NIFI-10932 Changed PKCS12 KeyStore Type Provider to SunJSSE
- Changed from Bouncy Castle to Sun JSSE Provider for Key Stores to improve reading and writing Trust Stores formatted in PKCS12 - Updated TLS Toolkit Key Password handling to remove setting null for PKCS12 Signed-off-by: Chris Sampson <chris.sampson82@gmail.com> This closes #6881
This commit is contained in:
parent
4700fed249
commit
4b97936d38
|
@ -83,7 +83,7 @@ public class KeyStoreUtils {
|
||||||
Security.addProvider(new BouncyCastleProvider());
|
Security.addProvider(new BouncyCastleProvider());
|
||||||
|
|
||||||
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME);
|
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME);
|
||||||
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), BouncyCastleProvider.PROVIDER_NAME);
|
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), SUN_JSSE_PROVIDER_NAME);
|
||||||
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);
|
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);
|
||||||
|
|
||||||
SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME);
|
SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME);
|
||||||
|
|
|
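Review bot: The new mapping on the `KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), SUN_JSSE_PROVIDER_NAME);` line has no comment saying why this one type moved off Bouncy Castle while BCFKS stays on it, so a later reader may "fix" it back; suggest `// SunJSSE rather than Bouncy Castle: improves reading and writing PKCS12 trust stores (NIFI-10932)`. One consequence worth a sentence in the class Javadoc: PKCS12 stores written through SunJSSE are protected with the algorithms chosen by the running JDK's `keystore.pkcs12.*` security properties, so the protection of written stores now depends on the JDK version and its `java.security` configuration rather than on the Bouncy Castle implementation. `SUN_JSSE_PROVIDER_NAME` is not declared in this hunk; presumably it is added elsewhere in the file by the same commit. The enclosing static initializer begins and ends outside the hunk.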
@ -17,7 +17,6 @@
|
||||||
|
|
||||||
package org.apache.nifi.toolkit.tls.manager;
|
package org.apache.nifi.toolkit.tls.manager;
|
||||||
|
|
||||||
import org.apache.nifi.security.util.KeystoreType;
|
|
||||||
import org.apache.nifi.security.util.KeyStoreUtils;
|
import org.apache.nifi.security.util.KeyStoreUtils;
|
||||||
import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
|
import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
|
||||||
import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
|
import org.apache.nifi.toolkit.tls.manager.writer.ConfigurationWriter;
|
||||||
|
@ -108,21 +107,16 @@ public class BaseTlsManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
private String getKeyPassword() {
|
private String getKeyPassword() {
|
||||||
if (keyStore.getType().equalsIgnoreCase(KeystoreType.PKCS12.toString())) {
|
String result = tlsConfig.getKeyPassword();
|
||||||
tlsConfig.setKeyPassword(null);
|
if (StringUtils.isEmpty(result)) {
|
||||||
return null;
|
if (differentKeyAndKeyStorePassword) {
|
||||||
} else {
|
result = passwordUtil.generatePassword();
|
||||||
String result = tlsConfig.getKeyPassword();
|
} else {
|
||||||
if (StringUtils.isEmpty(result)) {
|
result = getKeyStorePassword();
|
||||||
if (differentKeyAndKeyStorePassword) {
|
|
||||||
result = passwordUtil.generatePassword();
|
|
||||||
} else {
|
|
||||||
result = getKeyStorePassword();
|
|
||||||
}
|
|
||||||
tlsConfig.setKeyPassword(result);
|
|
||||||
}
|
}
|
||||||
return result;
|
tlsConfig.setKeyPassword(result);
|
||||||
}
|
}
|
||||||
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
private String getKeyStorePassword() {
|
private String getKeyStorePassword() {
|
||||||
|
|
|
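Review bot: `getKeyPassword()` now takes the generate-or-reuse branch for PKCS12 as well, so with `differentKeyAndKeyStorePassword` set a PKCS12 key store will carry a key password that differs from the store password; the removed code deliberately forced null for PKCS12, which suggests some consumer relied on the two being equal, and that assumption should be confirmed or documented before relying on the new path. The method also mutates `tlsConfig` from a getter, which the name hides; a Javadoc such as `/** Returns the configured key password; when none is set, generates one (or reuses the key store password) and stores it on tlsConfig. */` would make both the side effect and the PKCS12 change visible. The dropped `KeystoreType` import in the first hunk of this file is consistent with the type check being removed. `BaseTlsManager` continues outside the hunk.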
@ -200,8 +200,9 @@ public class TlsToolkitStandaloneTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testKeyStoreTypeArg() throws Exception {
|
public void testKeyStoreTypeArg() throws Exception {
|
||||||
|
final String certificateAuthorityHostname = "certificate-authority";
|
||||||
runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", TlsConfig.DEFAULT_HOSTNAME, "-T", KeystoreType.PKCS12.toString().toLowerCase(),
|
runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", TlsConfig.DEFAULT_HOSTNAME, "-T", KeystoreType.PKCS12.toString().toLowerCase(),
|
||||||
"-K", "change", "-S", "change", "-P", "change");
|
"-K", "change", "-S", "change", "-P", "change", "-c", certificateAuthorityHostname);
|
||||||
X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
|
X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
|
||||||
checkHostDirAndReturnNifiProperties(TlsConfig.DEFAULT_HOSTNAME, x509Certificate);
|
checkHostDirAndReturnNifiProperties(TlsConfig.DEFAULT_HOSTNAME, x509Certificate);
|
||||||
}
|
}
|
||||||
|
|
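Review bot: The added `"-c", certificateAuthorityHostname` argument is unexplained; a short comment above `final String certificateAuthorityHostname = "certificate-authority";` stating why the PKCS12 case now needs an explicit certificate-authority hostname would help a later reader. The test still passes `-K change` alongside `-S change`, so if `-K` is the key password the empty-key-password path that this commit changes in `getKeyPassword()` is not exercised for PKCS12 here; a second case that omits `-K` would cover the new behaviour. The test method is complete within the hunk.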