2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6 * Copyright © 2017-2018 Amdocs
7 * ================================================================================
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 * ============LICENSE_END=========================================================
21 package org.onap.aai.sa.searchdbabstraction.elasticsearch.dao;
23 import java.io.IOException;
24 import java.io.InputStream;
25 import java.nio.file.Files;
26 import java.nio.file.Paths;
27 import java.security.KeyManagementException;
28 import java.security.KeyStore;
29 import java.security.KeyStoreException;
30 import java.security.NoSuchAlgorithmException;
31 import java.security.UnrecoverableKeyException;
32 import java.security.cert.CertificateException;
33 import java.security.cert.X509Certificate;
34 import java.util.Arrays;
35 import javax.net.ssl.HttpsURLConnection;
36 import javax.net.ssl.KeyManager;
37 import javax.net.ssl.KeyManagerFactory;
38 import javax.net.ssl.SSLContext;
39 import javax.net.ssl.TrustManager;
40 import javax.net.ssl.TrustManagerFactory;
41 import javax.net.ssl.X509TrustManager;
42 import org.onap.aai.cl.api.Logger;
43 import org.onap.aai.cl.eelf.LoggerFactory;
44 import org.onap.aai.sa.searchdbabstraction.elasticsearch.config.ElasticSearchConfig;
 * HTTPS (TLS) specific configuration: builds an SSLContext from the configured key store and trust
 * store and installs its socket factory as the JVM-wide default for HttpsURLConnection. Because that
 * default is process-global, it affects every HttpsURLConnection opened in this JVM, not only the
 * Elasticsearch client.
49 public class ElasticSearchHttpsController {
    /** Class logger (ONAP common logging facade). */
    private static final Logger logger =
            LoggerFactory.getInstance().getLogger(ElasticSearchHttpsController.class.getName());

    /**
     * SSLContext protocol name. "TLS" lets JSSE negotiate whichever TLS versions the running JDK
     * still enables (governed by the jdk.tls.disabledAlgorithms security property); pin a specific
     * version such as "TLSv1.2" here if older versions must be excluded regardless of JDK settings.
     */
    private static final String SSL_PROTOCOL = "TLS";
    /**
     * KeyManagerFactory algorithm for the client-certificate key store. "SunX509" is a Sun/Oracle
     * provider name; KeyManagerFactory.getDefaultAlgorithm() would be the provider-neutral choice.
     */
    private static final String KEYSTORE_ALGORITHM = "SunX509";
    /** Key store format expected at the path returned by ElasticSearchConfig.getKeyStorePath(). */
    private static final String KEYSTORE_TYPE = "PKCS12";
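    /**
     * Builds an SSLContext from the configured key store (optional client certificate) and trust
     * store and installs its socket factory as the JVM-wide default for HttpsURLConnection.
     *
     * <p>Side effect: HttpsURLConnection.setDefaultSSLSocketFactory is process-global, so every
     * HttpsURLConnection opened in this JVM afterwards uses this context, not only Elasticsearch
     * clients.
     *
     * <p>Hostname verification is intentionally left to the JDK default (see the note at the end of
     * the constructor); a permissive custom HostnameVerifier previously installed here has been
     * removed.
     *
     * @param config source of the key store / trust store paths and passwords
     * @throws NoSuchAlgorithmException if the TLS context or key manager algorithm is unavailable
     * @throws KeyStoreException if the PKCS12 key store type is unavailable
     * @throws CertificateException if a certificate in the key store cannot be loaded
     * @throws IOException if the key store file cannot be read, is malformed, or its password is wrong
     * @throws KeyManagementException if SSLContext initialisation fails
     * @throws UnrecoverableKeyException if a key in the key store cannot be recovered with the password
     */
    public ElasticSearchHttpsController(ElasticSearchConfig config) throws NoSuchAlgorithmException, KeyStoreException,
            CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
        logger.debug("Initialising HTTPS configuration");

        SSLContext ctx = SSLContext.getInstance(SSL_PROTOCOL);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KEYSTORE_ALGORITHM);
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);

        // A null password is passed straight through to KeyStore.load / KeyManagerFactory.init,
        // which accept it for stores that are not password-protected.
        String clientCertPassword = config.getKeyStorePassword();
        char[] pwd = null;
        if (clientCertPassword != null) {
            pwd = clientCertPassword.toCharArray();
        } else {
            logger.debug("No key store password is defined");
        }

        TrustManager[] trustManagers = getTrustManagers(config);
        KeyManager[] keyManagers = null;

        // Client certificate is optional: without a key store path, no KeyManagers are supplied and
        // SSLContext.init falls back to its defaults (no client certificate is presented).
        String clientCertFileName = config.getKeyStorePath();
        if (clientCertFileName != null) {
            // try-with-resources: the stream was previously never closed (file-handle leak).
            try (InputStream fin = Files.newInputStream(Paths.get(clientCertFileName))) {
                keyStore.load(fin, pwd);
            }
            kmf.init(keyStore, pwd);
            keyManagers = kmf.getKeyManagers();
        }

        // null SecureRandom lets the provider choose its default.
        ctx.init(keyManagers, trustManagers, null);
        logger.debug("Initialised SSL context");

        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // NOTE(security): this constructor used to install
        //     HttpsURLConnection.setDefaultHostnameVerifier(
        //         (host, session) -> host.equalsIgnoreCase(session.getPeerHost()));
        // SSLSession.getPeerHost() is the name this side connected to, not a name taken from the
        // server certificate (its Javadoc: "this value is not authenticated and should not be relied
        // upon"), so that verifier compared the target host with itself and always passed. The JDK
        // consults a custom verifier only after its own certificate-name match has already failed,
        // so the old code amounted to switching hostname verification off for every
        // HttpsURLConnection in the JVM. No verifier is installed now; the JDK default performs the
        // certificate name check (and fails the connection when it does not match).
    }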
    /**
     * Builds the trust managers used for the Elasticsearch connection.
     *
     * <p>Without a configured trust store, the JDK default trust store is used as-is. With one, the
     * returned manager accepts a server certificate when EITHER the configured store OR the JDK
     * default store trusts it. Security note: this is a union of trust, not a pin — a server chain
     * issued by any CA in the JDK default store is accepted even when an operator configured a
     * private CA store expecting only that CA to be honoured.
     *
     * @param config source of the optional trust store path and password
     * @return a single-element array holding the combined (or JDK default) X509 trust manager
     * @throws NoSuchAlgorithmException if the default TrustManagerFactory algorithm is unavailable
     * @throws KeyStoreException if the default key store type is unavailable
     * @throws IOException if the trust store file cannot be read, is malformed, or its password is wrong
     * @throws CertificateException if a certificate in the trust store cannot be loaded
     */
    private TrustManager[] getTrustManagers(ElasticSearchConfig config)
            throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore initialises the factory with the JDK default trust store.
        factory.init((KeyStore) null);
        final X509TrustManager jdkTrustManager = findX509TrustManager(factory);

        String trustStorePath = config.getTrustStorePath();
        if (trustStorePath == null) {
            logger.debug("No trust store defined");
            return new TrustManager[] {jdkTrustManager};
        }

        // Re-initialise the same factory with the operator-supplied trust store; a null password
        // is passed through for stores that are not password-protected.
        String trustStorePassword = config.getTrustStorePassword();
        char[] passwordChars = trustStorePassword == null ? null : trustStorePassword.toCharArray();
        try (InputStream trustStoreStream = Files.newInputStream(Paths.get(trustStorePath))) {
            KeyStore localTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            localTrustStore.load(trustStoreStream, passwordChars);
            factory.init(localTrustStore);
        }
        final X509TrustManager localTrustManager = findX509TrustManager(factory);

        // Combined manager: the local store is consulted first, the JDK default store as fallback.
        X509TrustManager combined = new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // Only the JDK default issuers are advertised; the local store's issuers are not.
                return jdkTrustManager.getAcceptedIssuers();
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    localTrustManager.checkServerTrusted(chain, authType);
                } catch (CertificateException notLocallyTrusted) {
                    // Fall back to the JDK default store; its exception propagates if that fails too.
                    jdkTrustManager.checkServerTrusted(chain, authType);
                }
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Client-certificate checks are delegated to the JDK default store only.
                jdkTrustManager.checkClientTrusted(chain, authType);
            }
        };
        return new TrustManager[] {combined};
    }
    /**
     * Returns the first X509TrustManager supplied by the given factory.
     *
     * @param tmf an already-initialised TrustManagerFactory
     * @return the first X509 trust manager in tmf.getTrustManagers(), or null if there is none
     */
    private X509TrustManager findX509TrustManager(TrustManagerFactory tmf) {
        for (TrustManager candidate : tmf.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        return null;
    }