Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-10932 Changed PKCS12 KeyStore Type Provider to SunJSSE 

- Changed from Bouncy Castle to Sun JSSE Provider for Key Stores to improve reading and writing Trust Stores formatted in PKCS12
- Updated TLS Toolkit Key Password handling to remove setting null for PKCS12

Signed-off-by: Chris Sampson <chris.sampson82@gmail.com>

This closes #6881
This commit is contained in:
exceptionfactory 2023-01-23 21:24:49 -06:00 committed by Chris Sampson
parent 4700fed249
commit 4b97936d38
3 changed files with 11 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
View File

@ -83,7 +83,7 @@ public class KeyStoreUtils {
Security.addProvider(new BouncyCastleProvider()); Security.addProvider(new BouncyCastleProvider());
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME); KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME);
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), BouncyCastleProvider.PROVIDER_NAME); KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), SUN_JSSE_PROVIDER_NAME);
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME); KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);
SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME); SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME);

6
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/manager/BaseTlsManager.java
View File

@ -17,7 +17,6 @@
package org.apache.nifi.toolkit.tls.manager; package org.apache.nifi.toolkit.tls.manager;
import org.apache.nifi.security.util.KeystoreType;
import org.apache.nifi.security.util.KeyStoreUtils; import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.toolkit.tls.configuration.TlsConfig; import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter; import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
@ -108,10 +107,6 @@ public class BaseTlsManager {
} }
private String getKeyPassword() { private String getKeyPassword() {
if (keyStore.getType().equalsIgnoreCase(KeystoreType.PKCS12.toString())) {
tlsConfig.setKeyPassword(null);
return null;
} else {
String result = tlsConfig.getKeyPassword(); String result = tlsConfig.getKeyPassword();
if (StringUtils.isEmpty(result)) { if (StringUtils.isEmpty(result)) {
if (differentKeyAndKeyStorePassword) { if (differentKeyAndKeyStorePassword) {
@ -123,7 +118,6 @@ public class BaseTlsManager {
} }
return result; return result;
} }
}
private String getKeyStorePassword() { private String getKeyStorePassword() {
String result = tlsConfig.getKeyStorePassword(); String result = tlsConfig.getKeyStorePassword();

3
nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandaloneTest.java
View File

@ -200,8 +200,9 @@ public class TlsToolkitStandaloneTest {
@Test @Test
public void testKeyStoreTypeArg() throws Exception { public void testKeyStoreTypeArg() throws Exception {
final String certificateAuthorityHostname = "certificate-authority";
runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", TlsConfig.DEFAULT_HOSTNAME, "-T", KeystoreType.PKCS12.toString().toLowerCase(), runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", TlsConfig.DEFAULT_HOSTNAME, "-T", KeystoreType.PKCS12.toString().toLowerCase(),
"-K", "change", "-S", "change", "-P", "change"); "-K", "change", "-S", "change", "-P", "change", "-c", certificateAuthorityHostname);
X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM); X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
checkHostDirAndReturnNifiProperties(TlsConfig.DEFAULT_HOSTNAME, x509Certificate); checkHostDirAndReturnNifiProperties(TlsConfig.DEFAULT_HOSTNAME, x509Certificate);
} }