Remove Code from cadi, it is now in authz
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java b/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
deleted file mode 100644 (file)
index 4301d53..0000000
+++ /dev/null
@@ -1,243 +0,0 @@
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- *  *      http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- *  * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.config;\r
-\r
-import java.io.File;\r
-import java.io.FileInputStream;\r
-import java.io.IOException;\r
-import java.net.InetAddress;\r
-import java.net.UnknownHostException;\r
-import java.rmi.AccessException;\r
-import java.security.GeneralSecurityException;\r
-import java.security.KeyStore;\r
-import java.security.cert.CertificateException;\r
-import java.security.cert.X509Certificate;\r
-import java.util.ArrayList;\r
-\r
-import javax.net.ssl.HostnameVerifier;\r
-import javax.net.ssl.HttpsURLConnection;\r
-import javax.net.ssl.KeyManager;\r
-import javax.net.ssl.KeyManagerFactory;\r
-import javax.net.ssl.SSLContext;\r
-import javax.net.ssl.SSLSession;\r
-import javax.net.ssl.SSLSocketFactory;\r
-import javax.net.ssl.TrustManager;\r
-import javax.net.ssl.TrustManagerFactory;\r
-import javax.net.ssl.X509KeyManager;\r
-import javax.net.ssl.X509TrustManager;\r
-\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.util.MaskFormatException;\r
-import org.onap.aaf.cadi.util.NetMask;\r
-\r
-public class SecurityInfo {\r
-       private static final String SECURITY_ALGO = "RSA";\r
-       private static final String HTTPS_PROTOCOLS = "https.protocols";\r
-       private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";\r
-\r
-       public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";\r
-       public static final String REGEX_COMMA = "\\s*,\\s*";\r
-       public static final String SslKeyManagerFactoryAlgorithm;\r
-       \r
-       private SSLSocketFactory scf;\r
-       private X509KeyManager[] km;\r
-       private X509TrustManager[] tm;\r
-       public final String default_alias;\r
-       private NetMask[] trustMasks;\r
-       private SSLContext ctx;\r
-       private HostnameVerifier maskHV;\r
-\r
-       // Change Key Algorithms for IBM's VM.  Could put in others, if needed.\r
-       static {\r
-               if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) {\r
-                       SslKeyManagerFactoryAlgorithm = "IbmX509";\r
-               } else {\r
-                       SslKeyManagerFactoryAlgorithm = "SunX509";\r
-               }\r
-       }\r
-       \r
-\r
-       public SecurityInfo(final Access access) throws GeneralSecurityException, IOException {\r
-               // reuse DME2 Properties for convenience if specific Properties don't exist\r
-               String keyStore = access.getProperty(Config.CADI_KEYSTORE,\r
-                               access.getProperty(Config.AFT_DME2_KEYSTORE,null));\r
-               String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD,\r
-                               access.getProperty(Config.AFT_DME2_KEYSTORE_PASSWORD, null));\r
-               keyStorePasswd = keyStorePasswd==null?null:access.decrypt(keyStorePasswd,false);\r
-               String trustStore = access.getProperty(Config.CADI_TRUSTSTORE,\r
-                               access.getProperty(Config.AFT_DME2_TRUSTSTORE, null));\r
-               String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD,\r
-                               access.getProperty(Config.AFT_DME2_TRUSTSTORE_PASSWORD,null));\r
-               trustStorePasswd = trustStorePasswd==null?null:access.decrypt(trustStorePasswd,false);\r
-               default_alias = access.getProperty(Config.CADI_ALIAS, \r
-                               access.getProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS,null));\r
-               \r
-               String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD,null);\r
-               keyPasswd = keyPasswd==null?keyStorePasswd:access.decrypt(keyPasswd,false);\r
-               String tips=access.getProperty(Config.CADI_TRUST_MASKS, null);\r
-               if(tips!=null) {\r
-                       access.log(Level.INIT,"Explicitly accepting valid X509s from",tips);\r
-                       String[] ipsplit = tips.split(REGEX_COMMA);\r
-                       trustMasks = new NetMask[ipsplit.length];\r
-                       for(int i=0;i<ipsplit.length;++i) {\r
-                               try {\r
-                                       trustMasks[i]=new NetMask(ipsplit[i]);\r
-                               } catch (MaskFormatException e) {\r
-                                       throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS,e);\r
-                               }\r
-                       }\r
-               }\r
-               String https_protocols = Config.logProp(access,Config.CADI_PROTOCOLS, \r
-                               access.getProperty(Config.AFT_DME2_SSL_INCLUDE_PROTOCOLS, \r
-                                       access.getProperty(HTTPS_PROTOCOLS,HTTPS_PROTOCOLS_DEFAULT)\r
-                                       ));\r
-               System.setProperty(HTTPS_PROTOCOLS,https_protocols);\r
-               System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, https_protocols);\r
-               \r
-               KeyManagerFactory kmf = KeyManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);\r
-               File file;\r
-\r
-\r
-               if(keyStore==null || keyStorePasswd == null) { \r
-                       km = new X509KeyManager[0];\r
-               } else {\r
-                       ArrayList<X509KeyManager> kmal = new ArrayList<X509KeyManager>();\r
-                       for(String ksname : keyStore.split(REGEX_COMMA)) {\r
-                               file = new File(ksname);\r
-                               String keystoreFormat;\r
-                               if(ksname.endsWith("pkcs12")) {\r
-                                       keystoreFormat = "PKCS12";\r
-                               } else {\r
-                                       keystoreFormat = "JKS";\r
-                               }\r
-                               if(file.exists()) {\r
-                                       FileInputStream fis = new FileInputStream(file);\r
-                                       try {\r
-                                               KeyStore ks = KeyStore.getInstance(keystoreFormat);\r
-                                               ks.load(fis, keyStorePasswd.toCharArray());\r
-                                               kmf.init(ks, keyPasswd.toCharArray());\r
-                                       } finally {\r
-                                               fis.close();\r
-                                       }\r
-                               }\r
-                       }\r
-                       for(KeyManager km : kmf.getKeyManagers()) {\r
-                               if(km instanceof X509KeyManager) {\r
-                                       kmal.add((X509KeyManager)km);\r
-                               }\r
-                       }\r
-                       km = new X509KeyManager[kmal.size()];\r
-                       kmal.toArray(km);\r
-               }\r
-\r
-               TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);\r
-               if(trustStore!=null) {\r
-                       for(String tsname : trustStore.split(REGEX_COMMA)) {\r
-                               file = new File(tsname);\r
-                               if(file.exists()) {\r
-                                       FileInputStream fis = new FileInputStream(file);\r
-                                       try {\r
-                                               KeyStore ts = KeyStore.getInstance("JKS");\r
-                                               ts.load(fis, trustStorePasswd.toCharArray());\r
-                                               tmf.init(ts); \r
-                                       } finally {\r
-                                               fis.close();\r
-                                       }\r
-                               }\r
-                       }\r
-                       TrustManager tms[] = tmf.getTrustManagers();\r
-                       tm = new X509TrustManager[tms==null?0:tms.length];\r
-                       for(int i=0;i<tms.length;++i) {\r
-                               try {\r
-                                       tm[i]=(X509TrustManager)tms[i];\r
-                               } catch (ClassCastException e) {\r
-                                       access.log(Level.WARN, "Non X509 TrustManager", tm[i].getClass().getName(),"skipped in SecurityInfo");\r
-                               }\r
-                       }\r
-               }\r
-               \r
-               if(trustMasks!=null) {\r
-                       final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();\r
-                       HttpsURLConnection.setDefaultHostnameVerifier(maskHV = new HostnameVerifier() {\r
-                               @Override\r
-                               public boolean verify(final String urlHostName, final SSLSession session) {\r
-                                       try {\r
-                                               // This will pick up /etc/host entries as well as DNS\r
-                                               InetAddress ia = InetAddress.getByName(session.getPeerHost());\r
-                                               for(NetMask tmask : trustMasks) {\r
-                                                       if(tmask.isInNet(ia.getHostAddress())) {\r
-                                                               return true;\r
-                                                       }\r
-                                               }\r
-                                       } catch (UnknownHostException e) {\r
-                                               // It's ok. do normal Verify\r
-                                       }\r
-                                       return origHV.verify(urlHostName,session);\r
-                               };\r
-                       });\r
-               }\r
-               ctx = SSLContext.getInstance("TLS");\r
-               ctx.init(km, tm, null);\r
-               SSLContext.setDefault(ctx);\r
-               scf = ctx.getSocketFactory();\r
-       }\r
-\r
-       /**\r
-        * @return the scf\r
-        */\r
-       public SSLSocketFactory getSSLSocketFactory() {\r
-               return scf;\r
-       }\r
-\r
-       public SSLContext getSSLContext() {\r
-               return ctx;\r
-       }\r
-\r
-       /**\r
-        * @return the km\r
-        */\r
-       public X509KeyManager[] getKeyManagers() {\r
-               return km;\r
-       }\r
-\r
-       public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {\r
-               for(X509TrustManager xtm : tm) {\r
-                       xtm.checkClientTrusted(certarr, SECURITY_ALGO);\r
-               }\r
-       }\r
-\r
-       public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {\r
-               for(X509TrustManager xtm : tm) {\r
-                       xtm.checkServerTrusted(certarr, SECURITY_ALGO);\r
-               }\r
-       }\r
-\r
-       public void setSocketFactoryOn(HttpsURLConnection hsuc) {\r
-               hsuc.setSSLSocketFactory(scf);\r
-               if(maskHV!=null && !maskHV.equals(hsuc.getHostnameVerifier())) {\r
-                       hsuc.setHostnameVerifier(maskHV);\r
-               }\r
-       }\r
-\r
-}\r