From 9f1267e9490084219517e4a56c7fa7fcb0d4063e Mon Sep 17 00:00:00 2001
From: Pierre Villard
Date: Sat, 29 Jul 2017 12:38:14 +0200
Subject: [PATCH] NIFI-4222 - Adding CN by default in SANs for generated certificates with tls-toolkit
This closes #2042.
Signed-off-by: Andy LoPresto
---
 .../tls/standalone/TlsToolkitStandalone.java | 4 +--
 .../nifi/toolkit/tls/util/TlsHelper.java | 28 +++++++++++++------
 .../nifi/toolkit/tls/util/TlsHelperTest.java | 6 +++-
 3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
index fdfaeed640..304ce7f939 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.java
@@ -17,7 +17,6 @@ package org.apache.nifi.toolkit.tls.standalone;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.KeyStoreUtils;
@@ -181,8 +180,7 @@ public class TlsToolkitStandalone {
 tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());
 TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
 KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
- Extensions sanDnsExtensions = StringUtils.isBlank(tlsClientConfig.getDomainAlternativeNames())
- ? null : TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames());
+ Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions(tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname));
 tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate);
 tlsClientManager.setCertificateEntry(NIFI_CERT, certificate);
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
index c244f073dd..d1d93e414d 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java
@@ -42,6 +42,8 @@ import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
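Review bot: `tlsClientConfig.calcDefaultDn(hostname)` is now evaluated twice on the new side of this hunk — once to seed the SAN extension and again inside `generateIssuedCertificate` — so the subject DN and the CN copied into the SAN are only guaranteed to agree as long as that method stays a deterministic function of `hostname`. Compute it once, `final String dn = tlsClientConfig.calcDefaultDn(hostname);`, and pass `dn` to both calls; that also shortens the very long replacement line. Dropping the `StringUtils.isBlank` guard means the SAN extension is always built now, so a DN from which no CN can be extracted fails certificate generation here with the IOException raised by `createDomainAlternativeNamesExtensions`; if that is intended, a one-line comment on the new line such as `// CN is always added as a dNSName SAN; SAN-only validators (RFC 6125) ignore the CN` would make the behaviour change visible to the next reader. The enclosing method starts and ends outside the hunk.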
@@ -199,22 +201,30 @@ public class TlsHelper {
 JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(requestedDn), keyPair.getPublic());
 // add Subject Alternative Name(s)
- if(StringUtils.isNotBlank(domainAlternativeNames)) {
- try {
- jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames));
- } catch (IOException e) {
- throw new OperatorCreationException("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e);
- }
+ try {
+ jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames, requestedDn));
+ } catch (IOException e) {
+ throw new OperatorCreationException("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e);
 }
 JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signingAlgorithm);
 return new JcaPKCS10CertificationRequest(jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate())));
 }
- public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames) throws IOException {
+ public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames, String requestedDn) throws IOException {
 List namesList = new ArrayList<>();
- for(String alternativeName : domainAlternativeNames.split(",")) {
- namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
+
+ try {
+ final String cn = IETFUtils.valueToString(new X500Name(requestedDn).getRDNs(BCStyle.CN)[0].getFirst().getValue());
+ namesList.add(new GeneralName(GeneralName.dNSName, cn));
+ } catch (Exception e) {
+ throw new IOException("Failed to extract CN from request DN: " + requestedDn, e);
+ }
+
+ if(StringUtils.isNotBlank(domainAlternativeNames)) {
+ for(String alternativeName : domainAlternativeNames.split(",")) {
+ namesList.add(new GeneralName(GeneralName.dNSName, alternativeName));
+ }
 }
 GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName [] {}));
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
index 223dbb7a34..9e234964c2 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
@@ -52,6 +52,7 @@ import java.util.Date;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
+
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.security.util.CertificateUtils;
 import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
@@ -319,9 +320,12 @@ public class TlsHelperTest {
 assert subjectName.equals(DN);
 List extractedSans = extractSanFromCsr(csrWithSan);
- assert extractedSans.size() == SAN_COUNT;
+ assert extractedSans.size() == SAN_COUNT + 1;
 List formattedSans = SAN_ENTRIES.stream().map(s -> "DNS: " + s).collect(Collectors.toList());
 assert extractedSans.containsAll(formattedSans);
+
+ // We check that the SANs also contain the CN
+ assert extractedSans.contains("DNS: localhost");
 }
 private List extractSanFromCsr(JcaPKCS10CertificationRequest csr) {
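Review bot: `getRDNs(BCStyle.CN)[0]` in `createDomainAlternativeNamesExtensions` throws ArrayIndexOutOfBoundsException for a DN with no CN, and the new `catch (Exception e)` is what turns that into the IOException — the broad catch is standing in for an explicit check and also folds any BouncyCastle parse failure into the same "Failed to extract CN" message. Check the array length and keep the catch narrow: `final RDN[] cnRdns = new X500Name(requestedDn).getRDNs(BCStyle.CN);` followed by `if (cnRdns.length == 0) { throw new IOException("Failed to extract CN from request DN: " + requestedDn); }` (needs `org.bouncycastle.asn1.x500.RDN` imported). The CN is added as a dNSName unconditionally, so a CN that is not a hostname (client certificates often carry a user identity there) ends up as a DNS SAN, and a CN that also appears in `domainAlternativeNames` is listed twice — a contains check before the `for` loop, or collecting into a `LinkedHashSet`, avoids the duplicate, and the `split(",")` entries are still not trimmed. Because the IOException can now originate from the DN rather than the SAN list, the `OperatorCreationException` message in the CSR path ("Error while adding " + domainAlternativeNames + " as Subject Alternative Name.") points at the wrong input; appending `requestedDn` to that message would fix the diagnosis. Both methods touched by this hunk extend beyond it.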
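Review bot: `assert extractedSans.contains("DNS: localhost")` hard-codes the CN that `DN` is assumed to carry, and `SAN_COUNT + 1` silently assumes no entry of `SAN_ENTRIES` equals that CN, so a change to either constant breaks the test without saying why. Derive the expected value in the test instead (the same `new X500Name(DN).getRDNs(BCStyle.CN)` lookup the production code uses) and assert `extractedSans.contains("DNS: " + cn)`, with the comment reading `// the CN is always added as an extra dNSName SAN, hence SAN_COUNT + 1`. Two new paths have no coverage: a null or blank `domainAlternativeNames` (the path `TlsToolkitStandalone` now always takes, since its blank guard was removed) should yield a SAN holding only the CN, and a DN without a CN should fail with the IOException. The test method containing this hunk starts above it.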