From 45e2f0ae4c14ee24e696717c9d150a2ff0bdc872 Mon Sep 17 00:00:00 2001
From: xuegao <xue.gao@intl.att.com>
Date: Fri, 9 Apr 2021 08:48:47 +0200
Subject: [PATCH] Fix weak-cryptography issues

Load the truststore/keystore of our own instead of using the default one.

Issue-ID: SDC-3495
Change-Id: I0ecd764d5198480a065fd38299cc9ff9da66af29
Signed-off-by: xuegao <xue.gao@intl.att.com>
---
 catalog-fe/pom.xml                                 |  6 ++-
 .../org/openecomp/sdc/fe/impl/PluginStatusBL.java  |  2 +-
 .../onap-configuration-management-api/pom.xml      | 13 +++++
 .../java/org/onap/config/api}/JettySSLUtils.java   |  4 +-
 .../rest/services/VnfPackageRepositoryImpl.java    | 62 +++-------------------
 5 files changed, 27 insertions(+), 60 deletions(-)
 rename {catalog-fe/src/main/java/org/openecomp/sdc/fe/utils => common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api}/JettySSLUtils.java (97%)

diff --git a/catalog-fe/pom.xml b/catalog-fe/pom.xml
index bde5a8b4bf..3591a51bc2 100644
--- a/catalog-fe/pom.xml
+++ b/catalog-fe/pom.xml
@@ -26,7 +26,11 @@
       <version>${functionaljava.version}</version>
       <scope>compile</scope>
     </dependency>
-
+    <dependency>
+      <groupId>org.onap.sdc.common</groupId>
+      <artifactId>onap-configuration-management-api</artifactId>
+      <version>${project.version}</version>
+    </dependency>
     <dependency>
       <groupId>org.openecomp.sdc</groupId>
       <artifactId>common-app-api</artifactId>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
index 080ab6809a..e1b4572a05 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
@@ -36,12 +36,12 @@ import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.onap.config.api.JettySSLUtils;
 import org.openecomp.sdc.common.log.wrappers.Logger;
 import org.openecomp.sdc.exception.InvalidArgumentException;
 import org.openecomp.sdc.fe.config.ConfigurationManager;
 import org.openecomp.sdc.fe.config.PluginsConfiguration;
 import org.openecomp.sdc.fe.config.PluginsConfiguration.Plugin;
-import org.openecomp.sdc.fe.utils.JettySSLUtils;
 
 public class PluginStatusBL {
 
diff --git a/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml b/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
index 7dcf1958cf..58d645785a 100644
--- a/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
+++ b/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
@@ -12,4 +12,17 @@
     <groupId>org.onap.sdc.common</groupId>
     <version>1.9.0-SNAPSHOT</version>
   </parent>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>${httpclient.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpcore</artifactId>
+      <version>${httpcore.version}</version>
+    </dependency>
+  </dependencies>
 </project>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/utils/JettySSLUtils.java b/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
similarity index 97%
rename from catalog-fe/src/main/java/org/openecomp/sdc/fe/utils/JettySSLUtils.java
rename to common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
index a9badde06b..44280cf105 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/utils/JettySSLUtils.java
+++ b/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
@@ -17,7 +17,7 @@
  * limitations under the License.
  * ============LICENSE_END=========================================================
  */
-package org.openecomp.sdc.fe.utils;
+package org.onap.config.api;
 
 import java.io.File;
 import java.io.FileInputStream;
@@ -45,7 +45,7 @@ public class JettySSLUtils {
     }
 
     public static SSLContext getSslContext() throws GeneralSecurityException, IOException {
-        JettySSLUtils.JettySslConfig sslProperties = JettySSLUtils.getSSLConfig();
+        JettySslConfig sslProperties = JettySSLUtils.getSSLConfig();
         KeyStore trustStore = KeyStore.getInstance(sslProperties.getTruststoreType());
         try (FileInputStream instream = new FileInputStream(new File(sslProperties.getTruststorePath()));) {
             trustStore.load(instream, (sslProperties.getTruststorePass()).toCharArray());
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
index 17ee57001e..5bfd29affa 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
@@ -20,26 +20,22 @@ import static javax.ws.rs.core.HttpHeaders.CONTENT_DISPOSITION;
 import static org.openecomp.core.utilities.file.FileUtils.getFileExtension;
 import static org.openecomp.core.utilities.file.FileUtils.getNetworkPackageName;
 
+import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
 import javax.inject.Named;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
 import javax.ws.rs.client.Client;
 import javax.ws.rs.client.ClientBuilder;
 import javax.ws.rs.core.Response;
 import org.onap.config.api.ConfigurationManager;
+import org.onap.config.api.JettySSLUtils;
 import org.openecomp.core.utilities.orchestration.OnboardingTypesEnum;
 import org.openecomp.sdc.common.errors.CoreException;
 import org.openecomp.sdc.common.errors.ErrorCode;
@@ -81,62 +77,16 @@ public class VnfPackageRepositoryImpl implements VnfPackageRepository {
 
     private static Client trustSSLClient() {
         try {
-            SSLContext sslcontext = SSLContext.getInstance("TLS");
-            sslcontext.init(null, new TrustManager[]{new MyTrustManager()}, new java.security.SecureRandom());
+            SSLContext sslcontext = JettySSLUtils.getSslContext();
             return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((requestedHost, remoteServerSession)
                     -> requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost())).build();
 
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
-            LOGGER.error("Failed to initialize SSL unsecure context", e);
+        } catch (IOException | GeneralSecurityException e) {
+            LOGGER.error("Failed to initialize SSL context", e);
         }
         return ClientBuilder.newClient();
     }
 
-    private static class MyTrustManager implements X509TrustManager {
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        private MyTrustManager() throws NoSuchAlgorithmException {
-        }
-
-        @Override
-        public X509Certificate[] getAcceptedIssuers() {
-            return new X509Certificate[] {};
-        }
-
-        @Override
-        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
-            X509TrustManager x509Tm = getDefaultTrustManager(tmf);
-            if(x509Tm == null) {
-                throw new CertificateException("No X509TrustManager found");
-            }
-            x509Tm.checkServerTrusted(certs, authType);
-        }
-
-        @Override
-        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
-            X509TrustManager x509Tm = getDefaultTrustManager(tmf);
-            if(x509Tm == null) {
-                throw new CertificateException("No X509TrustManager found");
-            }
-            x509Tm.checkClientTrusted(certs, authType);
-        }
-
-        private X509TrustManager getDefaultTrustManager(TrustManagerFactory tmf) {
-            try {
-                tmf.init((KeyStore)null);
-            } catch (KeyStoreException e) {
-                throw new IllegalStateException(e);
-            }
-            X509TrustManager x509Tm = null;
-            for(TrustManager tm: tmf.getTrustManagers())
-            {
-                if(tm instanceof X509TrustManager) {
-                    x509Tm = (X509TrustManager) tm;
-                    break;
-                }
-            }
-            return x509Tm;
-        }
-    }
 
     private final Configuration config;
 
-- 
2.16.6