
NIFI-4247 Support ranges in tls-toolkit SAN cli option. #3457

Closed
natural wants to merge 1 commit into apache:master from natural:nifi-4247-a

Conversation

natural (Contributor) commented May 1, 2019

The code in this change-set provides support for ranges in the SAN argument of the tls-toolkit cli. For example:

$ ./bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain' --subjectAlternativeNames 'nifi[21-30].other[2-5].example.com'

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically master)?

  • Is your initial contribution a single, squashed commit?

For code changes:

  • Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
  • If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
  • If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

alopresto (Contributor) commented:

Reviewing...

tlsClientConfig.setDomainAlternativeNames(Collections.singletonList(domainAlternativeNames.get(instanceIndex)));
logger.info("Using alternate name " + domainAlternativeNames.get(instanceIndex) + " with hostname " + hostname + ".");
} else {
logger.info("Hostname count does not match given alternate name count. Verify names in resulting certificate.");
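Review bot: the `else` branch at `logger.info("Hostname count does not match given alternate name count. ...")` runs whenever the counts differ, including when no alternate name was supplied at all, so a plain `-n host` run logs the mismatch (scenario 1 below); guard it with a check that `domainAlternativeNames` is non-empty before logging, and raise the remaining genuine mismatch to `logger.warn` as suggested. The same branch is also reached when a SAN range expands to nothing (the reversed `[2-1]` range in scenario 7), which then writes a certificate with no alternate names and only an INFO line to show for it; failing early on an empty expansion would be safer than leaving the operator to inspect the resulting certificate.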
alopresto (Contributor) commented:

Might want to escalate this to logger.warn as it would be an edge case (not even sure we know how to handle it) when a non-static domain alternative name pattern is applied but the range does not match the hostname pattern count.

natural (Contributor, Author) replied:

Will update to logger.warn

alopresto (Contributor) commented May 4, 2019

Troy, this looks like great work. I would like to see more explicit unit test cases added, but I understand that the toolkit testing can sometimes be difficult because of the tight coupling with System.exit(), etc.

I ran a number of scenarios and I've pasted my results below to document. Only one scenario (#7) failed, and one (#1) had a possible minor improvement.

1. Static hostname, no SAN

Expected output: 1 generated keystore containing 1 certificate with single hostname and 1 SAN entry (1 hostname)
Result: PASS (with minor improvement)

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:06:33 $ ./bin/tls-toolkit.sh standalone -n static.nifi.apache.org
2019/05/03 19:06:47 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:06:47 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count.  Verify names in resulting certificate.
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for static.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:06:48 $ keytool -list -v -keystore static.nifi.apache.org/keystore.jks
...

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=static.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: static.nifi.apache.org
]
...

Notes:

  • Remove log output that "hostname count does not match SAN count" when no SAN provided

2. Static hostname, static SAN

Expected output: 1 generated keystore containing 1 certificate with single hostname and 2 SAN entries (1 hostname, 1 alternate name)
Result: PASS

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:09:43 $ ./bin/tls-toolkit.sh standalone -n static.nifi.apache.org --subjectAlternativeName alternative.nifi.apache.org
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for static.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:10:13 $ keytool -list -v -keystore static.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=static.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: static.nifi.apache.org
  DNSName: alternative.nifi.apache.org
]

3. Dynamic hostname, static SAN

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 static alternate name)
Result: PASS

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:12:23 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:12:44 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative.nifi.apache.org
]
...
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:13:04 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative.nifi.apache.org
]
...

4. Dynamic hostname, dynamic SAN (same range)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN)
Result: PASS

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:15:33 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[1-2].nifi.apache.org
2019/05/03 19:15:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative1.nifi.apache.org with hostname node1.nifi.apache.org.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative2.nifi.apache.org with hostname node2.nifi.apache.org.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:15:45 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative1.nifi.apache.org
]
...
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:15:52 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative2.nifi.apache.org
]
...

5. Dynamic hostname, dynamic SAN (different range values; same range length)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN)
Result: PASS

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:17:42 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[3-4].nifi.apache.org
2019/05/03 19:17:54 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative3.nifi.apache.org with hostname node1.nifi.apache.org.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative4.nifi.apache.org with hostname node2.nifi.apache.org.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:17:56 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative3.nifi.apache.org
]
...
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:18:00 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative4.nifi.apache.org
]
...

6. Dynamic hostname, dynamic SAN (different range values; different range length)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 4 SAN entries (1 (dynamic) hostname, 3 (exhaustive) SAN)
Result: PASS

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:20:06 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[5-7].nifi.apache.org
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count.  Verify names in resulting certificate.
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count.  Verify names in resulting certificate.
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:20:24 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative5.nifi.apache.org
  DNSName: alternative6.nifi.apache.org
  DNSName: alternative7.nifi.apache.org
]
...
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:20:33 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative5.nifi.apache.org
  DNSName: alternative6.nifi.apache.org
  DNSName: alternative7.nifi.apache.org
]
...

7. Dynamic hostname, dynamic SAN (different range values; same range length; reverse order)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN)
Result: FAIL

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:22:47 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[2-1].nifi.apache.org
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count.  Verify names in resulting certificate.
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count.  Verify names in resulting certificate.
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:22:59 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:22:59 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:22:59 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 2s @ 19:22:59 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
]
...
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 1s @ 19:23:07 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
]
...

Notes:

  • No SANs (other than explicit hostname) populated; no error thrown
  • Either calculate reversed range, or throw exception early

8. Dynamic hostname, dynamic SAN (different range values; range is non-numeric)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN) or early exception
Result: PASS

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉
🔓 0s @ 19:25:08 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[A-B].nifi.apache.org
Service standalone error: Expected either one number or two separated by a single hyphen

Usage: tls-toolkit service [-h] [args]

Services:
   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.
   status: Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.
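The range syntax from the PR description and the SAN behaviour seen in scenarios 1 to 8 above, as an added Python model that is not the toolkit's own Java code: expand turns a bracketed pattern into hostnames, plan_sans applies the observed rule (index-wise pairing when the counts match, otherwise every SAN on every certificate), and needs_mismatch_warning is the guard scenario 1 asked for. The cartesian ordering for multi-group patterns and the early failure on a reversed range (the reviewer's second option for scenario 7) are assumptions of this model.

```python
import re
from itertools import product

# Bracket groups look like [n] or [a-b]; anything else inside the brackets is
# rejected with the message the toolkit printed for 'alternative[A-B]' (scenario 8).
GROUP = re.compile(r"\[([^\]]*)\]")
RANGE_ERROR = "Expected either one number or two separated by a single hyphen"


def expand_group(spec):
    """Turn the text inside one [...] into its list of zero-padded values."""
    parts = spec.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(RANGE_ERROR)
    start, end = parts[0], parts[-1]
    if int(start) > int(end):
        # Scenario 7 showed '[2-1]' silently yielding no SANs; this model
        # fails early instead (assumption: the reviewer's second option).
        raise ValueError(f"range start {start} is greater than end {end}")
    width = len(start)  # 'nifi[01-10]' keeps its leading zero: nifi01 .. nifi10
    return [f"{i:0{width}d}" for i in range(int(start), int(end) + 1)]


def expand(pattern):
    """Expand every bracket group in a hostname pattern.

    Several groups combine as a cartesian product with the first group varying
    slowest (the ordering is an assumption of this model, not the toolkit's).
    """
    groups = GROUP.findall(pattern)
    if not groups:
        return [pattern]
    literals = re.split(r"\[[^\]]*\]", pattern)  # text between the groups
    names = []
    for combo in product(*(expand_group(g) for g in groups)):
        name = literals[0]
        for value, literal in zip(combo, literals[1:]):
            name += value + literal
        names.append(name)
    return names


def expansion_error(pattern):
    """Return the error message a pattern would raise, or None if it expands."""
    try:
        expand(pattern)
    except ValueError as err:
        return str(err)
    return None


def plan_sans(hostname_pattern, san_pattern=None):
    """Map each generated hostname to the SAN list its certificate receives.

    Rule observed in scenarios 1 to 6: when the SAN count equals the hostname
    count the names are paired by index; otherwise every SAN goes on every
    certificate; the hostname itself is always the first SAN entry.
    """
    hosts = expand(hostname_pattern)
    sans = expand(san_pattern) if san_pattern else []
    paired = len(sans) == len(hosts)
    plan = {}
    for index, host in enumerate(hosts):
        extra = [sans[index]] if paired else sans
        plan[host] = [host] + [name for name in extra if name != host]
    return plan


def needs_mismatch_warning(hostname_pattern, san_pattern=None):
    """True only when a SAN range was supplied and cannot be paired one-to-one.

    No SAN at all (scenario 1) and a single static SAN copied onto every
    certificate (scenario 3) are not mismatches, so nothing should be logged.
    """
    hosts = expand(hostname_pattern)
    sans = expand(san_pattern) if san_pattern else []
    return len(sans) > 1 and len(sans) != len(hosts)


if __name__ == "__main__":
    # The pattern from the PR description expands to 10 * 4 = 40 hostnames.
    print(len(expand("nifi[01-10].subdomain[1-4].domain")))
    for host, names in plan_sans("node[1-2].nifi.apache.org",
                                 "alternative[5-7].nifi.apache.org").items():
        print(host, names)
```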

alopresto (Contributor) commented:

I also made a trivial formatting fix. You can pull from alopresto/nifi-4247-a, but it's likely faster to just remove the space manually.

natural (Contributor, Author) commented May 6, 2019

@alopresto those tests are great, thank you for including them in your comment. So much better than "Oh I tried this or that and it failed."

I think I can include those tests or something similar in the unit tests; they're already doing similar checks I believe.

I'm not quite certain what's going on with no. 7, so there may be some work in fixing that.
