Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-12152 This closes #7818. Refactored addProvider() Bouncy Castle references 

- Removed Security.addProvider() references from several tests
- Refactored KeyStoreUtils to use instance of BouncyCastleProvider instead of BC provider name string
- Refactored MiNiFi references to pass BouncyCastleProvider for BCFKS

Signed-off-by: Joseph Witt <joewitt@apache.org>
This commit is contained in:
exceptionfactory 2023-09-29 16:13:02 -05:00 committed by Joseph Witt
parent 75c3b19979
commit c76191fa4b
No known key found for this signature in database
GPG Key ID: 9093BF854F811A1A
13 changed files with 73 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
View File

@ -31,7 +31,6 @@ import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.Security;
import java.util.Collection;
import java.util.Map;
import java.util.Properties;
@ -48,6 +47,7 @@ import org.apache.nifi.minifi.bootstrap.configuration.differentiators.WholeConfi
import org.apache.nifi.minifi.bootstrap.configuration.ingestors.interfaces.ChangeIngestor;
import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
import org.apache.nifi.security.ssl.StandardSslContextBuilder;
import org.apache.nifi.security.util.KeystoreType;
import org.apache.nifi.security.util.TlsPlatform;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.eclipse.jetty.server.Request;
@ -62,10 +62,6 @@ import org.slf4j.LoggerFactory;
public class RestChangeIngestor implements ChangeIngestor {
static {
Security.addProvider(new BouncyCastleProvider());
}
public static final String GET_TEXT = "This is a config change listener for an Apache NiFi - MiNiFi instance.\n" +
"Use this rest server to upload a flow.json to configure the MiNiFi instance.\n" +
"Send a POST http request to '/' to upload the file.";
@ -86,6 +82,8 @@ public class RestChangeIngestor implements ChangeIngestor {
private final static Logger logger = LoggerFactory.getLogger(RestChangeIngestor.class);
private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
private static final Map<String, Supplier<Differentiator<ByteBuffer>>> DIFFERENTIATOR_CONSTRUCTOR_MAP = Map.of(
WHOLE_CONFIG_KEY, WholeConfigDifferentiator::getByteBufferDifferentiator
);
@ -174,22 +172,34 @@ public class RestChangeIngestor implements ChangeIngestor {
KeyStore trustStore = null;
try (FileInputStream keyStoreStream = new FileInputStream(properties.getProperty(KEYSTORE_LOCATION_KEY))) {
keyStore = new StandardKeyStoreBuilder()
.type(properties.getProperty(KEYSTORE_TYPE_KEY))
final String keyStoreType = properties.getProperty(KEYSTORE_TYPE_KEY);
final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
.type(keyStoreType)
.inputStream(keyStoreStream)
.password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray())
.build();
.password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray());
if (KeystoreType.BCFKS.getType().equals(keyStoreType)) {
builder.provider(BOUNCY_CASTLE_PROVIDER);
}
keyStore = builder.build();
} catch (IOException ioe) {
throw new UncheckedIOException("Key Store loading failed", ioe);
}
if (properties.getProperty(TRUSTSTORE_LOCATION_KEY) != null) {
final String trustStoreType = properties.getProperty(TRUSTSTORE_TYPE_KEY);
try (FileInputStream trustStoreStream = new FileInputStream(properties.getProperty(TRUSTSTORE_LOCATION_KEY))) {
trustStore = new StandardKeyStoreBuilder()
.type(properties.getProperty(TRUSTSTORE_TYPE_KEY))
final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
.type(trustStoreType)
.inputStream(trustStoreStream)
.password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray())
.build();
.password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray());
if (KeystoreType.BCFKS.getType().equals(trustStoreType)) {
builder.provider(BOUNCY_CASTLE_PROVIDER);
}
trustStore = builder.build();
} catch (IOException ioe) {
throw new UncheckedIOException("Trust Store loading failed", ioe);
}

35
minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
View File

@ -33,7 +33,6 @@ import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import org.apache.nifi.jetty.configuration.connector.StandardServerConnectorFactory;
@ -56,9 +55,8 @@ public class JettyServer {
private static final String C2_SERVER_HOME = System.getenv("C2_SERVER_HOME");
private static final String WEB_DEFAULTS_XML = "webdefault.xml";
static {
Security.addProvider(new BouncyCastleProvider());
}
private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
private static final String BCFKS = "BCFKS";
public static void main(String[] args) throws Exception {
C2Properties properties = C2Properties.getInstance();
@ -116,11 +114,17 @@ public class JettyServer {
File keyStoreFile = Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toFile();
logger.debug("Loading Key Store [{}]", keyStoreFile.getPath());
try (FileInputStream keyStoreStream = new FileInputStream(keyStoreFile)) {
keyStore = new StandardKeyStoreBuilder()
.type(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE))
final String keyStoreType = properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE);
final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
.type(keyStoreType)
.inputStream(keyStoreStream)
.password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray())
.build();
.password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray());
if (BCFKS.equals(keyStoreType)) {
builder.provider(BOUNCY_CASTLE_PROVIDER);
}
keyStore = builder.build();
} catch (IOException ioe) {
throw new UncheckedIOException("Key Store loading failed", ioe);
}
@ -128,11 +132,18 @@ public class JettyServer {
File trustStoreFile = Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toFile();
logger.debug("Loading Trust Store [{}]", trustStoreFile.getPath());
try (FileInputStream trustStoreStream = new FileInputStream(trustStoreFile)) {
truststore = new StandardKeyStoreBuilder()
.type(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE))
final String trustStoreType = properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE);
final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
.type(trustStoreType)
.inputStream(trustStoreStream)
.password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray())
.build();
.password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray());
if (BCFKS.equals(trustStoreType)) {
builder.provider(BOUNCY_CASTLE_PROVIDER);
}
truststore = builder.build();
} catch (IOException ioe) {
throw new UncheckedIOException("Trust Store loading failed", ioe);
}

9
nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
View File

@ -21,7 +21,7 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.cert.CertificateException;
import java.util.Objects;
@ -29,7 +29,7 @@ import java.util.Objects;
* Standard implementation of Key Store Builder
*/
public class StandardKeyStoreBuilder implements KeyStoreBuilder {
private String provider;
private Provider provider;
private String type = KeyStore.getDefaultType();
@ -65,7 +65,7 @@ public class StandardKeyStoreBuilder implements KeyStoreBuilder {
* @param provider Key Store Provider
* @return Builder
*/
public StandardKeyStoreBuilder provider(final String provider) {
public StandardKeyStoreBuilder provider(final Provider provider) {
this.provider = Objects.requireNonNull(provider, "Key Store Provider required");
return this;
}
@ -109,9 +109,6 @@ public class StandardKeyStoreBuilder implements KeyStoreBuilder {
} catch (final KeyStoreException e) {
final String message = String.format("Key Store Type [%s] creation failed", type);
throw new BuilderConfigurationException(message, e);
} catch (final NoSuchProviderException e) {
final String message = String.format("Key Store Type [%s] Provider [%s] creation failed", type, provider);
throw new BuilderConfigurationException(message, e);
}
}
}

57
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
View File

@ -32,9 +32,7 @@ import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@ -60,8 +58,8 @@ import org.slf4j.LoggerFactory;
public class KeyStoreUtils {
private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
public static final String SUN_PROVIDER_NAME = "SUN";
public static final String SUN_JSSE_PROVIDER_NAME = "SunJSSE";
private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
private static final String JKS_EXT = ".jks";
private static final String PKCS12_EXT = ".p12";
private static final String BCFKS_EXT = ".bcfks";
@ -76,20 +74,7 @@ public class KeyStoreUtils {
private static final String KEYSTORE_ERROR_MSG = "There was an error creating a Keystore.";
private static final String TRUSTSTORE_ERROR_MSG = "There was an error creating a Truststore.";
private static final Map<String, String> KEY_STORE_TYPE_PROVIDERS = new HashMap<>();
private static final Map<KeystoreType, String> KEY_STORE_EXTENSIONS = new HashMap<>();
private static final Map<KeystoreType, String> SECRET_KEY_STORE_PROVIDERS = new HashMap<>();
static {
Security.addProvider(new BouncyCastleProvider());
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME);
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), SUN_JSSE_PROVIDER_NAME);
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);
SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME);
SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.PKCS12, SUN_JSSE_PROVIDER_NAME);
}
static {
KEY_STORE_EXTENSIONS.put(KeystoreType.JKS, JKS_EXT);
@ -97,17 +82,6 @@ public class KeyStoreUtils {
KEY_STORE_EXTENSIONS.put(KeystoreType.BCFKS, BCFKS_EXT);
}
/**
* Returns the provider that will be used for the given keyStoreType
*
* @param keyStoreType the keyStoreType
* @return Key Store Provider Name or null when not found
*/
public static String getKeyStoreProvider(final String keyStoreType) {
final String storeType = StringUtils.upperCase(keyStoreType);
return KEY_STORE_TYPE_PROVIDERS.get(storeType);
}
/**
* Returns an empty KeyStore backed by the appropriate provider
*
@ -116,15 +90,11 @@ public class KeyStoreUtils {
* @throws KeyStoreException if a KeyStore of the given type cannot be instantiated
*/
public static KeyStore getKeyStore(final String keyStoreType) throws KeyStoreException {
final String keyStoreProvider = getKeyStoreProvider(keyStoreType);
if (StringUtils.isNotEmpty(keyStoreProvider)) {
try {
return KeyStore.getInstance(keyStoreType, keyStoreProvider);
} catch (final Exception e) {
logger.error("KeyStore Type [{}] Provider [{}] instance creation failed", keyStoreType, keyStoreProvider, e);
}
if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
} else {
return KeyStore.getInstance(keyStoreType);
}
return KeyStore.getInstance(keyStoreType);
}
/**
@ -136,15 +106,14 @@ public class KeyStoreUtils {
*/
public static KeyStore getSecretKeyStore(final String keystoreTypeName) throws KeyStoreException {
final KeystoreType keystoreType = getKeystoreType(keystoreTypeName);
final String provider = SECRET_KEY_STORE_PROVIDERS.get(keystoreType);
if (provider == null) {
if (KeystoreType.BCFKS == keystoreType) {
return KeyStore.getInstance(keystoreType.getType(), BOUNCY_CASTLE_PROVIDER);
} else if (KeystoreType.PKCS12 == keystoreType) {
return KeyStore.getInstance(keystoreType.getType());
} else {
throw new KeyStoreException(String.format("Keystore Type [%s] does not support Secret Keys", keystoreType.getType()));
}
try {
return KeyStore.getInstance(keystoreType.getType(), provider);
} catch (final NoSuchProviderException e) {
throw new KeyStoreException(String.format("KeyStore Type [%s] Provider [%s] not found", keystoreType.getType(), provider), e);
}
}
/**
@ -493,7 +462,7 @@ public class KeyStoreUtils {
* @return Secret Key Entry supported status
*/
public static boolean isSecretKeyEntrySupported(final KeystoreType keystoreType) {
return SECRET_KEY_STORE_PROVIDERS.containsKey(keystoreType);
return KeystoreType.BCFKS == keystoreType || KeystoreType.PKCS12 == keystoreType;
}
/**

23
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
View File

@ -23,7 +23,6 @@ import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
@ -39,18 +38,15 @@ import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class OcspCertificateValidatorTest {
private static final Logger logger = LoggerFactory.getLogger(OcspCertificateValidatorTest.class);
@ -60,12 +56,6 @@ public class OcspCertificateValidatorTest {
private static final long YESTERDAY = System.currentTimeMillis() - 24 * 60 * 60 * 1000;
private static final long ONE_YEAR_FROM_NOW = System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000;
private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
private static final String PROVIDER = "BC";
@BeforeAll
public static void setUpOnce() {
Security.addProvider(new BouncyCastleProvider());
}
/**
* Generates a public/private RSA keypair using the default key size.
@ -108,7 +98,7 @@ public class OcspCertificateValidatorTest {
private static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException, CertificateException,
OperatorCreationException {
PrivateKey privateKey = keyPair.getPrivate();
ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(privateKey);
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
Date startDate = new Date(YESTERDAY);
Date endDate = new Date(ONE_YEAR_FROM_NOW);
@ -133,8 +123,7 @@ public class OcspCertificateValidatorTest {
// Sign the certificate
X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
return new JcaX509CertificateConverter().setProvider(PROVIDER)
.getCertificate(certificateHolder);
return new JcaX509CertificateConverter().getCertificate(certificateHolder);
}
/**
@ -167,7 +156,7 @@ public class OcspCertificateValidatorTest {
*/
private static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, String issuerDn, PrivateKey issuerKey) throws
CertificateException, OperatorCreationException {
ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(issuerKey);
ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(issuerKey);
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
Date startDate = new Date(YESTERDAY);
Date endDate = new Date(ONE_YEAR_FROM_NOW);
@ -180,8 +169,7 @@ public class OcspCertificateValidatorTest {
subPubKeyInfo);
X509CertificateHolder certificateHolder = v3CertGen.build(sigGen);
return new JcaX509CertificateConverter().setProvider(PROVIDER)
.getCertificate(certificateHolder);
return new JcaX509CertificateConverter().getCertificate(certificateHolder);
}
@Test
@ -237,7 +225,6 @@ public class OcspCertificateValidatorTest {
assertEquals(issuerDn, certificate.getIssuerX500Principal().getName());
certificate.verify(issuerCertificate.getPublicKey());
SignatureException se = assertThrows(SignatureException.class, () -> certificate.verify(certificate.getPublicKey()));
assertTrue(se.getMessage().contains("certificate does not verify with supplied key"));
assertThrows(SignatureException.class, () -> certificate.verify(certificate.getPublicKey()));
}
}

8
nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
View File

@ -17,7 +17,6 @@
package org.apache.nifi.processors.snowflake;
import java.security.Security;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
@ -29,17 +28,10 @@ import org.apache.nifi.processors.snowflake.util.SnowflakeAttributes;
import org.apache.nifi.processors.snowflake.util.SnowflakeInternalStageType;
import org.apache.nifi.util.TestRunner;
import org.apache.nifi.util.TestRunners;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
class SnowflakePipeIT implements SnowflakeConfigAware {
@BeforeAll
static void setUpOnce() {
Security.addProvider(new BouncyCastleProvider());
}
@Test
void shouldPutIntoInternalStage() throws Exception {
final PutSnowflakeInternalStage processor = new PutSnowflakeInternalStage();

8
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
View File

@ -22,15 +22,12 @@ import org.apache.nifi.security.util.crypto.HashService;
import org.apache.nifi.util.MockFlowFile;
import org.apache.nifi.util.TestRunner;
import org.apache.nifi.util.TestRunners;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@ -41,11 +38,6 @@ import static org.junit.jupiter.api.Assertions.assertNotEquals;
public class CryptographicHashContentTest {
private TestRunner runner;
@BeforeAll
static void setUpOnce() {
Security.addProvider(new BouncyCastleProvider());
}
@BeforeEach
void setupRunner() {
runner = TestRunners.newTestRunner(new CryptographicHashContent());

3
nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
View File

@ -21,14 +21,12 @@ import org.apache.nifi.properties.SensitivePropertyProvider;
import org.apache.nifi.properties.SensitivePropertyProviderFactory;
import org.apache.nifi.properties.StandardSensitivePropertyProviderFactory;
import org.apache.nifi.registry.properties.util.NiFiRegistryBootstrapUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.Security;
import java.util.Properties;
public class NiFiRegistryPropertiesLoader {
@ -125,7 +123,6 @@ public class NiFiRegistryPropertiesLoader {
public NiFiRegistryProperties load(final File file) {
final ProtectedNiFiRegistryProperties protectedNiFiProperties = readProtectedPropertiesFromDisk(file);
if (protectedNiFiProperties.hasProtectedKeys()) {
Security.addProvider(new BouncyCastleProvider());
getSensitivePropertyProviderFactory()
.getSupportedProviders()
.forEach(protectedNiFiProperties::addSensitivePropertyProvider);

44
nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
View File

@ -17,42 +17,13 @@
package org.apache.nifi.registry.security.util;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;
public class KeyStoreUtils {
private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
private static final String SUN_SECURITY_PROVIDER = "SUN";
private static final Map<String, String> KEY_STORE_TYPE_PROVIDERS = new HashMap<>();
static {
Security.addProvider(new BouncyCastleProvider());
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.toString(), SUN_SECURITY_PROVIDER);
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.toString(), BouncyCastleProvider.PROVIDER_NAME);
KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.toString(), BouncyCastleProvider.PROVIDER_NAME);
}
/**
* Returns the provider that will be used for the given keyStoreType
*
* @param keyStoreType the keyStoreType
* @return the provider that will be used
*/
public static String getKeyStoreProvider(final String keyStoreType) {
final String storeType = StringUtils.upperCase(keyStoreType);
return KEY_STORE_TYPE_PROVIDERS.get(storeType);
}
private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
/**
* Returns an empty KeyStore backed by the appropriate provider
@ -62,15 +33,10 @@ public class KeyStoreUtils {
* @throws KeyStoreException if a KeyStore of the given type cannot be instantiated
*/
public static KeyStore getKeyStore(final String keyStoreType) throws KeyStoreException {
final String keyStoreProvider = getKeyStoreProvider(keyStoreType);
if (StringUtils.isNotEmpty(keyStoreProvider)) {
try {
return KeyStore.getInstance(keyStoreType, keyStoreProvider);
} catch (Exception e) {
logger.error("Unable to load " + keyStoreProvider + " " + keyStoreType
+ " keystore. This may cause issues getting trusted CA certificates as well as Certificate Chains for use in TLS.", e);
}
if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
} else {
return KeyStore.getInstance(keyStoreType);
}
return KeyStore.getInstance(keyStoreType);
}
}

14
nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
View File

@ -16,7 +16,6 @@
*/
package org.apache.nifi.registry.security.util;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.jupiter.api.Test;
import java.security.KeyStore;
@ -24,7 +23,6 @@ import java.security.KeyStoreException;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
public class KeyStoreUtilsTest {
@ -36,16 +34,4 @@ public class KeyStoreUtilsTest {
assertEquals(keystoreType.name(), keyStore.getType());
}
}
@Test
public void testGetKeyStoreProviderNullType() {
final String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(null);
assertNull(keyStoreProvider);
}
@Test
public void testGetKeyStoreProviderBouncyCastleProvider() {
final String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(KeystoreType.PKCS12.name());
assertEquals(BouncyCastleProvider.PROVIDER_NAME, keyStoreProvider);
}
}

4
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
View File

@ -43,7 +43,6 @@ import org.apache.nifi.util.NiFiProperties
import org.apache.nifi.util.console.TextDevice
import org.apache.nifi.util.console.TextDevices
import org.bouncycastle.crypto.generators.SCrypt
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.slf4j.Logger
import org.slf4j.LoggerFactory
import org.xml.sax.SAXException
@ -56,7 +55,6 @@ import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.StandardCopyOption
import java.security.KeyException
import java.security.Security
import java.util.function.Supplier
import java.util.regex.Matcher
import java.util.zip.GZIPInputStream
@ -1348,8 +1346,6 @@ class ConfigEncryptionTool {
* @param args the command-line arguments
*/
static void main(String[] args) {
Security.addProvider(new BouncyCastleProvider())
ConfigEncryptionTool tool = new ConfigEncryptionTool()
try {

5
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
View File

@ -19,12 +19,9 @@ package org.apache.nifi.toolkit.encryptconfig
import org.apache.commons.cli.HelpFormatter
import org.apache.commons.cli.Options
import org.apache.nifi.properties.ConfigEncryptionTool
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.slf4j.Logger
import org.slf4j.LoggerFactory
import java.security.Security
class EncryptConfigMain {
private static final Logger logger = LoggerFactory.getLogger(EncryptConfigMain.class)
@ -90,8 +87,6 @@ class EncryptConfigMain {
}
static void main(String[] args) {
Security.addProvider(new BouncyCastleProvider())
if (args.length < 1) {
printUsageAndExit(EXIT_STATUS_FAILURE)
}

21
nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
View File

@ -28,10 +28,8 @@ import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.util.IPAddress;
import org.junit.jupiter.api.BeforeAll;
@ -59,7 +57,6 @@ import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@ -89,25 +86,11 @@ public class TlsHelperTest {
private int keySize;
private String keyPairAlgorithm;
public static KeyPair loadKeyPair(final Reader reader) throws IOException {
try (PEMParser pemParser = new PEMParser(reader)) {
Object object = pemParser.readObject();
assertEquals(PEMKeyPair.class, object.getClass());
return new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) object);
}
}
public static KeyPair loadKeyPair(File file) throws IOException {
try (final FileReader fileReader = new FileReader(file)) {
return loadKeyPair(fileReader);
}
}
public static X509Certificate loadCertificate(final Reader reader) throws IOException, CertificateException {
try (PEMParser pemParser = new PEMParser(reader)) {
Object object = pemParser.readObject();
assertEquals(X509CertificateHolder.class, object.getClass());
return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate((X509CertificateHolder) object);
return new JcaX509CertificateConverter().getCertificate((X509CertificateHolder) object);
}
}
@ -310,8 +293,6 @@ public class TlsHelperTest {
@Test
public void testOutputToFileTwoCertsAsPem(@TempDir final File folder) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
KeyStore keyStore = setupKeystore();
HashMap<String, Certificate> certs = TlsHelper.extractCerts(keyStore);
TlsHelper.outputCertsAsPem(certs, folder,".crt");