Posted to issues@nifi.apache.org by brosander <gi...@git.apache.org> on 2016/10/27 21:32:50 UTC

[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

GitHub user brosander opened a pull request:

    https://github.com/apache/nifi/pull/1165

    NIFI-2943 - pkcs12 keystore improvements

    Thank you for submitting a contribution to Apache NiFi.
    
    In order to streamline the review of the contribution we ask you
    to ensure the following steps have been taken:
    
    ### For all changes:
    - [x] Is there a JIRA ticket associated with this PR? Is it referenced 
         in the commit message?
    
    - [x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
    
    - [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
    
    - [x] Is your initial contribution a single, squashed commit?
    
    ### For code changes:
    - [x] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
    - [x] Have you written or updated unit tests to verify your changes?
    - [x] N/A - If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? 
    - [x] N/A - If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
    - [x] N/A - If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
    - [x] N/A - If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?
    
    ### For documentation related changes:
    - [x] Have you ensured that format looks appropriate for the output in which it is rendered?
    
    ### Note:
    Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
    
    1. loading pkcs12 keystores with bouncy castle everywhere
    2. tls-toolkit client using jks truststore when keystore type is specified differently
    3. tests

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/brosander/nifi NIFI-2943

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1165.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1165
    
----
commit ee6d791a87a875319e748a8cab05a0961d1ff561
Author: Bryan Rosander <br...@apache.org>
Date:   2016-10-27T14:27:06Z

    NIFI-2943 - pkcs12 keystore improvements
    
    1. loading pkcs12 keystores with bouncy castle everywhere
    2. tls-toolkit client using jks truststore when keystore type is specified differently
    3. tests

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by brosander <gi...@git.apache.org>.
Github user brosander commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r88056091
  
    --- Diff: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java ---
    @@ -0,0 +1,62 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.security.util;
    +
    +import org.apache.commons.lang3.StringUtils;
    +import org.bouncycastle.jce.provider.BouncyCastleProvider;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.Security;
    +
    +public class KeyStoreUtils {
    +    private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
    +
    +    static {
    +        Security.addProvider(new BouncyCastleProvider());
    +    }
    +
    +    public static String getKeyStoreProvider(String keyStoreType) {
    +        if (KeystoreType.PKCS12.toString().equalsIgnoreCase(keyStoreType)) {
    +            return BouncyCastleProvider.PROVIDER_NAME;
    +        }
    +        return null;
    +    }
    +
    +    public static KeyStore getKeyStore(String keyStoreType) throws KeyStoreException {
    +        String keyStoreProvider = getKeyStoreProvider(keyStoreType);
    +        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
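
    Review bot: getKeyStoreProvider returns null for every type other than PKCS12, including a null keyStoreType (equalsIgnoreCase(null) is false), and nothing in the visible lines documents that null means "no explicit provider, use the default lookup". Add Javadoc stating that contract, and consider a plain null check in getKeyStore rather than a string-emptiness test, since the only non-null value this method can return is the constant BouncyCastleProvider.PROVIDER_NAME.
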
    --- End diff --
    
    autocomplete fail, will address



[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by brosander <gi...@git.apache.org>.
Github user brosander commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r88102064
  
    --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/commandLine/BaseCommandLine.java ---
    @@ -202,6 +206,10 @@ protected CommandLine doParse(String[] args) throws CommandLineParseException {
                 keySize = getIntValue(commandLine, KEY_SIZE_ARG, TlsConfig.DEFAULT_KEY_SIZE);
                 keyAlgorithm = commandLine.getOptionValue(KEY_ALGORITHM_ARG, TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
                 keyStoreType = commandLine.getOptionValue(KEY_STORE_TYPE_ARG, getKeyStoreTypeDefault());
    +            if (KeystoreType.PKCS12.toString().equalsIgnoreCase(keyStoreType)) {
    +                logger.info("Command line argument --" + KEY_STORE_TYPE_ARG + "=" + keyStoreType + " only applies to keyStore, recommended trustStore type of " + KeystoreType.JKS.toString() +
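
    Review bot: the PKCS12 check on keyStoreType also fires when the value came from getKeyStoreTypeDefault() rather than from the user, yet the message opens with "Command line argument --". Either test commandLine.hasOption(KEY_STORE_TYPE_ARG) before logging or reword the message so it is accurate for a defaulted type. Since the requested type is not applied to the truststore, logger.warn may be a better level than logger.info.
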
    --- End diff --
    
    +1



[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/1165



[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r87859164
  
    --- Diff: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java ---
    @@ -0,0 +1,62 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.security.util;
    +
    +import org.apache.commons.lang3.StringUtils;
    +import org.bouncycastle.jce.provider.BouncyCastleProvider;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.Security;
    +
    +public class KeyStoreUtils {
    +    private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
    +
    +    static {
    +        Security.addProvider(new BouncyCastleProvider());
    +    }
    +
    +    public static String getKeyStoreProvider(String keyStoreType) {
    +        if (KeystoreType.PKCS12.toString().equalsIgnoreCase(keyStoreType)) {
    +            return BouncyCastleProvider.PROVIDER_NAME;
    +        }
    +        return null;
    +    }
    +
    +    public static KeyStore getKeyStore(String keyStoreType) throws KeyStoreException {
    +        String keyStoreProvider = getKeyStoreProvider(keyStoreType);
    +        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
    --- End diff --
    
    I think this should be `StringUtils.isNotEmpty` -- the current method works but is designed to iterate over a number of `CharSequences`; hence the jarring name. 



[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r88094393
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -174,6 +174,8 @@ TLS Generation Toolkit
     
     In order to facilitate the secure setup of NiFi, you can use the `tls-toolkit` command line utility to automatically generate the required keystores, truststore, and relevant configuration files. This is especially useful for securing multiple NiFi nodes, which can be a tedious and error-prone process.
     
    +Note: JKS keyStores and trustStores are recommended for NiFi.  This tool allows the specification of other KeyStore types on the command line but will ignore a type of PKCS12 for use as the trustStore as that format has some compatibility issues between BouncyCastle and Oracle implementations.
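
    Review bot: the added note says a PKCS12 type is ignored for the trustStore but does not say which format the truststore is written in instead, or that the keystore still honours the requested type. State both in the sentence (truststore stays JKS, keystore uses the type given), and consider naming the command line option the note refers to so readers can find it in the usage text.
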
    --- End diff --
    
    To be consistent with the rest of the documentation, "keystore" and "truststore" should be capitalized as such.  



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    Review on hold for tonight -- logging issues. I will investigate if libraries or paths changed in the morning. 
    
    ```
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 35s @ 18:59:45 $ ./bin/tls-toolkit.sh standalone -n 'localhost' -T PKCS12 -P password -S password
    SLF4J: Class path contains multiple SLF4J bindings.
    SLF4J: Found binding in [jar:file:/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT/lib/logback-classic-1.1.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    SLF4J: Found binding in [jar:file:/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT/lib/slf4j-log4j12-1.7.12.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    SLF4J: Actual binding is of type [ch.qos.logback.classic.util.ContextSelectorStaticBinder]
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 20s @ 19:00:06 $
    ```



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by brosander <gi...@git.apache.org>.
Github user brosander commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    Force push was a rebase for merge conflicts, addressing feedback now



[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r87947260
  
    --- Diff: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java ---
    @@ -0,0 +1,62 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.security.util;
    +
    +import org.apache.commons.lang3.StringUtils;
    +import org.bouncycastle.jce.provider.BouncyCastleProvider;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.Security;
    +
    +public class KeyStoreUtils {
    +    private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
    +
    +    static {
    +        Security.addProvider(new BouncyCastleProvider());
    +    }
    +
    +    public static String getKeyStoreProvider(String keyStoreType) {
    +        if (KeystoreType.PKCS12.toString().equalsIgnoreCase(keyStoreType)) {
    +            return BouncyCastleProvider.PROVIDER_NAME;
    +        }
    +        return null;
    +    }
    +
    +    public static KeyStore getKeyStore(String keyStoreType) throws KeyStoreException {
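
    Review bot: the static initializer's Security.addProvider(new BouncyCastleProvider()) changes the JVM-wide provider list as a side effect of loading this utility class, and there is no comment explaining why. Worth a short comment that addProvider appends at the lowest preference and returns -1 when the provider is already installed, so lookups already served by an installed provider keep that provider and BouncyCastle is used for PKCS12 only because getKeyStoreProvider names it explicitly.
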
    --- End diff --
    
    We should add Javadoc comments on these methods to indicate that they do not return a specific instance, rather a new empty instance similar to `KeyStore.getInstance()`. 



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    The logging issue was resolved by [NIFI-3049](https://issues.apache.org/jira/browse/NIFI-3049) and [PR 1237](https://github.com/apache/nifi/pull/1237). 
    
    Verified `contrib-check` and all tests pass. Ran toolkit and logging output for PKCS12 truststore type is correct. Then ran application and was able to connect using client certificate as per usual. 
    
    ```
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 46s @ 16:23:25 $ ./bin/tls-toolkit.sh standalone -n 'localhost' -T PKCS12 -P password -S password
    2016/11/16 16:29:40 INFO [main] org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine: Command line argument --keyStoreType=PKCS12 only applies to keystore, recommended truststore type of JKS unaffected.
    2016/11/16 16:29:40 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
    2016/11/16 16:29:41 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
    2016/11/16 16:29:41 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
    2016/11/16 16:29:41 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.1.0-SNAPSHOT/localhost
    2016/11/16 16:29:42 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for localhost 1 in ../nifi-toolkit-1.1.0-SNAPSHOT/localhost
    2016/11/16 16:29:42 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
    2016/11/16 16:29:42 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 377s @ 16:29:43 $ ll localhost/
    total 40
    drwx------   5 alopresto  staff   170B Nov 16 16:29 ./
    drwxr-xr-x  11 alopresto  staff   374B Nov 16 16:29 ../
    -rw-------   1 alopresto  staff   3.4K Nov 16 16:29 keystore.pkcs12
    -rw-------   1 alopresto  staff   8.6K Nov 16 16:29 nifi.properties
    -rw-------   1 alopresto  staff   911B Nov 16 16:29 truststore.jks
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 17s @ 16:30:01 $
    ```
    
    Squashed, merged, and closed. 



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    I think we should provide log output indicating that the user's choice of PKCS12 is not used for truststores. 
    
    ```
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 46s @ 19:28:29 $ ./bin/tls-toolkit.sh standalone -n 'localhost' -T PKCS12 -P password -S password
    2016-11-14 19:52:11,629 INFO [main] o.a.n.t.t.s.TlsToolkitStandaloneCommandLine No nifiPropertiesFile specified, using embedded one.
    2016-11-14 19:52:11,956 INFO [main] o.a.n.t.t.s.TlsToolkitStandalone Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
    2016-11-14 19:52:12,407 INFO [main] o.a.n.t.t.s.TlsToolkitStandalone Generated new CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
    2016-11-14 19:52:12,408 INFO [main] o.a.n.t.t.s.TlsToolkitStandalone Writing new ssl configuration to ../nifi-toolkit-1.1.0-SNAPSHOT/localhost
    2016-11-14 19:52:13,382 INFO [main] o.a.n.t.t.s.TlsToolkitStandalone Successfully generated TLS configuration for localhost 1 in ../nifi-toolkit-1.1.0-SNAPSHOT/localhost
    2016-11-14 19:52:13,382 INFO [main] o.a.n.t.t.s.TlsToolkitStandalone No clientCertDn specified, not generating any client certificates.
    2016-11-14 19:52:13,382 INFO [main] o.a.n.t.t.s.TlsToolkitStandalone tls-toolkit standalone completed successfully
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 1424s @ 19:52:14 $ ll localhost/
    total 40
    drwx------   5 alopresto  staff   170B Nov 14 19:52 ./
    drwxr-xr-x  11 alopresto  staff   374B Nov 14 19:52 ../
    -rw-------   1 alopresto  staff   3.4K Nov 14 19:52 keystore.pkcs12
    -rw-------   1 alopresto  staff   8.5K Nov 14 19:52 nifi.properties
    -rw-------   1 alopresto  staff   911B Nov 14 19:52 truststore.jks
    hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (pr1165) alopresto
    🔓 196s @ 19:55:31 $
    ```



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by ishiyayu <gi...@git.apache.org>.
Github user ishiyayu commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    2016/10/28 6:32 AM "Bryan Rosander" <no...@github.com>:
    
    > Thank you for submitting a contribution to Apache NiFi.
    >
    > In order to streamline the review of the contribution we ask you
    > to ensure the following steps have been taken:
    > For all changes:
    >
    >    - Is there a JIRA ticket associated with this PR? Is it referenced
    >    in the commit message?
    >    - Does your PR title start with NIFI-XXXX where XXXX is the JIRA number
    >    you are trying to resolve? Pay particular attention to the hyphen "-"
    >    character.
    >    - Has your PR been rebased against the latest commit within the target
    >    branch (typically master)?
    >    - Is your initial contribution a single, squashed commit?
    >
    > For code changes:
    >
    >    - Have you ensured that the full suite of tests is executed via mvn
    >    -Pcontrib-check clean install at the root nifi folder?
    >    - Have you written or updated unit tests to verify your changes?
    >    - N/A - If adding new dependencies to the code, are these dependencies
    >    licensed in a way that is compatible for inclusion under ASF 2.0
    >    <http://www.apache.org/legal/resolved.html#category-a>?
    >    - N/A - If applicable, have you updated the LICENSE file, including
    >    the main LICENSE file under nifi-assembly?
    >    - N/A - If applicable, have you updated the NOTICE file, including the
    >    main NOTICE file found under nifi-assembly?
    >    - N/A - If adding new Properties, have you added .displayName in
    >    addition to .name (programmatic access) for each of the new properties?
    >
    > For documentation related changes:
    >
    >    - Have you ensured that format looks appropriate for the output in
    >    which it is rendered?
    >
    > Note:
    >
    > Please ensure that once the PR is submitted, you check travis-ci for build
    > issues and submit an update to your PR as soon as possible.
    >
    >    1. loading pkcs12 keystores with bouncy castle everywhere
    >    2. tls-toolkit client using jks truststore when keystore type is
    >    specified differently
    >    3. tests
    >
    > ------------------------------
    > You can view, comment on, or merge this pull request online at:
    >
    >   https://github.com/apache/nifi/pull/1165
    > Commit Summary
    >
    >    - NIFI-2943 - pkcs12 keystore improvements
    >
    > File Changes
    >
    >    - *M* nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java <https://github.com/apache/nifi/pull/1165/files#diff-0> (7)
    >    - *A* nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java <https://github.com/apache/nifi/pull/1165/files#diff-1> (62)
    >    - *M* nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java <https://github.com/apache/nifi/pull/1165/files#diff-2> (8)
    >    - *M* nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy <https://github.com/apache/nifi/pull/1165/files#diff-3> (4)
    >    - *A* nifi-commons/nifi-security-utils/src/test/java/org/apache/nifi/security/util/KeyStoreUtilsTest.java <https://github.com/apache/nifi/pull/1165/files#diff-4> (139)
    >    - *M* nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java <https://github.com/apache/nifi/pull/1165/files#diff-5> (5)
    >    - *M* nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java <https://github.com/apache/nifi/pull/1165/files#diff-6> (5)
    >    - *M* nifi-docs/src/main/asciidoc/administration-guide.adoc <https://github.com/apache/nifi/pull/1165/files#diff-7> (4)
    >    - *M* nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-security/src/main/java/org/apache/nifi/framework/security/util/SslContextFactory.java <https://github.com/apache/nifi/pull/1165/files#diff-8> (7)
    >    - *M* nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java <https://github.com/apache/nifi/pull/1165/files#diff-9> (19)
    >    - *M* nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/JettyServerTest.java <https://github.com/apache/nifi/pull/1165/files#diff-10> (62)
    >    - *M* nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java <https://github.com/apache/nifi/pull/1165/files#diff-11> (3)
    >    - *M* nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java <https://github.com/apache/nifi/pull/1165/files#diff-12> (5)
    >    - *M* nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PostHTTP.java <https://github.com/apache/nifi/pull/1165/files#diff-13> (5)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsClientConfig.java <https://github.com/apache/nifi/pull/1165/files#diff-14> (1)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/BaseTlsManager.java <https://github.com/apache/nifi/pull/1165/files#diff-15> (18)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLine.java <https://github.com/apache/nifi/pull/1165/files#diff-16> (5)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceCommandLine.java <https://github.com/apache/nifi/pull/1165/files#diff-17> (2)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java <https://github.com/apache/nifi/pull/1165/files#diff-18> (6)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneCommandLine.java <https://github.com/apache/nifi/pull/1165/files#diff-19> (2)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java <https://github.com/apache/nifi/pull/1165/files#diff-20> (5)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/TlsCertificateAuthorityTest.java <https://github.com/apache/nifi/pull/1165/files#diff-21> (46)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateAuthorityClientCommandLineTest.java <https://github.com/apache/nifi/pull/1165/files#diff-22> (6)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformerTest.java <https://github.com/apache/nifi/pull/1165/files#diff-23> (6)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandlerTest.java <https://github.com/apache/nifi/pull/1165/files#diff-24> (6)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneTest.java <https://github.com/apache/nifi/pull/1165/files#diff-25> (29)
    >    - *M* nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java <https://github.com/apache/nifi/pull/1165/files#diff-26> (7)
    >
    > Patch Links:
    >
    >    - https://github.com/apache/nifi/pull/1165.patch
    >    - https://github.com/apache/nifi/pull/1165.diff
    >




[GitHub] nifi pull request #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r88095962
  
    --- Diff: nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/commandLine/BaseCommandLine.java ---
    @@ -202,6 +206,10 @@ protected CommandLine doParse(String[] args) throws CommandLineParseException {
                 keySize = getIntValue(commandLine, KEY_SIZE_ARG, TlsConfig.DEFAULT_KEY_SIZE);
                 keyAlgorithm = commandLine.getOptionValue(KEY_ALGORITHM_ARG, TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
                 keyStoreType = commandLine.getOptionValue(KEY_STORE_TYPE_ARG, getKeyStoreTypeDefault());
    +            if (KeystoreType.PKCS12.toString().equalsIgnoreCase(keyStoreType)) {
    +                logger.info("Command line argument --" + KEY_STORE_TYPE_ARG + "=" + keyStoreType + " only applies to keyStore, recommended trustStore type of " + KeystoreType.JKS.toString() +
    --- End diff --
    
    Same minor comment on capitalization (of output message; variable names are fine). 



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    I think the Admin Guide should also get an update indicating that the TLS Toolkit will ignore user requests to use PKCS12 format for truststores. 



[GitHub] nifi issue #1165: NIFI-2943 - pkcs12 keystore improvements

Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1165
  
    Performing final review (contrib-check, etc.). 

