2 * ============LICENSE_START===================================================
3 * SPARKY (AAI UI service)
4 * ============================================================================
5 * Copyright © 2017 AT&T Intellectual Property.
6 * Copyright © 2017 Amdocs
8 * ============================================================================
9 * Licensed under the Apache License, Version 2.0 (the "License");
10 * you may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS,
17 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 * ============LICENSE_END=====================================================
22 * ECOMP and OpenECOMP are trademarks
23 * and service marks of AT&T Intellectual Property.
26 package org.openecomp.sparky.util;
29 import java.io.FileInputStream;
30 import java.io.FileOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.OutputStream;
34 import java.net.UnknownHostException;
35 import java.security.KeyManagementException;
36 import java.security.KeyStore;
37 import java.security.KeyStoreException;
38 import java.security.MessageDigest;
39 import java.security.NoSuchAlgorithmException;
40 import java.security.cert.CertificateEncodingException;
41 import java.security.cert.CertificateException;
42 import java.security.cert.CertificateParsingException;
43 import java.security.cert.X509Certificate;
44 import java.util.ArrayList;
45 import java.util.Collection;
46 import java.util.List;
48 import javax.net.ssl.SSLContext;
49 import javax.net.ssl.SSLException;
50 import javax.net.ssl.SSLSocket;
51 import javax.net.ssl.SSLSocketFactory;
52 import javax.net.ssl.TrustManager;
53 import javax.net.ssl.TrustManagerFactory;
54 import javax.net.ssl.X509TrustManager;
57 * The Class KeystoreBuilder.
59 public class KeystoreBuilder {
64 private class EndPoint {
65 private String hostname;
69 * Instantiates a new end point.
71 @SuppressWarnings("unused")
75 * Instantiates a new end point.
77 * @param host the host
78 * @param port the port
80 public EndPoint(String host, int port) {
85 public String getHostname() {
89 @SuppressWarnings("unused")
90 public void setHostname(String hostname) {
91 this.hostname = hostname;
94 public int getPort() {
98 public void setPort(int port) {
103 * @see java.lang.Object#toString()
106 public String toString() {
107 return "EndPoint [hostname=" + hostname + ", port=" + port + "]";
112 private List<EndPoint> endpoints = new ArrayList<EndPoint>();
115 * Initialize end points list.
117 * @param endpointList the endpoint list
119 private void initializeEndPointsList(String endpointList) {
120 String[] endpointUris = endpointList.split(";");
122 for (String endpointUri : endpointUris) {
124 String ipAndPort = endpointUri.replaceAll("http://", "");
125 ipAndPort = endpointUri.replaceAll("https://", "");
127 // System.out.println("ipAndPortUrl = " + ipAndPort);
129 String[] hostAndPort = ipAndPort.split(":");
131 String hostname = hostAndPort[0];
132 int port = Integer.parseInt(hostAndPort[1]);
134 EndPoint ep = new EndPoint(hostname, port);
141 * Instantiates a new keystore builder.
143 * @param endpointList the endpoint list
144 * @throws NoSuchAlgorithmException the no such algorithm exception
146 public KeystoreBuilder(String endpointList) throws NoSuchAlgorithmException {
147 initializeEndPointsList(endpointList);
148 sha1 = MessageDigest.getInstance("SHA1");
149 md5 = MessageDigest.getInstance("MD5");
152 private static final String SEP = File.separator;
153 private SavingTrustManager savingTrustManager;
154 private SSLSocketFactory sslSocketFactory;
155 private MessageDigest sha1;
156 private MessageDigest md5;
158 private String keystoreFileName;
159 private String keystorePassword;
160 private boolean dumpCertDetails = false;
162 public void setDumpCertDetails(boolean shouldSet) {
163 dumpCertDetails = shouldSet;
169 * @param keystoreFileName the keystore file name
170 * @param keystorePassword the keystore password
171 * @throws KeyStoreException the key store exception
172 * @throws NoSuchAlgorithmException the no such algorithm exception
173 * @throws CertificateException the certificate exception
174 * @throws IOException Signals that an I/O exception has occurred.
175 * @throws KeyManagementException the key management exception
177 public void updateKeystore(String keystoreFileName, String keystorePassword)
178 throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
179 KeyManagementException {
181 this.keystoreFileName = keystoreFileName;
182 this.keystorePassword = keystorePassword;
184 File file = new File(keystoreFileName);
185 String password = keystorePassword;
187 if (file.isFile() == false) {
189 File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
190 file = new File(dir, "jssecacerts");
191 if (file.isFile() == false) {
193 file = new File(dir, "cacerts");
194 System.out.println("keystore file doesn't exist, preloading new file with cacerts");
197 System.out.println("keystore file doesn't exist, preloading new file with jssecacerts");
199 password = "changeit";
203 InputStream in = new FileInputStream(file);
204 ks = KeyStore.getInstance(KeyStore.getDefaultType());
205 ks.load(in, password.toCharArray());
208 SSLContext context = SSLContext.getInstance("TLS");
209 TrustManagerFactory tmf =
210 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
212 X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
213 savingTrustManager = new SavingTrustManager(defaultTrustManager);
214 context.init(null, new TrustManager[] {savingTrustManager}, null);
215 sslSocketFactory = context.getSocketFactory();
217 System.out.println("About to add the following endpoint server certificates to the keystore:");
218 for (EndPoint ep : endpoints) {
219 System.out.println("\t--------------------------");
220 System.out.println("\t" + ep.toString());
222 X509Certificate[] certChain =
223 getCertificateChainForRemoteEndpoint(ep.getHostname(), ep.getPort());
225 if (certChain == null) {
226 System.out.println("Could not obtain server certificate chain");
230 dumpCertChainInfo(certChain);
232 updateKeyStoreWithCertChain(certChain);
239 * Gets the certificate chain for remote endpoint.
241 * @param hostname the hostname
242 * @param port the port
243 * @return the certificate chain for remote endpoint
244 * @throws UnknownHostException the unknown host exception
245 * @throws IOException Signals that an I/O exception has occurred.
247 private X509Certificate[] getCertificateChainForRemoteEndpoint(String hostname, int port)
248 throws UnknownHostException, IOException {
250 System.out.println("Opening connection to localhost:8442..");
251 SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket("aai-int1.dev.att.com", 8440);
252 socket.setSoTimeout(10000);
255 System.out.println("Starting SSL handshake...");
256 socket.startHandshake();
258 System.out.println("\nNo errors, certificate is already trusted");
260 } catch (SSLException exc) {
261 System.out.println("\nCaught SSL exception, we are not authorized to access this server yet");
262 // e.printStackTrace(System.out);
265 return savingTrustManager.chain;
270 * Dump cert chain info.
272 * @param chain the chain
273 * @throws NoSuchAlgorithmException the no such algorithm exception
274 * @throws CertificateEncodingException the certificate encoding exception
275 * @throws CertificateParsingException the certificate parsing exception
277 private void dumpCertChainInfo(X509Certificate[] chain)
278 throws NoSuchAlgorithmException, CertificateEncodingException, CertificateParsingException {
280 System.out.println();
281 System.out.println("Server sent " + chain.length + " certificate(s):");
282 System.out.println();
284 for (int i = 0; i < chain.length; i++) {
285 X509Certificate cert = chain[i];
287 if (dumpCertDetails) {
288 System.out.println("Full cert details @ index = " + i + " \n" + cert.toString());
291 System.out.println("Subject: " + cert.getSubjectDN());
292 System.out.println("Issuer: " + cert.getIssuerDN());
293 System.out.println("SubjectAlternativeNames: ");
296 * RFC-5280, pg. 38, section 4.2.1.6 ( Subject Alternative Names )
298 * Finally, the semantics of subject alternative names that include wildcard characters (e.g.,
299 * as a placeholder for a set of names) are not addressed by this specification. Applications
300 * with specific requirements MAY use such names, but they must define the semantics.
302 * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
304 * SubjectAltName ::= GeneralNames
306 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
308 * GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2]
309 * IA5String, <-- the 2 in the output is a type operand x400Address [3] ORAddress,
310 * directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6]
311 * IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER }
313 * OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY
316 * EDIPartyName ::= SEQUENCE { nameAssigner [0] DirectoryString OPTIONAL, partyName [1]
321 Collection<List<?>> sans = cert.getSubjectAlternativeNames();
323 for (List<?> san : sans) {
326 * It seems the structure of the array elements contained within the SAN is: [<sanType>,
331 int type = ((Integer) san.get(0)).intValue();
332 String typeStr = getSanType(type);
333 String value = (String) san.get(1);
335 System.out.println(String.format("\tType:'%s', Value: '%s'.", typeStr, value));
344 * Gets the subject alternative names.
346 * @param cert the cert
347 * @return the subject alternative names
348 * @throws CertificateParsingException the certificate parsing exception
350 private List<String> getSubjectAlternativeNames(X509Certificate cert)
351 throws CertificateParsingException {
353 Collection<List<?>> sans = cert.getSubjectAlternativeNames();
354 List<String> subjectAlternativeNames = new ArrayList<String>();
356 for (List<?> san : sans) {
359 * It seems the structure of the array elements contained within the SAN is: [<sanType>,
364 String value = (String) san.get(1);
365 subjectAlternativeNames.add(value);
368 return subjectAlternativeNames;
372 * Update key store with cert chain.
374 * @param chain the chain
375 * @throws NoSuchAlgorithmException the no such algorithm exception
376 * @throws KeyStoreException the key store exception
377 * @throws CertificateException the certificate exception
378 * @throws IOException Signals that an I/O exception has occurred.
380 private void updateKeyStoreWithCertChain(X509Certificate[] chain)
381 throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
383 for (X509Certificate cert : chain) {
385 List<String> sans = getSubjectAlternativeNames(cert);
387 for (String san : sans) {
388 ks.setCertificateEntry(san, cert);
390 "Added certificate to keystore '" + keystoreFileName + "' using alias '" + san + "'");
394 OutputStream out = new FileOutputStream(keystoreFileName);
395 ks.store(out, keystorePassword.toCharArray());
402 * The Class SavingTrustManager.
404 private static class SavingTrustManager implements X509TrustManager {
406 private final X509TrustManager tm;
407 private X509Certificate[] chain;
410 * Instantiates a new saving trust manager.
414 SavingTrustManager(X509TrustManager tm) {
419 public X509Certificate[] getAcceptedIssuers() {
420 throw new UnsupportedOperationException();
424 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
427 public void checkClientTrusted(X509Certificate[] chain, String authType)
428 throws CertificateException {
429 throw new UnsupportedOperationException();
433 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
436 public void checkServerTrusted(X509Certificate[] chain, String authType)
437 throws CertificateException {
439 tm.checkServerTrusted(chain, authType);
443 private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
448 * @param type the type
449 * @return the san type
451 // TODO: convert to enum(int,string)
452 private String getSanType(int type) {
461 return "x400Address";
463 return "directoryName";
465 return "ediPartyName";
467 return "uniformResourceIdentifier";
471 return "registeredID";
473 return "unknownSanType";
481 * @param bytes the bytes
484 private static String toHexString(byte[] bytes) {
485 StringBuilder sb = new StringBuilder(bytes.length * 3);
486 for (int b : bytes) {
488 sb.append(HEXDIGITS[b >> 4]);
489 sb.append(HEXDIGITS[b & 15]);
492 return sb.toString();
500 * @param args the arguments
501 * @throws Exception the exception
503 public static void main(String[] args) throws Exception {
505 // String endpointList = "aai-int1.test.att.com:8440;aai-int1.dev.att.com:8442";
508 * Examples: localhost:8440;localhost:8442 d:\1\adhoc_keystore.jks aaiDomain2 false
509 * localhost:8440;localhost:8442 d:\1\adhoc_keystore.jks aaiDomain2 true
512 if (args.length != 4) {
514 "Usage: KeyBuilder <[ip:port];*> <keystoreFileName>"
515 + " <keystorePassword> <dumpCertDetails> ");
518 KeystoreBuilder kb = new KeystoreBuilder(args[0]);
519 kb.setDumpCertDetails(Boolean.parseBoolean(args[3]));
520 kb.updateKeystore(args[1], args[2]);