NIFI-10932 Changed PKCS12 KeyStore Type Provider to SunJSSE

- Changed from Bouncy Castle to Sun JSSE Provider for Key Stores to improve reading and writing Trust Stores formatted in PKCS12 - Updated TLS Toolkit Key Password handling to remove setting null for PKCS12 Signed-off-by: Chris Sampson <chris.sampson82@gmail.com> This closes #6881
2023-01-23 21:24:49 -06:00 · 2023-01-23 21:24:49 -06:00 · 4b97936d38
parent 4700fed249
commit 4b97936d38
3 changed files with 11 additions and 16 deletions
--- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
+++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
@ -83,7 +83,7 @@ public class KeyStoreUtils {
        Security.addProvider(new BouncyCastleProvider());

        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME);
-        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), BouncyCastleProvider.PROVIDER_NAME);
+        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), SUN_JSSE_PROVIDER_NAME);
        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);

        SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME);
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/BaseTlsManager.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/BaseTlsManager.java
@ -17,7 +17,6 @@

 package org.apache.nifi.toolkit.tls.manager;

-import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.KeyStoreUtils;
 import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
 import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
@ -108,21 +107,16 @@ public class BaseTlsManager {
    }

    private String getKeyPassword() {
-        if (keyStore.getType().equalsIgnoreCase(KeystoreType.PKCS12.toString())) {
-            tlsConfig.setKeyPassword(null);
-            return null;
-        } else {
-            String result = tlsConfig.getKeyPassword();
-            if (StringUtils.isEmpty(result)) {
-                if (differentKeyAndKeyStorePassword) {
-                    result = passwordUtil.generatePassword();
-                } else {
-                    result = getKeyStorePassword();
-                }
-                tlsConfig.setKeyPassword(result);
+        String result = tlsConfig.getKeyPassword();
+        if (StringUtils.isEmpty(result)) {
+            if (differentKeyAndKeyStorePassword) {
+                result = passwordUtil.generatePassword();
+            } else {
+                result = getKeyStorePassword();
            }
-            return result;
+            tlsConfig.setKeyPassword(result);
        }
+        return result;
    }

    private String getKeyStorePassword() {
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneTest.java
@ -200,8 +200,9 @@ public class TlsToolkitStandaloneTest {

    @Test
    public void testKeyStoreTypeArg() throws Exception {
+        final String certificateAuthorityHostname = "certificate-authority";
        runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", TlsConfig.DEFAULT_HOSTNAME, "-T", KeystoreType.PKCS12.toString().toLowerCase(),
-                "-K", "change", "-S", "change", "-P", "change");
+                "-K", "change", "-S", "change", "-P", "change", "-c", certificateAuthorityHostname);
        X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
        checkHostDirAndReturnNifiProperties(TlsConfig.DEFAULT_HOSTNAME, x509Certificate);
    }