diff options
author | Dan Timoney <dtimoney@att.com> | 2021-07-20 16:29:15 -0400 |
---|---|---|
committer | Dan Timoney <dtimoney@att.com> | 2021-07-20 16:29:15 -0400 |
commit | afb648cbb6e69725f5f0857f5429cf710c8a0243 (patch) | |
tree | 46edda5ecc25dc992084a668e725d646fa3978e6 /plugins | |
parent | 6dfa45c5b883af5d9d3371f303513180cefa6f86 (diff) |
Fix weak crypto issue in restconf adaptor
Added new capability to disable host name verification on a per-connection
basis in restapi-call-node and restconf adaptors, and use custom
hostname verifier to handle IP addresses and localhost as exception
cases.
Issue-ID: CCSDK-3196
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I379f3b5093b5ff46433a33821127670747e8efa6
Diffstat (limited to 'plugins')
3 files changed, 7 insertions, 4 deletions
diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java index 9b542af91..6e84a9c02 100755 --- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java +++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java @@ -53,4 +53,5 @@ public class Parameters { public boolean multipartFormData; public String multipartFile; public String targetEntity; + public boolean disableHostVerification; } diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java index f1aa2b266..e3192562d 100755 --- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java +++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java @@ -238,6 +238,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin { p.multipartFormData = valueOf(parseParam(paramMap, "multipartFormData", false, "false")); p.multipartFile = parseParam(paramMap, "multipartFile", false, null); p.targetEntity = parseParam(paramMap, "targetEntity", false, null); + p.disableHostVerification = valueOf(parseParam(paramMap, "disableHostVerification", false, "true")); return p; } @@ -925,7 +926,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin { protected SSLContext createSSLContext(Parameters p) { try (FileInputStream in = new FileInputStream(p.keyStoreFileName)) { - HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier()); + HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier(p.disableHostVerification)); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyStore ks = KeyStore.getInstance("PKCS12"); char[] pwd = p.keyStorePassword.toCharArray(); diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java index 5b47cf5b6..d6b93f744 100644 --- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java +++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java @@ -24,6 +24,7 @@ import org.glassfish.jersey.media.sse.EventSource; import org.glassfish.jersey.media.sse.SseFeature; import org.onap.ccsdk.sli.core.sli.SvcLogicContext; import org.onap.ccsdk.sli.core.sli.SvcLogicException; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.onap.ccsdk.sli.plugins.restapicall.Parameters; import org.onap.ccsdk.sli.plugins.restapicall.RestapiCallNode; import org.onap.ccsdk.sli.plugins.restconfapicall.RestconfApiCallNode; @@ -142,7 +143,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { try { RestapiCallNode restapi = restconfApiCallNode.getRestapiCallNode(); p = RestapiCallNode.getParameters(paramMap, new Parameters()); - Client client = ignoreSslClient().register(SseFeature.class); + Client client = ignoreSslClient(p.disableHostVerification).register(SseFeature.class); target = restapi.addAuthType(client, p).target(url); } catch (SvcLogicException e) { log.error("Exception occured!", e); @@ -170,7 +171,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { // Note: Sonar complains about host name verification being // disabled here. This is necessary to handle devices using self-signed // certificates (where CA would be unknown) - so we are leaving this code as is. - private Client ignoreSslClient() { + private Client ignoreSslClient(boolean disableHostVerification) { SSLContext sslcontext = null; try { @@ -193,7 +194,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { throw new IllegalStateException(e); } - return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((s1, s2) -> true).build(); + return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new AcceptIpAddressHostNameVerifier(disableHostVerification)).build(); } } |