From c76191fa4b80309ea239aa30d63951188b7fef76 Mon Sep 17 00:00:00 2001
From: exceptionfactory
Date: Fri, 29 Sep 2023 16:13:02 -0500
Subject: [PATCH] NIFI-12152 This closes #7818. Refactored addProvider() Bouncy Castle references
- Removed Security.addProvider() references from several tests
- Refactored KeyStoreUtils to use instance of BouncyCastleProvider instead of BC provider name string
- Refactored MiNiFi references to pass BouncyCastleProvider for BCFKS
Signed-off-by: Joseph Witt
---
 .../ingestors/RestChangeIngestor.java | 36 +++++++-----
 .../nifi/minifi/c2/jetty/JettyServer.java | 35 ++++++++----
 .../security/ssl/StandardKeyStoreBuilder.java | 9 +--
 .../nifi/security/util/KeyStoreUtils.java | 57 +++++--------------
 .../ocsp/OcspCertificateValidatorTest.java | 23 ++------
 .../processors/snowflake/SnowflakePipeIT.java | 8 ---
 .../CryptographicHashContentTest.java | 8 ---
 .../NiFiRegistryPropertiesLoader.java | 3 -
 .../registry/security/util/KeyStoreUtils.java | 44 ++------
 .../security/util/KeyStoreUtilsTest.java | 14 -----
 .../properties/ConfigEncryptionTool.groovy | 4 --
 .../encryptconfig/EncryptConfigMain.groovy | 5 --
 .../nifi/toolkit/tls/util/TlsHelperTest.java | 21 +------
 13 files changed, 73 insertions(+), 194 deletions(-)
diff --git a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
index a33520e318..b2b648ca2e 100644
--- a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
+++ b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
@@ -31,7 +31,6 @@ import java.io.UncheckedIOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
 import java.security.KeyStore;
-import java.security.Security;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Properties;
@@ -48,6 +47,7 @@ import org.apache.nifi.minifi.bootstrap.configuration.differentiators.WholeConfi
 import org.apache.nifi.minifi.bootstrap.configuration.ingestors.interfaces.ChangeIngestor;
 import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
 import org.apache.nifi.security.ssl.StandardSslContextBuilder;
+import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.TlsPlatform;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.eclipse.jetty.server.Request;
@@ -62,10 +62,6 @@ import org.slf4j.LoggerFactory;
 public class RestChangeIngestor implements ChangeIngestor {
- static {
- Security.addProvider(new BouncyCastleProvider());
- }
-
 public static final String GET_TEXT = "This is a config change listener for an Apache NiFi - MiNiFi instance.\n" +
 "Use this rest server to upload a flow.json to configure the MiNiFi instance.\n" +
 "Send a POST http request to '/' to upload the file.";
@@ -86,6 +82,8 @@ public class RestChangeIngestor implements ChangeIngestor {
 private final static Logger logger = LoggerFactory.getLogger(RestChangeIngestor.class);
+ private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
+
 private static final Map>> DIFFERENTIATOR_CONSTRUCTOR_MAP = Map.of(
 WHOLE_CONFIG_KEY, WholeConfigDifferentiator::getByteBufferDifferentiator
 );
@@ -174,22 +172,34 @@ public class RestChangeIngestor implements ChangeIngestor {
 KeyStore trustStore = null;
 try (FileInputStream keyStoreStream = new FileInputStream(properties.getProperty(KEYSTORE_LOCATION_KEY))) {
- keyStore = new StandardKeyStoreBuilder()
- .type(properties.getProperty(KEYSTORE_TYPE_KEY))
+ final String keyStoreType = properties.getProperty(KEYSTORE_TYPE_KEY);
+ final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
+ .type(keyStoreType)
 .inputStream(keyStoreStream)
- .password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray())
- .build();
+ .password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray());
+
+ if (KeystoreType.BCFKS.getType().equals(keyStoreType)) {
+ builder.provider(BOUNCY_CASTLE_PROVIDER);
+ }
+
+ keyStore = builder.build();
 } catch (IOException ioe) {
 throw new UncheckedIOException("Key Store loading failed", ioe);
 }
 if (properties.getProperty(TRUSTSTORE_LOCATION_KEY) != null) {
+ final String trustStoreType = properties.getProperty(TRUSTSTORE_TYPE_KEY);
 try (FileInputStream trustStoreStream = new FileInputStream(properties.getProperty(TRUSTSTORE_LOCATION_KEY))) {
- trustStore = new StandardKeyStoreBuilder()
- .type(properties.getProperty(TRUSTSTORE_TYPE_KEY))
+ final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
+ .type(trustStoreType)
 .inputStream(trustStoreStream)
- .password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray())
- .build();
+ .password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray());
+
+ if (KeystoreType.BCFKS.getType().equals(trustStoreType)) {
+ builder.provider(BOUNCY_CASTLE_PROVIDER);
+ }
+
+ trustStore = builder.build();
 } catch (IOException ioe) {
 throw new UncheckedIOException("Trust Store loading failed", ioe);
 }
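Review bot: The check `if (KeystoreType.BCFKS.getType().equals(keyStoreType))` is an exact, case-sensitive match, whereas the global `Security.addProvider` registration this commit removes let a lower- or mixed-case type such as `bcfks` resolve through the JCA's case-insensitive algorithm lookup; unless something else still registers Bouncy Castle in the process, such a configuration now reaches `builder.build()` with no provider selected and fails where it used to load. `KeystoreType.BCFKS.getType().equalsIgnoreCase(keyStoreType)` keeps the null-safety of the current form and restores the old tolerance; the same applies to the trust store branch further down this hunk, to both `BCFKS.equals(...)` checks in JettyServer, and to `KeystoreType.BCFKS.toString().equals(keyStoreType)` in the two KeyStoreUtils.getKeyStore methods. The key store and trust store blocks are otherwise identical apart from the property keys, so a private static helper taking type, stream and password would remove the duplication and give the JettyServer copies one place to land. The enclosing method starts before this hunk and continues past it.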
diff --git a/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java b/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
index 3f7d5f559e..5769c605f9 100644
--- a/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
+++ b/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
@@ -33,7 +33,6 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyStore;
-import java.security.Security;
 import java.util.stream.Stream;
 import javax.net.ssl.SSLContext;
 import org.apache.nifi.jetty.configuration.connector.StandardServerConnectorFactory;
@@ -56,9 +55,8 @@ public class JettyServer {
 private static final String C2_SERVER_HOME = System.getenv("C2_SERVER_HOME");
 private static final String WEB_DEFAULTS_XML = "webdefault.xml";
- static {
- Security.addProvider(new BouncyCastleProvider());
- }
+ private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
+ private static final String BCFKS = "BCFKS";
 public static void main(String[] args) throws Exception {
 C2Properties properties = C2Properties.getInstance();
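Review bot: `private static final String BCFKS = "BCFKS";` introduces a second spelling of a value that RestChangeIngestor, in this same commit, takes from `KeystoreType.BCFKS.getType()`; two literals for one keystore type is how the checks drift apart later. If the minifi-c2-jetty module already depends on nifi-security-utils, replacing the local constant with `KeystoreType.BCFKS.getType()` keeps both MiNiFi call sites on one definition; if it does not, a comment on the constant such as `// Mirrors KeystoreType.BCFKS.getType() in nifi-security-utils; keep in sync` records the coupling. The constant is only read by the two equality checks in the later hunks of this file.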
@@ -116,11 +114,17 @@ public class JettyServer {
 File keyStoreFile = Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toFile();
 logger.debug("Loading Key Store [{}]", keyStoreFile.getPath());
 try (FileInputStream keyStoreStream = new FileInputStream(keyStoreFile)) {
- keyStore = new StandardKeyStoreBuilder()
- .type(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE))
+ final String keyStoreType = properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE);
+ final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
+ .type(keyStoreType)
 .inputStream(keyStoreStream)
- .password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray())
- .build();
+ .password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray());
+
+ if (BCFKS.equals(keyStoreType)) {
+ builder.provider(BOUNCY_CASTLE_PROVIDER);
+ }
+
+ keyStore = builder.build();
 } catch (IOException ioe) {
 throw new UncheckedIOException("Key Store loading failed", ioe);
 }
@@ -128,11 +132,18 @@ public class JettyServer {
 File trustStoreFile = Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toFile();
 logger.debug("Loading Trust Store [{}]", trustStoreFile.getPath());
 try (FileInputStream trustStoreStream = new FileInputStream(trustStoreFile)) {
- truststore = new StandardKeyStoreBuilder()
- .type(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE))
+ final String trustStoreType = properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE);
+
+ final StandardKeyStoreBuilder builder = new StandardKeyStoreBuilder()
+ .type(trustStoreType)
 .inputStream(trustStoreStream)
- .password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray())
- .build();
+ .password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray());
+
+ if (BCFKS.equals(trustStoreType)) {
+ builder.provider(BOUNCY_CASTLE_PROVIDER);
+ }
+
+ truststore = builder.build();
 } catch (IOException ioe) {
 throw new UncheckedIOException("Trust Store loading failed", ioe);
 }
diff --git a/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java b/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
index 2f5271bd51..aef8ea3626 100644
--- a/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
+++ b/nifi-commons/nifi-security-ssl/src/main/java/org/apache/nifi/security/ssl/StandardKeyStoreBuilder.java
@@ -21,7 +21,7 @@ import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
+import java.security.Provider;
 import java.security.cert.CertificateException;
 import java.util.Objects;
@@ -29,7 +29,7 @@ import java.util.Objects;
 * Standard implementation of Key Store Builder
 */
 public class StandardKeyStoreBuilder implements KeyStoreBuilder {
- private String provider;
+ private Provider provider;
 private String type = KeyStore.getDefaultType();
@@ -65,7 +65,7 @@ public class StandardKeyStoreBuilder implements KeyStoreBuilder {
 * @param provider Key Store Provider
 * @return Builder
 */
- public StandardKeyStoreBuilder provider(final String provider) {
+ public StandardKeyStoreBuilder provider(final Provider provider) {
 this.provider = Objects.requireNonNull(provider, "Key Store Provider required");
 return this;
 }
@@ -109,9 +109,6 @@ public class StandardKeyStoreBuilder implements KeyStoreBuilder {
 } catch (final KeyStoreException e) {
 final String message = String.format("Key Store Type [%s] creation failed", type);
 throw new BuilderConfigurationException(message, e);
- } catch (final NoSuchProviderException e) {
- final String message = String.format("Key Store Type [%s] Provider [%s] creation failed", type, provider);
- throw new BuilderConfigurationException(message, e);
 }
 }
 }
diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
index 1a7b60d01d..4b541c0ce6 100644
--- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
+++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
@@ -32,9 +32,7 @@ import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
-import java.security.Security;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
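Review bot: The Javadoc above `public StandardKeyStoreBuilder provider(final Provider provider)` still reads `@param provider Key Store Provider`, which no longer tells a caller what changed: the builder now takes a provider instance rather than a name looked up among the registered providers, and that distinction is the whole reason for this commit. Suggest `@param provider Key Store Provider instance passed directly to KeyStore.getInstance; it does not need to be registered with java.security.Security`. The `build()` call site is outside these hunks, so confirm it now uses the `KeyStore.getInstance(String, Provider)` overload when the field is set; the removal of the `NoSuchProviderException` catch in the last hunk is consistent with that overload, which declares only `KeyStoreException`. The enclosing class starts before the first hunk.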
@@ -60,8 +58,8 @@ import org.slf4j.LoggerFactory;
 public class KeyStoreUtils {
 private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
- public static final String SUN_PROVIDER_NAME = "SUN";
- public static final String SUN_JSSE_PROVIDER_NAME = "SunJSSE";
+ private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
+
 private static final String JKS_EXT = ".jks";
 private static final String PKCS12_EXT = ".p12";
 private static final String BCFKS_EXT = ".bcfks";
@@ -76,20 +74,7 @@ public class KeyStoreUtils {
 private static final String KEYSTORE_ERROR_MSG = "There was an error creating a Keystore.";
 private static final String TRUSTSTORE_ERROR_MSG = "There was an error creating a Truststore.";
- private static final Map KEY_STORE_TYPE_PROVIDERS = new HashMap<>();
 private static final Map KEY_STORE_EXTENSIONS = new HashMap<>();
- private static final Map SECRET_KEY_STORE_PROVIDERS = new HashMap<>();
-
- static {
- Security.addProvider(new BouncyCastleProvider());
-
- KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BouncyCastleProvider.PROVIDER_NAME);
- KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), SUN_JSSE_PROVIDER_NAME);
- KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);
-
- SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BouncyCastleProvider.PROVIDER_NAME);
- SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.PKCS12, SUN_JSSE_PROVIDER_NAME);
- }
 static {
 KEY_STORE_EXTENSIONS.put(KeystoreType.JKS, JKS_EXT);
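Review bot: `SUN_PROVIDER_NAME` and `SUN_JSSE_PROVIDER_NAME` were `public static final` members of a utility class in nifi-security-utils and are deleted outright here, as is the public `getKeyStoreProvider(String)` in the next hunk, so any extension outside this repository that referenced them fails to compile with no deprecation cycle. If the module's compatibility policy calls for one, the two constants could stay for a release annotated `@Deprecated(since = "<release placeholder>", forRemoval = true)` with a Javadoc `@deprecated` noting that provider names are no longer used. The removed static initializer was also the one place that registered Bouncy Castle for every consumer of this class; after this change any code that still asks for the provider by name, `"BC"`, depends on some other registration, which is worth a search across the modules that depend on nifi-security-utils before merging.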
@@ -97,17 +82,6 @@ public class KeyStoreUtils {
 KEY_STORE_EXTENSIONS.put(KeystoreType.BCFKS, BCFKS_EXT);
 }
- /**
- * Returns the provider that will be used for the given keyStoreType
- *
- * @param keyStoreType the keyStoreType
- * @return Key Store Provider Name or null when not found
- */
- public static String getKeyStoreProvider(final String keyStoreType) {
- final String storeType = StringUtils.upperCase(keyStoreType);
- return KEY_STORE_TYPE_PROVIDERS.get(storeType);
- }
-
 /**
 * Returns an empty KeyStore backed by the appropriate provider
 *
@@ -116,15 +90,11 @@ public class KeyStoreUtils {
 * @throws KeyStoreException if a KeyStore of the given type cannot be instantiated
 */
 public static KeyStore getKeyStore(final String keyStoreType) throws KeyStoreException {
- final String keyStoreProvider = getKeyStoreProvider(keyStoreType);
- if (StringUtils.isNotEmpty(keyStoreProvider)) {
- try {
- return KeyStore.getInstance(keyStoreType, keyStoreProvider);
- } catch (final Exception e) {
- logger.error("KeyStore Type [{}] Provider [{}] instance creation failed", keyStoreType, keyStoreProvider, e);
- }
+ if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
+ return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
+ } else {
+ return KeyStore.getInstance(keyStoreType);
 }
- return KeyStore.getInstance(keyStoreType);
 }
 /**
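Review bot: `getKeyStore` now compares against `KeystoreType.BCFKS.toString()` while the mapping it replaces, and `getSecretKeyStore` in the next hunk, use `getType()`; if `KeystoreType` overrides `toString()` to return anything other than `getType()` the two methods would disagree on what counts as BCFKS, and even if they agree today the mixed spelling invites that. `if (KeystoreType.BCFKS.getType().equals(keyStoreType))` keeps one accessor for the type name across the file. The `else` after an unconditional `return` is also redundant; `return KeyStore.getInstance(keyStoreType);` can follow the `if` block directly. Dropping the old `logger.error` fallback that swallowed a provider failure and retried without a provider is a clear improvement.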
@@ -136,15 +106,14 @@ public class KeyStoreUtils {
 */
 public static KeyStore getSecretKeyStore(final String keystoreTypeName) throws KeyStoreException {
 final KeystoreType keystoreType = getKeystoreType(keystoreTypeName);
- final String provider = SECRET_KEY_STORE_PROVIDERS.get(keystoreType);
- if (provider == null) {
+
+ if (KeystoreType.BCFKS == keystoreType) {
+ return KeyStore.getInstance(keystoreType.getType(), BOUNCY_CASTLE_PROVIDER);
+ } else if (KeystoreType.PKCS12 == keystoreType) {
+ return KeyStore.getInstance(keystoreType.getType());
+ } else {
 throw new KeyStoreException(String.format("Keystore Type [%s] does not support Secret Keys", keystoreType.getType()));
 }
- try {
- return KeyStore.getInstance(keystoreType.getType(), provider);
- } catch (final NoSuchProviderException e) {
- throw new KeyStoreException(String.format("KeyStore Type [%s] Provider [%s] not found", keystoreType.getType(), provider), e);
- }
 }
 /**
@@ -493,7 +462,7 @@ public class KeyStoreUtils {
 * @return Secret Key Entry supported status
 */
 public static boolean isSecretKeyEntrySupported(final KeystoreType keystoreType) {
- return SECRET_KEY_STORE_PROVIDERS.containsKey(keystoreType);
+ return KeystoreType.BCFKS == keystoreType || KeystoreType.PKCS12 == keystoreType;
 }
 /**
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
index 09e57e5763..215e5c1c1f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidatorTest.java
@@ -23,7 +23,6 @@ import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.Security;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -39,18 +38,15 @@ import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 public class OcspCertificateValidatorTest {
 private static final Logger logger = LoggerFactory.getLogger(OcspCertificateValidatorTest.class);
@@ -60,12 +56,6 @@ public class OcspCertificateValidatorTest {
 private static final long YESTERDAY = System.currentTimeMillis() - 24 * 60 * 60 * 1000;
 private static final long ONE_YEAR_FROM_NOW = System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000;
 private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
- private static final String PROVIDER = "BC";
-
- @BeforeAll
- public static void setUpOnce() {
- Security.addProvider(new BouncyCastleProvider());
- }
 /**
 * Generates a public/private RSA keypair using the default key size.
@@ -108,7 +98,7 @@ public class OcspCertificateValidatorTest {
 private static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException, CertificateException, OperatorCreationException {
 PrivateKey privateKey = keyPair.getPrivate();
- ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey);
+ ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(privateKey);
 SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
 Date startDate = new Date(YESTERDAY);
 Date endDate = new Date(ONE_YEAR_FROM_NOW);
@@ -133,8 +123,7 @@ public class OcspCertificateValidatorTest {
 // Sign the certificate
 X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
- return new JcaX509CertificateConverter().setProvider(PROVIDER)
- .getCertificate(certificateHolder);
+ return new JcaX509CertificateConverter().getCertificate(certificateHolder);
 }
 /**
@@ -167,7 +156,7 @@ public class OcspCertificateValidatorTest {
 */
 private static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, String issuerDn, PrivateKey issuerKey) throws CertificateException, OperatorCreationException {
- ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(issuerKey);
+ ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(issuerKey);
 SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
 Date startDate = new Date(YESTERDAY);
 Date endDate = new Date(ONE_YEAR_FROM_NOW);
@@ -180,8 +169,7 @@ public class OcspCertificateValidatorTest {
 subPubKeyInfo);
 X509CertificateHolder certificateHolder = v3CertGen.build(sigGen);
- return new JcaX509CertificateConverter().setProvider(PROVIDER)
- .getCertificate(certificateHolder);
+ return new JcaX509CertificateConverter().getCertificate(certificateHolder);
 }
 @Test
@@ -237,7 +225,6 @@ public class OcspCertificateValidatorTest {
 assertEquals(issuerDn, certificate.getIssuerX500Principal().getName());
 certificate.verify(issuerCertificate.getPublicKey());
- SignatureException se = assertThrows(SignatureException.class, () -> certificate.verify(certificate.getPublicKey()));
- assertTrue(se.getMessage().contains("certificate does not verify with supplied key"));
+ assertThrows(SignatureException.class, () -> certificate.verify(certificate.getPublicKey()));
 }
 }
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java b/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
index 225e46fa3f..ce602d6990 100644
--- a/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
+++ b/nifi-nar-bundles/nifi-snowflake-bundle/nifi-snowflake-processors/src/test/java/org/apache/nifi/processors/snowflake/SnowflakePipeIT.java
@@ -17,7 +17,6 @@
 package org.apache.nifi.processors.snowflake;
-import java.security.Security;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -29,17 +28,10 @@ import org.apache.nifi.processors.snowflake.util.SnowflakeAttributes;
 import org.apache.nifi.processors.snowflake.util.SnowflakeInternalStageType;
 import org.apache.nifi.util.TestRunner;
 import org.apache.nifi.util.TestRunners;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 class SnowflakePipeIT implements SnowflakeConfigAware {
- @BeforeAll
- static void setUpOnce() {
- Security.addProvider(new BouncyCastleProvider());
- }
-
 @Test
 void shouldPutIntoInternalStage() throws Exception {
 final PutSnowflakeInternalStage processor = new PutSnowflakeInternalStage();
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
index 5573c79372..dce05cad1c 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/CryptographicHashContentTest.java
@@ -22,15 +22,12 @@ import org.apache.nifi.security.util.crypto.HashService;
 import org.apache.nifi.util.MockFlowFile;
 import org.apache.nifi.util.TestRunner;
 import org.apache.nifi.util.TestRunners;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.security.Security;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -41,11 +38,6 @@ import static org.junit.jupiter.api.Assertions.assertNotEquals;
 public class CryptographicHashContentTest {
 private TestRunner runner;
- @BeforeAll
- static void setUpOnce() {
- Security.addProvider(new BouncyCastleProvider());
- }
-
 @BeforeEach
 void setupRunner() {
 runner = TestRunners.newTestRunner(new CryptographicHashContent());
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java b/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
index c5f5a750c2..1fdaf9862e 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
+++ b/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryPropertiesLoader.java
@@ -21,14 +21,12 @@ import org.apache.nifi.properties.SensitivePropertyProvider;
 import org.apache.nifi.properties.SensitivePropertyProviderFactory;
 import org.apache.nifi.properties.StandardSensitivePropertyProviderFactory;
 import org.apache.nifi.registry.properties.util.NiFiRegistryBootstrapUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
-import java.security.Security;
 import java.util.Properties;
 public class NiFiRegistryPropertiesLoader {
@@ -125,7 +123,6 @@ public class NiFiRegistryPropertiesLoader {
 public NiFiRegistryProperties load(final File file) {
 final ProtectedNiFiRegistryProperties protectedNiFiProperties = readProtectedPropertiesFromDisk(file);
 if (protectedNiFiProperties.hasProtectedKeys()) {
- Security.addProvider(new BouncyCastleProvider());
 getSensitivePropertyProviderFactory()
 .getSupportedProviders()
 .forEach(protectedNiFiProperties::addSensitivePropertyProvider);
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
index 952419d183..26e2af9622 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
+++ b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/main/java/org/apache/nifi/registry/security/util/KeyStoreUtils.java
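Review bot: Removing `Security.addProvider(new BouncyCastleProvider());` from `load()` means the Registry process no longer registers Bouncy Castle before the sensitive property providers are built, which is only safe if none of the providers returned by `getSensitivePropertyProviderFactory().getSupportedProviders()` request the provider by name or depend on a transformation only Bouncy Castle supplies. The factory and the provider implementations are outside this hunk, so that cannot be confirmed from the diff; a test that loads a properties file with protected keys on a plain JDK, or a pointer in the commit message to an existing one, would settle it. The remainder of `load()` continues past the hunk.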
@@ -17,42 +17,13 @@
 package org.apache.nifi.registry.security.util;
-import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
-import java.security.Security;
-import java.util.HashMap;
-import java.util.Map;
 public class KeyStoreUtils {
- private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
-
- private static final String SUN_SECURITY_PROVIDER = "SUN";
-
- private static final Map KEY_STORE_TYPE_PROVIDERS = new HashMap<>();
-
- static {
- Security.addProvider(new BouncyCastleProvider());
-
- KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.toString(), SUN_SECURITY_PROVIDER);
- KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.toString(), BouncyCastleProvider.PROVIDER_NAME);
- KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.toString(), BouncyCastleProvider.PROVIDER_NAME);
- }
-
- /**
- * Returns the provider that will be used for the given keyStoreType
- *
- * @param keyStoreType the keyStoreType
- * @return the provider that will be used
- */
- public static String getKeyStoreProvider(final String keyStoreType) {
- final String storeType = StringUtils.upperCase(keyStoreType);
- return KEY_STORE_TYPE_PROVIDERS.get(storeType);
- }
+ private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
 /**
 * Returns an empty KeyStore backed by the appropriate provider
@@ -62,15 +33,10 @@ public class KeyStoreUtils {
 * @throws KeyStoreException if a KeyStore of the given type cannot be instantiated
 */
 public static KeyStore getKeyStore(final String keyStoreType) throws KeyStoreException {
- final String keyStoreProvider = getKeyStoreProvider(keyStoreType);
- if (StringUtils.isNotEmpty(keyStoreProvider)) {
- try {
- return KeyStore.getInstance(keyStoreType, keyStoreProvider);
- } catch (Exception e) {
- logger.error("Unable to load " + keyStoreProvider + " " + keyStoreType
- + " keystore. This may cause issues getting trusted CA certificates as well as Certificate Chains for use in TLS.", e);
- }
+ if (KeystoreType.BCFKS.toString().equals(keyStoreType)) {
+ return KeyStore.getInstance(keyStoreType, BOUNCY_CASTLE_PROVIDER);
+ } else {
+ return KeyStore.getInstance(keyStoreType);
 }
- return KeyStore.getInstance(keyStoreType);
 }
 }
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
index a6178bbcd8..2e81a15084 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
+++ b/nifi-registry/nifi-registry-core/nifi-registry-security-utils/src/test/java/org/apache/nifi/registry/security/util/KeyStoreUtilsTest.java
@@ -16,7 +16,6 @@
 */
 package org.apache.nifi.registry.security.util;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.jupiter.api.Test;
 import java.security.KeyStore;
@@ -24,7 +23,6 @@ import java.security.KeyStoreException;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
 public class KeyStoreUtilsTest {
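Review bot: Together with the previous hunk, which drops the mapping of `KeystoreType.PKCS12.toString()` to `BouncyCastleProvider.PROVIDER_NAME`, `getKeyStore("PKCS12")` now returns the JDK's PKCS12 implementation rather than Bouncy Castle's; reading existing stores should be unaffected, but a PKCS12 file written through a store obtained here may be protected with that implementation's default algorithms instead of Bouncy Castle's, which is a behavioural change the commit message does not mention and which deserves a sentence there plus a look at any Registry caller that saves through this method. The old path also logged and silently fell back to a provider-less `KeyStore.getInstance` when the named provider failed; the new code lets the `KeyStoreException` surface, which is the right call and could be stated in the Javadoc `@throws` line so the change in contract is visible. The `else` after an unconditional `return` is redundant and `return KeyStore.getInstance(keyStoreType);` can follow the `if` block directly.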
@@ -36,16 +34,4 @@ public class KeyStoreUtilsTest {
 assertEquals(keystoreType.name(), keyStore.getType());
 }
 }
-
- @Test
- public void testGetKeyStoreProviderNullType() {
- final String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(null);
- assertNull(keyStoreProvider);
- }
-
- @Test
- public void testGetKeyStoreProviderBouncyCastleProvider() {
- final String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(KeystoreType.PKCS12.name());
- assertEquals(BouncyCastleProvider.PROVIDER_NAME, keyStoreProvider);
- }
 }
diff --git a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
index b11df35c63..cbfe5b920a 100644
--- a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
+++ b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
@@ -43,7 +43,6 @@ import org.apache.nifi.util.NiFiProperties
 import org.apache.nifi.util.console.TextDevice
 import org.apache.nifi.util.console.TextDevices
 import org.bouncycastle.crypto.generators.SCrypt
-import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.xml.sax.SAXException
@@ -56,7 +55,6 @@ import java.nio.file.Path
 import java.nio.file.Paths
 import java.nio.file.StandardCopyOption
 import java.security.KeyException
-import java.security.Security
 import java.util.function.Supplier
 import java.util.regex.Matcher
 import java.util.zip.GZIPInputStream
@@ -1348,8 +1346,6 @@ class ConfigEncryptionTool {
 * @param args the command-line arguments
 */
 static void main(String[] args) {
- Security.addProvider(new BouncyCastleProvider())
-
 ConfigEncryptionTool tool = new ConfigEncryptionTool()
 try {
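Review bot: `main` no longer registers Bouncy Castle, and the import hunk above shows `org.bouncycastle.crypto.generators.SCrypt` remaining, which is the lightweight API and needs no JCA provider; the tool's cipher and key-derivation paths are outside these hunks, though, so confirm that neither this class nor the classes it drives still request a transformation by the `"BC"` provider name or one that only Bouncy Castle supplies, since such a call would now fail at runtime rather than at compile time. The same question applies to `EncryptConfigMain.main` in the next file, which loses the identical line. A short comment in `main` such as `// Bouncy Castle is used through its lightweight API only; no JCA provider registration is required` would record the assumption for the next maintainer. The body of `main` continues past the hunk.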
diff --git a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
index e6ce68e3cc..4d38d00d28 100644
--- a/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
+++ b/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/EncryptConfigMain.groovy
@@ -19,12 +19,9 @@ package org.apache.nifi.toolkit.encryptconfig
 import org.apache.commons.cli.HelpFormatter
 import org.apache.commons.cli.Options
 import org.apache.nifi.properties.ConfigEncryptionTool
-import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
-import java.security.Security
-
 class EncryptConfigMain {
 private static final Logger logger = LoggerFactory.getLogger(EncryptConfigMain.class)
@@ -90,8 +87,6 @@ class EncryptConfigMain {
 }
 static void main(String[] args) {
- Security.addProvider(new BouncyCastleProvider())
-
 if (args.length < 1) {
 printUsageAndExit(EXIT_STATUS_FAILURE)
 }
diff --git a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
index 738cefbd0e..285f7775e0 100644
--- a/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
+++ b/nifi-toolkit/nifi-toolkit-tls/src/test/java/org/apache/nifi/toolkit/tls/util/TlsHelperTest.java
@@ -28,10 +28,8 @@ import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
 import org.bouncycastle.util.IPAddress;
 import org.junit.jupiter.api.BeforeAll;
@@ -59,7 +57,6 @@ import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.Security;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -89,25 +86,11 @@ public class TlsHelperTest {
 private int keySize;
 private String keyPairAlgorithm;
- public static KeyPair loadKeyPair(final Reader reader) throws IOException {
- try (PEMParser pemParser = new PEMParser(reader)) {
- Object object = pemParser.readObject();
- assertEquals(PEMKeyPair.class, object.getClass());
- return new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) object);
- }
- }
-
- public static KeyPair loadKeyPair(File file) throws IOException {
- try (final FileReader fileReader = new FileReader(file)) {
- return loadKeyPair(fileReader);
- }
- }
-
 public static X509Certificate loadCertificate(final Reader reader) throws IOException, CertificateException {
 try (PEMParser pemParser = new PEMParser(reader)) {
 Object object = pemParser.readObject();
 assertEquals(X509CertificateHolder.class, object.getClass());
- return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate((X509CertificateHolder) object);
+ return new JcaX509CertificateConverter().getCertificate((X509CertificateHolder) object);
 }
 }
@@ -310,8 +293,6 @@ public class TlsHelperTest {
 @Test
 public void testOutputToFileTwoCertsAsPem(@TempDir final File folder) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
- Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
-
 KeyStore keyStore = setupKeystore();
 HashMap certs = TlsHelper.extractCerts(keyStore);
 TlsHelper.outputCertsAsPem(certs, folder,".crt");