import org.onap.aaf.cadi.util.NetMask;
public class SecurityInfo {
- private static final String SECURITY_ALGO = "RSA";
- private static final String HTTPS_PROTOCOLS = "https.protocols";
- private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
+ private static final String SECURITY_ALGO = "RSA";
+ private static final String HTTPS_PROTOCOLS = "https.protocols";
+ private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
- public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
- public static final String REGEX_COMMA = "\\s*,\\s*";
- public static final String SSL_KEY_MANAGER_FACTORY_ALGORITHM;
-
- private SSLSocketFactory socketFactory;
- private X509KeyManager[] x509KeyManager;
- private X509TrustManager[] x509TrustManager;
- public final String defaultAlias;
- private NetMask[] trustMasks;
- private SSLContext context;
- private HostnameVerifier maskHV;
- public final Access access;
+ public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
+ public static final String REGEX_COMMA = "\\s*,\\s*";
+ public static final String SSL_KEY_MANAGER_FACTORY_ALGORITHM;
+
+ private SSLSocketFactory socketFactory;
+ private X509KeyManager[] x509KeyManager;
+ private X509TrustManager[] x509TrustManager;
+ public final String defaultAlias;
+ private NetMask[] trustMasks;
+ private SSLContext context;
+ private HostnameVerifier maskHV;
+ public final Access access;
- // Change Key Algorithms for IBM's VM. Could put in others, if needed.
- static {
- if ("IBM Corporation".equalsIgnoreCase(System.getProperty("java.vm.vendor"))) {
- SSL_KEY_MANAGER_FACTORY_ALGORITHM = "IbmX509";
- } else {
- SSL_KEY_MANAGER_FACTORY_ALGORITHM = "SunX509";
- }
- }
-
+ // Change Key Algorithms for IBM's VM. Could put in others, if needed.
+ static {
+ if ("IBM Corporation".equalsIgnoreCase(System.getProperty("java.vm.vendor"))) {
+ SSL_KEY_MANAGER_FACTORY_ALGORITHM = "IbmX509";
+ } else {
+ SSL_KEY_MANAGER_FACTORY_ALGORITHM = "SunX509";
+ }
+ }
+
- public SecurityInfo(final Access access) throws CadiException {
- try {
- this.access = access;
- // reuse DME2 Properties for convenience if specific Properties don't exist
-
- initializeKeyManager();
-
- initializeTrustManager();
-
- defaultAlias = access.getProperty(Config.CADI_ALIAS, null);
-
- initializeTrustMasks();
+ public SecurityInfo(final Access access) throws CadiException {
+ try {
+ this.access = access;
+ // reuse DME2 Properties for convenience if specific Properties don't exist
+
+ initializeKeyManager();
+
+ initializeTrustManager();
+
+ defaultAlias = access.getProperty(Config.CADI_ALIAS, null);
+
+ initializeTrustMasks();
- String httpsProtocols = Config.logProp(access, Config.CADI_PROTOCOLS,
- access.getProperty(HTTPS_PROTOCOLS, HTTPS_PROTOCOLS_DEFAULT)
- );
- System.setProperty(HTTPS_PROTOCOLS, httpsProtocols);
- System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, httpsProtocols);
- if ("1.7".equals(System.getProperty("java.specification.version")) && httpsProtocols.contains("TLSv1.2")) {
- System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT);
- }
+ String httpsProtocols = Config.logProp(access, Config.CADI_PROTOCOLS,
+ access.getProperty(HTTPS_PROTOCOLS, HTTPS_PROTOCOLS_DEFAULT)
+ );
+ System.setProperty(HTTPS_PROTOCOLS, httpsProtocols);
+ System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, httpsProtocols);
+ if ("1.7".equals(System.getProperty("java.specification.version")) && httpsProtocols.contains("TLSv1.2")) {
+ System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT);
+ }
- context = SSLContext.getInstance("TLS");
- context.init(x509KeyManager, x509TrustManager, null);
- SSLContext.setDefault(context);
- socketFactory = context.getSocketFactory();
- } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
- throw new CadiException(e);
- }
- }
+ context = SSLContext.getInstance("TLS");
+ context.init(x509KeyManager, x509TrustManager, null);
+ SSLContext.setDefault(context);
+ socketFactory = context.getSocketFactory();
+ } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
+ throw new CadiException(e);
+ }
+ }
- /**
- * @return the scf
- */
- public SSLSocketFactory getSSLSocketFactory() {
- return socketFactory;
- }
+ /**
+ * @return the scf
+ */
+ public SSLSocketFactory getSSLSocketFactory() {
+ return socketFactory;
+ }
- public SSLContext getSSLContext() {
- return context;
- }
+ public SSLContext getSSLContext() {
+ return context;
+ }
- /**
- * @return the km
- */
- public X509KeyManager[] getKeyManagers() {
- return x509KeyManager;
- }
+ /**
+ * @return the km
+ */
+ public X509KeyManager[] getKeyManagers() {
+ return x509KeyManager;
+ }
- public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
- for (X509TrustManager xtm : x509TrustManager) {
- xtm.checkClientTrusted(certarr, SECURITY_ALGO);
- }
- }
+ public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
+ for (X509TrustManager xtm : x509TrustManager) {
+ xtm.checkClientTrusted(certarr, SECURITY_ALGO);
+ }
+ }
- public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
- for (X509TrustManager xtm : x509TrustManager) {
- xtm.checkServerTrusted(certarr, SECURITY_ALGO);
- }
- }
+ public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
+ for (X509TrustManager xtm : x509TrustManager) {
+ xtm.checkServerTrusted(certarr, SECURITY_ALGO);
+ }
+ }
- public void setSocketFactoryOn(HttpsURLConnection hsuc) {
- hsuc.setSSLSocketFactory(socketFactory);
- if (maskHV != null && !maskHV.equals(hsuc.getHostnameVerifier())) {
- hsuc.setHostnameVerifier(maskHV);
- }
- }
-
- protected void initializeKeyManager() throws CadiException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException {
- String keyStore = access.getProperty(Config.CADI_KEYSTORE, null);
- if (keyStore != null && !new File(keyStore).exists()) {
- throw new CadiException(keyStore + " does not exist");
- }
+ public void setSocketFactoryOn(HttpsURLConnection hsuc) {
+ hsuc.setSSLSocketFactory(socketFactory);
+ if (maskHV != null && !maskHV.equals(hsuc.getHostnameVerifier())) {
+ hsuc.setHostnameVerifier(maskHV);
+ }
+ }
+
+ protected void initializeKeyManager() throws CadiException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException {
+ String keyStore = access.getProperty(Config.CADI_KEYSTORE, null);
+ if (keyStore != null && !new File(keyStore).exists()) {
+ throw new CadiException(keyStore + " does not exist");
+ }
- String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null);
- keyStorePasswd = (keyStorePasswd == null) ? null : access.decrypt(keyStorePasswd, false);
- if (keyStore == null || keyStorePasswd == null) {
- x509KeyManager = new X509KeyManager[0];
- return;
- }
+ String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null);
+ keyStorePasswd = (keyStorePasswd == null) ? null : access.decrypt(keyStorePasswd, false);
+ if (keyStore == null || keyStorePasswd == null) {
+ x509KeyManager = new X509KeyManager[0];
+ return;
+ }
- String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD, null);
- keyPasswd = (keyPasswd == null) ? keyStorePasswd : access.decrypt(keyPasswd, false);
+ String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD, null);
+ keyPasswd = (keyPasswd == null) ? keyStorePasswd : access.decrypt(keyPasswd, false);
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
- ArrayList<X509KeyManager> keyManagers = new ArrayList<>();
- File file;
- for (String ksname : keyStore.split(REGEX_COMMA)) {
- String keystoreFormat;
- if (ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
- keystoreFormat = "PKCS12";
- } else {
- keystoreFormat = "JKS";
- }
+ ArrayList<X509KeyManager> keyManagers = new ArrayList<>();
+ File file;
+ for (String ksname : keyStore.split(REGEX_COMMA)) {
+ String keystoreFormat;
+ if (ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
+ keystoreFormat = "PKCS12";
+ } else {
+ keystoreFormat = "JKS";
+ }
- file = new File(ksname);
- if (file.exists()) {
- FileInputStream fis = new FileInputStream(file);
- try {
- KeyStore ks = KeyStore.getInstance(keystoreFormat);
- ks.load(fis, keyStorePasswd.toCharArray());
- keyManagerFactory.init(ks, keyPasswd.toCharArray());
- } finally {
- fis.close();
- }
- }
- }
- for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
- if (keyManager instanceof X509KeyManager) {
- keyManagers.add((X509KeyManager)keyManager);
- }
- }
- x509KeyManager = new X509KeyManager[keyManagers.size()];
- keyManagers.toArray(x509KeyManager);
- }
+ file = new File(ksname);
+ if (file.exists()) {
+ FileInputStream fis = new FileInputStream(file);
+ try {
+ KeyStore ks = KeyStore.getInstance(keystoreFormat);
+ ks.load(fis, keyStorePasswd.toCharArray());
+ keyManagerFactory.init(ks, keyPasswd.toCharArray());
+ } finally {
+ fis.close();
+ }
+ }
+ }
+ for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
+ if (keyManager instanceof X509KeyManager) {
+ keyManagers.add((X509KeyManager)keyManager);
+ }
+ }
+ x509KeyManager = new X509KeyManager[keyManagers.size()];
+ keyManagers.toArray(x509KeyManager);
+ }
- protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException {
- String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null);
- if (trustStore != null && !new File(trustStore).exists()) {
- throw new CadiException(trustStore + " does not exist");
- }
+ protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException {
+ String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null);
+ if (trustStore != null && !new File(trustStore).exists()) {
+ throw new CadiException(trustStore + " does not exist");
+ }
- if (trustStore == null) {
- return;
- }
+ if (trustStore == null) {
+ return;
+ }
- String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
- trustStorePasswd = (trustStorePasswd == null) ? "changeit"/*defacto Java Trust Pass*/ : access.decrypt(trustStorePasswd, false);
+ String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
+ trustStorePasswd = (trustStorePasswd == null) ? "changeit"/*defacto Java Trust Pass*/ : access.decrypt(trustStorePasswd, false);
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
- File file;
- for (String trustStoreName : trustStore.split(REGEX_COMMA)) {
- file = new File(trustStoreName);
- if (file.exists()) {
- FileInputStream fis = new FileInputStream(file);
- try {
- KeyStore ts = KeyStore.getInstance("JKS");
- ts.load(fis, trustStorePasswd.toCharArray());
- trustManagerFactory.init(ts);
- } finally {
- fis.close();
- }
- }
- }
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
+ File file;
+ for (String trustStoreName : trustStore.split(REGEX_COMMA)) {
+ file = new File(trustStoreName);
+ if (file.exists()) {
+ FileInputStream fis = new FileInputStream(file);
+ try {
+ KeyStore ts = KeyStore.getInstance("JKS");
+ ts.load(fis, trustStorePasswd.toCharArray());
+ trustManagerFactory.init(ts);
+ } finally {
+ fis.close();
+ }
+ }
+ }
- TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
- if (trustManagers == null || trustManagers.length == 0) {
- return;
- }
+ TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
+ if (trustManagers == null || trustManagers.length == 0) {
+ return;
+ }
- x509TrustManager = new X509TrustManager[trustManagers.length];
- for (int i = 0; i < trustManagers.length; ++i) {
- try {
- x509TrustManager[i] = (X509TrustManager)trustManagers[i];
- } catch (ClassCastException e) {
- access.log(Level.WARN, "Non X509 TrustManager", x509TrustManager[i].getClass().getName(), "skipped in SecurityInfo");
- }
- }
- }
-
- protected void initializeTrustMasks() throws AccessException {
- String tips = access.getProperty(Config.CADI_TRUST_MASKS, null);
- if (tips == null) {
- return;
- }
+ x509TrustManager = new X509TrustManager[trustManagers.length];
+ for (int i = 0; i < trustManagers.length; ++i) {
+ try {
+ x509TrustManager[i] = (X509TrustManager)trustManagers[i];
+ } catch (ClassCastException e) {
+ access.log(Level.WARN, "Non X509 TrustManager", x509TrustManager[i].getClass().getName(), "skipped in SecurityInfo");
+ }
+ }
+ }
+
+ protected void initializeTrustMasks() throws AccessException {
+ String tips = access.getProperty(Config.CADI_TRUST_MASKS, null);
+ if (tips == null) {
+ return;
+ }
- access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
- String[] ipsplit = tips.split(REGEX_COMMA);
- trustMasks = new NetMask[ipsplit.length];
- for (int i = 0; i < ipsplit.length; ++i) {
- try {
- trustMasks[i] = new NetMask(ipsplit[i]);
- } catch (MaskFormatException e) {
- throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
- }
- }
-
- final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
- maskHV = new HostnameVerifier() {
- @Override
- public boolean verify(final String urlHostName, final SSLSession session) {
- try {
- // This will pick up /etc/host entries as well as DNS
- InetAddress ia = InetAddress.getByName(session.getPeerHost());
- for (NetMask tmask : trustMasks) {
- if (tmask.isInNet(ia.getHostAddress())) {
- return true;
- }
- }
- } catch (UnknownHostException e) {
- // It's ok. do normal Verify
- }
- return origHV.verify(urlHostName, session);
- };
- };
- HttpsURLConnection.setDefaultHostnameVerifier(maskHV);
- }
-
+ access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
+ String[] ipsplit = tips.split(REGEX_COMMA);
+ trustMasks = new NetMask[ipsplit.length];
+ for (int i = 0; i < ipsplit.length; ++i) {
+ try {
+ trustMasks[i] = new NetMask(ipsplit[i]);
+ } catch (MaskFormatException e) {
+ throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
+ }
+ }
+
+ final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
+ maskHV = new HostnameVerifier() {
+ @Override
+ public boolean verify(final String urlHostName, final SSLSession session) {
+ try {
+ // This will pick up /etc/host entries as well as DNS
+ InetAddress ia = InetAddress.getByName(session.getPeerHost());
+ for (NetMask tmask : trustMasks) {
+ if (tmask.isInNet(ia.getHostAddress())) {
+ return true;
+ }
+ }
+ } catch (UnknownHostException e) {
+ // It's ok. do normal Verify
+ }
+ return origHV.verify(urlHostName, session);
+ };
+ };
+ HttpsURLConnection.setDefaultHostnameVerifier(maskHV);
+ }
+
}
Code Review / aaf / authz.git / blobdiff