List of usage examples for org.bouncycastle.openssl.jcajce JcaMiscPEMGenerator JcaMiscPEMGenerator
public JcaMiscPEMGenerator(Object o) throws IOException
From source file:com.foilen.smalltools.crypt.bouncycastle.asymmetric.RSACrypt.java
License:Open Source License
@Override public void saveKeysPem(AsymmetricKeys keyPair, String fileName) { AssertTools.assertNotNull(keyPair, "The keypair needs to be set to save it"); AssertTools.assertNotNull(keyPair.getPrivateKey(), "The private key needs to be set to save it"); AssertTools.assertNotNull(keyPair.getPublicKey(), "The public key needs to be set to save it"); PemWriter pemWriter = null;// ww w .j a va 2 s. co m try { pemWriter = new PemWriter(new FileWriter(fileName)); PemObjectGenerator pemObjectGenerator = new JcaMiscPEMGenerator( retrieveKeyDetails(keyPair).getJcaPrivateKey()); pemWriter.writeObject(pemObjectGenerator); pemObjectGenerator = new JcaMiscPEMGenerator(retrieveKeyDetails(keyPair).getJcaPublicKey()); pemWriter.writeObject(pemObjectGenerator); } catch (Exception e) { throw new SmallToolsException("Could not save keys", e); } finally { CloseableTools.close(pemWriter); } }
From source file:com.foilen.smalltools.crypt.bouncycastle.asymmetric.RSACrypt.java
License:Open Source License
@Override public void savePrivateKeyPem(AsymmetricKeys keyPair, Writer writer) { AssertTools.assertNotNull(keyPair, "The keypair needs to be set to save it"); AssertTools.assertNotNull(keyPair.getPrivateKey(), "The private key needs to be set to save it"); PemWriter pemWriter = null;//from w w w .j ava2 s .co m try { pemWriter = new PemWriter(writer); PemObjectGenerator pemObjectGenerator = new JcaMiscPEMGenerator( retrieveKeyDetails(keyPair).getJcaPrivateKey()); pemWriter.writeObject(pemObjectGenerator); } catch (Exception e) { throw new SmallToolsException("Could not save key", e); } finally { CloseableTools.close(pemWriter); } }
From source file:com.foilen.smalltools.crypt.bouncycastle.asymmetric.RSACrypt.java
License:Open Source License
@Override public void savePublicKeyPem(AsymmetricKeys keyPair, Writer writer) { AssertTools.assertNotNull(keyPair, "The public keys need to be set to save it"); AssertTools.assertNotNull(keyPair.getPublicKey(), "The public key needs to be set to save it"); PemWriter pemWriter = null;/*w w w. j a v a2s . c o m*/ try { pemWriter = new PemWriter(writer); PemObjectGenerator pemObjectGenerator = new JcaMiscPEMGenerator( retrieveKeyDetails(keyPair).getJcaPublicKey()); pemWriter.writeObject(pemObjectGenerator); } catch (Exception e) { throw new SmallToolsException("Could not save key", e); } finally { CloseableTools.close(pemWriter); } }
From source file:org.apache.hadoop.hdfs.TestDFSStartupWithCRL.java
License:Apache License
@Test(timeout = 20000) public void testDFSStartup() throws Exception { String hostname = NetUtils.getLocalCanonicalHostname(); Path keyStore = Paths.get(BASE_DIR, hostname + "__kstore.jks"); Path trustStore = Paths.get(BASE_DIR, hostname + "__tstore.jks"); Path sslServerConfPath = Paths.get(confDir, TestDFSStartupWithCRL.class.getSimpleName() + ".ssl-server.xml"); Path inputCRLPath = Paths.get(BASE_DIR, "input.crl.pem"); Path fetchedCRLPath = Paths.get(BASE_DIR, "fetched.crl.pem"); // Generate server certificate KeyPair keyPair = KeyStoreTestUtil.generateKeyPair(keyAlgorithm); X509Certificate cert = KeyStoreTestUtil.generateCertificate("CN=" + hostname, keyPair, 10, signatureAlgorithm);/*from w w w . j av a 2s. co m*/ // Create server keystore and truststore KeyStoreTestUtil.createKeyStore(keyStore.toString(), password, "server", keyPair.getPrivate(), cert); KeyStoreTestUtil.createTrustStore(trustStore.toString(), password, "server", cert); // Generate CRL X509CRL crl = KeyStoreTestUtil.generateCRL(cert, keyPair.getPrivate(), signatureAlgorithm, null, null); FileWriter fw = new FileWriter(inputCRLPath.toFile(), false); PemWriter pw = new PemWriter(fw); pw.writeObject(new JcaMiscPEMGenerator(crl)); pw.flush(); fw.flush(); pw.close(); fw.close(); // RPC TLS with CRL configuration conf.set(CommonConfigurationKeysPublic.HADOOP_RPC_SOCKET_FACTORY_CLASS_DEFAULT_KEY, "org.apache.hadoop.net.HopsSSLSocketFactory"); conf.setBoolean(CommonConfigurationKeysPublic.IPC_SERVER_SSL_ENABLED, true); conf.set(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY, "ALLOW_ALL"); String superUser = UserGroupInformation.getCurrentUser().getUserName(); conf.set(ProxyUsers.CONF_HADOOP_PROXYUSER + "." + superUser, "*"); conf.set(SSLFactory.SSL_ENABLED_PROTOCOLS, "TLSv1.2,TLSv1.1"); conf.set(HopsSSLSocketFactory.CryptoKeys.SOCKET_ENABLED_PROTOCOL.getValue(), "TLSv1.2"); Configuration sslServerConf = KeyStoreTestUtil.createServerSSLConfig(keyStore.toString(), password, password, trustStore.toString(), password, ""); KeyStoreTestUtil.saveConfig(sslServerConfPath.toFile(), sslServerConf); conf.set(SSLFactory.SSL_SERVER_CONF_KEY, TestDFSStartupWithCRL.class.getSimpleName() + ".ssl-server.xml"); conf.setBoolean(CommonConfigurationKeysPublic.HOPS_CRL_VALIDATION_ENABLED_KEY, true); conf.set(CommonConfigurationKeys.HOPS_CRL_FETCHER_CLASS_KEY, "org.apache.hadoop.security.ssl.RemoteCRLFetcher"); conf.set(CommonConfigurationKeysPublic.HOPS_CRL_FETCHER_INTERVAL_KEY, "1s"); conf.set(CommonConfigurationKeys.HOPS_CRL_INPUT_URI_KEY, "file://" + inputCRLPath.toString()); conf.set(CommonConfigurationKeys.HOPS_CRL_OUTPUT_FILE_KEY, fetchedCRLPath.toString()); // Start MiniDFS cluster cluster = new MiniDFSCluster.Builder(conf).build(); cluster.waitClusterUp(); Assert.assertEquals(1, cluster.getDataNodes().size()); }
From source file:org.apache.hadoop.yarn.server.resourcemanager.security.HopsworksRMAppSecurityActions.java
License:Apache License
private String stringifyCSR(PKCS10CertificationRequest csr) throws IOException { try (StringWriter sw = new StringWriter()) { PemWriter pw = new PemWriter(sw); PemObjectGenerator pog = new JcaMiscPEMGenerator(csr); pw.writeObject(pog.generate());/*w w w.j a v a 2s . c om*/ pw.flush(); sw.flush(); pw.close(); return sw.toString(); } }
From source file:org.apache.hadoop.yarn.server.TestYarnStartupWithCRL.java
License:Apache License
@Test(timeout = 20000) public void testYarnStartup() throws Exception { String hostname = NetUtils.getLocalCanonicalHostname(); Path keyStore = Paths.get(BASE_DIR, hostname + "__kstore.jks"); Path trustStore = Paths.get(BASE_DIR, hostname + "__tstore.jks"); Path sslServerConfPath = Paths.get(confDir, TestYarnStartupWithCRL.class.getSimpleName() + ".ssl-server.xml"); Path inputCRLPath = Paths.get(BASE_DIR, "input.crl.pem"); Path fetchedCRLPath = Paths.get(BASE_DIR, "fetched.crl.pem"); // Generate server certificate KeyPair keyPair = KeyStoreTestUtil.generateKeyPair(keyAlgorithm); X509Certificate cert = KeyStoreTestUtil.generateCertificate("CN=" + hostname, keyPair, 10, signatureAlgorithm);// www . j a v a2 s.c o m // Create server keystore and truststore KeyStoreTestUtil.createKeyStore(keyStore.toString(), password, "server", keyPair.getPrivate(), cert); KeyStoreTestUtil.createTrustStore(trustStore.toString(), password, "server", cert); // Generate CRL X509CRL crl = KeyStoreTestUtil.generateCRL(cert, keyPair.getPrivate(), signatureAlgorithm, null, null); FileWriter fw = new FileWriter(inputCRLPath.toFile(), false); PemWriter pw = new PemWriter(fw); pw.writeObject(new JcaMiscPEMGenerator(crl)); pw.flush(); fw.flush(); pw.close(); fw.close(); // RPC TLS with CRL configuration conf.set(CommonConfigurationKeysPublic.HADOOP_RPC_SOCKET_FACTORY_CLASS_DEFAULT_KEY, "org.apache.hadoop.net.HopsSSLSocketFactory"); conf.setBoolean(CommonConfigurationKeysPublic.IPC_SERVER_SSL_ENABLED, true); conf.set(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY, "ALLOW_ALL"); String superUser = UserGroupInformation.getCurrentUser().getUserName(); conf.set(ProxyUsers.CONF_HADOOP_PROXYUSER + "." + superUser, "*"); Configuration sslServerConf = KeyStoreTestUtil.createServerSSLConfig(keyStore.toString(), password, password, trustStore.toString(), password, ""); KeyStoreTestUtil.saveConfig(sslServerConfPath.toFile(), sslServerConf); conf.set(SSLFactory.SSL_SERVER_CONF_KEY, TestYarnStartupWithCRL.class.getSimpleName() + ".ssl-server.xml"); conf.setBoolean(CommonConfigurationKeysPublic.HOPS_CRL_VALIDATION_ENABLED_KEY, true); conf.set(CommonConfigurationKeys.HOPS_CRL_FETCHER_CLASS_KEY, "org.apache.hadoop.security.ssl.RemoteCRLFetcher"); conf.set(CommonConfigurationKeysPublic.HOPS_CRL_FETCHER_INTERVAL_KEY, "1s"); conf.set(CommonConfigurationKeys.HOPS_CRL_INPUT_URI_KEY, "file://" + inputCRLPath.toString()); conf.set(CommonConfigurationKeys.HOPS_CRL_OUTPUT_FILE_KEY, fetchedCRLPath.toString()); // Start MiniYarn cluster cluster = new MiniYARNCluster(TestYarnStartupWithCRL.class.getSimpleName(), 1, 1, 1); cluster.init(conf); cluster.start(); cluster.waitForNodeManagersToConnect(2000); Assert.assertTrue(cluster.getResourceManager().areSchedulerServicesRunning()); Assert.assertEquals(1, cluster.getResourceManager().getResourceScheduler().getNumClusterNodes()); }
From source file:org.apache.nifi.minifi.c2.integration.test.NiFiRestConfigurationProviderSecureTest.java
License:Apache License
/** * Generates certificates with the tls-toolkit and then starts up the docker compose file */// ww w .j av a 2 s . com @BeforeClass public static void initCertificates() throws Exception { certificatesDirectory = Paths .get(NiFiRestConfigurationProviderSecureTest.class.getClassLoader() .getResource("docker-compose-NiFiRestConfigurationProviderSecureTest.yml").getFile()) .getParent().toAbsolutePath().resolve("certificates-NiFiRestConfigurationProviderSecureTest"); trustSslContext = initCertificates(certificatesDirectory, Arrays.asList("c2", "mocknifi")); healthCheckSocketFactory = trustSslContext.getSocketFactory(); KeyStore mockNiFiKeyStore = KeyStore.getInstance("JKS"); try (InputStream inputStream = Files .newInputStream(certificatesDirectory.resolve("mocknifi").resolve("keystore.jks"))) { mockNiFiKeyStore.load(inputStream, "badKeystorePass".toCharArray()); } try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter( Files.newOutputStream(certificatesDirectory.resolve("mocknifi").resolve("cert.pem"))))) { pemWriter.writeObject(new JcaMiscPEMGenerator( mockNiFiKeyStore.getKey(TlsToolkitStandalone.NIFI_KEY, "badKeyPass".toCharArray()))); for (Certificate certificate : mockNiFiKeyStore.getCertificateChain(TlsToolkitStandalone.NIFI_KEY)) { pemWriter.writeObject(new JcaMiscPEMGenerator(certificate)); } } KeyStore mockNiFiTrustStore = KeyStore.getInstance("JKS"); try (InputStream inputStream = Files .newInputStream(certificatesDirectory.resolve("mocknifi").resolve("truststore.jks"))) { mockNiFiTrustStore.load(inputStream, "badTrustPass".toCharArray()); } try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter( Files.newOutputStream(certificatesDirectory.resolve("mocknifi").resolve("ca.pem"))))) { pemWriter.writeObject( new JcaMiscPEMGenerator(mockNiFiTrustStore.getCertificate(TlsToolkitStandalone.NIFI_CERT))); } docker.before(); }
From source file:org.apache.nifi.toolkit.tls.manager.TlsClientManager.java
License:Apache License
@Override public void write(OutputStreamFactory outputStreamFactory) throws IOException, GeneralSecurityException { super.write(outputStreamFactory); String trustStorePassword = tlsClientConfig.getTrustStorePassword(); boolean trustStorePasswordGenerated = false; if (StringUtils.isEmpty(trustStorePassword)) { trustStorePassword = getPasswordUtil().generatePassword(); trustStorePasswordGenerated = true; }/*from ww w . j a v a 2 s .co m*/ trustStorePassword = TlsHelper.writeKeyStore(trustStore, outputStreamFactory, new File(tlsClientConfig.getTrustStore()), trustStorePassword, trustStorePasswordGenerated); tlsClientConfig.setTrustStorePassword(trustStorePassword); for (ConfigurationWriter<TlsClientConfig> configurationWriter : configurationWriters) { configurationWriter.write(tlsClientConfig, outputStreamFactory); } if (certificateAuthorityDirectory != null) { // Write out all trusted certificates from truststore for (String alias : Collections.list(trustStore.aliases())) { try { KeyStore.Entry trustStoreEntry = trustStore.getEntry(alias, null); if (trustStoreEntry instanceof KeyStore.TrustedCertificateEntry) { Certificate trustedCertificate = ((KeyStore.TrustedCertificateEntry) trustStoreEntry) .getTrustedCertificate(); try (OutputStream outputStream = outputStreamFactory .create(new File(certificateAuthorityDirectory, alias + ".pem")); OutputStreamWriter outputStreamWriter = new OutputStreamWriter(outputStream); PemWriter pemWriter = new PemWriter(outputStreamWriter)) { pemWriter.writeObject(new JcaMiscPEMGenerator(trustedCertificate)); } } } catch (UnrecoverableEntryException e) { // Ignore, not a trusted cert } } } }
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone.java
License:Apache License
public void createNifiKeystoresAndTrustStores(StandaloneConfig standaloneConfig) throws GeneralSecurityException, IOException { File baseDir = standaloneConfig.getBaseDir(); if (!baseDir.exists() && !baseDir.mkdirs()) { throw new IOException(baseDir + " doesn't exist and unable to create it."); }/* ww w. j av a2s . c o m*/ if (!baseDir.isDirectory()) { throw new IOException("Expected directory to output to"); } String signingAlgorithm = standaloneConfig.getSigningAlgorithm(); int days = standaloneConfig.getDays(); String keyPairAlgorithm = standaloneConfig.getKeyPairAlgorithm(); int keySize = standaloneConfig.getKeySize(); File nifiCert = new File(baseDir, NIFI_CERT + ".pem"); File nifiKey = new File(baseDir, NIFI_KEY + ".key"); X509Certificate certificate; KeyPair caKeyPair; if (logger.isInfoEnabled()) { logger.info("Running standalone certificate generation with output directory " + baseDir); } if (nifiCert.exists()) { if (!nifiKey.exists()) { throw new IOException(nifiCert + " exists already, but " + nifiKey + " does not, we need both certificate and key to continue with an existing CA."); } try (FileReader pemEncodedCertificate = new FileReader(nifiCert)) { certificate = TlsHelper.parseCertificate(pemEncodedCertificate); } try (FileReader pemEncodedKeyPair = new FileReader(nifiKey)) { caKeyPair = TlsHelper.parseKeyPair(pemEncodedKeyPair); } certificate.verify(caKeyPair.getPublic()); if (!caKeyPair.getPublic().equals(certificate.getPublicKey())) { throw new IOException("Expected " + nifiKey + " to correspond to CA certificate at " + nifiCert); } if (logger.isInfoEnabled()) { logger.info("Using existing CA certificate " + nifiCert + " and key " + nifiKey); } } else if (nifiKey.exists()) { throw new IOException(nifiKey + " exists already, but " + nifiCert + " does not, we need both certificate and key to continue with an existing CA."); } else { TlsCertificateAuthorityManager tlsCertificateAuthorityManager = new TlsCertificateAuthorityManager( standaloneConfig); KeyStore.PrivateKeyEntry privateKeyEntry = tlsCertificateAuthorityManager .getOrGenerateCertificateAuthority(); certificate = (X509Certificate) privateKeyEntry.getCertificateChain()[0]; caKeyPair = new KeyPair(certificate.getPublicKey(), privateKeyEntry.getPrivateKey()); try (PemWriter pemWriter = new PemWriter( new OutputStreamWriter(outputStreamFactory.create(nifiCert)))) { pemWriter.writeObject(new JcaMiscPEMGenerator(certificate)); } try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(nifiKey)))) { pemWriter.writeObject(new JcaMiscPEMGenerator(caKeyPair)); } if (logger.isInfoEnabled()) { logger.info("Generated new CA certificate " + nifiCert + " and key " + nifiKey); } } NiFiPropertiesWriterFactory niFiPropertiesWriterFactory = standaloneConfig.getNiFiPropertiesWriterFactory(); boolean overwrite = standaloneConfig.isOverwrite(); List<InstanceDefinition> instanceDefinitions = standaloneConfig.getInstanceDefinitions(); if (instanceDefinitions.isEmpty() && logger.isInfoEnabled()) { logger.info("No " + TlsToolkitStandaloneCommandLine.HOSTNAMES_ARG + " specified, not generating any host certificates or configuration."); } for (InstanceDefinition instanceDefinition : instanceDefinitions) { String hostname = instanceDefinition.getHostname(); File hostDir; int hostIdentifierNumber = instanceDefinition.getInstanceIdentifier().getNumber(); if (hostIdentifierNumber == 1) { hostDir = new File(baseDir, hostname); } else { hostDir = new File(baseDir, hostname + "_" + hostIdentifierNumber); } TlsClientConfig tlsClientConfig = new TlsClientConfig(standaloneConfig); File keystore = new File(hostDir, "keystore." + tlsClientConfig.getKeyStoreType().toLowerCase()); File truststore = new File(hostDir, "truststore." + tlsClientConfig.getTrustStoreType().toLowerCase()); if (hostDir.exists()) { if (!hostDir.isDirectory()) { throw new IOException(hostDir + " exists but is not a directory."); } else if (overwrite) { if (logger.isInfoEnabled()) { logger.info("Overwriting any existing ssl configuration in " + hostDir); } keystore.delete(); if (keystore.exists()) { throw new IOException("Keystore " + keystore + " already exists and couldn't be deleted."); } truststore.delete(); if (truststore.exists()) { throw new IOException( "Truststore " + truststore + " already exists and couldn't be deleted."); } } else { throw new IOException(hostDir + " exists and overwrite is not set."); } } else if (!hostDir.mkdirs()) { throw new IOException("Unable to make directory: " + hostDir.getAbsolutePath()); } else if (logger.isInfoEnabled()) { logger.info("Writing new ssl configuration to " + hostDir); } tlsClientConfig.setKeyStore(keystore.getAbsolutePath()); tlsClientConfig.setKeyStorePassword(instanceDefinition.getKeyStorePassword()); tlsClientConfig.setKeyPassword(instanceDefinition.getKeyPassword()); tlsClientConfig.setTrustStore(truststore.getAbsolutePath()); tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword()); TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig); KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize); Extensions sanDnsExtensions = TlsHelper.createDomainAlternativeNamesExtensions( tlsClientConfig.getDomainAlternativeNames(), tlsClientConfig.calcDefaultDn(hostname)); tlsClientManager.addPrivateKeyToKeyStore(keyPair, NIFI_KEY, CertificateUtils.generateIssuedCertificate(tlsClientConfig.calcDefaultDn(hostname), keyPair.getPublic(), sanDnsExtensions, certificate, caKeyPair, signingAlgorithm, days), certificate); tlsClientManager.setCertificateEntry(NIFI_CERT, certificate); tlsClientManager.addClientConfigurationWriter( new NifiPropertiesTlsClientConfigWriter(niFiPropertiesWriterFactory, new File(hostDir, "nifi.properties"), hostname, instanceDefinition.getNumber())); tlsClientManager.write(outputStreamFactory); if (logger.isInfoEnabled()) { logger.info("Successfully generated TLS configuration for " + hostname + " " + hostIdentifierNumber + " in " + hostDir); } } List<String> clientDns = standaloneConfig.getClientDns(); if (standaloneConfig.getClientDns().isEmpty() && logger.isInfoEnabled()) { logger.info("No " + TlsToolkitStandaloneCommandLine.CLIENT_CERT_DN_ARG + " specified, not generating any client certificates."); } List<String> clientPasswords = standaloneConfig.getClientPasswords(); for (int i = 0; i < clientDns.size(); i++) { String reorderedDn = CertificateUtils.reorderDn(clientDns.get(i)); String clientDnFile = getClientDnFile(reorderedDn); File clientCertFile = new File(baseDir, clientDnFile + ".p12"); if (clientCertFile.exists()) { if (overwrite) { if (logger.isInfoEnabled()) { logger.info("Overwriting existing client cert " + clientCertFile); } } else { throw new IOException(clientCertFile + " exists and overwrite is not set."); } } else if (logger.isInfoEnabled()) { logger.info("Generating new client certificate " + clientCertFile); } KeyPair keyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize); X509Certificate clientCert = CertificateUtils.generateIssuedCertificate(reorderedDn, keyPair.getPublic(), null, certificate, caKeyPair, signingAlgorithm, days); KeyStore keyStore = KeyStoreUtils.getKeyStore(KeystoreType.PKCS12.toString()); keyStore.load(null, null); keyStore.setKeyEntry(NIFI_KEY, keyPair.getPrivate(), null, new Certificate[] { clientCert, certificate }); String password = TlsHelper.writeKeyStore(keyStore, outputStreamFactory, clientCertFile, clientPasswords.get(i), standaloneConfig.isClientPasswordsGenerated()); try (FileWriter fileWriter = new FileWriter(new File(baseDir, clientDnFile + ".password"))) { fileWriter.write(password); } if (logger.isInfoEnabled()) { logger.info("Successfully generated client certificate " + clientCertFile); } } if (logger.isInfoEnabled()) { logger.info("tls-toolkit standalone completed successfully"); } }
From source file:org.apache.nifi.toolkit.tls.util.TlsHelper.java
License:Apache License
public static String pemEncodeJcaObject(Object object) throws IOException { StringWriter writer = new StringWriter(); try (PemWriter pemWriter = new PemWriter(writer)) { pemWriter.writeObject(new JcaMiscPEMGenerator(object)); }/*from w w w. ja va 2 s . co m*/ return writer.toString(); }