nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/vnfm/GenericSecurityProvider.java

   1 /*
   2  * Copyright 2016-2017, Nokia Corporation
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.vnfm;
  18
  19 import com.google.common.base.Joiner;
  20 import com.google.common.io.BaseEncoding;
  21 import java.nio.charset.StandardCharsets;
  22 import java.security.KeyStore;
  23 import java.security.SecureRandom;
  24 import java.security.cert.CertificateException;
  25 import java.security.cert.X509Certificate;
  26 import java.util.Set;
  27 import javax.net.ssl.*;
  28 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
  29 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.StoreLoader;
  30 import org.slf4j.Logger;
  31 import org.springframework.util.StringUtils;
  32
  33 import static java.util.UUID.randomUUID;
  34
  35 import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.buildFatalFailure;
  36 import static org.slf4j.LoggerFactory.getLogger;
  37
  38 public abstract class GenericSecurityProvider {
  39     private static Logger logger = getLogger(GenericSecurityProvider.class);
  40
  41     protected abstract boolean skipHostnameVerification();
  42
  43     protected abstract boolean skipCertificateVerification();
  44
  45     protected abstract String trustedCertificates();
  46
  47     public HostnameVerifier buildHostnameVerifier() {
  48         if (skipHostnameVerification()) {
  49             return (hostname, session) -> true;
  50         } else {
  51             return new DefaultHostnameVerifier();
  52         }
  53     }
  54
  55     public SSLSocketFactory buildSSLSocketFactory() {
  56         try {
  57             TrustManager[] trustManagers = new X509TrustManager[]{buildTrustManager()};
  58             SSLContext sslContext = SSLContext.getInstance("TLS");
  59             sslContext.init(null, trustManagers, new SecureRandom());
  60             return sslContext.getSocketFactory();
  61         } catch (Exception e) {
  62             throw buildFatalFailure(logger, "Unable to create SSL socket factory", e);
  63         }
  64     }
  65
  66     public X509TrustManager buildTrustManager() {
  67         if (skipCertificateVerification()) {
  68             return new AllTrustedTrustManager();
  69         } else {
  70             if (StringUtils.isEmpty(trustedCertificates())) {
  71                 throw buildFatalFailure(logger, "If the skipCertificateVerification is set to false (default) the trustedCertificates can not be empty");
  72             }
  73             Set<String> trustedPems;
  74             String content;
  75             try {
  76                 content = new String(BaseEncoding.base64().decode(trustedCertificates()), StandardCharsets.UTF_8);
  77                 trustedPems = StoreLoader.getCertifacates(content);
  78             } catch (Exception e) {
  79                 throw buildFatalFailure(logger, "The trustedCertificates must be a base64 encoded collection of PEM certificates", e);
  80             }
  81             if (trustedPems.isEmpty()) {
  82                 throw buildFatalFailure(logger, "No certificate can be extracted from " + content);
  83             }
  84             try {
  85                 KeyStore keyStore = StoreLoader.loadStore(Joiner.on("\n").join(trustedPems), randomUUID().toString(), randomUUID().toString());
  86                 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  87                 trustManagerFactory.init(keyStore);
  88                 return (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
  89             } catch (Exception e) {
  90                 throw buildFatalFailure(logger, "Unable to create keystore", e);
  91             }
  92         }
  93     }
  94
  95     private static class AllTrustedTrustManager implements X509TrustManager {
  96         @Override
  97         public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
  98             //no need to check certificates if everything is trusted
  99         }
 100
 101         @Override
 102         public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 103             //no need to check certificates if everything is trusted
 104         }
 105
 106         @Override
 107         public X509Certificate[] getAcceptedIssuers() {
 108             return new X509Certificate[0];
 109         }
 110     }
 111 }