2 * Copyright 2016-2017, Nokia Corporation
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.vnfm;
18 import com.google.common.base.Joiner;
19 import com.google.common.io.BaseEncoding;
20 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
21 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.StoreLoader;
22 import org.slf4j.Logger;
23 import org.springframework.beans.factory.annotation.Value;
24 import org.springframework.stereotype.Component;
25 import org.springframework.util.StringUtils;
27 import javax.net.ssl.*;
28 import java.nio.charset.StandardCharsets;
29 import java.security.KeyStore;
30 import java.security.SecureRandom;
31 import java.security.cert.CertificateException;
32 import java.security.cert.X509Certificate;
35 import static java.util.UUID.randomUUID;
36 import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.buildFatalFailure;
37 import static org.slf4j.LoggerFactory.getLogger;
40 * Responsible for providing a token to access CBAM APIs
43 public class CbamSecurityProvider {
44 private static Logger logger = getLogger(CbamSecurityProvider.class);
45 @Value("${trustedCertificates}")
46 private String trustedCertificates;
47 @Value("${skipCertificateVerification}")
48 private boolean skipCertificateVerification;
49 @Value("${skipHostnameVerification}")
50 private boolean skipHostnameVerification;
52 protected HostnameVerifier buildHostnameVerifier() {
53 if (skipHostnameVerification) {
54 return (hostname, session) -> true;
56 return new DefaultHostnameVerifier();
60 protected SSLSocketFactory buildSSLSocketFactory() {
62 TrustManager[] trustManagers = new X509TrustManager[]{buildTrustManager()};
63 SSLContext sslContext = SSLContext.getInstance("TLS");
64 sslContext.init(null, trustManagers, new SecureRandom());
65 return sslContext.getSocketFactory();
66 } catch (Exception e) {
67 throw buildFatalFailure(logger, "Unable to create SSL socket factory", e);
71 protected X509TrustManager buildTrustManager() {
72 if (skipCertificateVerification) {
73 return new AllTrustedTrustManager();
75 if (StringUtils.isEmpty(trustedCertificates)) {
76 throw buildFatalFailure(logger, "If the skipCertificateVerification is set to false (default) the trustedCertificates can not be empty");
78 Set<String> trustedPems;
81 content = new String(BaseEncoding.base64().decode(trustedCertificates), StandardCharsets.UTF_8);
82 trustedPems = StoreLoader.getCertifacates(content);
83 } catch (Exception e) {
84 throw buildFatalFailure(logger, "The trustedCertificates must be a base64 encoded collection of PEM certificates", e);
86 if (trustedPems.isEmpty()) {
87 throw buildFatalFailure(logger, "No certificate can be extracted from " + content);
90 KeyStore keyStore = StoreLoader.loadStore(Joiner.on("\n").join(trustedPems), randomUUID().toString(), randomUUID().toString());
91 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
92 trustManagerFactory.init(keyStore);
93 return (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
94 } catch (Exception e) {
95 throw buildFatalFailure(logger, "Unable to create keystore", e);
100 private static class AllTrustedTrustManager implements X509TrustManager {
102 public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
103 //no need to check certificates if everything is trusted
107 public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
108 //no need to check certificates if everything is trusted
112 public X509Certificate[] getAcceptedIssuers() {
113 return new X509Certificate[0];