From afb648cbb6e69725f5f0857f5429cf710c8a0243 Mon Sep 17 00:00:00 2001 From: Dan Timoney Date: Tue, 20 Jul 2021 16:29:15 -0400 Subject: Fix weak crypto issue in restconf adaptor Added new capability to disable host name verification on a per-connection basis in restapi-call-node and restconf adaptors, and use custom hostname verifier to handle IP addresses and localhost as exception cases. Issue-ID: CCSDK-3196 Signed-off-by: Dan Timoney Change-Id: I379f3b5093b5ff46433a33821127670747e8efa6 --- .../java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java | 1 + .../org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java | 3 ++- .../ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java | 7 ++++--- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java index 9b542af91..6e84a9c02 100755 --- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java +++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java @@ -53,4 +53,5 @@ public class Parameters { public boolean multipartFormData; public String multipartFile; public String targetEntity; + public boolean disableHostVerification; } diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java index f1aa2b266..e3192562d 100755 --- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java +++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java @@ -238,6 +238,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin { p.multipartFormData = valueOf(parseParam(paramMap, "multipartFormData", false, "false")); p.multipartFile = parseParam(paramMap, "multipartFile", false, null); p.targetEntity = parseParam(paramMap, "targetEntity", false, null); + p.disableHostVerification = valueOf(parseParam(paramMap, "disableHostVerification", false, "true")); return p; } @@ -925,7 +926,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin { protected SSLContext createSSLContext(Parameters p) { try (FileInputStream in = new FileInputStream(p.keyStoreFileName)) { - HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier()); + HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier(p.disableHostVerification)); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyStore ks = KeyStore.getInstance("PKCS12"); char[] pwd = p.keyStorePassword.toCharArray(); diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java index 5b47cf5b6..d6b93f744 100644 --- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java +++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java @@ -24,6 +24,7 @@ import org.glassfish.jersey.media.sse.EventSource; import org.glassfish.jersey.media.sse.SseFeature; import org.onap.ccsdk.sli.core.sli.SvcLogicContext; import org.onap.ccsdk.sli.core.sli.SvcLogicException; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.onap.ccsdk.sli.plugins.restapicall.Parameters; import org.onap.ccsdk.sli.plugins.restapicall.RestapiCallNode; import org.onap.ccsdk.sli.plugins.restconfapicall.RestconfApiCallNode; @@ -142,7 +143,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { try { RestapiCallNode restapi = restconfApiCallNode.getRestapiCallNode(); p = RestapiCallNode.getParameters(paramMap, new Parameters()); - Client client = ignoreSslClient().register(SseFeature.class); + Client client = ignoreSslClient(p.disableHostVerification).register(SseFeature.class); target = restapi.addAuthType(client, p).target(url); } catch (SvcLogicException e) { log.error("Exception occured!", e); @@ -170,7 +171,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { // Note: Sonar complains about host name verification being // disabled here. This is necessary to handle devices using self-signed // certificates (where CA would be unknown) - so we are leaving this code as is. - private Client ignoreSslClient() { + private Client ignoreSslClient(boolean disableHostVerification) { SSLContext sslcontext = null; try { @@ -193,7 +194,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { throw new IllegalStateException(e); } - return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((s1, s2) -> true).build(); + return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new AcceptIpAddressHostNameVerifier(disableHostVerification)).build(); } } -- cgit 1.2.3-korg