author | xuegao <xg353y@intl.att.com> | 2019-11-28 15:13:18 +0100 |
---|---|---|
committer | xuegao <xg353y@intl.att.com> | 2019-11-29 16:23:22 +0100 |
commit | 1ebfe6b467e5a6a42c756f225397da76f9e3dfc2 (patch) | |
tree | 29c55623caf2373cd51f71ceb80d80e513a1c330 /src/main | |
parent | 876d1a49367b4614680954913590372d773ec8ec (diff) |
Merge ssl password
Use the aaf encrypted ssl password for server.ssl parameters
Issue-ID: CLAMP-339
Change-Id: I8869bb527f2851c1d298cd03e45327791a8acfab
Signed-off-by: xuegao <xg353y@intl.att.com>
Diffstat (limited to 'src/main')
7 files changed, 215 insertions, 23 deletions
diff --git a/src/main/java/org/onap/clamp/clds/Application.java b/src/main/java/org/onap/clamp/clds/Application.java
index efc4b128..e41140f5 100644
--- a/src/main/java/org/onap/clamp/clds/Application.java
+++ b/src/main/java/org/onap/clamp/clds/Application.java
@@ -29,6 +29,7 @@ import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
@@ -39,6 +40,7 @@ import java.util.Enumeration;
 import org.apache.catalina.connector.Connector;
 import org.onap.clamp.clds.util.ClampVersioning;
 import org.onap.clamp.clds.util.ResourceFileUtil;
+import org.onap.clamp.util.PassDecoder;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.SpringApplication;
@@ -135,6 +137,8 @@ public class Application extends SpringBootServletInitializer {
 return tomcat;
 }
+
+
 private Connector createRedirectConnector(int redirectSecuredPort) {
 if (redirectSecuredPort <= 0) {
 eelfLogger.warn("HTTP port redirection to HTTPS is disabled because the HTTPS port is 0 (random port) or -1
@@ -155,10 +159,12 @@ public class Application extends SpringBootServletInitializer {
 if (env.getProperty("server.ssl.key-store") != null) {
 KeyStore keystore = KeyStore.getInstance(env.getProperty("server.ssl.key-store-type"));
- keystore.load(
- ResourceFileUtil.getResourceAsStream(
- env.getProperty("server.ssl.key-store").replaceAll("classpath:", "")),
- env.getProperty("server.ssl.key-store-password").toCharArray());
+ String password = PassDecoder.decode(env.getProperty("server.ssl.key-store-password"),
+ env.getProperty("clamp.config.keyFile"));
+ String keyStore = env.getProperty("server.ssl.key-store");
+ InputStream is = ResourceFileUtil.getResourceAsStream(keyStore.replaceAll("classpath:", ""));
+ keystore.load(is, password.toCharArray());
+ Enumeration<String> aliases = keystore.aliases();
 while (aliases.hasMoreElements()) {
 String alias = aliases.nextElement();
diff --git a/src/main/java/org/onap/clamp/clds/config/CamelConfiguration.java b/src/main/java/org/onap/clamp/clds/config/CamelConfiguration.java
index 271dc84f..949ff1eb 100644
--- a/src/main/java/org/onap/clamp/clds/config/CamelConfiguration.java
+++ b/src/main/java/org/onap/clamp/clds/config/CamelConfiguration.java
@@ -48,6 +48,7 @@ import org.apache.http.conn.ssl.SSLSocketFactory;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
 import org.onap.clamp.clds.util.ClampVersioning;
+import org.onap.clamp.util.PassDecoder;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
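Review bot: `keystore.load(is, password.toCharArray())` dereferences the result of `PassDecoder.decode`, which (per the new PassDecoder in this commit) returns null when the password property is absent or the key file cannot be read, so a misconfigured `clamp.config.keyFile` now surfaces as a NullPointerException rather than a message naming the property; the same pattern is in both CamelConfiguration hunks and in the new SslConfig. A guard before the load, `if (password == null) { throw new IllegalStateException("server.ssl.key-store-password could not be decoded"); }`, would name the cause. The `InputStream is` opened on the previous line is also never closed; `try (InputStream is = ResourceFileUtil.getResourceAsStream(keyStore.replaceAll("classpath:", ""))) { keystore.load(is, password.toCharArray()); }` releases it. The enclosing method continues outside the hunk.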
@@ -61,18 +62,24 @@ public class CamelConfiguration extends RouteBuilder {
 @Autowired
 private Environment env;
- private void configureDefaultSslProperties() {
+ private void configureDefaultSslProperties() throws IOException {
 if (env.getProperty("server.ssl.trust-store") != null) {
 URL storeResource = Thread.currentThread().getContextClassLoader()
 .getResource(env.getProperty("server.ssl.trust-store").replaceAll("classpath:", ""));
 System.setProperty("javax.net.ssl.trustStore", storeResource.getPath());
- System.setProperty("javax.net.ssl.trustStorePassword", env.getProperty("server.ssl.trust-store-password"));
+ String keyFile = env.getProperty("clamp.config.keyFile");
+ String trustStorePass = PassDecoder.decode(env.getProperty("server.ssl.trust-store-password"),
+ keyFile);
+ System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
 System.setProperty("javax.net.ssl.trustStoreType", "jks");
 System.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");
 storeResource = Thread.currentThread().getContextClassLoader()
 .getResource(env.getProperty("server.ssl.key-store").replaceAll("classpath:", ""));
 System.setProperty("javax.net.ssl.keyStore", storeResource.getPath());
- System.setProperty("javax.net.ssl.keyStorePassword", env.getProperty("server.ssl.key-store-password"));
+
+ String keyStorePass = PassDecoder.decode(env.getProperty("server.ssl.key-store-password"),
+ keyFile);
+ System.setProperty("javax.net.ssl.keyStorePassword", keyStorePass);
 System.setProperty("javax.net.ssl.keyStoreType", env.getProperty("server.ssl.key-store-type"));
 }
 }
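Review bot: `private void configureDefaultSslProperties() throws IOException` declares an exception nothing in the body can raise: `PassDecoder.decode` catches its own IOException and returns null, and the `System.setProperty`/`getResource` calls do not throw it, so the clause only forces callers (outside this hunk) to handle a checked exception that never occurs; drop it unless a caller not visible here relies on it. Separately, the decoded values are published JVM-wide through `System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass)` and `System.setProperty("javax.net.ssl.keyStorePassword", keyStorePass)`, so the encryption protects the properties file at rest but not the running process, where any code or diagnostic that dumps system properties reads them in clear. A comment on the method stating that limitation, e.g. `// Decoded store passwords are exposed process-wide via system properties; encryption only protects the config file at rest`, would keep the next maintainer from over-estimating what `enc:` buys.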
@@ -81,10 +88,12 @@ public class CamelConfiguration extends RouteBuilder {
 throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException, CertificateException, IOException {
 if (env.getProperty("server.ssl.trust-store") != null) {
 KeyStore truststore = KeyStore.getInstance("JKS");
+ String keyFile = env.getProperty("clamp.config.keyFile");
+ String password = PassDecoder.decode(env.getProperty("server.ssl.trust-store-password"), keyFile);
 truststore.load(
 Thread.currentThread().getContextClassLoader()
 .getResourceAsStream(env.getProperty("server.ssl.trust-store").replaceAll("classpath:", "")),
- env.getProperty("server.ssl.trust-store-password").toCharArray());
+ password.toCharArray());
 TrustManagerFactory trustFactory = TrustManagerFactory.getInstance("PKIX");
 trustFactory.init(truststore);
diff --git a/src/main/java/org/onap/clamp/clds/config/SslConfig.java b/src/main/java/org/onap/clamp/clds/config/SslConfig.java
new file mode 100644
index 00000000..7c7433e9
--- /dev/null
+++ b/src/main/java/org/onap/clamp/clds/config/SslConfig.java
@@ -0,0 +1,97 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ *
+ */
+
+package org.onap.clamp.clds.config;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+import org.onap.clamp.clds.util.ResourceFileUtil;
+import org.onap.clamp.util.PassDecoder;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.server.Ssl;
+import org.springframework.boot.web.server.SslStoreProvider;
+import org.springframework.boot.web.server.WebServerFactoryCustomizer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.core.env.Environment;
+import org.springframework.core.io.ResourceLoader;
+
+@Configuration
+@Profile("clamp-ssl-config")
+public class SslConfig {
+ @Autowired
+ private Environment env;
+
+ @Bean
+ WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer(ServerProperties serverProperties,
+ ResourceLoader resourceLoader) {
+ return (tomcat) -> tomcat.setSslStoreProvider(new SslStoreProvider() {
+ @Override
+ public KeyStore getKeyStore() throws KeyStoreException,
+ NoSuchAlgorithmException, CertificateException, IOException {
+ KeyStore keystore = KeyStore.getInstance(env.getProperty("server.ssl.key-store-type"));
+ String password = PassDecoder.decode(env.getProperty("server.ssl.key-store-password"),
+ env.getProperty("clamp.config.keyFile"));
+ String keyStore = env.getProperty("server.ssl.key-store");
+ InputStream is = ResourceFileUtil.getResourceAsStream(keyStore.replaceAll("classpath:", ""));
+ keystore.load(is, password.toCharArray());
+ return keystore;
+ }
+
+ @Override
+ public KeyStore getTrustStore() throws KeyStoreException,
+ NoSuchAlgorithmException, CertificateException, IOException {
+ KeyStore truststore = KeyStore.getInstance("JKS");
+ String password = PassDecoder.decode(env.getProperty("server.ssl.trust-store-password"),
+ env.getProperty("clamp.config.keyFile"));
+ truststore.load(
+ Thread.currentThread().getContextClassLoader()
+ .getResourceAsStream(env.getProperty("server.ssl.trust-store")
+ .replaceAll("classpath:", "")),
+ password.toCharArray());
+ return truststore;
+ }
+ });
+ }
+
+ @Bean
+ WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatSslCustomizer(ServerProperties serverProperties,
+ ResourceLoader resourceLoader) {
+ return (tomcat) -> tomcat.setSsl(new Ssl() {
+ @Override
+ public String getKeyPassword() {
+ String password = PassDecoder.decode(env.getProperty("server.ssl.key-password"),
+ env.getProperty("clamp.config.keyFile"));
+ return password;
+ }
+ });
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/org/onap/clamp/clds/filter/ClampCadiFilter.java b/src/main/java/org/onap/clamp/clds/filter/ClampCadiFilter.java
index 68544de6..9e04bd08 100644
--- a/src/main/java/org/onap/clamp/clds/filter/ClampCadiFilter.java
+++ b/src/main/java/org/onap/clamp/clds/filter/ClampCadiFilter.java
@@ -60,19 +60,19 @@ public class ClampCadiFilter extends CadiFilter {
 @Value("${server.ssl.key-store:#{null}}")
 private String keyStore;
- @Value("${clamp.config.cadi.cadiKeystorePassword:#{null}}")
+ @Value("${server.ssl.key-store-password:#{null}}")
 private String keyStorePass;
 @Value("${server.ssl.trust-store:#{null}}")
 private String trustStore;
- @Value("${clamp.config.cadi.cadiTruststorePassword:#{null}}")
+ @Value("${server.ssl.trust-store-password:#{null}}")
 private String trustStorePass;
 @Value("${server.ssl.key-alias:clamp@clamp.onap.org}")
 private String alias;
- @Value("${clamp.config.cadi.keyFile:#{null}}")
+ @Value("${clamp.config.keyFile:#{null}}")
 private String keyFile;
 @Value("${clamp.config.cadi.cadiLoglevel:#{null}}")
@@ -152,7 +152,8 @@ public class ClampCadiFilter extends CadiFilter {
 .generateCertificate(new ByteArrayInputStream(
 URLDecoder.decode(certHeader, StandardCharsets.UTF_8.toString()).getBytes()));
 X509Certificate caCert = (X509Certificate) certificateFactory
- .generateCertificate(new ByteArrayInputStream(ResourceFileUtil.getResourceAsString("clds/aaf/ssl/ca-certs.pem").getBytes()));
+ .generateCertificate(new ByteArrayInputStream(
+ ResourceFileUtil.getResourceAsString("clds/aaf/ssl/ca-certs.pem").getBytes()));
 X509Certificate[] certifArray = ((X509Certificate[]) request
 .getAttribute("javax.servlet.request.X509Certificate"));
diff --git a/src/main/java/org/onap/clamp/util/PassDecoder.java b/src/main/java/org/onap/clamp/util/PassDecoder.java
new file mode 100644
index 00000000..70a47477
--- /dev/null
+++ b/src/main/java/org/onap/clamp/util/PassDecoder.java
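Review bot: `tomcat.setSsl(new Ssl() { ... })` in tomcatSslCustomizer replaces whatever Ssl object the factory already holds with a fresh default instance that overrides only getKeyPassword, so the other `server.ssl.*` settings (key alias, client-auth=want, store type) appear to be discarded unless Boot applies ServerProperties after this customizer; the unused `serverProperties` parameter is the natural source to keep them: `Ssl ssl = serverProperties.getSsl();` / `ssl.setKeyPassword(PassDecoder.decode(env.getProperty("server.ssl.key-password"), env.getProperty("clamp.config.keyFile")));` / `tomcat.setSsl(ssl);`. In getKeyStore the `InputStream is` is never closed; `try (InputStream is = ResourceFileUtil.getResourceAsStream(keyStore.replaceAll("classpath:", ""))) { keystore.load(is, password.toCharArray()); }` fixes that, and the inline getResourceAsStream handed to truststore.load has the same problem. `resourceLoader` is unused in both beans and could be dropped from the signatures.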
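Review bot: the @Value keys for keyStorePass, trustStorePass and keyFile are switched from `clamp.config.cadi.*` to `server.ssl.*` / `clamp.config.keyFile` with a `#{null}` default and no fallback, so a deployment whose external properties still set the old keys (the commit removes them only from the bundled application.properties) now injects null into the filter. A nested default keeps both working during the transition, e.g. `@Value("${server.ssl.key-store-password:${clamp.config.cadi.cadiKeystorePassword:#{null}}}")`, and likewise for the trust-store password and the key file. The rest of the filter, including how these values reach CADI, is outside the hunk.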
@@ -0,0 +1,74 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ */
+
+package org.onap.clamp.util;
+
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import org.onap.aaf.cadi.Symm;
+import org.onap.clamp.clds.util.ResourceFileUtil;
+
+/**
+ * PassDecoder for decrypting the truststore and keystore password.
+ */
+public class PassDecoder {
+ /**
+ * Used to log PassDecoder class.
+ */
+ private static final EELFLogger logger = EELFManager.getInstance().getLogger(PassDecoder.class);
+
+ /**
+ * Decode the password.
+ * @param encryptedPass The encrypted password
+ * @param keyFileIs The key file in InputStream format
+ */
+ public static String decode(String encryptedPass, String keyFile) {
+ if (null == keyFile) {
+ logger.debug("Key file is not defined, thus password will not be decrypted");
+ return encryptedPass;
+ }
+ if (null == encryptedPass) {
+ logger.error("Encrypted password is not defined");
+ return null;
+ }
+ try {
+ InputStream is;
+ if (keyFile.contains("classpath:")) {
+ is = ResourceFileUtil.getResourceAsStream(keyFile.replaceAll("classpath:", ""));
+ } else {
+ File key = new File(keyFile);
+ is = new FileInputStream(key);
+ }
+ Symm symm = Symm.obtain(is);
+
+ return symm.depass(encryptedPass);
+ } catch (IOException e) {
+ logger.error("Exception occurred during the key decryption", e);
+ return null;
+ }
+ }
+}
diff --git a/src/main/resources/application-noaaf.properties b/src/main/resources/application-noaaf.properties
index 79466c89..d389b211 100644
--- a/src/main/resources/application-noaaf.properties
+++ b/src/main/resources/application-noaaf.properties
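Review bot: the Javadoc on decode does not match its signature: the second parameter is `String keyFile` (a classpath: resource or a file-system path, per the body) but it is documented as `@param keyFileIs The key file in InputStream format`, and there is no `@return`; change it to `@param keyFile Location of the key file, either a classpath: resource or a file-system path` and add `@return the decrypted password, the input unchanged when keyFile is null, or null when decryption fails`. The stream assigned to `is` (a FileInputStream in the file branch) is never closed unless Symm.obtain closes it internally, which the page does not show; a try-with-resources covers both branches. When keyFile is null the encrypted value is returned as-is with only a debug log, so an `enc:`-prefixed value then reaches the keystore as a literal password and fails later with a less specific error; logging that case at warn would make it findable.
```java
    public static String decode(String encryptedPass, String keyFile) {
        // … unchanged: null checks on keyFile and encryptedPass …
        try (InputStream is = keyFile.contains("classpath:")
                ? ResourceFileUtil.getResourceAsStream(keyFile.replaceAll("classpath:", ""))
                : new FileInputStream(new File(keyFile))) {
            return Symm.obtain(is).depass(encryptedPass);
        } catch (IOException e) {
            logger.error("Exception occurred during the key decryption", e);
            return null;
        }
    }
```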
@@ -55,21 +55,25 @@ server.port=8443
 ## Config part for Server certificates
 # Can be a classpath parameter instead of file:/
 server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
-server.ssl.key-store-password=China in the Spring
-server.ssl.key-password=China in the Spring
+server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
+server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
 server.ssl.key-alias=clamp@clamp.onap.org
 ## Config part for Client certificates
 server.ssl.client-auth=want
 server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
-server.ssl.trust-store-password=changeit
+server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
+
+# The key file used to decode the key store and trust store password
+# If not defined, the key store and trust store password will not be decrypted
+clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
 #server.http-to-https-redirection.port=8080
 server.servlet.context-path=/
 #Modified engine-rest applicationpath
-spring.profiles.active=clamp-default,clamp-default-user,clamp-sdc-controller-new
+spring.profiles.active=clamp-default,clamp-default-user,clamp-sdc-controller-new,clamp-ssl-config
 spring.http.converters.preferred-json-mapper=gson
 #The max number of active threads in this pool
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 3ac6fa25..b97d6436 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
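Review bot: the new `clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile` points at a key file packaged on the same classpath as the `enc:` values it decrypts, so anyone holding the artifact can recover the keystore and truststore passwords; the added comment should say that this protects the properties file from casual reading only. Since PassDecoder in this commit also accepts a plain file-system path, the comment could read `# In production supply the key file from outside the artifact (file-system path); with key file and passwords in the same jar the values are only obfuscated`. The same applies to the application.properties hunk below.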
@@ -60,21 +60,25 @@ server.port=8443
 ## Config part for Server certificates
 # Can be a classpath parameter instead of file:/
 server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
-server.ssl.key-store-password=China in the Spring
-server.ssl.key-password=China in the Spring
+server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
+server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
 server.ssl.key-alias=clamp@clamp.onap.org
+# The key file used to decode the key store and trust store password
+# If not defined, the key store and trust store password will not be decrypted
+clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
+
 ## Config part for Client certificates
 server.ssl.client-auth=want
 server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
-server.ssl.trust-store-password=changeit
+server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
 #server.http-to-https-redirection.port=8080
 server.servlet.context-path=/
 #Modified engine-rest applicationpath
-spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new
+spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config
 spring.http.converters.preferred-json-mapper=gson
 #The max number of active threads in this pool
@@ -240,13 +244,10 @@ clamp.config.security.permission.instance=dev
 clamp.config.security.authentication.class=org.onap.aaf.cadi.principal.X509Principal
 #AAF related parameters
-clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
 clamp.config.cadi.cadiLoglevel=DEBUG
 clamp.config.cadi.cadiLatitude=10
 clamp.config.cadi.cadiLongitude=10
 clamp.config.cadi.aafLocateUrl=https://aaf-locate:8095
-clamp.config.cadi.cadiKeystorePassword=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
-clamp.config.cadi.cadiTruststorePassword=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
 clamp.config.cadi.oauthTokenUrl= https://AAF_LOCATE_URL/locate/onap.org.osaaf.aaf.token:2.1/token
 clamp.config.cadi.oauthIntrospectUrll=https://AAF_LOCATE_URL/locate/onap.org.osaaf.aaf.introspect:2.1/introspect
 clamp.config.cadi.aafEnv=DEV |