Posted to commits@nifi.apache.org by al...@apache.org on 2017/03/07 00:50:51 UTC

nifi git commit: NIFI-3490 added SAN option for TLS toolkit in standalone mode

Repository: nifi
Updated Branches:
  refs/heads/master b7f946e84 -> bf112d065


NIFI-3490 added SAN option for TLS toolkit in standalone mode

This closes #1530.

Signed-off-by: Andy LoPresto <al...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/bf112d06
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/bf112d06
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/bf112d06

Branch: refs/heads/master
Commit: bf112d065434ed536fff10b7aaa5eb3b70bc4b9d
Parents: b7f946e
Author: Pierre Villard <pi...@gmail.com>
Authored: Wed Feb 22 22:28:13 2017 +0100
Committer: Andy LoPresto <al...@apache.org>
Committed: Mon Mar 6 16:50:18 2017 -0800

----------------------------------------------------------------------
 .../tls/configuration/TlsClientConfig.java      |  1 +
 ...lsCertificateAuthorityClientCommandLine.java |  2 +-
 .../tls/standalone/TlsToolkitStandalone.java    |  6 ++++-
 .../TlsToolkitStandaloneCommandLine.java        |  6 +++++
 .../apache/nifi/toolkit/tls/util/TlsHelper.java | 26 +++++++++++++-------
 .../TlsToolkitStandaloneCommandLineTest.java    |  7 ++++++
 6 files changed, 37 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java
index c885d84..6e030f6 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java
@@ -44,6 +44,7 @@ public class TlsClientConfig extends TlsConfig {
         setDnPrefix(tlsConfig.getDnPrefix());
         setDnSuffix(tlsConfig.getDnSuffix());
         setReorderDn(tlsConfig.getReorderDn());
+        setDomainAlternativeNames(tlsConfig.getDomainAlternativeNames());
     }
 
 

http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
index db73b41..dde1ff7 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java
@@ -57,7 +57,7 @@ public class TlsCertificateAuthorityClientCommandLine extends BaseCertificateAut
         super(DESCRIPTION);
         this.inputStreamFactory = inputStreamFactory;
         addOptionWithArg("C", CERTIFICATE_DIRECTORY, "The file to write the CA certificate to", DEFAULT_CERTIFICATE_DIRECTORY);
-        addOptionWithArg("S", SUBJECT_ALTERNATIVE_NAMES, "Comma-separated list of domains to use as Subject Alternative Names in the certificate");
+        addOptionWithArg(null, SUBJECT_ALTERNATIVE_NAMES, "Comma-separated list of domains to use as Subject Alternative Names in the certificate");
     }
 
     public static void main(String[] args) throws Exception {
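Review bot: Changing the first argument of `addOptionWithArg` from `"S"` to `null` silently removes the `-S` short flag from the CA client's command line, so any existing script invoking `-S` will now fail to parse, while the commit title and description only mention standalone mode. If the removal is deliberate (presumably to keep the option aligned with the new standalone flag, which also has no short form), state that in the commit description; otherwise keep `"S"` here and note in the help text that the long form is preferred. The constructor this line belongs to starts outside the hunk.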

http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
index aa619da..fdfaeed 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
@@ -17,6 +17,7 @@
 
 package org.apache.nifi.toolkit.tls.standalone;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.KeyStoreUtils;
@@ -29,6 +30,7 @@ import org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigW
 import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
 import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
 import org.apache.nifi.toolkit.tls.util.TlsHelper;
+import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
 import org.bouncycastle.util.io.pem.PemWriter;
 import org.slf4j.Logger;
@@ -179,8 +181,10 @@ public class TlsToolkitStandalone {
             tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
             TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
             KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
+            Extensions sanDnsExtensions = StringUtils.isBlank(tlsClientConfig.getDomainAlternativeNames())
+                    ? null : TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames());
             tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname),
-                    keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days), certificate);
+                    keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
             tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
             tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"),
                     hostname, instanceDefinition.getNumber()));
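Review bot: The SAN value read on the new line at `tlsClientConfig.getDomainAlternativeNames()` is taken from the client config that the surrounding code derives from the one standalone config, so it looks like the same DNS name list is placed into every host certificate this method issues, not into the certificate of the host that matches each name; nothing in the hunk narrows it per `hostname`. That is a deliberate trade-off worth stating next to the new lines, e.g. `// SAN list is global: every issued host certificate carries the full list of names`, so operators understand that each host's key is valid for all listed names. Note also that `TlsHelper.createDomainAlternativeNamesExtensions` declares `IOException`, which the enclosing method (it starts and ends outside the hunk) must already propagate or handle.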

http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java
index fbfe782..159b1d3 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java
@@ -29,6 +29,7 @@ import java.util.function.Supplier;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 import java.util.stream.Stream;
+
 import org.apache.commons.cli.CommandLine;
 import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
 import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
@@ -58,6 +59,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
     public static final String GLOBAL_PORT_SEQUENCE_ARG = "globalPortSequence";
     public static final String NIFI_DN_PREFIX_ARG = "nifiDnPrefix";
     public static final String NIFI_DN_SUFFIX_ARG = "nifiDnSuffix";
+    public static final String SUBJECT_ALTERNATIVE_NAMES = "subjectAlternativeNames";
 
     public static final String DEFAULT_OUTPUT_DIRECTORY = calculateDefaultOutputDirectory(Paths.get("."));
 
@@ -86,6 +88,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
     private boolean overwrite;
     private String dnPrefix;
     private String dnSuffix;
+    private String domainAlternativeNames;
 
     public TlsToolkitStandaloneCommandLine() {
         this(new PasswordUtil());
@@ -104,6 +107,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
         addOptionWithArg("B", CLIENT_CERT_PASSWORD_ARG, "Password for client certificate.  Must either be one value or one for each client DN. (autogenerate if not specified)");
         addOptionWithArg("G", GLOBAL_PORT_SEQUENCE_ARG, "Use sequential ports that are calculated for all hosts according to the provided hostname expressions. " +
                 "(Can be specified multiple times, MUST BE SAME FROM RUN TO RUN.)");
+        addOptionWithArg(null, SUBJECT_ALTERNATIVE_NAMES, "Comma-separated list of domains to use as Subject Alternative Names in the certificate");
         addOptionWithArg(null, NIFI_DN_PREFIX_ARG, "String to prepend to hostname(s) when determining DN.", TlsConfig.DEFAULT_DN_PREFIX);
         addOptionWithArg(null, NIFI_DN_SUFFIX_ARG, "String to append to hostname(s) when determining DN.", TlsConfig.DEFAULT_DN_SUFFIX);
         addOptionNoArg("O", OVERWRITE_ARG, "Overwrite existing host output.");
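Review bot: The new constant is named `SUBJECT_ALTERNATIVE_NAMES` while every sibling option constant in this class carries the `_ARG` suffix (`NIFI_DN_PREFIX_ARG`, `NIFI_DN_SUFFIX_ARG`, `GLOBAL_PORT_SEQUENCE_ARG`, `OVERWRITE_ARG`), so the declaration in the earlier hunk and its uses here and in the parse/createConfig hunks read as a different kind of value; renaming it `SUBJECT_ALTERNATIVE_NAMES_ARG` would keep the convention (the CA client class uses the un-suffixed name, which may be why it was copied). The help text should also say that the list is applied to every generated host certificate rather than matched per host, e.g. `"Comma-separated list of domains to use as Subject Alternative Names in every generated certificate"`.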
@@ -133,6 +137,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
 
         dnPrefix = commandLine.getOptionValue(NIFI_DN_PREFIX_ARG, TlsConfig.DEFAULT_DN_PREFIX);
         dnSuffix = commandLine.getOptionValue(NIFI_DN_SUFFIX_ARG, TlsConfig.DEFAULT_DN_SUFFIX);
+        domainAlternativeNames = commandLine.getOptionValue(SUBJECT_ALTERNATIVE_NAMES);
 
         Stream<String> globalOrderExpressions = null;
         if (commandLine.hasOption(GLOBAL_PORT_SEQUENCE_ARG)) {
@@ -228,6 +233,7 @@ public class TlsToolkitStandaloneCommandLine extends BaseCommandLine {
         standaloneConfig.setDays(getDays());
         standaloneConfig.setDnPrefix(dnPrefix);
         standaloneConfig.setDnSuffix(dnSuffix);
+        standaloneConfig.setDomainAlternativeNames(domainAlternativeNames);
         standaloneConfig.initDefaults();
 
         return standaloneConfig;

http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
index 7465714..c244f07 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
@@ -34,13 +34,16 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
+
 import javax.crypto.Cipher;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
@@ -198,15 +201,7 @@ public class TlsHelper {
         // add Subject Alternative Name(s)
         if(StringUtils.isNotBlank(domainAlternativeNames)) {
             try {
-                List<GeneralName> namesList = new ArrayList<>();
-                for(String alternativeName : domainAlternativeNames.split(",")) {
-                    namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
-                }
-
-                GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
-                ExtensionsGenerator extGen = new ExtensionsGenerator();
-                extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
-                jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
+                jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames));
             } catch (IOException e) {
                 throw new OperatorCreationException("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e);
             }
@@ -215,4 +210,17 @@ public class TlsHelper {
         JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
         return new JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
     }
+
+    public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames) throws IOException {
+        List<GeneralName> namesList = new ArrayList<>();
+        for(String alternativeName : domainAlternativeNames.split(",")) {
+            namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
+        }
+
+        GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
+        ExtensionsGenerator extGen = new ExtensionsGenerator();
+        extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
+        return extGen.generate();
+    }
+
 }
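Review bot: `createDomainAlternativeNamesExtensions` splits on `","` without trimming, so a value such as `a.example, b.example` produces a dNSName of ` b.example`, and consecutive or trailing commas produce an empty dNSName; both previously ended up only in the CSR, but with this commit they also land in certificates the standalone toolkit issues directly. Trim each element and skip blanks before constructing the `GeneralName`. The new public method also has no Javadoc; a short one stating that it builds a non-critical subjectAltName extension holding one dNSName per comma-separated entry, and that the `IOException` originates from `ExtensionsGenerator`, would help callers.
```java
public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames) throws IOException {
    List<GeneralName> namesList = new ArrayList<>();
    for (String alternativeName : domainAlternativeNames.split(",")) {
        String name = alternativeName.trim();
        if (name.isEmpty()) {
            continue; // tolerate "a,,b" and trailing commas without emitting an empty dNSName
        }
        namesList.add(new GeneralName(GeneralName.dNSName, name));
    }
    // … unchanged: GeneralNames / ExtensionsGenerator construction and return …
}
```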

http://git-wip-us.apache.org/repos/asf/nifi/blob/bf112d06/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
----------------------------------------------------------------------
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
index 7437b84..0fe004a 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLineTest.java
@@ -117,6 +117,13 @@ public class TlsToolkitStandaloneCommandLineTest {
     }
 
     @Test
+    public void testSAN() throws CommandLineParseException, IOException {
+        String dnsSAN = "nifi.apache.org";
+        tlsToolkitStandaloneCommandLine.parse("--subjectAlternativeNames", dnsSAN);
+        assertEquals(dnsSAN, tlsToolkitStandaloneCommandLine.createConfig().getDomainAlternativeNames());
+    }
+
+    @Test
     public void testDaysNotInteger() {
         try {
             tlsToolkitStandaloneCommandLine.parse("-d", "badVal");
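Review bot: `testSAN` exercises a single name only, so the comma-separated form the option's help text advertises is untested at the command-line layer; add a case such as `tlsToolkitStandaloneCommandLine.parse("--subjectAlternativeNames", "a.example,b.example")` and assert the raw string round-trips through `createConfig()`. Since the assertion compares the raw string, a separate test against `TlsHelper.createDomainAlternativeNamesExtensions` is the place to pin how whitespace and empty entries are handled.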