Fix sonar issues in Mapper1_0
[aaf/authz.git] / cadi / core / src / main / java / org / onap / aaf / cadi / config / SecurityInfo.java
1 /**
2  * ============LICENSE_START====================================================
3  * org.onap.aaf
4  * ===========================================================================
5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6  * ===========================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END====================================================
19  *
20  */
21
22 package org.onap.aaf.cadi.config;
23
24 import java.io.File;
25 import java.io.FileInputStream;
26 import java.io.IOException;
27 import java.net.InetAddress;
28 import java.net.UnknownHostException;
29 import java.rmi.AccessException;
30 import java.security.KeyManagementException;
31 import java.security.KeyStore;
32 import java.security.KeyStoreException;
33 import java.security.NoSuchAlgorithmException;
34 import java.security.UnrecoverableKeyException;
35 import java.security.cert.CertificateException;
36 import java.security.cert.X509Certificate;
37 import java.util.ArrayList;
38
39 import javax.net.ssl.HostnameVerifier;
40 import javax.net.ssl.HttpsURLConnection;
41 import javax.net.ssl.KeyManager;
42 import javax.net.ssl.KeyManagerFactory;
43 import javax.net.ssl.SSLContext;
44 import javax.net.ssl.SSLSession;
45 import javax.net.ssl.SSLSocketFactory;
46 import javax.net.ssl.TrustManager;
47 import javax.net.ssl.TrustManagerFactory;
48 import javax.net.ssl.X509KeyManager;
49 import javax.net.ssl.X509TrustManager;
50
51 import org.onap.aaf.cadi.Access;
52 import org.onap.aaf.cadi.CadiException;
53 import org.onap.aaf.cadi.Access.Level;
54 import org.onap.aaf.cadi.util.MaskFormatException;
55 import org.onap.aaf.cadi.util.NetMask;
56
57 public class SecurityInfo {
58         private static final String SECURITY_ALGO = "RSA";
59         private static final String HTTPS_PROTOCOLS = "https.protocols";
60         private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
61
62         public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
63         public static final String REGEX_COMMA = "\\s*,\\s*";
64         public static final String SslKeyManagerFactoryAlgorithm;
65         
66         private SSLSocketFactory scf;
67         private X509KeyManager[] km;
68         private X509TrustManager[] tm;
69         public final String default_alias;
70         private NetMask[] trustMasks;
71         private SSLContext ctx;
72         private HostnameVerifier maskHV;
73         public final Access access;
74
75         // Change Key Algorithms for IBM's VM.  Could put in others, if needed.
76         static {
77                 if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) {
78                         SslKeyManagerFactoryAlgorithm = "IbmX509";
79                 } else {
80                         SslKeyManagerFactoryAlgorithm = "SunX509";
81                 }
82         }
83         
84
85         public SecurityInfo(final Access access) throws CadiException {
86                 try {
87                         this.access = access;
88                         // reuse DME2 Properties for convenience if specific Properties don't exist
89                         
90                         initializeKeyManager();
91                         
92                         initializeTrustManager();
93                         
94                         default_alias = access.getProperty(Config.CADI_ALIAS, null);
95                         
96                         initializeTrustMasks();
97
98                         String https_protocols = Config.logProp(access, Config.CADI_PROTOCOLS,
99                                                 access.getProperty(HTTPS_PROTOCOLS, HTTPS_PROTOCOLS_DEFAULT)
100                                                 );
101                         System.setProperty(HTTPS_PROTOCOLS, https_protocols);
102                         System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, https_protocols);
103                         if("1.7".equals(System.getProperty("java.specification.version")) && https_protocols.contains("TLSv1.2")) {
104                                 System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT);
105                         }                       
106
107                         ctx = SSLContext.getInstance("TLS");
108                         ctx.init(km, tm, null);
109                         SSLContext.setDefault(ctx);
110                         scf = ctx.getSocketFactory();
111                 } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
112                         throw new CadiException(e);
113                 }
114         }
115
116         /**
117          * @return the scf
118          */
119         public SSLSocketFactory getSSLSocketFactory() {
120                 return scf;
121         }
122
123         public SSLContext getSSLContext() {
124                 return ctx;
125         }
126
127         /**
128          * @return the km
129          */
130         public X509KeyManager[] getKeyManagers() {
131                 return km;
132         }
133
134         public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
135                 for(X509TrustManager xtm : tm) {
136                         xtm.checkClientTrusted(certarr, SECURITY_ALGO);
137                 }
138         }
139
140         public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
141                 for(X509TrustManager xtm : tm) {
142                         xtm.checkServerTrusted(certarr, SECURITY_ALGO);
143                 }
144         }
145
146         public void setSocketFactoryOn(HttpsURLConnection hsuc) {
147                 hsuc.setSSLSocketFactory(scf);
148                 if(maskHV != null && !maskHV.equals(hsuc.getHostnameVerifier())) {
149                         hsuc.setHostnameVerifier(maskHV);
150                 }
151         }
152         
153         protected void initializeKeyManager() throws CadiException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException {
154                 String keyStore = access.getProperty(Config.CADI_KEYSTORE, null);
155                 if(keyStore != null && !new File(keyStore).exists()) {
156                         throw new CadiException(keyStore + " does not exist");
157                 }
158
159                 String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null);
160                 keyStorePasswd = (keyStorePasswd == null) ? null : access.decrypt(keyStorePasswd, false);
161
162                 String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD, null);
163                 keyPasswd = (keyPasswd == null) ? keyStorePasswd : access.decrypt(keyPasswd, false);
164
165                 KeyManagerFactory kmf = KeyManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
166                 if(keyStore == null || keyStorePasswd == null) { 
167                         km = new X509KeyManager[0];
168                 } else {
169                         ArrayList<X509KeyManager> kmal = new ArrayList<X509KeyManager>();
170                         File file;
171                         for(String ksname : keyStore.split(REGEX_COMMA)) {
172                                 file = new File(ksname);
173                                 String keystoreFormat;
174                                 if(ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
175                                         keystoreFormat = "PKCS12";
176                                 } else {
177                                         keystoreFormat = "JKS";
178                                 }
179                                 if(file.exists()) {
180                                         FileInputStream fis = new FileInputStream(file);
181                                         try {
182                                                 KeyStore ks = KeyStore.getInstance(keystoreFormat);
183                                                 ks.load(fis, keyStorePasswd.toCharArray());
184                                                 kmf.init(ks, keyPasswd.toCharArray());
185                                         } finally {
186                                                 fis.close();
187                                         }
188                                 }
189                         }
190                         for(KeyManager km : kmf.getKeyManagers()) {
191                                 if(km instanceof X509KeyManager) {
192                                         kmal.add((X509KeyManager)km);
193                                 }
194                         }
195                         km = new X509KeyManager[kmal.size()];
196                         kmal.toArray(km);
197                 }
198         }
199
200         protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException {
201                 String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null);
202                 if(trustStore != null && !new File(trustStore).exists()) {
203                         throw new CadiException(trustStore + " does not exist");
204                 }
205
206                 String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
207                 trustStorePasswd = (trustStorePasswd == null) ? "changeit"/*defacto Java Trust Pass*/ : access.decrypt(trustStorePasswd, false);
208
209                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
210                 if(trustStore != null) {
211                         File file;
212                         for(String tsname : trustStore.split(REGEX_COMMA)) {
213                                 file = new File(tsname);
214                                 if(file.exists()) {
215                                         FileInputStream fis = new FileInputStream(file);
216                                         try {
217                                                 KeyStore ts = KeyStore.getInstance("JKS");
218                                                 ts.load(fis, trustStorePasswd.toCharArray());
219                                                 tmf.init(ts); 
220                                         } finally {
221                                                 fis.close();
222                                         }
223                                 }
224                         }
225
226                         TrustManager tms[] = tmf.getTrustManagers();
227                         if(tms != null && tms.length>0) {
228                                 tm = new X509TrustManager[tms.length];
229                                 for(int i = 0; i < tms.length; ++i) {
230                                         try {
231                                                 tm[i] = (X509TrustManager)tms[i];
232                                         } catch (ClassCastException e) {
233                                                 access.log(Level.WARN, "Non X509 TrustManager", tm[i].getClass().getName(), "skipped in SecurityInfo");
234                                         }
235                                 }
236                         }
237                 }
238
239         }
240         
241         protected void initializeTrustMasks() throws AccessException {
242                 String tips = access.getProperty(Config.CADI_TRUST_MASKS, null);
243                 if(tips != null) {
244                         access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
245                         String[] ipsplit = tips.split(REGEX_COMMA);
246                         trustMasks = new NetMask[ipsplit.length];
247                         for(int i = 0; i < ipsplit.length; ++i) {
248                                 try {
249                                         trustMasks[i] = new NetMask(ipsplit[i]);
250                                 } catch (MaskFormatException e) {
251                                         throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
252                                 }
253                         }
254                 }
255                 
256                 if(trustMasks != null) {
257                         final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
258                         HttpsURLConnection.setDefaultHostnameVerifier(maskHV = new HostnameVerifier() {
259                                 @Override
260                                 public boolean verify(final String urlHostName, final SSLSession session) {
261                                         try {
262                                                 // This will pick up /etc/host entries as well as DNS
263                                                 InetAddress ia = InetAddress.getByName(session.getPeerHost());
264                                                 for(NetMask tmask : trustMasks) {
265                                                         if(tmask.isInNet(ia.getHostAddress())) {
266                                                                 return true;
267                                                         }
268                                                 }
269                                         } catch (UnknownHostException e) {
270                                                 // It's ok. do normal Verify
271                                         }
272                                         return origHV.verify(urlHostName, session);
273                                 };
274                         });
275                 }
276         }
277         
278 }