NIFI-2466: Added option to provide separate key password to StandardSSLContextService.
Fixed NPE (+2 squashed commits) Squashed commits: [c5d521a
] NIFI-2466: Added unit test to verify changes; fixed validation [aa4d418
] NIFI-2446: Add option to specify key password when different than keystore password This closes #776. Signed-off-by: Andy LoPresto <alopresto@apache.org>
This commit is contained in:
parent
1511887a68
commit
83a23f90d4
|
@ -48,7 +48,9 @@ public final class SslContextFactory {
|
|||
}
|
||||
|
||||
/**
|
||||
* Creates a SSLContext instance using the given information.
|
||||
* Creates a SSLContext instance using the given information. The password for the key is assumed to be the same
|
||||
* as the password for the keystore. If this is not the case, the {@link #createSslContext(String, char[], chart[], String, String, char[], String, ClientAuth, String)}
|
||||
* method should be used instead
|
||||
*
|
||||
* @param keystore the full path to the keystore
|
||||
* @param keystorePasswd the keystore password
|
||||
|
@ -74,13 +76,48 @@ public final class SslContextFactory {
|
|||
throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
|
||||
UnrecoverableKeyException, KeyManagementException {
|
||||
|
||||
// Pass the keystore password as both the keystore password and the key password.
|
||||
return createSslContext(keystore, keystorePasswd, keystorePasswd, keystoreType, truststore, truststorePasswd, truststoreType, clientAuth, protocol);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a SSLContext instance using the given information.
|
||||
*
|
||||
* @param keystore the full path to the keystore
|
||||
* @param keystorePasswd the keystore password
|
||||
* @param keystoreType the type of keystore (e.g., PKCS12, JKS)
|
||||
* @param truststore the full path to the truststore
|
||||
* @param truststorePasswd the truststore password
|
||||
* @param truststoreType the type of truststore (e.g., PKCS12, JKS)
|
||||
* @param clientAuth the type of client authentication
|
||||
* @param protocol the protocol to use for the SSL connection
|
||||
*
|
||||
* @return a SSLContext instance
|
||||
* @throws java.security.KeyStoreException if any issues accessing the keystore
|
||||
* @throws java.io.IOException for any problems loading the keystores
|
||||
* @throws java.security.NoSuchAlgorithmException if an algorithm is found to be used but is unknown
|
||||
* @throws java.security.cert.CertificateException if there is an issue with the certificate
|
||||
* @throws java.security.UnrecoverableKeyException if the key is insufficient
|
||||
* @throws java.security.KeyManagementException if unable to manage the key
|
||||
*/
|
||||
public static SSLContext createSslContext(
|
||||
final String keystore, final char[] keystorePasswd, final char[] keyPasswd, final String keystoreType,
|
||||
final String truststore, final char[] truststorePasswd, final String truststoreType,
|
||||
final ClientAuth clientAuth, final String protocol)
|
||||
throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
|
||||
UnrecoverableKeyException, KeyManagementException {
|
||||
|
||||
// prepare the keystore
|
||||
final KeyStore keyStore = KeyStore.getInstance(keystoreType);
|
||||
try (final InputStream keyStoreStream = new FileInputStream(keystore)) {
|
||||
keyStore.load(keyStoreStream, keystorePasswd);
|
||||
}
|
||||
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
|
||||
if (keyPasswd == null) {
|
||||
keyManagerFactory.init(keyStore, keystorePasswd);
|
||||
} else {
|
||||
keyManagerFactory.init(keyStore, keyPasswd);
|
||||
}
|
||||
|
||||
// prepare the truststore
|
||||
final KeyStore trustStore = KeyStore.getInstance(truststoreType);
|
||||
|
@ -106,7 +143,9 @@ public final class SslContextFactory {
|
|||
}
|
||||
|
||||
/**
|
||||
* Creates a SSLContext instance using the given information.
|
||||
* Creates a SSLContext instance using the given information. This method assumes that the key password is
|
||||
* the same as the keystore password. If this is not the case, use the {@link #createSslContext(String, char[], char[], String, String)}
|
||||
* method instead.
|
||||
*
|
||||
* @param keystore the full path to the keystore
|
||||
* @param keystorePasswd the keystore password
|
||||
|
@ -126,13 +165,42 @@ public final class SslContextFactory {
|
|||
throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
|
||||
UnrecoverableKeyException, KeyManagementException {
|
||||
|
||||
// create SSL Context passing keystore password as the key password
|
||||
return createSslContext(keystore, keystorePasswd, keystorePasswd, keystoreType, protocol);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a SSLContext instance using the given information.
|
||||
*
|
||||
* @param keystore the full path to the keystore
|
||||
* @param keystorePasswd the keystore password
|
||||
* @param keystoreType the type of keystore (e.g., PKCS12, JKS)
|
||||
* @param protocol the protocol to use for the SSL connection
|
||||
*
|
||||
* @return a SSLContext instance
|
||||
* @throws java.security.KeyStoreException if any issues accessing the keystore
|
||||
* @throws java.io.IOException for any problems loading the keystores
|
||||
* @throws java.security.NoSuchAlgorithmException if an algorithm is found to be used but is unknown
|
||||
* @throws java.security.cert.CertificateException if there is an issue with the certificate
|
||||
* @throws java.security.UnrecoverableKeyException if the key is insufficient
|
||||
* @throws java.security.KeyManagementException if unable to manage the key
|
||||
*/
|
||||
public static SSLContext createSslContext(
|
||||
final String keystore, final char[] keystorePasswd, final char[] keyPasswd, final String keystoreType, final String protocol)
|
||||
throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
|
||||
UnrecoverableKeyException, KeyManagementException {
|
||||
|
||||
// prepare the keystore
|
||||
final KeyStore keyStore = KeyStore.getInstance(keystoreType);
|
||||
try (final InputStream keyStoreStream = new FileInputStream(keystore)) {
|
||||
keyStore.load(keyStoreStream, keystorePasswd);
|
||||
}
|
||||
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
|
||||
if (keyPasswd == null) {
|
||||
keyManagerFactory.init(keyStore, keystorePasswd);
|
||||
} else {
|
||||
keyManagerFactory.init(keyStore, keyPasswd);
|
||||
}
|
||||
|
||||
// initialize the ssl context
|
||||
final SSLContext ctx = SSLContext.getInstance(protocol);
|
||||
|
|
|
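Review bot: The Javadoc link added in the first hunk, `{@link #createSslContext(String, char[], chart[], String, String, char[], String, ClientAuth, String)}`, misspells `char[]` as `chart[]`, so the reference will not resolve and javadoc will warn; change it to `char[]`. Neither new overload documents its `keyPasswd` parameter — the nine-argument method's Javadoc lists eight `@param` tags and the five-argument method's lists four — and the fallback in `if (keyPasswd == null) { keyManagerFactory.init(keyStore, keystorePasswd); }` is otherwise undocumented; add `@param keyPasswd the password for the key; if {@code null}, the keystore password is used` to both. The two init branches could also collapse to `keyManagerFactory.init(keyStore, keyPasswd == null ? keystorePasswd : keyPasswd);`. Both method bodies continue past the hunks shown.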
@ -21,6 +21,7 @@ import org.apache.nifi.annotation.documentation.Tags;
|
|||
import org.apache.nifi.annotation.lifecycle.OnEnabled;
|
||||
import org.apache.nifi.components.AllowableValue;
|
||||
import org.apache.nifi.components.PropertyDescriptor;
|
||||
import org.apache.nifi.components.PropertyValue;
|
||||
import org.apache.nifi.components.ValidationContext;
|
||||
import org.apache.nifi.components.ValidationResult;
|
||||
import org.apache.nifi.components.Validator;
|
||||
|
@ -96,6 +97,15 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
.addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
|
||||
.sensitive(true)
|
||||
.build();
|
||||
static final PropertyDescriptor KEY_PASSWORD = new PropertyDescriptor.Builder()
|
||||
.name("key-password")
|
||||
.displayName("Key Password")
|
||||
.description("The password for the key. If this is not specified, but the Keystore Filename, Password, and Type are specified, "
|
||||
+ "then the Keystore Password will be assumed to be the same as the Key Password.")
|
||||
.addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
|
||||
.sensitive(true)
|
||||
.required(false)
|
||||
.build();
|
||||
public static final PropertyDescriptor SSL_ALGORITHM = new PropertyDescriptor.Builder()
|
||||
.name("SSL Protocol")
|
||||
.defaultValue("TLS")
|
||||
|
@ -113,6 +123,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
List<PropertyDescriptor> props = new ArrayList<>();
|
||||
props.add(KEYSTORE);
|
||||
props.add(KEYSTORE_PASSWORD);
|
||||
props.add(KEY_PASSWORD);
|
||||
props.add(KEYSTORE_TYPE);
|
||||
props.add(TRUSTSTORE);
|
||||
props.add(TRUSTSTORE_PASSWORD);
|
||||
|
@ -223,6 +234,9 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
private void verifySslConfig(final ValidationContext validationContext) throws ProcessException {
|
||||
final String protocol = validationContext.getProperty(SSL_ALGORITHM).getValue();
|
||||
try {
|
||||
final PropertyValue keyPasswdProp = validationContext.getProperty(KEY_PASSWORD);
|
||||
final char[] keyPassword = keyPasswdProp.isSet() ? keyPasswdProp.getValue().toCharArray() : null;
|
||||
|
||||
final String keystoreFile = validationContext.getProperty(KEYSTORE).getValue();
|
||||
if (keystoreFile == null) {
|
||||
SslContextFactory.createTrustSslContext(
|
||||
|
@ -237,6 +251,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
SslContextFactory.createSslContext(
|
||||
validationContext.getProperty(KEYSTORE).getValue(),
|
||||
validationContext.getProperty(KEYSTORE_PASSWORD).getValue().toCharArray(),
|
||||
keyPassword,
|
||||
validationContext.getProperty(KEYSTORE_TYPE).getValue(),
|
||||
protocol);
|
||||
return;
|
||||
|
@ -245,6 +260,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
SslContextFactory.createSslContext(
|
||||
validationContext.getProperty(KEYSTORE).getValue(),
|
||||
validationContext.getProperty(KEYSTORE_PASSWORD).getValue().toCharArray(),
|
||||
keyPassword,
|
||||
validationContext.getProperty(KEYSTORE_TYPE).getValue(),
|
||||
validationContext.getProperty(TRUSTSTORE).getValue(),
|
||||
validationContext.getProperty(TRUSTSTORE_PASSWORD).getValue().toCharArray(),
|
||||
|
@ -260,19 +276,26 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
public SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException {
|
||||
final String protocol = configContext.getProperty(SSL_ALGORITHM).getValue();
|
||||
try {
|
||||
final PropertyValue keyPasswdProp = configContext.getProperty(KEY_PASSWORD);
|
||||
final char[] keyPassword = keyPasswdProp.isSet() ? keyPasswdProp.getValue().toCharArray() : null;
|
||||
|
||||
final String keystoreFile = configContext.getProperty(KEYSTORE).getValue();
|
||||
if (keystoreFile == null) {
|
||||
// If keystore not specified, create SSL Context based only on trust store.
|
||||
return SslContextFactory.createTrustSslContext(
|
||||
configContext.getProperty(TRUSTSTORE).getValue(),
|
||||
configContext.getProperty(TRUSTSTORE_PASSWORD).getValue().toCharArray(),
|
||||
configContext.getProperty(TRUSTSTORE_TYPE).getValue(),
|
||||
protocol);
|
||||
}
|
||||
|
||||
final String truststoreFile = configContext.getProperty(TRUSTSTORE).getValue();
|
||||
if (truststoreFile == null) {
|
||||
// If truststore not specified, create SSL Context based only on key store.
|
||||
return SslContextFactory.createSslContext(
|
||||
configContext.getProperty(KEYSTORE).getValue(),
|
||||
configContext.getProperty(KEYSTORE_PASSWORD).getValue().toCharArray(),
|
||||
keyPassword,
|
||||
configContext.getProperty(KEYSTORE_TYPE).getValue(),
|
||||
protocol);
|
||||
}
|
||||
|
@ -280,6 +303,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
return SslContextFactory.createSslContext(
|
||||
configContext.getProperty(KEYSTORE).getValue(),
|
||||
configContext.getProperty(KEYSTORE_PASSWORD).getValue().toCharArray(),
|
||||
keyPassword,
|
||||
configContext.getProperty(KEYSTORE_TYPE).getValue(),
|
||||
configContext.getProperty(TRUSTSTORE).getValue(),
|
||||
configContext.getProperty(TRUSTSTORE_PASSWORD).getValue().toCharArray(),
|
||||
|
@ -326,6 +350,11 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
return configContext.getProperty(KEYSTORE_PASSWORD).getValue();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getKeyPassword() {
|
||||
return configContext.getProperty(KEY_PASSWORD).getValue();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isKeyStoreConfigured() {
|
||||
return getKeyStoreFile() != null && getKeyStorePassword() != null && getKeyStoreType() != null;
|
||||
|
@ -371,8 +400,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
.build());
|
||||
} else {
|
||||
try {
|
||||
final boolean storeValid = CertificateUtils
|
||||
.isStoreValid(file.toURI().toURL(), KeystoreType.valueOf(type), password.toCharArray());
|
||||
final boolean storeValid = CertificateUtils.isStoreValid(file.toURI().toURL(), KeystoreType.valueOf(type), password.toCharArray());
|
||||
if (!storeValid) {
|
||||
results.add(new ValidationResult.Builder()
|
||||
.subject(keystoreDesc + " Properties")
|
||||
|
|
|
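Review bot: In `verifySslConfig`, `keyPassword` is read from `KEY_PASSWORD` before the `keystoreFile == null` branch, and that branch calls `createTrustSslContext` without it, so a key password configured without a keystore is silently ignored instead of being reported; consider adding a `ValidationResult` (built with `.subject(...)` as in the last hunk, `.valid(false)`, and an explanation) when `KEY_PASSWORD` is set but `KEYSTORE` is not — the `customValidate` method that collects results is outside the hunks shown, so where to place the check is inferred. The same silent-ignore applies to `createSSLContext(final ClientAuth clientAuth)` in the later hunk. Separately, `KEY_PASSWORD` is declared `static final` while the neighbouring `SSL_ALGORITHM` is `public static final`; the test refers to `StandardSSLContextService.KEY_PASSWORD`, which compiles only because it shares the package, so `public static final PropertyDescriptor KEY_PASSWORD = new PropertyDescriptor.Builder()` would be more consistent. Both `verifySslConfig` and `createSSLContext` run past the hunk boundaries.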
@ -109,7 +109,7 @@ public class SSLContextServiceTest {
|
|||
runner.assertValid(service);
|
||||
service = (SSLContextService) runner.getProcessContext().getControllerServiceLookup().getControllerService("test-good1");
|
||||
Assert.assertNotNull(service);
|
||||
SSLContextService sslService = (SSLContextService) service;
|
||||
SSLContextService sslService = service;
|
||||
sslService.createSSLContext(ClientAuth.REQUIRED);
|
||||
sslService.createSSLContext(ClientAuth.WANT);
|
||||
sslService.createSSLContext(ClientAuth.NONE);
|
||||
|
@ -160,4 +160,46 @@ public class SSLContextServiceTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDifferentKeyPassword() {
|
||||
try {
|
||||
final TestRunner runner = TestRunners.newTestRunner(TestProcessor.class);
|
||||
final SSLContextService service = new StandardSSLContextService();
|
||||
final Map<String, String> properties = new HashMap<String, String>();
|
||||
properties.put(StandardSSLContextService.KEYSTORE.getName(), "src/test/resources/diffpass-ks.jks");
|
||||
properties.put(StandardSSLContextService.KEYSTORE_PASSWORD.getName(), "storepassword");
|
||||
properties.put(StandardSSLContextService.KEY_PASSWORD.getName(), "keypassword");
|
||||
properties.put(StandardSSLContextService.KEYSTORE_TYPE.getName(), "JKS");
|
||||
runner.addControllerService("test-diff-keys", service, properties);
|
||||
runner.enableControllerService(service);
|
||||
|
||||
runner.setProperty("SSL Context Svc ID", "test-diff-keys");
|
||||
runner.assertValid();
|
||||
Assert.assertNotNull(service);
|
||||
Assert.assertTrue(service instanceof StandardSSLContextService);
|
||||
SSLContextService sslService = service;
|
||||
sslService.createSSLContext(ClientAuth.NONE);
|
||||
} catch (Exception e) {
|
||||
System.out.println(e);
|
||||
Assert.fail("Should not have thrown a exception " + e.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDifferentKeyPasswordWithoutSpecifyingPassword() {
|
||||
try {
|
||||
final TestRunner runner = TestRunners.newTestRunner(TestProcessor.class);
|
||||
final SSLContextService service = new StandardSSLContextService();
|
||||
final Map<String, String> properties = new HashMap<String, String>();
|
||||
properties.put(StandardSSLContextService.KEYSTORE.getName(), "src/test/resources/diffpass-ks.jks");
|
||||
properties.put(StandardSSLContextService.KEYSTORE_PASSWORD.getName(), "storepassword");
|
||||
properties.put(StandardSSLContextService.KEYSTORE_TYPE.getName(), "JKS");
|
||||
runner.addControllerService("test-diff-keys", service, properties);
|
||||
|
||||
runner.assertNotValid(service);
|
||||
} catch (Exception e) {
|
||||
System.out.println(e);
|
||||
Assert.fail("Should not have thrown a exception " + e.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
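Review bot: Both new tests wrap their bodies in `try { ... } catch (Exception e) { System.out.println(e); Assert.fail(...); }`, which discards the stack trace on failure and reports only `e.getMessage()`; declaring `public void testDifferentKeyPassword() throws Exception {` (and likewise for `testDifferentKeyPasswordWithoutSpecifyingPassword`) and dropping the try/catch lets the runner report the original exception. `Assert.assertTrue(service instanceof StandardSSLContextService)` is always true for a variable initialised with `new StandardSSLContextService()`, and `SSLContextService sslService = service;` only aliases it, so both lines can go. `new HashMap<String, String>()` can be `new HashMap<>()`, matching the diamond form used elsewhere on this page (`new ArrayList<>()`).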
Binary file not shown.
|
@ -55,6 +55,8 @@ public interface SSLContextService extends ControllerService {
|
|||
|
||||
public String getKeyStorePassword();
|
||||
|
||||
public String getKeyPassword();
|
||||
|
||||
public boolean isKeyStoreConfigured();
|
||||
|
||||
String getSslAlgorithm();
|
||||
|
|
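Review bot: The new `getKeyPassword()` on the interface has no Javadoc, and callers cannot tell from the signature that it may return `null` — the `StandardSSLContextService` implementation returns `configContext.getProperty(KEY_PASSWORD).getValue()` for a property declared `.required(false)`, so a null return when no separate key password is configured seems likely; confirm. Suggest: `/** @return the password for the key, or {@code null} if none was configured, in which case the keystore password is used for the key */`. The `public` modifier is redundant on an interface method and the neighbouring `String getSslAlgorithm();` omits it, so `String getKeyPassword();` would be more consistent.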