2 * Copyright 2016-2017, Nokia Corporation
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.vnfm;
19 import com.google.common.base.Joiner;
20 import com.google.common.io.BaseEncoding;
21 import java.nio.charset.StandardCharsets;
22 import java.security.KeyStore;
23 import java.security.SecureRandom;
24 import java.security.cert.CertificateException;
25 import java.security.cert.X509Certificate;
27 import javax.net.ssl.*;
28 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
29 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.StoreLoader;
30 import org.slf4j.Logger;
31 import org.springframework.util.StringUtils;
33 import static java.util.UUID.randomUUID;
35 import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.buildFatalFailure;
36 import static org.slf4j.LoggerFactory.getLogger;
38 public abstract class GenericSecurityProvider {
39 private static Logger logger = getLogger(GenericSecurityProvider.class);
41 protected abstract boolean skipHostnameVerification();
43 protected abstract boolean skipCertificateVerification();
45 protected abstract String trustedCertificates();
47 public HostnameVerifier buildHostnameVerifier() {
48 if (skipHostnameVerification()) {
49 return (hostname, session) -> true;
51 return new DefaultHostnameVerifier();
55 public SSLSocketFactory buildSSLSocketFactory() {
57 TrustManager[] trustManagers = new X509TrustManager[]{buildTrustManager()};
58 SSLContext sslContext = SSLContext.getInstance("TLS");
59 sslContext.init(null, trustManagers, new SecureRandom());
60 return sslContext.getSocketFactory();
61 } catch (Exception e) {
62 throw buildFatalFailure(logger, "Unable to create SSL socket factory", e);
66 public X509TrustManager buildTrustManager() {
67 if (skipCertificateVerification()) {
68 return new AllTrustedTrustManager();
70 if (StringUtils.isEmpty(trustedCertificates())) {
71 throw buildFatalFailure(logger, "If the skipCertificateVerification is set to false (default) the trustedCertificates can not be empty");
73 Set<String> trustedPems;
76 content = new String(BaseEncoding.base64().decode(trustedCertificates()), StandardCharsets.UTF_8);
77 trustedPems = StoreLoader.getCertifacates(content);
78 } catch (Exception e) {
79 throw buildFatalFailure(logger, "The trustedCertificates must be a base64 encoded collection of PEM certificates", e);
81 if (trustedPems.isEmpty()) {
82 throw buildFatalFailure(logger, "No certificate can be extracted from " + content);
85 KeyStore keyStore = StoreLoader.loadStore(Joiner.on("\n").join(trustedPems), randomUUID().toString(), randomUUID().toString());
86 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
87 trustManagerFactory.init(keyStore);
88 return (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
89 } catch (Exception e) {
90 throw buildFatalFailure(logger, "Unable to create keystore", e);
95 private static class AllTrustedTrustManager implements X509TrustManager {
97 public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
98 //no need to check certificates if everything is trusted
102 public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
103 //no need to check certificates if everything is trusted
107 public X509Certificate[] getAcceptedIssuers() {
108 return new X509Certificate[0];