--- /dev/null
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * Copyright © 2017-2018 Amdocs
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.sa.searchdbabstraction.elasticsearch.dao;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import org.onap.aai.cl.api.Logger;
+import org.onap.aai.cl.eelf.LoggerFactory;
+import org.onap.aai.sa.searchdbabstraction.elasticsearch.config.ElasticSearchConfig;
+
+/**
+ * HTTPS (TLS) specific configuration.
+ */
+public class ElasticSearchHttpsController {
+
+ private static final Logger logger =
+ LoggerFactory.getInstance().getLogger(ElasticSearchHttpsController.class.getName());
+
+ private static final String SSL_PROTOCOL = "TLS";
+ private static final String KEYSTORE_ALGORITHM = "SunX509";
+ private static final String KEYSTORE_TYPE = "PKCS12";
+
+ public ElasticSearchHttpsController(ElasticSearchConfig config) throws NoSuchAlgorithmException, KeyStoreException,
+ CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
+ logger.debug("Initialising HTTPS configuration");
+
+ SSLContext ctx = SSLContext.getInstance(SSL_PROTOCOL);
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KEYSTORE_ALGORITHM);
+ KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
+
+ String clientCertPassword = config.getKeyStorePassword();
+
+ char[] pwd = null;
+ if (clientCertPassword != null) {
+ pwd = clientCertPassword.toCharArray();
+ } else {
+ logger.debug("No key store password is defined");
+ }
+
+ TrustManager[] trustManagers = getTrustManagers(config);
+ KeyManager[] keyManagers = null;
+
+ String clientCertFileName = config.getKeyStorePath();
+ if (clientCertFileName != null) {
+ InputStream fin = Files.newInputStream(Paths.get(clientCertFileName));
+ keyStore.load(fin, pwd);
+ kmf.init(keyStore, pwd);
+ keyManagers = kmf.getKeyManagers();
+ }
+
+ ctx.init(keyManagers, trustManagers, null);
+ logger.debug("Initialised SSL context");
+
+ HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
+ HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> host.equalsIgnoreCase(session.getPeerHost()));
+ }
+
+ private TrustManager[] getTrustManagers(ElasticSearchConfig config)
+ throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ // Using null here initializes the TMF with the default trust store.
+ tmf.init((KeyStore) null);
+
+ // Find the default trust manager.
+ final X509TrustManager defaultTrustManager = findX509TrustManager(tmf);
+
+ String trustStoreFile = config.getTrustStorePath();
+ if (trustStoreFile == null) {
+ logger.debug("No trust store defined");
+ return new TrustManager[] {defaultTrustManager};
+ }
+
+ // Create a new Trust Manager from the local trust store.
+ try (InputStream myKeys = Files.newInputStream(Paths.get(trustStoreFile))) {
+ KeyStore myTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ char[] pwdArray = null;
+ if (config.getTrustStorePassword() != null) {
+ pwdArray = config.getTrustStorePassword().toCharArray();
+ }
+ myTrustStore.load(myKeys, pwdArray);
+ tmf.init(myTrustStore);
+ }
+
+ // Create a custom trust manager that wraps both our trust store and the default.
+ final X509TrustManager finalLocalTm = findX509TrustManager(tmf);
+
+ return new TrustManager[] {new X509TrustManager() {
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return defaultTrustManager.getAcceptedIssuers();
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ try {
+ finalLocalTm.checkServerTrusted(chain, authType);
+ } catch (CertificateException e) {
+ defaultTrustManager.checkServerTrusted(chain, authType);
+ }
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ defaultTrustManager.checkClientTrusted(chain, authType);
+ }
+ }};
+ }
+
+ private X509TrustManager findX509TrustManager(TrustManagerFactory tmf) {
+ return (X509TrustManager) Arrays.asList(tmf.getTrustManagers()).stream()
+ .filter(tm -> tm instanceof X509TrustManager).findFirst().orElse(null);
+ }
+}
Code Review / aai / search-data-service.git / blobdiff