mirror of https://github.com/apache/nifi.git
NIFI-4222 - Adding CN by default in SANs for generated certificates with tls-toolkit
This closes #2042. Signed-off-by: Andy LoPresto <alopresto@apache.org>
This commit is contained in:
parent
9c4fdd4ef3
commit
9f1267e949
@ -17,7 +17,6 @@
|
|||
|
||||
package org.apache.nifi.toolkit.tls.standalone;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.nifi.security.util.CertificateUtils;
|
||||
import org.apache.nifi.security.util.KeystoreType;
|
||||
import org.apache.nifi.security.util.KeyStoreUtils;
|
||||
|
@ -181,8 +180,7 @@ public class TlsToolkitStandalone {
|
|||
tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
|
||||
TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
|
||||
KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
|
||||
Extensions sanDnsExtensions = StringUtils.isBlank(tlsClientConfig.getDomainAlternativeNames())
|
||||
? null : TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames());
|
||||
Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname));
|
||||
tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname),
|
||||
keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
|
||||
tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
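Review bot: `tlsClientConfig.calcDefaultDn(hostname)` is evaluated twice in the new lines, once to derive the SAN extension and once as the certificate subject; hoisting it into a single local, `final String dn = tlsClientConfig.calcDefaultDn(hostname);`, makes it explicit that the CN copied into the SAN is exactly the subject the certificate is issued for and avoids two parses of the same DN. The old null-guard for a blank SAN list is gone, so every generated node certificate now carries a SAN extension; that is the intent, but a one-line comment such as `// the CN is always added as a dNSName SAN, so sanDnsExtensions is never null` would stop the next reader from looking for the missing null check before `generateIssuedCertificate`. The enclosing method starts and ends outside the hunk.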
|
||||
|
|
|
@ -42,6 +42,8 @@ import javax.crypto.spec.SecretKeySpec;
|
|||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
|
||||
import org.bouncycastle.asn1.x500.X500Name;
|
||||
import org.bouncycastle.asn1.x500.style.BCStyle;
|
||||
import org.bouncycastle.asn1.x500.style.IETFUtils;
|
||||
import org.bouncycastle.asn1.x509.Extension;
|
||||
import org.bouncycastle.asn1.x509.Extensions;
|
||||
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
|
||||
|
@ -199,22 +201,30 @@ public class TlsHelper {
|
|||
JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(requestedDn), keyPair.getPublic());
|
||||
|
||||
// add Subject Alternative Name(s)
|
||||
if(StringUtils.isNotBlank(domainAlternativeNames)) {
|
||||
try {
|
||||
jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames));
|
||||
} catch (IOException e) {
|
||||
throw new OperatorCreationException("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e);
|
||||
}
|
||||
try {
|
||||
jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames, requestedDn));
|
||||
} catch (IOException e) {
|
||||
throw new OperatorCreationException("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e);
|
||||
}
|
||||
|
||||
JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
|
||||
return new JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
|
||||
}
|
||||
|
||||
public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames) throws IOException {
|
||||
public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames, String requestedDn) throws IOException {
|
||||
List<GeneralName> namesList = new ArrayList<>();
|
||||
for(String alternativeName : domainAlternativeNames.split(",")) {
|
||||
namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
|
||||
|
||||
try {
|
||||
final String cn = IETFUtils.valueToString(new X500Name(requestedDn).getRDNs(BCStyle.CN)[0].getFirst().getValue());
|
||||
namesList.add(new GeneralName(GeneralName.dNSName, cn));
|
||||
} catch (Exception e) {
|
||||
throw new IOException("Failed to extract CN from request DN: " + requestedDn, e);
|
||||
}
|
||||
|
||||
if(StringUtils.isNotBlank(domainAlternativeNames)) {
|
||||
for(String alternativeName : domainAlternativeNames.split(",")) {
|
||||
namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
|
||||
}
|
||||
}
|
||||
|
||||
GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
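Review bot: The new block in `createDomainAlternativeNamesExtensions` copies the CN into the SAN as a `dNSName` unconditionally, but a CN that is an IP literal (common for nodes without DNS) is then encoded as a DNS name, and RFC 6125-style hostname verifiers do not match an IP address against a `dNSName`, so such a certificate would still fail verification for the very case this commit is meant to fix; it should be emitted as an `iPAddress` entry. The `catch (Exception e)` also folds two distinct failures together, a DN with no CN (`getRDNs(BCStyle.CN)[0]` throws `ArrayIndexOutOfBoundsException`) and an unparsable DN (`new X500Name` throws `IllegalArgumentException`); an explicit length check gives a clearer error and lets the catch be narrowed. Entries from `split(",")` are not trimmed either, so `"a, b"` yields the SAN `" b"` (pre-existing, but the loop was rewritten here). The sketch below relies on BouncyCastle's `org.bouncycastle.util.IPAddress` and `org.bouncycastle.asn1.x500.RDN`, which would need to be imported.
```java
public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames, String requestedDn) throws IOException {
    List<GeneralName> namesList = new ArrayList<>();

    // The CN is always included so verifiers that only consult the SAN still accept the certificate.
    final RDN[] cnRdns;
    try {
        cnRdns = new X500Name(requestedDn).getRDNs(BCStyle.CN);
    } catch (IllegalArgumentException e) {
        throw new IOException("Failed to parse request DN: " + requestedDn, e);
    }
    if (cnRdns.length == 0) {
        throw new IOException("Request DN has no CN to add as a Subject Alternative Name: " + requestedDn);
    }
    final String cn = IETFUtils.valueToString(cnRdns[0].getFirst().getValue());
    // An IP-literal CN must be an iPAddress SAN; hostname verifiers never match an IP against a dNSName.
    namesList.add(new GeneralName(IPAddress.isValid(cn) ? GeneralName.iPAddress : GeneralName.dNSName, cn));

    if (StringUtils.isNotBlank(domainAlternativeNames)) {
        for (String alternativeName : domainAlternativeNames.split(",")) {
            namesList.add(new GeneralName(GeneralName.dNSName, alternativeName.trim()));
        }
    }
    // … unchanged: build GeneralNames and the Extensions from namesList …
```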
|
||||
|
|
|
@ -52,6 +52,7 @@ import java.util.Date;
|
|||
import java.util.List;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.nifi.security.util.CertificateUtils;
|
||||
import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
|
||||
|
@ -319,9 +320,12 @@ public class TlsHelperTest {
|
|||
assert subjectName.equals(DN);
|
||||
|
||||
List<String> extractedSans = extractSanFromCsr(csrWithSan);
|
||||
assert extractedSans.size() == SAN_COUNT;
|
||||
assert extractedSans.size() == SAN_COUNT + 1;
|
||||
List<String> formattedSans = SAN_ENTRIES.stream().map(s -> "DNS: " + s).collect(Collectors.toList());
|
||||
assert extractedSans.containsAll(formattedSans);
|
||||
|
||||
// We check that the SANs also contain the CN
|
||||
assert extractedSans.contains("DNS: localhost");
|
||||
}
|
||||
|
||||
private List<String> extractSanFromCsr(JcaPKCS10CertificationRequest csr) {
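Review bot: The new assertions only cover the case where SANs were also supplied explicitly, so the behaviour the commit title advertises, the CN being added when no SAN is configured at all, is not exercised; `extractedSans.size() == SAN_COUNT + 1` would also still pass if the CN were appended twice whenever `SAN_ENTRIES` happened to contain `localhost`, since the new code does not de-duplicate. A companion test that generates a CSR with a blank SAN string and asserts `extractSanFromCsr(csr).equals(Arrays.asList("DNS: localhost"))` would pin the default, and one with a DN lacking a CN should assert that `OperatorCreationException` is thrown rather than an unchecked exception. The enclosing test method begins outside the hunk.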
|
||||
|
|