2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
6 * Copyright © 2017 Amdocs
7 * ================================================================================
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 * ============LICENSE_END=========================================================
21 * ECOMP is a trademark and service mark of AT&T Intellectual Property.
23 package org.onap.aai.sparky.util;
26 import java.io.FileInputStream;
27 import java.io.FileOutputStream;
28 import java.io.IOException;
29 import java.io.InputStream;
30 import java.io.OutputStream;
31 import java.net.UnknownHostException;
32 import java.security.KeyManagementException;
33 import java.security.KeyStore;
34 import java.security.KeyStoreException;
35 import java.security.MessageDigest;
36 import java.security.NoSuchAlgorithmException;
37 import java.security.cert.CertificateEncodingException;
38 import java.security.cert.CertificateException;
39 import java.security.cert.CertificateParsingException;
40 import java.security.cert.X509Certificate;
41 import java.util.ArrayList;
42 import java.util.Collection;
43 import java.util.List;
45 import javax.net.ssl.SSLContext;
46 import javax.net.ssl.SSLException;
47 import javax.net.ssl.SSLSocket;
48 import javax.net.ssl.SSLSocketFactory;
49 import javax.net.ssl.TrustManager;
50 import javax.net.ssl.TrustManagerFactory;
51 import javax.net.ssl.X509TrustManager;
54 * The Class KeystoreBuilder.
56 public class KeystoreBuilder {
61 private class EndPoint {
62 private String hostname;
66 * Instantiates a new end point.
68 @SuppressWarnings("unused")
72 * Instantiates a new end point.
74 * @param host the host
75 * @param port the port
77 public EndPoint(String host, int port) {
82 public String getHostname() {
86 @SuppressWarnings("unused")
87 public void setHostname(String hostname) {
88 this.hostname = hostname;
91 public int getPort() {
95 public void setPort(int port) {
100 * @see java.lang.Object#toString()
103 public String toString() {
104 return "EndPoint [hostname=" + hostname + ", port=" + port + "]";
109 private List<EndPoint> endpoints = new ArrayList<EndPoint>();
112 * @return the endpoints
114 public List<EndPoint> getEndpoints() {
119 * @param endpoints the endpoints to set
121 public void setEndpoints(List<EndPoint> endpoints) {
122 this.endpoints = endpoints;
126 * Initialize end points list.
128 * @param endpointList the endpoint list
130 private void initializeEndPointsList(String endpointList) {
131 String[] endpointUris = endpointList.split(";");
133 for (String endpointUri : endpointUris) {
135 String ipAndPort = endpointUri.replaceAll("http://", "");
136 ipAndPort = endpointUri.replaceAll("https://", "");
138 // System.out.println("ipAndPortUrl = " + ipAndPort);
140 String[] hostAndPort = ipAndPort.split(":");
142 String hostname = hostAndPort[0];
143 int port = Integer.parseInt(hostAndPort[1]);
145 EndPoint ep = new EndPoint(hostname, port);
152 * Instantiates a new keystore builder.
154 * @param endpointList the endpoint list
155 * @throws NoSuchAlgorithmException the no such algorithm exception
157 public KeystoreBuilder(String endpointList) throws NoSuchAlgorithmException {
158 initializeEndPointsList(endpointList);
159 sha1 = MessageDigest.getInstance("SHA1");
160 md5 = MessageDigest.getInstance("MD5");
163 private static final String SEP = File.separator;
164 private SavingTrustManager savingTrustManager;
165 private SSLSocketFactory sslSocketFactory;
166 private MessageDigest sha1;
167 private MessageDigest md5;
169 private String keystoreFileName;
170 private String keystorePassword;
171 private boolean dumpCertDetails = false;
173 public void setDumpCertDetails(boolean shouldSet) {
174 dumpCertDetails = shouldSet;
180 * @param keystoreFileName the keystore file name
181 * @param keystorePassword the keystore password
182 * @throws KeyStoreException the key store exception
183 * @throws NoSuchAlgorithmException the no such algorithm exception
184 * @throws CertificateException the certificate exception
185 * @throws IOException Signals that an I/O exception has occurred.
186 * @throws KeyManagementException the key management exception
188 public void updateKeystore(String keystoreFileName, String keystorePassword)
189 throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
190 KeyManagementException {
192 this.keystoreFileName = keystoreFileName;
193 this.keystorePassword = keystorePassword;
195 File file = new File(keystoreFileName);
196 String password = keystorePassword;
198 if (file.isFile() == false) {
200 File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
201 file = new File(dir, "jssecacerts");
202 if (file.isFile() == false) {
204 file = new File(dir, "cacerts");
205 System.out.println("keystore file doesn't exist, preloading new file with cacerts");
208 System.out.println("keystore file doesn't exist, preloading new file with jssecacerts");
210 password = keystorePassword;
214 InputStream in = new FileInputStream(file);
215 ks = KeyStore.getInstance(KeyStore.getDefaultType());
216 ks.load(in, password.toCharArray());
219 SSLContext context = SSLContext.getInstance("TLS");
220 TrustManagerFactory tmf =
221 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
223 X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
224 savingTrustManager = new SavingTrustManager(defaultTrustManager);
225 context.init(null, new TrustManager[] {savingTrustManager}, null);
226 sslSocketFactory = context.getSocketFactory();
228 System.out.println("About to add the following endpoint server certificates to the keystore:");
229 for (EndPoint ep : endpoints) {
230 System.out.println("\t--------------------------");
231 System.out.println("\t" + ep.toString());
233 X509Certificate[] certChain =
234 getCertificateChainForRemoteEndpoint(ep.getHostname(), ep.getPort());
236 if (certChain == null) {
237 System.out.println("Could not obtain server certificate chain");
241 dumpCertChainInfo(certChain);
243 updateKeyStoreWithCertChain(certChain);
250 * Gets the certificate chain for remote endpoint.
252 * @param hostname the hostname
253 * @param port the port
254 * @return the certificate chain for remote endpoint
255 * @throws UnknownHostException the unknown host exception
256 * @throws IOException Signals that an I/O exception has occurred.
258 private X509Certificate[] getCertificateChainForRemoteEndpoint(String hostname, int port)
259 throws UnknownHostException, IOException {
261 System.out.println("Opening connection to "+hostname+":"+port+"..");
262 SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(hostname, port);
263 socket.setSoTimeout(10000);
266 System.out.println("Starting SSL handshake...");
267 socket.startHandshake();
269 System.out.println("\nNo errors, certificate is already trusted");
271 } catch (SSLException exc) {
272 System.out.println("\nCaught SSL exception, we are not authorized to access this server yet");
273 throw new SSLException("\nCaught SSL exception, we are not authorized to access this server yet");
274 // e.printStackTrace(System.out);
277 return savingTrustManager.chain;
282 * Dump cert chain info.
284 * @param chain the chain
285 * @throws NoSuchAlgorithmException the no such algorithm exception
286 * @throws CertificateEncodingException the certificate encoding exception
287 * @throws CertificateParsingException the certificate parsing exception
289 private void dumpCertChainInfo(X509Certificate[] chain)
290 throws NoSuchAlgorithmException, CertificateEncodingException, CertificateParsingException {
292 System.out.println();
293 System.out.println("Server sent " + chain.length + " certificate(s):");
294 System.out.println();
296 for (int i = 0; i < chain.length; i++) {
297 X509Certificate cert = chain[i];
299 if (dumpCertDetails) {
300 System.out.println("Full cert details @ index = " + i + " \n" + cert.toString());
303 System.out.println("Subject: " + cert.getSubjectDN());
304 System.out.println("Issuer: " + cert.getIssuerDN());
305 System.out.println("SubjectAlternativeNames: ");
308 * RFC-5280, pg. 38, section 4.2.1.6 ( Subject Alternative Names )
310 * Finally, the semantics of subject alternative names that include wildcard characters (e.g.,
311 * as a placeholder for a set of names) are not addressed by this specification. Applications
312 * with specific requirements MAY use such names, but they must define the semantics.
314 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
316 * SubjectAltName ::= GeneralNames
318 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
320 * GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2]
321 * IA5String, <-- the 2 in the output is a type operand x400Address [3] ORAddress,
322 * directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6]
323 * IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER }
325 * OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY
328 * EDIPartyName ::= SEQUENCE { nameAssigner [0] DirectoryString OPTIONAL, partyName [1]
333 Collection<List<?>> sans = cert.getSubjectAlternativeNames();
335 for (List<?> san : sans) {
338 * It seems the structure of the array elements contained within the SAN is: [<sanType>,
343 int type = ((Integer) san.get(0)).intValue();
344 String typeStr = getSanType(type);
345 String value = (String) san.get(1);
347 System.out.println(String.format("\tType:'%s', Value: '%s'.", typeStr, value));
356 * Gets the subject alternative names.
358 * @param cert the cert
359 * @return the subject alternative names
360 * @throws CertificateParsingException the certificate parsing exception
362 private List<String> getSubjectAlternativeNames(X509Certificate cert)
363 throws CertificateParsingException {
365 Collection<List<?>> sans = cert.getSubjectAlternativeNames();
366 List<String> subjectAlternativeNames = new ArrayList<String>();
368 for (List<?> san : sans) {
371 * It seems the structure of the array elements contained within the SAN is: [<sanType>,
376 String value = (String) san.get(1);
377 subjectAlternativeNames.add(value);
380 return subjectAlternativeNames;
384 * Update key store with cert chain.
386 * @param chain the chain
387 * @throws NoSuchAlgorithmException the no such algorithm exception
388 * @throws KeyStoreException the key store exception
389 * @throws CertificateException the certificate exception
390 * @throws IOException Signals that an I/O exception has occurred.
392 private void updateKeyStoreWithCertChain(X509Certificate[] chain)
393 throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
395 for (X509Certificate cert : chain) {
397 List<String> sans = getSubjectAlternativeNames(cert);
399 for (String san : sans) {
400 ks.setCertificateEntry(san, cert);
402 "Added certificate to keystore '" + keystoreFileName + "' using alias '" + san + "'");
406 OutputStream out = new FileOutputStream(keystoreFileName);
407 ks.store(out, keystorePassword.toCharArray());
414 * The Class SavingTrustManager.
416 private static class SavingTrustManager implements X509TrustManager {
418 private final X509TrustManager tm;
419 private X509Certificate[] chain;
422 * Instantiates a new saving trust manager.
426 SavingTrustManager(X509TrustManager tm) {
431 public X509Certificate[] getAcceptedIssuers() {
432 throw new UnsupportedOperationException();
436 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
439 public void checkClientTrusted(X509Certificate[] chain, String authType)
440 throws CertificateException {
441 throw new UnsupportedOperationException();
445 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
448 public void checkServerTrusted(X509Certificate[] chain, String authType)
449 throws CertificateException {
451 tm.checkServerTrusted(chain, authType);
455 private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
460 * @param type the type
461 * @return the san type
463 // TODO: convert to enum(int,string)
464 private String getSanType(int type) {
473 return "x400Address";
475 return "directoryName";
477 return "ediPartyName";
479 return "uniformResourceIdentifier";
483 return "registeredID";
485 return "unknownSanType";
493 * @param bytes the bytes
496 private static String toHexString(byte[] bytes) {
497 StringBuilder sb = new StringBuilder(bytes.length * 3);
498 for (int b : bytes) {
500 sb.append(HEXDIGITS[b >> 4]);
501 sb.append(HEXDIGITS[b & 15]);
504 return sb.toString();
512 * @param args the arguments
513 * @throws Exception the exception
515 public static void main(String[] args) throws Exception {
518 * Examples: localhost:8440;localhost:8442 d:\1\adhoc_keystore.jks aaiDomain2 false
519 * localhost:8440;localhost:8442 d:\1\adhoc_keystore.jks aaiDomain2 true
522 if (args.length != 4) {
524 "Usage: KeyBuilder <[ip:port];*> <keystoreFileName>"
525 + " <keystorePassword> <dumpCertDetails> ");
528 KeystoreBuilder kb = new KeystoreBuilder(args[0]);
529 kb.setDumpCertDetails(Boolean.parseBoolean(args[3]));
530 kb.updateKeystore(args[1], args[2]);