2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.vid.aai.util;
24 import org.eclipse.jetty.util.security.Password;
25 import org.glassfish.jersey.client.ClientConfig;
26 import org.glassfish.jersey.client.ClientProperties;
27 import org.glassfish.jersey.client.HttpUrlConnectorProvider;
28 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
29 import org.onap.portalsdk.core.util.SystemProperties;
31 import javax.net.ssl.*;
32 import javax.ws.rs.client.Client;
33 import javax.ws.rs.client.ClientBuilder;
34 import java.io.FileInputStream;
35 import java.io.IOException;
36 import java.security.*;
37 import java.security.cert.CertificateException;
38 import java.security.cert.X509Certificate;
41 * Builds HTTPS-enabled JAX-RS {@link Client} instances for AAI calls; see {@link #getClient(HttpClientMode)}.
43 public class HttpsAuthClient {
46 public HttpsAuthClient(String certFilePath) {
47 this.certFilePath = certFilePath;
50 private final String certFilePath;
53 static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(HttpsAuthClient.class);
59 * @throws KeyManagementException the key management exception
61 public Client getClient(HttpClientMode mode) throws GeneralSecurityException, IOException {
62 ClientConfig config = new ClientConfig();
66 String truststorePath = getCertificatesPath() + org.onap.vid.aai.util.AAIProperties.FILESEPARTOR + SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_TRUSTSTORE_FILENAME);
67 String truststorePassword = SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_TRUSTSTORE_PASSWD_X);
68 String decryptedTruststorePassword = Password.deobfuscate(truststorePassword);
70 System.setProperty("javax.net.ssl.trustStore", truststorePath);
71 System.setProperty("javax.net.ssl.trustStorePassword", decryptedTruststorePassword);
73 HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
74 public boolean verify(String string, SSLSession ssls) {
78 ctx = SSLContext.getInstance("TLSv1.2");
79 KeyManager[] keyManagers = null;
80 TrustManager[] trustManagers = getTrustManager(mode);
84 String aaiKeystorePath = getCertificatesPath() + org.onap.vid.aai.util.AAIProperties.FILESEPARTOR + SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_KEYSTORE_FILENAME);
85 String aaiKeystorePassword = SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_KEYSTORE_PASSWD_X);
86 config.property(HttpUrlConnectorProvider.SET_METHOD_WORKAROUND, Boolean.TRUE);
87 config.connectorProvider(new HttpUrlConnectorProvider().useSetMethodWorkaround());
88 KeyManagerFactory kmf = getKeyManagerFactory(aaiKeystorePath, aaiKeystorePassword);
89 keyManagers = kmf.getKeyManagers();
92 case WITHOUT_KEYSTORE:
93 config.property(ClientProperties.SUPPRESS_HTTP_COMPLIANCE_VALIDATION, true);
97 logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up config. HttpClientMode is " + mode);
100 ctx.init(keyManagers, trustManagers, null);
101 return ClientBuilder.newBuilder()
103 .hostnameVerifier(new HostnameVerifier() {
105 public boolean verify(String s, SSLSession sslSession) {
108 }).withConfig(config)
110 .register(org.onap.vid.aai.util.CustomJacksonJaxBJsonProvider.class);
111 } catch (Exception e) {
112 logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up config", e);
119 * @param aaiKeystorePath path of the PKCS12 keystore file to load
120 * @param aaiKeystorePassword keystore password in Jetty OBF (obfuscated) format; it is deobfuscated before use
122 * @throws NoSuchAlgorithmException
123 * @throws KeyStoreException
124 * @throws IOException
125 * @throws CertificateException
126 * @throws UnrecoverableKeyException
128 private KeyManagerFactory getKeyManagerFactory(String aaiKeystorePath, String aaiKeystorePassword) throws IOException, GeneralSecurityException {
129 String aaiDecryptedKeystorePassword = Password.deobfuscate(aaiKeystorePassword);
130 KeyManagerFactory kmf = null;
131 try (FileInputStream fin = new FileInputStream(aaiKeystorePath)) {
132 kmf = KeyManagerFactory.getInstance("SunX509");
133 KeyStore ks = KeyStore.getInstance("PKCS12");
134 char[] pwd = aaiDecryptedKeystorePassword.toCharArray();
137 } catch (Exception e) {
138 logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up kmf");
139 logger.error(EELFLoggerDelegate.errorLogger, "Error setting up kmf (keystore path: {}, obfuascated keystore password: {})", aaiKeystorePath, aaiKeystorePassword, e);
145 private String getCertificatesPath() {
149 private TrustManager[] getTrustManager(HttpClientMode httpClientMode) {
150 // Creates a TrustManager that accepts every certificate without validation (used only when the mode is UNSECURE).
151 // TODO - remove this once the POMBA certificate is added to the tomcat_keystore file
152 TrustManager[] trustAllCerts = null;
153 if (httpClientMode == HttpClientMode.UNSECURE) {
155 trustAllCerts = new TrustManager[]{new X509TrustManager() {
156 public java.security.cert.X509Certificate[] getAcceptedIssuers() {
160 public void checkClientTrusted(X509Certificate[] certs, String authType) {
163 public void checkServerTrusted(X509Certificate[] certs, String authType) {
167 return trustAllCerts;