2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2018 - 2019 Nokia. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.vid.aai.util;
23 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
24 import org.onap.vid.aai.exceptions.HttpClientBuilderException;
26 import javax.net.ssl.*;
27 import java.io.FileInputStream;
28 import java.io.IOException;
29 import java.security.GeneralSecurityException;
30 import java.security.KeyStore;
31 import java.security.cert.X509Certificate;
33 public class SSLContextProvider {
35 private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SSLContextProvider.class);
37 public SSLContext getSslContext(String keystorePath, String keystorePassword, HttpClientMode httpClientMode) throws HttpClientBuilderException {
39 final SSLContext ctx = SSLContext.getInstance("TLSv1.2");
40 KeyManager[] keyManagers = getKeyManagerFactory(keystorePath, keystorePassword, httpClientMode);
41 ctx.init(keyManagers, getTrustManager(httpClientMode), null);
43 } catch (IOException | GeneralSecurityException e) {
44 logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up ssl context.");
45 throw new HttpClientBuilderException(e);
51 * @param keystorePassword - in clear
54 * @throws GeneralSecurityException
56 private KeyManager[] getKeyManagerFactory(String keystorePath, String keystorePassword, HttpClientMode httpClientMode) throws IOException, GeneralSecurityException {
57 switch (httpClientMode) {
59 final KeyManagerFactory kmf;
60 try (FileInputStream fin = new FileInputStream(keystorePath)) {
61 kmf = KeyManagerFactory.getInstance("SunX509");
62 KeyStore ks = KeyStore.getInstance("PKCS12");
63 char[] pwd = keystorePassword.toCharArray();
66 } catch (Exception e) {
67 logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up kmf");
68 logger.error(EELFLoggerDelegate.errorLogger, "Error setting up kmf (keystore path: {}, deobfuascated keystore password: {})", keystorePath, keystorePassword, e);
71 return kmf.getKeyManagers();
73 case WITHOUT_KEYSTORE:
77 logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up getKeyManagerFactory. HttpClientMode is " + httpClientMode);
78 throw new IllegalStateException("Error setting up getKeyManagerFactory. HttpClientMode is " + httpClientMode);
82 private TrustManager[] getTrustManager(HttpClientMode httpClientMode) {
83 //Creating a trustManager that will accept all certificates.
84 //TODO - remove this one the POMBA certificate is added to the tomcat_keystore file
85 TrustManager[] trustAllCerts = null;
86 if (httpClientMode == HttpClientMode.UNSECURE) {
88 trustAllCerts = new TrustManager[]{new X509TrustManager() {
89 public java.security.cert.X509Certificate[] getAcceptedIssuers() {
90 return new java.security.cert.X509Certificate[]{};
93 public void checkClientTrusted(X509Certificate[] certs, String authType) {
97 public void checkServerTrusted(X509Certificate[] certs, String authType) {
102 return trustAllCerts;