org.apache.nifi.security.util

Class KeyStoreUtils

java.lang.Object

org.apache.nifi.security.util.KeyStoreUtils

public class KeyStoreUtils
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
private static String	BCFKS_EXT
private static String	CERT_ALIAS
private static String	CERT_DN
private static int	CERT_DURATION_DAYS
private static String	JKS_EXT
private static String	KEY_ALGORITHM
private static String	KEY_ALIAS
private static Map<KeystoreType,String>	KEY_STORE_EXTENSIONS
private static Map<String,String>	KEY_STORE_TYPE_PROVIDERS
private static String	KEYSTORE_ERROR_MSG
private static org.slf4j.Logger	logger
private static int	PASSWORD_LENGTH
private static String	PKCS12_EXT
private static Map<KeystoreType,String>	SECRET_KEY_STORE_PROVIDERS
private static String	SIGNING_ALGORITHM
static String	SUN_JSSE_PROVIDER_NAME
static String	SUN_PROVIDER_NAME
private static String	TEST_KEYSTORE_PREFIX
private static String	TEST_TRUSTSTORE_PREFIX
private static String	TRUSTSTORE_ERROR_MSG

Constructor Summary

Constructors

Constructor and Description
KeyStoreUtils()

Method Summary

Modifier and Type	Method and Description
private static X509Certificate	createKeyStoreAndGetX509Certificate(String alias, String keyStorePassword, String keyPassword, String keyStorePath, KeystoreType keyStoreType, int certDurationDays, String[] dnsSubjectAlternativeNames) Loads the Keystore and returns a X509 Certificate with the given values.
static TlsConfiguration	createTlsConfigAndNewKeystoreTruststore(TlsConfiguration tlsConfiguration, int certDurationDays, String[] dnsSubjectAlternativeNames) Creates a temporary Keystore and Truststore and returns it wrapped in a new TLS configuration with the given values.
private static void	createTrustStore(X509Certificate cert, String alias, String password, String path, KeystoreType truststoreType) Loads the Truststore with the given values.
private static String	generatePassword() Generates a random Hex-encoded password.
private static Path	generateTempKeystorePath(KeystoreType keystoreType) Generates a temporary keystore file and returns the path.
private static Path	generateTempTruststorePath(KeystoreType truststoreType) Generates a temporary truststore file and returns the path.
static KeyManagerFactory	getKeyManagerFactoryFromKeyStore(KeyStore keyStore, char[] keystorePassword, char[] keyPassword) Returns the KeyManagerFactory from the provided KeyStore object, initialized with the key or keystore password.
static KeyStore	getKeyStore(String keyStoreType) Returns an empty KeyStore backed by the appropriate provider
private static String	getKeystoreExtension(KeystoreType keystoreType) Returns the Keystore extension given the Keystore type.
static String	getKeyStoreProvider(String keyStoreType) Returns the provider that will be used for the given keyStoreType
private static KeystoreType	getKeystoreType(String keystoreTypeName)
static KeystoreType	getKeystoreTypeFromExtension(String keystorePath) Get Keystore Type based on file extension defaults to returning PKCS12
static KeyStore	getSecretKeyStore(String keystoreTypeName) Returns an empty KeyStore for Secret Keys backed by the appropriate provider
static TrustManagerFactory	getTrustManagerFactoryFromTrustStore(KeyStore trustStore) Returns the TrustManagerFactory from the provided KeyStore object, initialized.
static boolean	isKeyPasswordCorrect(URL keystore, KeystoreType keystoreType, char[] password, char[] keyPassword) Returns true if the given keystore can be loaded using the given keystore type and password and the default (first) alias can be retrieved with the key-specific password.
static boolean	isSecretKeyEntrySupported(KeystoreType keystoreType) Is Secret Key Entry supported for specified Keystore Type
static boolean	isStoreValid(URL keystore, KeystoreType keystoreType, char[] password) Returns true if the given keystore can be loaded using the given keystore type and password.
private static KeyStore	loadEmptyKeyStore(KeystoreType keyStoreType) Loads and returns an empty Keystore backed by the appropriate provider.
static KeyManagerFactory	loadKeyManagerFactory(String keystorePath, String keystorePassword, String keyPassword, String keystoreType) Returns the initialized KeyManagerFactory.
static KeyManagerFactory	loadKeyManagerFactory(TlsConfiguration tlsConfiguration) Returns the initialized KeyManagerFactory.
static KeyStore	loadKeyStore(String keystorePath, char[] keystorePassword, String keystoreType) Returns a loaded KeyStore given the provided configuration values.
static KeyStore	loadSecretKeyStore(String keystorePath, char[] keystorePassword, String keystoreTypeName) Load KeyStore containing Secret Key entries using configured Security Provider
static TrustManagerFactory	loadTrustManagerFactory(String truststorePath, String truststorePassword, String truststoreType) Returns the initialized TrustManagerFactory.
static TrustManagerFactory	loadTrustManagerFactory(TlsConfiguration tlsConfiguration) Returns the initialized TrustManagerFactory.
static KeyStore	loadTrustStore(String truststorePath, char[] truststorePassword, String truststoreType) Returns a loaded KeyStore (acting as a truststore) given the provided configuration values.
static String	sslContextToString(SSLContext sslContext)
static String	sslServerSocketToString(SSLServerSocket sslServerSocket)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

SUN_PROVIDER_NAME

public static final String SUN_PROVIDER_NAME

See Also:

Constant Field Values

SUN_JSSE_PROVIDER_NAME

public static final String SUN_JSSE_PROVIDER_NAME

See Also:

Constant Field Values

JKS_EXT

private static final String JKS_EXT

See Also:

Constant Field Values

PKCS12_EXT

private static final String PKCS12_EXT

See Also:

Constant Field Values

BCFKS_EXT

private static final String BCFKS_EXT

See Also:

Constant Field Values

KEY_ALIAS

private static final String KEY_ALIAS

See Also:

Constant Field Values

CERT_ALIAS

private static final String CERT_ALIAS

See Also:

Constant Field Values

CERT_DN

private static final String CERT_DN

See Also:

Constant Field Values

KEY_ALGORITHM

private static final String KEY_ALGORITHM

See Also:

Constant Field Values

SIGNING_ALGORITHM

private static final String SIGNING_ALGORITHM

See Also:

Constant Field Values

CERT_DURATION_DAYS

private static final int CERT_DURATION_DAYS

See Also:

Constant Field Values

PASSWORD_LENGTH

private static final int PASSWORD_LENGTH

See Also:

Constant Field Values

TEST_KEYSTORE_PREFIX

private static final String TEST_KEYSTORE_PREFIX

See Also:

Constant Field Values

TEST_TRUSTSTORE_PREFIX

private static final String TEST_TRUSTSTORE_PREFIX

See Also:

Constant Field Values

KEYSTORE_ERROR_MSG

private static final String KEYSTORE_ERROR_MSG

See Also:

Constant Field Values

TRUSTSTORE_ERROR_MSG

private static final String TRUSTSTORE_ERROR_MSG

See Also:

Constant Field Values

KEY_STORE_TYPE_PROVIDERS

private static final Map<String,String> KEY_STORE_TYPE_PROVIDERS

KEY_STORE_EXTENSIONS

private static final Map<KeystoreType,String> KEY_STORE_EXTENSIONS

SECRET_KEY_STORE_PROVIDERS

private static final Map<KeystoreType,String> SECRET_KEY_STORE_PROVIDERS

Constructor Detail

KeyStoreUtils

public KeyStoreUtils()

Method Detail

getKeyStoreProvider

public static String getKeyStoreProvider(String keyStoreType)

Returns the provider that will be used for the given keyStoreType

Parameters:

keyStoreType - the keyStoreType

Returns:

Key Store Provider Name or null when not found

getKeyStore

public static KeyStore getKeyStore(String keyStoreType)
                            throws KeyStoreException

Returns an empty KeyStore backed by the appropriate provider

Parameters:

keyStoreType - the keyStoreType

Returns:

an empty KeyStore

Throws:

KeyStoreException - if a KeyStore of the given type cannot be instantiated

getSecretKeyStore

public static KeyStore getSecretKeyStore(String keystoreTypeName)
                                  throws KeyStoreException

Returns an empty KeyStore for Secret Keys backed by the appropriate provider

Parameters:

keystoreTypeName - Keystore Type Name

Returns:

an empty KeyStore

Throws:

KeyStoreException - if a KeyStore of the given type cannot be instantiated

loadKeyStore

public static KeyStore loadKeyStore(String keystorePath,
                                    char[] keystorePassword,
                                    String keystoreType)
                             throws TlsException

Returns a loaded KeyStore given the provided configuration values.

Parameters:

keystorePath - the file path to the keystore

keystorePassword - the keystore password

keystoreType - the keystore type

Returns:

the loaded keystore

Throws:

TlsException - if there is a problem loading the keystore

loadSecretKeyStore

public static KeyStore loadSecretKeyStore(String keystorePath,
                                          char[] keystorePassword,
                                          String keystoreTypeName)
                                   throws TlsException

Load KeyStore containing Secret Key entries using configured Security Provider

Parameters:

keystorePath - File path to KeyStore

keystorePassword - Password for loading KeyStore

keystoreTypeName - Keystore Type Name

Returns:

KeyStore loaded using specified configuration

Throws:

TlsException - Thrown when unable to load KeyStore or unsupported Keystore Type

createTlsConfigAndNewKeystoreTruststore

public static TlsConfiguration createTlsConfigAndNewKeystoreTruststore(TlsConfiguration tlsConfiguration,
                                                                       int certDurationDays,
                                                                       String[] dnsSubjectAlternativeNames)
                                                                throws IOException,
                                                                       GeneralSecurityException

Creates a temporary Keystore and Truststore and returns it wrapped in a new TLS configuration with the given values.

Parameters:

tlsConfiguration - a TlsConfiguration

certDurationDays - The number of days the cert should be valid

dnsSubjectAlternativeNames - An optional array of dnsName SANs

Returns:

a TlsConfiguration

Throws:

IOException

GeneralSecurityException

getKeyManagerFactoryFromKeyStore

public static KeyManagerFactory getKeyManagerFactoryFromKeyStore(KeyStore keyStore,
                                                                 char[] keystorePassword,
                                                                 char[] keyPassword)
                                                          throws TlsException

Returns the KeyManagerFactory from the provided KeyStore object, initialized with the key or keystore password.

Parameters:

keyStore - the loaded keystore

keystorePassword - the keystore password

keyPassword - the key password

Returns:

the key manager factory

Throws:

TlsException - if there is a problem initializing or reading from the keystore

loadKeyManagerFactory

public static KeyManagerFactory loadKeyManagerFactory(TlsConfiguration tlsConfiguration)
                                               throws TlsException

Returns the initialized KeyManagerFactory.

Parameters:

tlsConfiguration - the TLS configuration

Returns:

the initialized key manager factory

Throws:

TlsException - if there is a problem initializing or reading from the keystore

loadKeyManagerFactory

public static KeyManagerFactory loadKeyManagerFactory(String keystorePath,
                                                      String keystorePassword,
                                                      String keyPassword,
                                                      String keystoreType)
                                               throws TlsException

Returns the initialized KeyManagerFactory.

Parameters:

keystorePath - the file path to the keystore

keystorePassword - the keystore password

keyPassword - the key password

keystoreType - the keystore type

Returns:

the initialized key manager factory

Throws:

TlsException - if there is a problem initializing or reading from the keystore

loadTrustStore

public static KeyStore loadTrustStore(String truststorePath,
                                      char[] truststorePassword,
                                      String truststoreType)
                               throws TlsException

Returns a loaded KeyStore (acting as a truststore) given the provided configuration values.

Parameters:

truststorePath - the file path to the truststore

truststorePassword - the truststore password

truststoreType - the truststore type

Returns:

the loaded truststore

Throws:

TlsException - if there is a problem loading the truststore

getTrustManagerFactoryFromTrustStore

public static TrustManagerFactory getTrustManagerFactoryFromTrustStore(KeyStore trustStore)
                                                                throws TlsException

Returns the TrustManagerFactory from the provided KeyStore object, initialized.

Parameters:

trustStore - the loaded truststore

Returns:

the trust manager factory

Throws:

TlsException - if there is a problem initializing or reading from the truststore

loadTrustManagerFactory

public static TrustManagerFactory loadTrustManagerFactory(TlsConfiguration tlsConfiguration)
                                                   throws TlsException

Returns the initialized TrustManagerFactory.

Parameters:

tlsConfiguration - the TLS configuration

Returns:

the initialized trust manager factory

Throws:

TlsException - if there is a problem initializing or reading from the truststore

loadTrustManagerFactory

public static TrustManagerFactory loadTrustManagerFactory(String truststorePath,
                                                          String truststorePassword,
                                                          String truststoreType)
                                                   throws TlsException

Returns the initialized TrustManagerFactory.

Parameters:

truststorePath - the file path to the truststore

truststorePassword - the truststore password

truststoreType - the truststore type

Returns:

the initialized trust manager factory

Throws:

TlsException - if there is a problem initializing or reading from the truststore

isStoreValid

public static boolean isStoreValid(URL keystore,
                                   KeystoreType keystoreType,
                                   char[] password)

Returns true if the given keystore can be loaded using the given keystore type and password. Returns false otherwise.

Parameters:

keystore - the keystore to validate

keystoreType - the type of the keystore

password - the password to access the keystore

Returns:

true if valid; false otherwise

isKeyPasswordCorrect

public static boolean isKeyPasswordCorrect(URL keystore,
                                           KeystoreType keystoreType,
                                           char[] password,
                                           char[] keyPassword)

Returns true if the given keystore can be loaded using the given keystore type and password and the default (first) alias can be retrieved with the key-specific password. Returns false otherwise.

Parameters:

keystore - the keystore to validate

keystoreType - the type of the keystore

password - the password to access the keystore

keyPassword - the password to access the specific key

Returns:

true if valid; false otherwise

getKeystoreTypeFromExtension

public static KeystoreType getKeystoreTypeFromExtension(String keystorePath)

Get Keystore Type based on file extension defaults to returning PKCS12

Parameters:

keystorePath - Path to KeyStore

Returns:

Keystore Type defaults to PKCS12

isSecretKeyEntrySupported

public static boolean isSecretKeyEntrySupported(KeystoreType keystoreType)

Is Secret Key Entry supported for specified Keystore Type

Parameters:

keystoreType - Keystore Type

Returns:

Secret Key Entry supported status

sslContextToString

public static String sslContextToString(SSLContext sslContext)

sslServerSocketToString

public static String sslServerSocketToString(SSLServerSocket sslServerSocket)

createKeyStoreAndGetX509Certificate

private static X509Certificate createKeyStoreAndGetX509Certificate(String alias,
                                                                   String keyStorePassword,
                                                                   String keyPassword,
                                                                   String keyStorePath,
                                                                   KeystoreType keyStoreType,
                                                                   int certDurationDays,
                                                                   String[] dnsSubjectAlternativeNames)
                                                            throws IOException,
                                                                   KeyStoreException,
                                                                   NoSuchAlgorithmException,
                                                                   CertificateException

Loads the Keystore and returns a X509 Certificate with the given values.

Parameters:

alias - the certificate alias

keyStorePassword - the keystore password

keyPassword - the key password

keyStorePath - the keystore path

keyStoreType - the keystore type

dnsSubjectAlternativeNames - An optional array of dnsName SANs

certDurationDays - the duration of the validity of the certificate, in days

Returns:

a X509Certificate

Throws:

IOException

KeyStoreException

NoSuchAlgorithmException

CertificateException

createTrustStore

private static void createTrustStore(X509Certificate cert,
                                     String alias,
                                     String password,
                                     String path,
                                     KeystoreType truststoreType)
                              throws KeyStoreException,
                                     NoSuchAlgorithmException,
                                     CertificateException

Loads the Truststore with the given values.

Parameters:

cert - the certificate

alias - the certificate alias

password - the truststore password

path - the truststore path

truststoreType - the truststore type

Throws:

KeyStoreException

NoSuchAlgorithmException

CertificateException

generateTempKeystorePath

private static Path generateTempKeystorePath(KeystoreType keystoreType)
                                      throws IOException

Generates a temporary keystore file and returns the path.

Parameters:

keystoreType - the Keystore type

Returns:

a Path

Throws:

IOException

generateTempTruststorePath

private static Path generateTempTruststorePath(KeystoreType truststoreType)
                                        throws IOException

Generates a temporary truststore file and returns the path.

Parameters:

truststoreType - the Truststore type

Returns:

a Path

Throws:

IOException

loadEmptyKeyStore

private static KeyStore loadEmptyKeyStore(KeystoreType keyStoreType)
                                   throws KeyStoreException,
                                          CertificateException,
                                          NoSuchAlgorithmException

Loads and returns an empty Keystore backed by the appropriate provider.

Parameters:

keyStoreType - the keystore type

Returns:

an empty keystore

Throws:

KeyStoreException - if a keystore of the given type cannot be instantiated

CertificateException

NoSuchAlgorithmException

getKeystoreExtension

private static String getKeystoreExtension(KeystoreType keystoreType)

Returns the Keystore extension given the Keystore type.

Parameters:

keystoreType - the keystore type

Returns:

the keystore extension

generatePassword

private static String generatePassword()

Generates a random Hex-encoded password.

Returns:

a password as a Hex-encoded String

getKeystoreType

private static KeystoreType getKeystoreType(String keystoreTypeName)