCertificateAuthorityRequest.class);
+
+if (!tlsCertificateAuthorityRequest.hasCsr()) {
+writeResponse(objectMapper, response, new 
TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET), 
Response.SC_BAD_REQUEST);
+return;
+}
+
+if (!tlsCertificateAuthorityRequest.hasHmac()) {
--- End diff --

We need both a csr and hmac from the client in order to do the validation


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Bryan Rosander
>Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message 

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400466#comment-15400466
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882314
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.protocol.HttpContext;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Socket Factory validates that it is talking to a RootCa claiming to 
have the given hostname.  It adds the certificate
+ * to a list for later validation against the payload's hmac
+ */
+public class TlsCertificateAuthorityClientSocketFactory extends 
SSLConnectionSocketFactory {
+private final String caHostname;
+private final List certificates;
+
+public TlsCertificateAuthorityClientSocketFactory(SSLContext 
sslContext, String caHostname, List certificates) {
--- End diff --

will do





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400465#comment-15400465
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882313
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.protocol.HttpContext;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Socket Factory validates that it is talking to a RootCa claiming to 
have the given hostname.  It adds the certificate
+ * to a list for later validation against the payload's hmac
+ */
+public class TlsCertificateAuthorityClientSocketFactory extends 
SSLConnectionSocketFactory {
+private final String caHostname;
+private final List certificates;
+
+public TlsCertificateAuthorityClientSocketFactory(SSLContext 
sslContext, String caHostname, List certificates) {
+super(sslContext);
+this.caHostname = caHostname;
+this.certificates = certificates;
+}
+
+@Override
+public synchronized Socket connectSocket(int connectTimeout, Socket 
socket, HttpHost host, InetSocketAddress remoteAddress,
+ InetSocketAddress 
localAddress, HttpContext context) throws IOException {
+Socket result = super.connectSocket(connectTimeout, socket, host, 
remoteAddress, localAddress, context);
+if (!SSLSocket.class.isInstance(result)) {
+throw new IOException("Expected tls socket");
+}
+SSLSocket sslSocket = (SSLSocket) result;
+java.security.cert.Certificate[] peerCertificateChain = 
sslSocket.getSession().getPeerCertificates();
+if (peerCertificateChain.length != 1) {
+throw new IOException("Expected root ca cert");
+}
+if (!X509Certificate.class.isInstance(peerCertificateChain[0])) {
+throw new IOException("Expected root ca cert in X509 format");
+}
+String cn;
+try {
+X509Certificate certificate = (X509Certificate) 
peerCertificateChain[0];
+cn = IETFUtils.valueToString(new 
JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
--- End diff --

I'm not really interested in the whole dn, only the cn to let the client 
check that the CA at least claims to be the right one.



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400462#comment-15400462
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882248
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java
 ---
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import java.math.BigInteger;
+import java.security.SecureRandom;
+
+public class PasswordUtil {
+private final SecureRandom secureRandom;
+
+public PasswordUtil(SecureRandom secureRandom) {
--- End diff --

mostly for testing, added default no-arg constructor



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400456#comment-15400456
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882165
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java
 ---
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import java.math.BigInteger;
+import java.security.SecureRandom;
+
+public class PasswordUtil {
+private final SecureRandom secureRandom;
+
+public PasswordUtil(SecureRandom secureRandom) {
+this.secureRandom = secureRandom;
+}
+
+public String generatePassword() {
+// [see 
http://stackoverflow.com/questions/41107/how-to-generate-a-random-alpha-numeric-string#answer-41156]
+return new BigInteger(1024, secureRandom).toString(36);
--- End diff --

reducing to 256 bits, base64 encoding the output and stripping the = or == 
off end



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400454#comment-15400454
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882158
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java
 ---
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.input.BoundedInputStream;
+import org.apache.http.HttpHost;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Response;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Supplier;
+
+public class TlsCertificateSigningRequestPerformer {
+public static final String RECEIVED_RESPONSE_CODE = "Received response 
code ";
+public static final String EXPECTED_ONE_CERTIFICATE = "Expected one 
certificate";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = 
"Expected response to contain hmac";
+public static final String 
UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac 
received, possible man in the middle";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = 
"Expected response to contain certificate";
+private final Supplier httpClientBuilderSupplier;
+private final String caHostname;
+private final String dn;
+private final String token;
+private final int port;
+private final TlsHelper tlsHelper;
+
+public TlsCertificateSigningRequestPerformer(TlsClientConfig 
tlsClientConfig) throws NoSuchAlgorithmException {
+this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws 
NoSuchAlgorithmException {
+this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, String caHostname, String dn, String token, int 
port, TlsHelper tlsHelper) {
+this.httpClientBuilderSupplier = httpClientBuilderSupplier;
+this.caHostname = caHostname;
+this.dn = dn;
+this.token = token;
+this.port = port;
+this.tlsHelper = tlsHelper;
+}
+
+public static String getDn(String hostname) {
+return "CN=" + hostname + ",OU=NIFI";
+}
+
+/**
+ * Submits a CSR to the Certificate authority, checks the resulting 
hmac, and returns the chain if everything succeeds
+ *
+ * @param objectMapper for 
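Review bot: the class declaration has no javadoc, yet the imports pair TrustSelfSignedStrategy with the UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE message, which suggests the TLS layer accepts a self-signed CA certificate and the hmac comparison is what authenticates it. Add a class-level comment that says so and that the token has to be shared out of band, so nobody later removes the hmac check as redundant. Separately, org.eclipse.jetty.server.Response is a server class imported into the client; if it is only used for status code constants, take them from the HTTP client library already in use.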

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400450#comment-15400450
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882113
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
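
Review bot: The class exposes `PROVIDER` as a public constant but leaves provider registration to the separate static `addBouncyCastleProvider()`, which none of the visible constructors calls, so every entry point has to remember to invoke it first. Either register the provider in a static initializer or state the precondition in Javadoc on the class, which currently has none. The constructors also pass `days` and `keySize` through without any visible range check; it is worth confirming that `createKeyPairGenerator` or the config class rejects non-positive values.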

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400448#comment-15400448
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882057
  
--- Diff: 
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 ---
@@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase {
 private
 static X509Certificate generateCertificate(String dn) throws 
IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
 KeyPair keyPair = generateKeyPair();
-return generateCertificate(dn, keyPair);
-}
-
-/**
- * Generates a signed certificate with a specific keypair.
- *
- * @param dn the DN
- * @param keyPair the public key will be included in the certificate 
and the the private key is used to sign the certificate
- * @return the certificate
- * @throws IOException
- * @throws NoSuchAlgorithmException
- * @throws CertificateException
- * @throws NoSuchProviderException
- * @throws SignatureException
- * @throws InvalidKeyException
- * @throws OperatorCreationException
- */
-private
-static X509Certificate generateCertificate(String dn, KeyPair keyPair) 
throws IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
-PrivateKey privateKey = keyPair.getPrivate();
-ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
-SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
-Date startDate = new Date(YESTERDAY);
-Date endDate = new Date(ONE_YEAR_FROM_NOW);
-
-X509v3CertificateBuilder certBuilder = new 
X509v3CertificateBuilder(
-new X500Name(dn),
-BigInteger.valueOf(System.currentTimeMillis()),
-startDate, endDate,
-new X500Name(dn),
-subPubKeyInfo);
-
-// Set certificate extensions
-// (1) digitalSignature extension
-certBuilder.addExtension(X509Extension.keyUsage, true,
-new KeyUsage(KeyUsage.digitalSignature | 
KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement));
-
-// (2) extendedKeyUsage extension
-Vector ekUsages = new Vector<>();
-ekUsages.add(KeyPurposeId.id_kp_clientAuth);
-ekUsages.add(KeyPurposeId.id_kp_serverAuth);
-certBuilder.addExtension(X509Extension.extendedKeyUsage, false, 
new ExtendedKeyUsage(ekUsages));
-
-// Sign the certificate
-X509CertificateHolder certificateHolder = 
certBuilder.build(sigGen);
-return new JcaX509CertificateConverter().setProvider(PROVIDER)
-.getCertificate(certificateHolder);
+return CertificateUtils.generateSelfSignedX509Certificate(keyPair, 
dn, SIGNATURE_ALGORITHM, 365);
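
Review bot: The replacement call on the last added line passes the validity period as a bare `365`, where the removed helper used the named constants `YESTERDAY` and `ONE_YEAR_FROM_NOW`. Pull the value into a named constant in the test, or reuse a default exposed by `CertificateUtils`, so the test does not drift silently when the tool's default validity changes.
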
--- End diff --

Upping default valid duration to 3 years


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400446#comment-15400446
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882052
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClient.java
 ---
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.nifi.toolkit.tls.TlsToolkitMain;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+
+/**
+ * Client that will generate a CSR and submit to a CA, writing out the 
results to a keystore and truststore along with a config file if successful
+ */
+public class TlsCertificateAuthorityClient {
+private final File configFile;
+private final TlsHelper tlsHelper;
+private final PasswordUtil passwordUtil;
+private final TlsClientConfig tlsClientConfig;
+private final OutputStreamFactory outputStreamFactory;
+private final ObjectMapper objectMapper;
+private final TlsCertificateSigningRequestPerformer 
tlsCertificateSigningRequestPerformer;
+
+public TlsCertificateAuthorityClient(File configFile) throws 
IOException, NoSuchAlgorithmException {
+this(configFile, FileInputStream::new, FileOutputStream::new);
+}
+
+public TlsCertificateAuthorityClient(File configFile, 
InputStreamFactory inputStreamFactory, OutputStreamFactory outputStreamFactory)
+throws IOException, NoSuchAlgorithmException {
+this(configFile, outputStreamFactory, new 
ObjectMapper().readValue(inputStreamFactory.create(configFile), 
TlsClientConfig.class));
+}
+
+public TlsCertificateAuthorityClient(File configFile, 
OutputStreamFactory outputStreamFactory, TlsClientConfig tlsClientConfig)
+throws NoSuchAlgorithmException {
+this.configFile = configFile;
+this.objectMapper = new ObjectMapper();
+this.tlsClientConfig = tlsClientConfig;
+this.tlsHelper = tlsClientConfig.createTlsHelper();
+this.passwordUtil = new PasswordUtil(new SecureRandom());
+this.outputStreamFactory = outputStreamFactory;
+this.tlsCertificateSigningRequestPerformer = 
tlsClientConfig.createCertificateSigningRequestPerformer();
+}
+
+public static void main(String[] args) throws Exception {
+TlsHelper.addBouncyCastleProvider();
+if (args.length != 1 || StringUtils.isEmpty(args[0])) {
+throw new Exception("Expected config file as only argument");
+}
+TlsCertificateAuthorityClient tlsCertificateAuthorityClient = new 
TlsCertificateAuthorityClient(new File(args[0]));
+if (tlsCertificateAuthorityClient.needsRun()) {
+
tlsCertificateAuthorityClient.generateCertificateAndGetItSigned();
+}
+}
+
+public boolean needsRun() {
+return !(new 
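
Review bot: In `main`, a missing or empty argument is reported with `throw new Exception("Expected config file as only argument")`, which gives the operator a stack trace instead of a usage message. Print the usage line to stderr and exit with a non-zero status, so scripts that wrap the client can tell a bad invocation from a failed signing request.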

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400445#comment-15400445
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882041
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java
 ---
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.input.BoundedInputStream;
+import org.apache.http.HttpHost;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Response;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Supplier;
+
+public class TlsCertificateSigningRequestPerformer {
+public static final String RECEIVED_RESPONSE_CODE = "Received response 
code ";
+public static final String EXPECTED_ONE_CERTIFICATE = "Expected one 
certificate";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = 
"Expected response to contain hmac";
+public static final String 
UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac 
received, possible man in the middle";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = 
"Expected response to contain certificate";
+private final Supplier httpClientBuilderSupplier;
+private final String caHostname;
+private final String dn;
+private final String token;
+private final int port;
+private final TlsHelper tlsHelper;
+
+public TlsCertificateSigningRequestPerformer(TlsClientConfig 
tlsClientConfig) throws NoSuchAlgorithmException {
+this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws 
NoSuchAlgorithmException {
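
Review bot: The class declaration has no Javadoc, and the trust model is only implied by the import of `TrustSelfSignedStrategy` and by the message constant "Unexpected hmac received, possible man in the middle". If, as the import suggests, the connection accepts a self-signed CA certificate, document on the class that the HMAC keyed by `token` is what authenticates the CA's response, so operators know the strength of the exchange depends on a long, random token.
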
--- End diff --

reducing visibility, it was for testing



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15400444#comment-15400444
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72882026
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityServiceHandler.java
 ---
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.input.BoundedReader;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+
+/**
+ * Jetty service handler that validates the hmac of a CSR and issues a 
certificate if it checks out
+ */
+public class TlsCertificateAuthorityServiceHandler extends AbstractHandler 
{
+public static final String CSR_FIELD_MUST_BE_SET = "csr field must be 
set";
+public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must 
be set";
+public static final String FORBIDDEN = "forbidden";
+private final TlsHelper tlsHelper;
+private final String token;
+private final X509Certificate caCert;
+private final KeyPair keyPair;
+private final ObjectMapper objectMapper;
+
+public TlsCertificateAuthorityServiceHandler(TlsHelper tlsHelper, 
String token, X509Certificate caCert, KeyPair keyPair, ObjectMapper 
objectMapper) {
+this.tlsHelper = tlsHelper;
+this.token = token;
+this.caCert = caCert;
+this.keyPair = keyPair;
+this.objectMapper = objectMapper;
+}
+
+@Override
+public void handle(String target, Request baseRequest, 
HttpServletRequest request, HttpServletResponse response) throws IOException, 
ServletException {
+try {
+TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest 
= objectMapper.readValue(new BoundedReader(request.getReader(), 1024 * 1024), 
TlsCertificateAuthorityRequest.class);
+
+if (!tlsCertificateAuthorityRequest.hasCsr()) {
+writeResponse(objectMapper, response, new 
TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET), 
Response.SC_BAD_REQUEST);
+return;
+}
+
+if (!tlsCertificateAuthorityRequest.hasHmac()) {
+writeResponse(objectMapper, response, new 
TlsCertificateAuthorityResponse(HMAC_FIELD_MUST_BE_SET), 
Response.SC_BAD_REQUEST);
+return;
+}
+
+JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = 
tlsHelper.parseCsr(tlsCertificateAuthorityRequest.getCsr());
+
+if 
(tlsHelper.checkHMac(tlsCertificateAuthorityRequest.getHmac(), token, 
jcaPKCS10CertificationRequest.getPublicKey())) {
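
Review bot: In `handle`, `checkHMac` receives the HMAC, the token and only `jcaPKCS10CertificationRequest.getPublicKey()`, so the subject DN carried in the CSR is not covered by the check. If any token holder is meant to be able to request any subject, say so in the class Javadoc; otherwise validate the requested DN before signing. Also confirm that `TlsHelper.checkHMac` compares the two values in constant time, for example with `MessageDigest.isEqual`.
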
--- End diff --

Noted, removing



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398707#comment-15398707
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72741316
  
--- Diff: 
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 ---
@@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase {
 private
 static X509Certificate generateCertificate(String dn) throws 
IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
 KeyPair keyPair = generateKeyPair();
-return generateCertificate(dn, keyPair);
-}
-
-/**
- * Generates a signed certificate with a specific keypair.
- *
- * @param dn the DN
- * @param keyPair the public key will be included in the certificate 
and the the private key is used to sign the certificate
- * @return the certificate
- * @throws IOException
- * @throws NoSuchAlgorithmException
- * @throws CertificateException
- * @throws NoSuchProviderException
- * @throws SignatureException
- * @throws InvalidKeyException
- * @throws OperatorCreationException
- */
-private
-static X509Certificate generateCertificate(String dn, KeyPair keyPair) 
throws IOException, NoSuchAlgorithmException, CertificateException, 
NoSuchProviderException, SignatureException, InvalidKeyException, 
OperatorCreationException {
-PrivateKey privateKey = keyPair.getPrivate();
-ContentSigner sigGen = new 
JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
-SubjectPublicKeyInfo subPubKeyInfo = 
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
-Date startDate = new Date(YESTERDAY);
-Date endDate = new Date(ONE_YEAR_FROM_NOW);
-
-X509v3CertificateBuilder certBuilder = new 
X509v3CertificateBuilder(
-new X500Name(dn),
-BigInteger.valueOf(System.currentTimeMillis()),
-startDate, endDate,
-new X500Name(dn),
-subPubKeyInfo);
-
-// Set certificate extensions
-// (1) digitalSignature extension
-certBuilder.addExtension(X509Extension.keyUsage, true,
-new KeyUsage(KeyUsage.digitalSignature | 
KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement));
-
-// (2) extendedKeyUsage extension
-Vector ekUsages = new Vector<>();
-ekUsages.add(KeyPurposeId.id_kp_clientAuth);
-ekUsages.add(KeyPurposeId.id_kp_serverAuth);
-certBuilder.addExtension(X509Extension.extendedKeyUsage, false, 
new ExtendedKeyUsage(ekUsages));
-
-// Sign the certificate
-X509CertificateHolder certificateHolder = 
certBuilder.build(sigGen);
-return new JcaX509CertificateConverter().setProvider(PROVIDER)
-.getCertificate(certificateHolder);
+return CertificateUtils.generateSelfSignedX509Certificate(keyPair, 
dn, SIGNATURE_ALGORITHM, 365);
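
Review bot: The removed helper set a critical keyUsage extension and an extendedKeyUsage with `id_kp_clientAuth` and `id_kp_serverAuth`, and backdated the start of validity to `YESTERDAY`; the single-line replacement delegates all of that to `CertificateUtils.generateSelfSignedX509Certificate`. Confirm that the shared method produces the same extensions and a start date that tolerates clock skew, and add an assertion on them here, since this test previously controlled them directly.
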
--- End diff --

@brosander and I discussed the need for certificate migration, especially 
for the CA, and handling the trust chain amongst the nodes. I think if this 
value (throughout the tool) is increased for now, the additional use cases and 
logic to handle key/cert rollover can be addressed in a `x.1.x` release. Not 
ideal, but it is not an easy problem to tackle so close to the current release 
deadline. 



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398704#comment-15398704
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72741196
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClient.java
 ---
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.nifi.toolkit.tls.TlsToolkitMain;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.toolkit.tls.util.InputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
+import org.apache.nifi.toolkit.tls.util.PasswordUtil;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+
+/**
+ * Client that will generate a CSR and submit to a CA, writing out the 
results to a keystore and truststore along with a config file if successful
+ */
+public class TlsCertificateAuthorityClient {
+private final File configFile;
+private final TlsHelper tlsHelper;
+private final PasswordUtil passwordUtil;
+private final TlsClientConfig tlsClientConfig;
+private final OutputStreamFactory outputStreamFactory;
+private final ObjectMapper objectMapper;
+private final TlsCertificateSigningRequestPerformer 
tlsCertificateSigningRequestPerformer;
+
+public TlsCertificateAuthorityClient(File configFile) throws 
IOException, NoSuchAlgorithmException {
+this(configFile, FileInputStream::new, FileOutputStream::new);
+}
+
+public TlsCertificateAuthorityClient(File configFile, 
InputStreamFactory inputStreamFactory, OutputStreamFactory outputStreamFactory)
+throws IOException, NoSuchAlgorithmException {
+this(configFile, outputStreamFactory, new 
ObjectMapper().readValue(inputStreamFactory.create(configFile), 
TlsClientConfig.class));
+}
+
+public TlsCertificateAuthorityClient(File configFile, 
OutputStreamFactory outputStreamFactory, TlsClientConfig tlsClientConfig)
+throws NoSuchAlgorithmException {
+this.configFile = configFile;
+this.objectMapper = new ObjectMapper();
+this.tlsClientConfig = tlsClientConfig;
+this.tlsHelper = tlsClientConfig.createTlsHelper();
+this.passwordUtil = new PasswordUtil(new SecureRandom());
+this.outputStreamFactory = outputStreamFactory;
+this.tlsCertificateSigningRequestPerformer = 
tlsClientConfig.createCertificateSigningRequestPerformer();
+}
+
+public static void main(String[] args) throws Exception {
+TlsHelper.addBouncyCastleProvider();
+if (args.length != 1 || StringUtils.isEmpty(args[0])) {
+throw new Exception("Expected config file as only argument");
+}
+TlsCertificateAuthorityClient tlsCertificateAuthorityClient = new 
TlsCertificateAuthorityClient(new File(args[0]));
+if (tlsCertificateAuthorityClient.needsRun()) {
+
tlsCertificateAuthorityClient.generateCertificateAndGetItSigned();
+}
+}
+
+public boolean needsRun() {
+return !(new 
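
Review bot: In `main`, when `needsRun()` returns false the method falls through and exits with no output, so an operator cannot tell a skipped run from a successful one. Log which condition caused the skip before returning. In the three-argument constructor, `new PasswordUtil(new SecureRandom())` is hard-wired while the stream factories are injectable; accepting the `PasswordUtil` as a parameter would keep the constructor consistent and testable.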

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398703#comment-15398703
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72741115
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java
 ---
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.input.BoundedInputStream;
+import org.apache.http.HttpHost;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Response;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Supplier;
+
+public class TlsCertificateSigningRequestPerformer {
+public static final String RECEIVED_RESPONSE_CODE = "Received response 
code ";
+public static final String EXPECTED_ONE_CERTIFICATE = "Expected one 
certificate";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = 
"Expected response to contain hmac";
+public static final String 
UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac 
received, possible man in the middle";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = 
"Expected response to contain certificate";
+private final Supplier httpClientBuilderSupplier;
+private final String caHostname;
+private final String dn;
+private final String token;
+private final int port;
+private final TlsHelper tlsHelper;
+
+public TlsCertificateSigningRequestPerformer(TlsClientConfig 
tlsClientConfig) throws NoSuchAlgorithmException {
+this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws 
NoSuchAlgorithmException {
+this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, String caHostname, String dn, String token, int 
port, TlsHelper tlsHelper) {
+this.httpClientBuilderSupplier = httpClientBuilderSupplier;
+this.caHostname = caHostname;
+this.dn = dn;
+this.token = token;
+this.port = port;
+this.tlsHelper = tlsHelper;
+}
+
+public static String getDn(String hostname) {
+return "CN=" + hostname + ",OU=NIFI";
+}
+
+/**
+ * Submits a CSR to the Certificate authority, checks the resulting 
hmac, and returns the chain if everything succeeds
+ *
+ * @param objectMapper for 
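
Review bot: `getDn(String hostname)` concatenates the hostname straight into `"CN=" + hostname + ",OU=NIFI"`, so a value containing `,`, `+` or `=` changes the structure of the resulting DN instead of ending up inside the CN. Build the name from typed RDNs (for example Bouncy Castle's `X500NameBuilder` with `BCStyle.CN` and `BCStyle.OU`), or reject hostnames that are not valid DNS names before formatting.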

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398695#comment-15398695
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72740653
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.protocol.HttpContext;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Socket Factory validates that it is talking to a RootCa claiming to 
have the given hostname.  It adds the certificate
+ * to a list for later validation against the payload's hmac
+ */
+public class TlsCertificateAuthorityClientSocketFactory extends 
SSLConnectionSocketFactory {
+private final String caHostname;
+private final List certificates;
+
+public TlsCertificateAuthorityClientSocketFactory(SSLContext 
sslContext, String caHostname, List certificates) {
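
Review bot: the class Javadoc says the factory checks a CA "claiming to have the given hostname" and leaves the real validation to the payload's hmac, but the constructor takes the `certificates` list with no statement of who owns it or when its contents may be trusted. Document on the constructor that the list is filled as a side effect of connecting and that its entries must not be used until the hmac check has passed.
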
--- End diff --

Because we are only using this for direct communication between NiFi nodes 
and NiFi CAs, we don't have to worry about legacy compatibility, so we can 
restrict the TLS protocol version to `TLSv1.2` to enforce a strong protocol 
with strong and fast cipher suites. 


> Command Line Keystore and Truststore utility
> 
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
>  Issue Type: New Feature
>Reporter: Bryan Rosander
>Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
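
The restriction suggested in the comment above, shown with plain JSSE as an added example that is not code from the pull request or from NiFi. The class and method names are hypothetical, and the socket is left unconnected so the example runs without a CA to talk to.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.util.Arrays;

// Added illustration, not NiFi code: class and method names are hypothetical.
public class Tls12OnlyExample {
    private static final String REQUIRED_PROTOCOL = "TLSv1.2";

    // Limit the socket to the one protocol version before the handshake starts.
    static SSLSocket restrictProtocol(SSLSocket socket) {
        SSLParameters parameters = socket.getSSLParameters();
        parameters.setProtocols(new String[] {REQUIRED_PROTOCOL});
        socket.setSSLParameters(parameters);
        return socket;
    }

    // Post-handshake check: fail closed if any other version was negotiated.
    static void requireNegotiatedProtocol(SSLSocket socket) throws IOException {
        String negotiated = socket.getSession().getProtocol();
        if (!REQUIRED_PROTOCOL.equals(negotiated)) {
            throw new IOException("Expected " + REQUIRED_PROTOCOL + " but negotiated " + negotiated);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getInstance(REQUIRED_PROTOCOL);
        context.init(null, null, null); // JVM default key and trust material

        // Unconnected socket: enough to inspect the configuration without network traffic.
        try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket()) {
            System.out.println("Enabled by default:  " + Arrays.toString(socket.getEnabledProtocols()));
            restrictProtocol(socket);
            System.out.println("Enabled after limit: " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

In a socket factory like the one under review, `restrictProtocol` would run on the socket before it connects and `requireNegotiatedProtocol` after the handshake completes.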


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398692#comment-15398692
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72740552
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityClientSocketFactory.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.protocol.HttpContext;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Socket Factory validates that it is talking to a RootCa claiming to 
have the given hostname.  It adds the certificate
+ * to a list for later validation against the payload's hmac
+ */
+public class TlsCertificateAuthorityClientSocketFactory extends 
SSLConnectionSocketFactory {
+private final String caHostname;
+private final List certificates;
+
+public TlsCertificateAuthorityClientSocketFactory(SSLContext 
sslContext, String caHostname, List certificates) {
+super(sslContext);
+this.caHostname = caHostname;
+this.certificates = certificates;
+}
+
+@Override
+public synchronized Socket connectSocket(int connectTimeout, Socket 
socket, HttpHost host, InetSocketAddress remoteAddress,
+ InetSocketAddress 
localAddress, HttpContext context) throws IOException {
+Socket result = super.connectSocket(connectTimeout, socket, host, 
remoteAddress, localAddress, context);
+if (!SSLSocket.class.isInstance(result)) {
+throw new IOException("Expected tls socket");
+}
+SSLSocket sslSocket = (SSLSocket) result;
+java.security.cert.Certificate[] peerCertificateChain = 
sslSocket.getSession().getPeerCertificates();
+if (peerCertificateChain.length != 1) {
+throw new IOException("Expected root ca cert");
+}
+if (!X509Certificate.class.isInstance(peerCertificateChain[0])) {
+throw new IOException("Expected root ca cert in X509 format");
+}
+String cn;
+try {
+X509Certificate certificate = (X509Certificate) 
peerCertificateChain[0];
+cn = IETFUtils.valueToString(new 
JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
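
Review bot: `getRDNs(BCStyle.CN)[0]` assumes the subject carries at least one CN. A certificate whose subject has none makes this index throw `ArrayIndexOutOfBoundsException`, and the catch clause is not visible in this hunk, so it is unclear whether that surfaces as the `IOException` callers expect. Check the array length first and fail with an explicit `IOException`, as the chain-length and X509 checks above it do.
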
--- End diff --

I'd recommend looking at `CertificateUtils.extractPeerDNFromSSLSocket()` 
for this operation as it handles a bit more validation. 



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398458#comment-15398458
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72723924
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java
 ---
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import java.math.BigInteger;
+import java.security.SecureRandom;
+
+public class PasswordUtil {
+private final SecureRandom secureRandom;
+
+public PasswordUtil(SecureRandom secureRandom) {
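
Review bot: `PasswordUtil` and its constructor have no Javadoc, so nothing tells a caller what kind of `SecureRandom` is acceptable. State in the constructor doc that the supplied instance is the only entropy source for the generated passwords and that a deterministic test double belongs in tests only.
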
--- End diff --

Is the `SecureRandom` initialized externally for a reason? Is this just to 
make testing easier?



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398456#comment-15398456
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72723879
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/PasswordUtil.java
 ---
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import java.math.BigInteger;
+import java.security.SecureRandom;
+
+public class PasswordUtil {
+private final SecureRandom secureRandom;
+
+public PasswordUtil(SecureRandom secureRandom) {
+this.secureRandom = secureRandom;
+}
+
+public String generatePassword() {
+// [see 
http://stackoverflow.com/questions/41107/how-to-generate-a-random-alpha-numeric-string#answer-41156]
+return new BigInteger(1024, secureRandom).toString(36);
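
Review bot: `new BigInteger(1024, secureRandom).toString(36)` returns a string whose length varies from call to call, because `toString` drops leading zero digits, and `1024` and `36` are unexplained literals. Pull both into named constants and encode a fixed number of random bits so every generated password has the same length and a documented entropy.
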
--- End diff --

I appreciate the *strong* entropy here, but 1024 bits in base 36  
198 characters. Something that provides more than 128 bits is sufficient here; 
256 will be more than enough for a number of years. I might have commented 
off-hand about the base earlier, but base 32 makes sense because it uses a 
"round" number of bits  ( `2^5 = 32` ) to fully express its alphabet, while 
base 36 (`0-9a-f`) needs 6 ( `2^6 = 64` ) but wastes a number of those bits. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
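
The sizing discussed in the comment above, worked through as an added example that is not code from the pull request or from NiFi. The class and method names are hypothetical; it computes how many characters a given number of bits needs in base 32 and base 36, measures the length of the diff's `BigInteger` expression over many draws, and builds a fixed-length base 32 password.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Added illustration, not NiFi code: class and method names are hypothetical.
public class PasswordSizingExample {

    // RFC 4648 base32 alphabet in lower case: 32 symbols, exactly 5 bits each.
    private static final char[] BASE32 = "abcdefghijklmnopqrstuvwxyz234567".toCharArray();

    // Smallest number of radix-N characters that can represent every value of
    // `bits` bits, computed exactly: the least n with radix^n >= 2^bits.
    static int charsForBits(int bits, int radix) {
        BigInteger target = BigInteger.ONE.shiftLeft(bits);
        BigInteger reach = BigInteger.ONE;
        int n = 0;
        while (reach.compareTo(target) < 0) {
            reach = reach.multiply(BigInteger.valueOf(radix));
            n++;
        }
        return n;
    }

    // Fixed-length password: each character carries 5 uniformly random bits.
    static String generatePassword(SecureRandom random, int bits) {
        int length = (bits + 4) / 5; // round up to whole characters
        StringBuilder password = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            password.append(BASE32[random.nextInt(BASE32.length)]);
        }
        return password.toString();
    }

    public static void main(String[] args) {
        SecureRandom random = new SecureRandom();

        for (int bits : new int[] {128, 256, 1024}) {
            System.out.printf("%4d bits: %3d chars in base 32, %3d chars in base 36%n",
                    bits, charsForBits(bits, 32), charsForBits(bits, 36));
        }

        // The expression from the diff: its length depends on the value drawn.
        int min = Integer.MAX_VALUE;
        int max = 0;
        for (int i = 0; i < 10_000; i++) {
            int length = new BigInteger(1024, random).toString(36).length();
            min = Math.min(min, length);
            max = Math.max(max, length);
        }
        System.out.println("BigInteger(1024, rnd).toString(36) lengths seen: " + min + " to " + max);

        // Fixed-length alternative at 256 bits; only the length is printed.
        String password = generatePassword(random, 256);
        System.out.println("256-bit base 32 password length: " + password.length());
    }
}
```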


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398344#comment-15398344
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72715741
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java
 ---
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.input.BoundedInputStream;
+import org.apache.http.HttpHost;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Response;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Supplier;
+
+public class TlsCertificateSigningRequestPerformer {
+public static final String RECEIVED_RESPONSE_CODE = "Received response 
code ";
+public static final String EXPECTED_ONE_CERTIFICATE = "Expected one 
certificate";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = 
"Expected response to contain hmac";
+public static final String 
UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac 
received, possible man in the middle";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = 
"Expected response to contain certificate";
+private final Supplier httpClientBuilderSupplier;
+private final String caHostname;
+private final String dn;
+private final String token;
+private final int port;
+private final TlsHelper tlsHelper;
+
+public TlsCertificateSigningRequestPerformer(TlsClientConfig 
tlsClientConfig) throws NoSuchAlgorithmException {
+this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws 
NoSuchAlgorithmException {
+this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, String caHostname, String dn, String token, int 
port, TlsHelper tlsHelper) {
+this.httpClientBuilderSupplier = httpClientBuilderSupplier;
+this.caHostname = caHostname;
+this.dn = dn;
+this.token = token;
+this.port = port;
+this.tlsHelper = tlsHelper;
+}
+
+public static String getDn(String hostname) {
+return "CN=" + hostname + ",OU=NIFI";
+}
+
+/**
+ * Submits a CSR to the Certificate authority, checks the resulting 
hmac, and returns the chain if everything succeeds
+ *
+ * @param objectMapper for 
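
Review bot: the import of `org.eclipse.jetty.server.Response` ties this HTTP client class to the Jetty server artifact. If it is only needed for status-code constants, use `org.apache.http.HttpStatus`, which HttpClient already provides, so the client does not depend on server classes.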

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398333#comment-15398333
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72715250
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
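
Review bot: `addBouncyCastleProvider()` changes the JVM-wide provider list, yet none of the constructors shown call it, so whether the provider named by `PROVIDER` can be resolved depends on the caller having invoked it first. Add Javadoc stating when it must be called, or register the provider in a static initializer so a missed call cannot show up later as `NoSuchProviderException`.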

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398319#comment-15398319
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72714290
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/TlsCertificateSigningRequestPerformer.java
 ---
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.input.BoundedInputStream;
+import org.apache.http.HttpHost;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
+import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.eclipse.jetty.server.Response;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Supplier;
+
+public class TlsCertificateSigningRequestPerformer {
+public static final String RECEIVED_RESPONSE_CODE = "Received response 
code ";
+public static final String EXPECTED_ONE_CERTIFICATE = "Expected one 
certificate";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_HMAC = 
"Expected response to contain hmac";
+public static final String 
UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE = "Unexpected hmac 
received, possible man in the middle";
+public static final String EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE = 
"Expected response to contain certificate";
+private final Supplier httpClientBuilderSupplier;
+private final String caHostname;
+private final String dn;
+private final String token;
+private final int port;
+private final TlsHelper tlsHelper;
+
+public TlsCertificateSigningRequestPerformer(TlsClientConfig 
tlsClientConfig) throws NoSuchAlgorithmException {
+this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), 
tlsClientConfig.getDn(), tlsClientConfig.getToken(), tlsClientConfig.getPort(), 
tlsClientConfig.createTlsHelper());
+}
+
+public 
TlsCertificateSigningRequestPerformer(Supplier 
httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws 
NoSuchAlgorithmException {
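
Review bot: the class declaration has no Javadoc, even though the `TrustSelfSignedStrategy` import and the `UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE` message indicate that the CA is authenticated by the hmac check rather than by TLS chain validation. Say so at class level, so a later change does not drop the hmac check on the assumption that TLS already covers it.
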
--- End diff --

I don't see any external invocations of the two constructors that pass the 
`Supplier` argument. I'm all for dependency injection, but 
is this something that needs to be provided externally?



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15398305#comment-15398305
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
Had a discussion with @brosander and I believe he is re-organizing the 
structure of the classes. I will continue adding comments on this iteration but 
I expect a new push is coming soon. 



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15397766#comment-15397766
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72655092
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
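
Review bot: `addBouncyCastleProvider()` is a separate public static call, so anything that looks up an algorithm by the `PROVIDER` name only works if some caller has invoked it first, and none of the constructors shown here does. Consider registering the provider in a static initializer of `TlsHelper`, or passing a `BouncyCastleProvider` instance to the `getInstance` calls so the class does not depend on JVM-wide `Security` state.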

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396758#comment-15396758
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on the issue:

https://github.com/apache/nifi/pull/695
  
@alopresto I agree with your concerns about the different entry points. 
I'll try to unify them and get down to a single shell script, with the main 
method and argument parsing determining the action.


> Command Line Keystore and Truststore utility
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a 
> command line utility capable of generating the required keystores, 
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that 
> they all use, and relevant passwords and configuration files for using the 
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based 
> certificate authority with corresponding client will allow for each NiFi 
> instance to generate its own keypair and then request signing by the CA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396754#comment-15396754
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72551782
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
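
Review bot: The public constructor `TlsHelper(int days, int keySize, String keyPairAlgorithm, String signingAlgorithm)` takes two adjacent `int`s and two adjacent `String`s with no Javadoc, and `days` is stored without a range check in the lines shown, so swapped arguments or a zero or negative validity period would not be caught here. Suggest Javadoc on the class and its constructors stating units and expected values, plus a check that `days` and `keySize` are positive before they are used.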

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396726#comment-15396726
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72548970
  
--- Diff: 
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
 ---
@@ -0,0 +1,177 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.util;
+
+import org.apache.nifi.security.util.CertificateUtils;
+import org.apache.nifi.toolkit.tls.commandLine.TlsToolkitCommandLine;
+import org.apache.nifi.toolkit.tls.configuration.TlsHelperConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.crmf.CRMFException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.eac.EACException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemWriter;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+public class TlsHelper {
+public static final String PROVIDER = 
BouncyCastleProvider.PROVIDER_NAME;
+public static final String PKCS12 = "PKCS12";
+private final KeyPairGenerator keyPairGenerator;
+private final int days;
+private final String signingAlgorithm;
+
+public TlsHelper(TlsHelperConfig tlsHelperConfig) throws 
NoSuchAlgorithmException {
+this(tlsHelperConfig.getDays(), tlsHelperConfig.getKeySize(), 
tlsHelperConfig.getKeyPairAlgorithm(), tlsHelperConfig.getSigningAlgorithm());
+}
+
+public TlsHelper(TlsToolkitCommandLine tlsToolkitCommandLine) throws 
NoSuchAlgorithmException {
+this(tlsToolkitCommandLine.getTlsHelperConfig());
+}
+
+public TlsHelper(int days, int keySize, String keyPairAlgorithm, 
String signingAlgorithm) throws NoSuchAlgorithmException {
+this(createKeyPairGenerator(keyPairAlgorithm, keySize), days, 
signingAlgorithm);
+}
+
+protected TlsHelper(KeyPairGenerator keyPairGenerator, int days, 
String signingAlgorithm) {
+this.keyPairGenerator = keyPairGenerator;
+this.days = days;
+this.signingAlgorithm = signingAlgorithm;
+}
+
+public static void addBouncyCastleProvider() {
+Security.addProvider(new BouncyCastleProvider());
+}
+
+private static KeyPairGenerator 
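
Review bot: The import block pulls `javax.crypto.Mac`, `SecretKeySpec` and `MessageDigest` into the same helper as the PKCS#10, X.509 and `KeyStore` classes, which suggests HMAC handling, CSR handling and keystore handling all live in one class. If so, moving the HMAC code into its own small class would make the security-sensitive part easier to review and test; it is also worth confirming that `CRMFException` and `EACException` are needed, since neither is used in the lines shown.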

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396558#comment-15396558
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/695
  
I am reviewing, focusing on the cryptographic code in here as well as the 
token signing for communication between the nodes and CA over an untrusted 
channel. 

@brosander can you please provide some documentation/admin guide? The only 
thing I have seen so far is the usage in the NiFiToolkitTLS class. 




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396057#comment-15396057
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72488748
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
+The following NOTICE information applies:
+  Apache Commons Lang
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Logging
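
Review bot: The `(ASLv2) Apache Commons CLI` entry carries the notice text `Apache Commons IO` with `Copyright 2001-2015`, while the Commons IO entry further down says `Copyright 2002-2012`, so the CLI block looks like a copy/paste slip. Replace it with the name and copyright line from the Commons CLI NOTICE file.
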
--- End diff --

Right, it contains all the license and notice information for all the direct 
dependencies that make their way into the distribution. It is on those 
dependencies to make sure their license and notice files accurately reflect the 
dependencies they bundle, and it is on us to properly reflect those license and 
notice files in our own files.

This way we don't have to drill all the way down into all transitive deps 
of all the direct deps we import; we just have to reflect the license and 
notice information of the direct deps.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396056#comment-15396056
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72488752
  
--- Diff: nifi-assembly/pom.xml ---
@@ -363,147 +363,6 @@ language governing permissions and limitations under 
the License. -->
 
 
 
-
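
Review bot: The header `@@ -363,147 +363,6 @@` shows a net removal of 141 lines from `nifi-assembly/pom.xml` at this position. Say in the commit message where that configuration now lives, and consider a build-time check that the assembly output still contains what these lines produced, rather than relying on a manual rebuild.
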
--- End diff --

@JPercivall still seeing a resolved nifi.properties in the nifi-assembly 
output




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396047#comment-15396047
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72487873
  
--- Diff: nifi-assembly/pom.xml ---
@@ -363,147 +363,6 @@ language governing permissions and limitations under 
the License. -->
 
 
 
-
--- End diff --

Yup I did mean the toolkit assembly, sorry for the confusion. 

Ah that is cool, sounds good.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396036#comment-15396036
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72485755
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
+The following NOTICE information applies:
+  Apache Commons Lang
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Logging
--- End diff --

@JPercivall I would think the LICENSE and NOTICE files for an assembly 
should contain needed info for any/all artifacts that make their way into the 
distribution.  If that's not the case, I can remove.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15396033#comment-15396033
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72485517
  
--- Diff: nifi-assembly/pom.xml ---
@@ -363,147 +363,6 @@ language governing permissions and limitations under 
the License. -->
 
 
 
-
--- End diff --

@JPercivall rebuilding from top now. I did check and am pretty sure that 
nifi.properties still winds up in nifi-assembly.

If you meant that it's not in the toolkit assembly, that's correct, it is 
built into the ssl toolkit jar.  The ssl toolkit is capable of generating a 
nifi.properties updated with the correct ssl values.  If the user does not 
specify a base file to use, it uses the embedded one.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395986#comment-15395986
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72478817
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
+The following NOTICE information applies:
+  Apache Commons Lang
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Logging
--- End diff --

It's my understanding that you don't need to put LICENSE and NOTICE 
information for transitive dependencies (except for deps we created in this 
project like nifi-security-utils). I believe what is needed is to look at the 
deps you have and just see what license they have. For strong licenses, like 
the ASLv2 that httpcomponents uses, you only need to add any NOTICE information that 
the dep lists. You already have the NOTICE information for httpcomponents, so 
you don't need to pass any other transitive licensing/notice.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395979#comment-15395979
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72478228
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
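Review bot: The "(ASLv2) Apache Commons CLI" entry in this hunk carries the wrong NOTICE body: the two lines under it read "Apache Commons IO" and "Copyright 2001-2015", while the separate "(ASLv2) Apache Commons IO" entry further down gives "Copyright 2002-2012". The CLI entry looks like a copy-paste slip; its body should name Apache Commons CLI and use the copyright line from that project's own NOTICE file.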
--- End diff --

Ah ok, good call.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395927#comment-15395927
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on the issue:

https://github.com/apache/nifi/pull/695
  
@JPercivall I think I've addressed your assembly and license concerns, 
please let me know if you're satisfied with the answers/changes.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395914#comment-15395914
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72470842
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/pom.xml ---
@@ -0,0 +1,89 @@
+
+
+http://maven.apache.org/POM/4.0.0; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd;>
+4.0.0
+
+org.apache.nifi
+nifi-toolkit
+1.0.0-SNAPSHOT
+
+nifi-toolkit-assembly
+pom
+This is the assembly Apache NiFi Toolkit
+
+
+
+org.apache.rat
+apache-rat-plugin
+
+
+
src/main/resources/conf/config-client.json
+
src/main/resources/conf/config-server.json
+
+
+
+
+maven-assembly-plugin
+
+nifi-toolkit-${project.version}
+
+
+
+make shared resource
+
+single
+
+package
+
+
+
0755
+0755
+0644
+
+
+
src/main/assembly/dependencies.xml
+
+posix
+
+
+
+
+
+
+
+
+org.apache.nifi
+nifi-toolkit-tls
+
+
+org.slf4j
+slf4j-api
+compile
+1.7.12
+
+
+org.eclipse.jetty
+jetty-server
+compile
+
+
+javax.servlet
+javax.servlet-api
+compile
+
+
+commons-io
+commons-io
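Review bot: The commons-io entry that closes this hunk is in the same dependency list as nifi-toolkit-tls, which declares commons-io itself, and nothing in the POM says why it is repeated. If the repeat exists to control which commons-io version ends up in the assembly, record that in an XML comment next to the entry, or move the version into a dependencyManagement section shared by both modules so the assembly cannot resolve a different version from the one the TLS code is built against.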
--- End diff --

If I remove it, the assembly doesn't honor the 2.5 version from 
nifi-toolkit-tls, instead pulling in version 2.4.

I'm mainly using it for its BoundedReader functionality (to prevent a 
malicious client from sending an arbitrarily large payload) which isn't 
available until 2.5.


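
The size limit described in the comment above, as an added example that is not code from the NiFi pull request: Commons IO's `BoundedReader` reports end-of-stream once its limit is reached, so this sketch lets one character past the allowed size through in order to tell an oversized body from one that fits. The class name, method name and the 1,024-character limit are assumptions made for illustration.

```java
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.input.BoundedReader;

import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.Arrays;

/**
 * Added illustration (hypothetical class, not part of NiFi): cap how much of a
 * client-supplied body a server buffers before parsing it.
 * Requires commons-io 2.5 or later, where BoundedReader was introduced.
 */
public class BoundedBodyReader {

    /** Thrown when the peer sends more than the server is willing to buffer. */
    public static class PayloadTooLargeException extends IOException {
        public PayloadTooLargeException(String message) {
            super(message);
        }
    }

    /**
     * Reads at most maxChars characters from body.
     *
     * BoundedReader returns end-of-stream when its limit is hit, which on its
     * own would silently truncate an oversized body. Allowing maxChars + 1
     * characters through makes the overflow observable so it can be rejected.
     * The limit counts characters, not bytes on the wire.
     */
    public static String readBounded(Reader body, int maxChars) throws IOException {
        if (maxChars < 0 || maxChars == Integer.MAX_VALUE) {
            throw new IllegalArgumentException("maxChars out of range: " + maxChars);
        }
        try (Reader bounded = new BoundedReader(body, maxChars + 1)) {
            String text = IOUtils.toString(bounded);
            if (text.length() > maxChars) {
                throw new PayloadTooLargeException(
                        "request body exceeds " + maxChars + " characters");
            }
            return text;
        }
    }

    public static void main(String[] args) throws IOException {
        final int limit = 1024; // assumed limit for the demonstration

        // Constructed sample input: a small JSON body that fits under the limit.
        String small = "{\"csr\":\"constructed-sample\"}";
        String accepted = readBounded(new StringReader(small), limit);
        System.out.println("accepted " + accepted.length() + " chars");

        // Constructed oversized input: a reader that never ends, standing in for
        // a client that keeps streaming. Only limit + 1 characters are consumed.
        Reader endless = new Reader() {
            @Override
            public int read(char[] cbuf, int off, int len) {
                Arrays.fill(cbuf, off, off + len, 'A');
                return len;
            }

            @Override
            public void close() {
                // nothing to release
            }
        };
        try {
            readBounded(endless, limit);
        } catch (PayloadTooLargeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the request, rather than parsing whatever fits under the limit, keeps a truncated body from being mistaken for a complete one.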


[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395905#comment-15395905
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72469932
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
+The following NOTICE information applies:
+  Apache Commons Lang
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Logging
+The following NOTICE information applies:
+  Apache Commons Logging
+  Copyright 2003-2014 The Apache Software Foundation
+
+  (ASLv2) Apache HttpComponents
+The following NOTICE information applies:
+  Apache HttpClient
+  Copyright 1999-2015 The Apache Software Foundation
+
+  Apache HttpCore
+  Copyright 2005-2015 The Apache Software Foundation
+
+  This project contains annotations derived from JCIP-ANNOTATIONS
+  Copyright (c) 2005 Brian Goetz and Tim Peierls. See 
http://www.jcip.net
+
+  (ASLv2) Jackson JSON processor
+The following NOTICE information applies:
+  # Jackson JSON processor
+
+  Jackson is a high-performance, Free/Open Source JSON processing 
library.
+  It was originally written by Tatu Saloranta (tatu.salora...@iki.fi), 
and has
+  been in development since 2007.
+  It is currently developed by a community of developers, as well as 
supported
+  commercially by FasterXML.com.
+
+  ## Licensing
+
+  Jackson core and extension components may licensed under different 
licenses.
+  To find the details that apply to this artifact see the accompanying 
LICENSE file.
+  For more information, including possible other licensing options, 
contact
+  FasterXML.com (http://fasterxml.com).
+
+  ## Credits
+
+  A list of contributors may be found from CREDITS file, which is 
included
+  in some artifacts (usually source distributions); but is always 
available
+  from the source code management (SCM) system project uses.
+
+  (ASLv2) Jetty
+The following NOTICE information applies:
+   Jetty Web Container
+   Copyright 1995-2015 Mort Bay Consulting Pty Ltd.
+
+  (ASLv2) Apache log4j
+The following NOTICE information applies:
+  Apache log4j
+  Copyright 2007 The Apache Software Foundation
+
+===
+MIT License
+===
+
 

[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395900#comment-15395900
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72469101
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
+The following NOTICE information applies:
+  Apache Commons Lang
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Logging
--- End diff --

Transitive from org.apache.httpcomponents:httpclient:jar:4.5.2:compile




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395895#comment-15395895
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72468924
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
--- End diff --

Transitive from 
org.apache.nifi:nifi-security-utils:jar:1.0.0-SNAPSHOT:compile




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395893#comment-15395893
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72468676
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/pom.xml ---
@@ -0,0 +1,89 @@
+
+
+http://maven.apache.org/POM/4.0.0; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd;>
+4.0.0
+
+org.apache.nifi
+nifi-toolkit
+1.0.0-SNAPSHOT
+
+nifi-toolkit-assembly
+pom
+This is the assembly Apache NiFi Toolkit
+
+
+
+org.apache.rat
+apache-rat-plugin
+
+
+
src/main/resources/conf/config-client.json
+
src/main/resources/conf/config-server.json
+
+
+
+
+maven-assembly-plugin
+
+nifi-toolkit-${project.version}
+
+
+
+make shared resource
+
+single
+
+package
+
+
+
0755
+0755
+0644
+
+
+
src/main/assembly/dependencies.xml
+
+posix
+
+
+
+
+
+
+
+
+org.apache.nifi
+nifi-toolkit-tls
+
+
+org.slf4j
+slf4j-api
+compile
+1.7.12
+
+
+org.eclipse.jetty
+jetty-server
+compile
+
+
+javax.servlet
+javax.servlet-api
+compile
+
+
+commons-io
+commons-io
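Review bot: slf4j-api is declared in this hunk with an explicit compile scope and the literal version 1.7.12, while the jetty-server and javax.servlet-api entries next to it carry a scope only. A literal version here can drift from the SLF4J binding used elsewhere in the toolkit; take it from a property or a managed version in the parent so the API and the binding always move together.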
--- End diff --

It was being marked provided before; I can dig in more.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395891#comment-15395891
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72468172
  
--- Diff: nifi-toolkit/nifi-toolkit-tls/pom.xml ---
@@ -0,0 +1,115 @@
+
+
+http://maven.apache.org/POM/4.0.0; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd;>
+4.0.0
+
+org.apache.nifi
+nifi-toolkit
+1.0.0-SNAPSHOT
+
+nifi-toolkit-tls
+Tooling to make tls configuration easier
+
+
+org.apache.nifi
+nifi-properties
+
+
+org.apache.nifi
+nifi-security-utils
+
+
+org.slf4j
+slf4j-api
+
+
+org.slf4j
+slf4j-log4j12
+1.7.12
+
+
+org.bouncycastle
+bcpkix-jdk15on
+
+
+org.bouncycastle
+bcprov-jdk15on
+
+
+commons-cli
+commons-cli
+1.3.1
+
+
+commons-io
+commons-io
+2.5
+
+
+org.eclipse.jetty
+jetty-server
+
+
+com.fasterxml.jackson.core
+jackson-databind
+
+
+org.apache.httpcomponents
+httpclient
+4.5.2
+
+
+
+
+
+org.apache.maven.plugins
+maven-dependency-plugin
+
+
+unpack
+process-resources
+
+unpack
+
+
+
+
+org.apache.nifi
+nifi-resources
+zip
+resources
+true
+
${project.build.directory}/classes
+**/nifi.properties
+
+
+
+
+
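Review bot: The maven-dependency-plugin execution at the end of this hunk unpacks the nifi-resources zip into ${project.build.directory}/classes with the include pattern **/nifi.properties, and the POM gives no reason for it. Add an XML comment stating what the copied file is for, and consider narrowing the pattern to the one expected path so that a second nifi.properties appearing anywhere in that archive is not pulled into the jar as well.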
--- End diff --

@JPercivall It pulls in the nifi.properties from the nifi-resources project 
so that we have a reasonable default template embedded in the jar.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395861#comment-15395861
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72464516
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
+The following NOTICE information applies:
+  Apache Commons Lang
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Logging
+The following NOTICE information applies:
+  Apache Commons Logging
+  Copyright 2003-2014 The Apache Software Foundation
+
+  (ASLv2) Apache HttpComponents
+The following NOTICE information applies:
+  Apache HttpClient
+  Copyright 1999-2015 The Apache Software Foundation
+
+  Apache HttpCore
+  Copyright 2005-2015 The Apache Software Foundation
+
+  This project contains annotations derived from JCIP-ANNOTATIONS
+  Copyright (c) 2005 Brian Goetz and Tim Peierls. See 
http://www.jcip.net
+
+  (ASLv2) Jackson JSON processor
+The following NOTICE information applies:
+  # Jackson JSON processor
+
+  Jackson is a high-performance, Free/Open Source JSON processing 
library.
+  It was originally written by Tatu Saloranta (tatu.salora...@iki.fi), 
and has
+  been in development since 2007.
+  It is currently developed by a community of developers, as well as 
supported
+  commercially by FasterXML.com.
+
+  ## Licensing
+
+  Jackson core and extension components may licensed under different 
licenses.
+  To find the details that apply to this artifact see the accompanying 
LICENSE file.
+  For more information, including possible other licensing options, 
contact
+  FasterXML.com (http://fasterxml.com).
+
+  ## Credits
+
+  A list of contributors may be found from CREDITS file, which is 
included
+  in some artifacts (usually source distributions); but is always 
available
+  from the source code management (SCM) system project uses.
+
+  (ASLv2) Jetty
+The following NOTICE information applies:
+   Jetty Web Container
+   Copyright 1995-2015 Mort Bay Consulting Pty Ltd.
+
+  (ASLv2) Apache log4j
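Review bot: The Apache log4j entry that ends this hunk has no SLF4J entry beside it, yet the toolkit POMs declare org.slf4j:slf4j-api and org.slf4j:slf4j-log4j12 at 1.7.12. slf4j-log4j12 is the SLF4J binding for log4j 1.2 and depends on it, so as long as that binding stays a dependency the log4j entry and an SLF4J entry belong together; SLF4J is MIT-licensed, so its notice goes in the MIT License section rather than the ASLv2 one.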
--- End diff --

I don't see log4j used but I do see SLF4J deps in the nifi-toolkit-tls pom. I 
think the SLF4J license should be added: http://www.slf4j.org/license.html



[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395845#comment-15395845
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72462023
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/NOTICE ---
@@ -0,0 +1,112 @@
+Apache NiFi Toolkit
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+===
+Apache Software License v2
+===
+
+The following binary components are provided under the Apache Software 
License v2
+
+  (ASLv2) Apache NiFi
+The following NOTICE information applies:
+  Apache NiFi
+  Copyright 2014-2016 The Apache Software Foundation
+
+  This product includes software developed at
+  The Apache Software Foundation (http://www.apache.org/).
+
+  This product includes the following work from the Apache Hadoop 
project:
+
+  BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java
+
+  (ASLv2) Apache Commons CLI
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2001-2015 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Codec
+The following NOTICE information applies:
+  Apache Commons Codec
+  Copyright 2002-2014 The Apache Software Foundation
+
+  src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+  contains test data from http://aspell.net/test/orig/batch0.tab.
+  Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
+
+  
===
+
+  The content of package org.apache.commons.codec.language.bm has been 
translated
+  from the original php source code available at 
http://stevemorse.org/phoneticinfo.htm
+  with permission from the original authors.
+  Original source copyright:
+  Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+  (ASLv2) Apache Commons IO
+The following NOTICE information applies:
+  Apache Commons IO
+  Copyright 2002-2012 The Apache Software Foundation
+
+  (ASLv2) Apache Commons Lang
--- End diff --

I don't see where this is brought in as a dependency.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395842#comment-15395842
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72461496
  
--- Diff: nifi-toolkit/nifi-toolkit-assembly/pom.xml ---
@@ -0,0 +1,89 @@
+
+
+http://maven.apache.org/POM/4.0.0; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd;>
+4.0.0
+
+org.apache.nifi
+nifi-toolkit
+1.0.0-SNAPSHOT
+
+nifi-toolkit-assembly
+pom
+This is the assembly Apache NiFi Toolkit
+
+
+
+org.apache.rat
+apache-rat-plugin
+
+
+
src/main/resources/conf/config-client.json
+
src/main/resources/conf/config-server.json
+
+
+
+
+maven-assembly-plugin
+
+nifi-toolkit-${project.version}
+
+
+
+make shared resource
+
+single
+
+package
+
+
+
0755
+0755
+0644
+
+
+
src/main/assembly/dependencies.xml
+
+posix
+
+
+
+
+
+
+
+
+org.apache.nifi
+nifi-toolkit-tls
+
+
+org.slf4j
+slf4j-api
+compile
+1.7.12
+
+
+org.eclipse.jetty
+jetty-server
+compile
+
+
+javax.servlet
+javax.servlet-api
+compile
+
+
+commons-io
+commons-io
--- End diff --

This is already brought in by "nifi-toolkit-tls"; does this need to be 
duplicated?




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395834#comment-15395834
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72460515
  
--- Diff: nifi-assembly/pom.xml ---
@@ -363,147 +363,6 @@ language governing permissions and limitations under 
the License. -->
 
 
 
-
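Review bot: the hunk header (-363,147 +363,6) takes 141 lines out of nifi-assembly/pom.xml, and nothing at the removal site says where that configuration now lives. For a deletion of this size, leave a short XML comment at line 363 or a line in the commit message naming the module that now owns it, and confirm that the built assembly still contains a filtered nifi.properties after the move.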
--- End diff --

I just built it and there was no "nifi.properties" bundled in the assembly.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395832#comment-15395832
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72460359
  
--- Diff: nifi-toolkit/nifi-toolkit-tls/pom.xml ---
@@ -0,0 +1,115 @@
+
+
+http://maven.apache.org/POM/4.0.0; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd;>
+4.0.0
+
+org.apache.nifi
+nifi-toolkit
+1.0.0-SNAPSHOT
+
+nifi-toolkit-tls
+Tooling to make tls configuration easier
+
+
+org.apache.nifi
+nifi-properties
+
+
+org.apache.nifi
+nifi-security-utils
+
+
+org.slf4j
+slf4j-api
+
+
+org.slf4j
+slf4j-log4j12
+1.7.12
+
+
+org.bouncycastle
+bcpkix-jdk15on
+
+
+org.bouncycastle
+bcprov-jdk15on
+
+
+commons-cli
+commons-cli
+1.3.1
+
+
+commons-io
+commons-io
+2.5
+
+
+org.eclipse.jetty
+jetty-server
+
+
+com.fasterxml.jackson.core
+jackson-databind
+
+
+org.apache.httpcomponents
+httpclient
+4.5.2
+
+
+
+
+
+org.apache.maven.plugins
+maven-dependency-plugin
+
+
+unpack
+process-resources
+
+unpack
+
+
+
+
+org.apache.nifi
+nifi-resources
+zip
+resources
+true
+
${project.build.directory}/classes
+**/nifi.properties
+
+
+
+
+
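Review bot: the maven-dependency-plugin execution at the end of this hunk unpacks **/nifi.properties from the nifi-resources zip into ${project.build.directory}/classes during process-resources, with no comment explaining why a TLS tooling module needs that file on its classpath. Add an XML comment stating what the bundled file is used for, since anything placed under classes ships inside the toolkit jar. Separately, slf4j-log4j12 (1.7.12), commons-cli (1.3.1), commons-io (2.5) and httpclient (4.5.2) pin versions inline while the other dependencies in the file do not; managing them in the parent pom would keep them consistent across modules.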
--- End diff --

What does this section of the nifi-toolkit-tls pom do? The 
maven-dependency-plugin is otherwise only used in the nifi-assembly.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15394363#comment-15394363
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user brosander commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72317301
  
--- Diff: nifi-assembly/pom.xml ---
@@ -363,147 +363,6 @@ language governing permissions and limitations under 
the License. -->
 
 
 
-
--- End diff --

@JPercivall I moved them into the pom of nifi-resources so that the 
filtering could happen before the files are packaged. This kept me from 
needing to duplicate them so that the toolkit could bundle a valid 
nifi.properties; instead I can just resolve an up-to-date one.




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15394323#comment-15394323
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

Github user JPercivall commented on a diff in the pull request:

https://github.com/apache/nifi/pull/695#discussion_r72313026
  
--- Diff: nifi-assembly/pom.xml ---
@@ -363,147 +363,6 @@ language governing permissions and limitations under 
the License. -->
 
 
 
-
--- End diff --

Why are all of these properties being removed from the assembly pom?




[jira] [Commented] (NIFI-2193) Command Line Keystore and Truststore utility

2016-07-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15386611#comment-15386611
 ] 

ASF GitHub Bot commented on NIFI-2193:
--

GitHub user brosander opened a pull request:

https://github.com/apache/nifi/pull/695

NIFI-2193 - Command line SSL config utility as well as certificate au…

…thority client/server

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/brosander/nifi NIFI-2193-pr

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/695.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #695


commit 496f4f9cdc3cfee43e34684814c72f674261940d
Author: Bryan Rosander 
Date:   2016-07-06T20:56:08Z

NIFI-2193 - Command line SSL config utility as well as certificate 
authority client/server





