+++ /dev/null
-/**
- * ============LICENSE_START=======================================================
- * org.onap.aai
- * ================================================================================
- * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
- * Copyright © 2017-2018 Amdocs
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-package org.onap.aai.sa.searchdbabstraction.elasticsearch.dao;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-import org.onap.aai.cl.api.Logger;
-import org.onap.aai.cl.eelf.LoggerFactory;
-import org.onap.aai.sa.searchdbabstraction.elasticsearch.config.ElasticSearchConfig;
-
-/**
- * HTTPS (TLS) specific configuration.
- */
-public class ElasticSearchHttpsController {
-
- private static final Logger logger =
- LoggerFactory.getInstance().getLogger(ElasticSearchHttpsController.class.getName());
-
- private static final String SSL_PROTOCOL = "TLS";
- private static final String KEYSTORE_ALGORITHM = "SunX509";
- private static final String KEYSTORE_TYPE = "PKCS12";
-
- public ElasticSearchHttpsController(ElasticSearchConfig config) throws NoSuchAlgorithmException, KeyStoreException,
- CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
- logger.debug("Initialising HTTPS configuration");
-
- SSLContext ctx = SSLContext.getInstance(SSL_PROTOCOL);
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(KEYSTORE_ALGORITHM);
- KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
-
- String clientCertPassword = config.getKeyStorePassword();
-
- char[] pwd = null;
- if (clientCertPassword != null) {
- pwd = clientCertPassword.toCharArray();
- } else {
- logger.debug("No key store password is defined");
- }
-
- TrustManager[] trustManagers = getTrustManagers(config);
- KeyManager[] keyManagers = null;
-
- String clientCertFileName = config.getKeyStorePath();
- if (clientCertFileName != null) {
- InputStream fin = Files.newInputStream(Paths.get(clientCertFileName));
- keyStore.load(fin, pwd);
- kmf.init(keyStore, pwd);
- keyManagers = kmf.getKeyManagers();
- }
-
- ctx.init(keyManagers, trustManagers, null);
- logger.debug("Initialised SSL context");
-
- HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
- HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> host.equalsIgnoreCase(session.getPeerHost()));
- }
-
- private TrustManager[] getTrustManagers(ElasticSearchConfig config)
- throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- // Using null here initializes the TMF with the default trust store.
- tmf.init((KeyStore) null);
-
- // Find the default trust manager.
- final X509TrustManager defaultTrustManager = findX509TrustManager(tmf);
-
- String trustStoreFile = config.getTrustStorePath();
- if (trustStoreFile == null) {
- logger.debug("No trust store defined");
- return new TrustManager[] {defaultTrustManager};
- }
-
- // Create a new Trust Manager from the local trust store.
- try (InputStream myKeys = Files.newInputStream(Paths.get(trustStoreFile))) {
- KeyStore myTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
- char[] pwdArray = null;
- if (config.getTrustStorePassword() != null) {
- pwdArray = config.getTrustStorePassword().toCharArray();
- }
- myTrustStore.load(myKeys, pwdArray);
- tmf.init(myTrustStore);
- }
-
- // Create a custom trust manager that wraps both our trust store and the default.
- final X509TrustManager finalLocalTm = findX509TrustManager(tmf);
-
- return new TrustManager[] {new X509TrustManager() {
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return defaultTrustManager.getAcceptedIssuers();
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
- try {
- finalLocalTm.checkServerTrusted(chain, authType);
- } catch (CertificateException e) {
- defaultTrustManager.checkServerTrusted(chain, authType);
- }
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
- defaultTrustManager.checkClientTrusted(chain, authType);
- }
- }};
- }
-
- private X509TrustManager findX509TrustManager(TrustManagerFactory tmf) {
- return (X509TrustManager) Arrays.asList(tmf.getTrustManagers()).stream()
- .filter(tm -> tm instanceof X509TrustManager).findFirst().orElse(null);
- }
-}