You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by pvillard31 <gi...@git.apache.org> on 2017/07/29 10:38:53 UTC
[GitHub] nifi pull request #2042: NIFI-4222 - Adding CN by default in SANs for genera...
GitHub user pvillard31 opened a pull request:
https://github.com/apache/nifi/pull/2042
NIFI-4222 - Adding CN by default in SANs for generated certificates wβ¦
β¦ith tls-toolkit
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [ ] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [ ] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [ ] Is your initial contribution a single, squashed commit?
### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pvillard31/nifi NIFI-4222
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/2042.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2042
----
commit fa447d3f641214bbe05e936fd9259640b48af4b9
Author: Pierre Villard <pi...@gmail.com>
Date: 2017-07-29T10:38:14Z
NIFI-4222 - Adding CN by default in SANs for generated certificates with tls-toolkit
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] nifi issue #2042: NIFI-4222 - Adding CN by default in SANs for generated cer...
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2042
Reviewing...
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] nifi issue #2042: NIFI-4222 - Adding CN by default in SANs for generated cer...
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2042
Verified that all tests and contrib-check pass. When run with no SAN arguments, the CN is present as a SAN. When run with additional SAN arguments, all are present. +1, merging.
No SAN:
```
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
π 186058s @ 18:43:33 $ ./bin/tls-toolkit.sh standalone -n 'nifi.nifi.apache.org' -P password -S password -f ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
2017/08/09 18:58:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties as template.
2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for nifi.nifi.apache.org 1 in ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
π 186980s @ 18:58:55 $ cd nifi.nifi.apache.org/
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
π 186988s @ 18:59:03 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8f3900000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: E4:E8:C4:19:C1:06:86:17:C8:E5:13:F6:6F:54:0F:AE
SHA1: 92:6B:FD:9D:89:55:A5:48:AD:31:A3:FD:A3:A6:6C:A5:C4:A8:31:0E
SHA256: 54:8D:30:D2:ED:9A:B0:AE:8C:37:40:9F:2F:80:2D:4A:DC:5D:14:2E:15:57:4C:71:CF:77:D6:F0:3F:92:6D:04
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi.nifi.apache.org
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D9 18 43 B3 38 24 18 89 E6 1B 62 D7 AB 35 C5 14 ..C.8$....b..5..
0010: 88 E9 19 E3 ....
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8d4c00000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
SHA256: A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
*******************************************
*******************************************
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
π 186999s @ 18:59:14 $
```
Additional SAN:
```
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
π 187123s @ 19:01:18 $ ./bin/tls-toolkit.sh standalone -n 'nifi.nifi.apache.org' -P password -S password -f ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties -O --subjectAlternativeNames '127.0.0.1,localhost'
2017/08/09 19:01:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties as template.
2017/08/09 19:01:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Overwriting any existing ssl configuration in ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for nifi.nifi.apache.org 1 in ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
π 187150s @ 19:01:45 $ cd nifi.nifi.apache.org/
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
π 187156s @ 19:01:51 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9e0465100000000
Valid from: Wed Aug 09 19:01:44 PDT 2017 until: Sat Aug 08 19:01:44 PDT 2020
Certificate fingerprints:
MD5: AA:D1:5F:CC:BA:BE:ED:4D:5E:08:DB:2E:6D:E6:95:57
SHA1: F3:8B:A5:41:28:69:8F:0C:91:08:70:EB:F6:BE:B1:58:EE:F4:7B:8D
SHA256: B1:78:8C:05:11:F1:A8:BD:A7:33:EA:8D:9C:B2:FC:A2:C2:94:7D:30:48:77:0A:05:0F:CB:C1:FD:5D:A2:94:66
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi.nifi.apache.org
DNSName: 127.0.0.1
DNSName: localhost
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8F 4B 1A 98 92 C5 17 70 B7 C8 F6 9D 5D D3 66 4C .K.....p....].fL
0010: 8F F9 3C 19 ..<.
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8d4c00000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
SHA256: A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
*******************************************
*******************************************
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
π 187163s @ 19:01:57 $
```
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] nifi pull request #2042: NIFI-4222 - Adding CN by default in SANs for genera...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/nifi/pull/2042
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---