From e8c3685742892482c0a5492e16d61e1f417119d2 Mon Sep 17 00:00:00 2001 From: Abhishek Bajaj Date: Thu, 11 Mar 2021 18:34:35 +0530 Subject: security blocker in restconf collector Issue-ID: DCAEGEN2-2518 Signed-off-by: Abhishek Bajaj Change-Id: Id216e79c2bb616372f08201cf9e08f3caf003006 --- .../java/org/onap/dcae/common/RestapiCallNode.java | 86 ++++++++++++++++--- .../dcae/controller/PersistentEventConnection.java | 96 +++++++++++++++++----- 2 files changed, 150 insertions(+), 32 deletions(-) (limited to 'src') diff --git a/src/main/java/org/onap/dcae/common/RestapiCallNode.java b/src/main/java/org/onap/dcae/common/RestapiCallNode.java index 387fa98..4152db9 100755 --- a/src/main/java/org/onap/dcae/common/RestapiCallNode.java +++ b/src/main/java/org/onap/dcae/common/RestapiCallNode.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * org.onap.dcaegen2.collectors.restconf * ================================================================================ - * Copyright (C) 2018-2019 Huawei. All rights reserved. + * Copyright (C) 2018-2021 Huawei. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,6 +43,7 @@ import java.net.SocketException; import java.nio.file.Files; import java.nio.file.Paths; import java.security.KeyStore; +import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.*; @@ -325,14 +326,21 @@ public class RestapiCallNode { ssl = createSSLContext(p); } if (ssl != null) { - HostnameVerifier hostnameVerifier = (hostname, session) -> true; - + // HostnameVerifier hostnameVerifier = (hostname, session) -> true; + HostnameVerifier hostnameVerifier = new HostnameVerifier() { + @Override + public boolean verify(String hostname,SSLSession session) { + HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier(); + return hv.verify(hostname, session); + } + }; + config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hostnameVerifier, ssl)); } } else { - /* Create a trust manager that does not validate certificate chains */ + /* Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; @@ -344,20 +352,70 @@ public class RestapiCallNode { } }; - /* Install the all-trusting trust manager */ + Install the all-trusting trust manager SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); - /* Create all-trusting host name verifier */ + Create all-trusting host name verifier HostnameVerifier allHostsValid = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; - /* Install the all-trusting host verifier*/ - HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid); + Install the all-trusting host verifier + HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);*/ + + TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + + //Using null here initialises the tmf with default trust store + tmf.init((KeyStore)null); + + //Get hold of default trust manager + X509TrustManager x509Tm = null; + for(TrustManager tm: tmf.getTrustManagers()) + { + if(tm instanceof X509TrustManager) { + x509Tm = (X509TrustManager) tm; + break; + } + } + + //Wrap it in your own class + final X509TrustManager finalTm = x509Tm; + X509TrustManager customTm = new X509TrustManager() { + + @Override + public X509Certificate[] getAcceptedIssuers() { + return finalTm.getAcceptedIssuers(); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { + finalTm.checkServerTrusted(chain, authType); + + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + finalTm.checkClientTrusted(chain, authType); + + }}; + + SSLContext sc = SSLContext.getInstance("TLS"); + sc.init(null,new TrustManager[]{customTm},new java.security.SecureRandom()); + HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + + HostnameVerifier hostnameverifier = new HostnameVerifier() { + @Override + public boolean verify(String hostname, SSLSession session) { + HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier(); + return hv.verify(hostname, session); + + }}; + + HttpsURLConnection.setDefaultHostnameVerifier(hostnameverifier); } logProperties(config.getProperties()); @@ -448,8 +506,16 @@ public class RestapiCallNode { System.setProperty("javax.net.ssl.trustStore", p.trustStoreFileName); System.setProperty("javax.net.ssl.trustStorePassword", p.trustStorePassword); - HttpsURLConnection.setDefaultHostnameVerifier((string, ssls) -> true); - + // HttpsURLConnection.setDefaultHostnameVerifier((string, ssls) -> true); + HostnameVerifier hostnameVerifier = new HostnameVerifier() { + @Override + public boolean verify(String hostname,SSLSession session) { + HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier(); + return hv.verify(hostname, session); + } + }; + HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); + KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyStore ks = KeyStore.getInstance("PKCS12"); char[] pwd = p.keyStorePassword.toCharArray(); diff --git a/src/main/java/org/onap/dcae/controller/PersistentEventConnection.java b/src/main/java/org/onap/dcae/controller/PersistentEventConnection.java index 7434fc2..3b16360 100644 --- a/src/main/java/org/onap/dcae/controller/PersistentEventConnection.java +++ b/src/main/java/org/onap/dcae/controller/PersistentEventConnection.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * org.onap.dcaegen2.collectors.restconf * ================================================================================ - * Copyright (C) 2018-2019 Huawei. All rights reserved. + * Copyright (C) 2018-2021 Huawei. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,14 +31,19 @@ import org.onap.dcae.common.*; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; import javax.ws.rs.client.WebTarget; import javax.ws.rs.core.HttpHeaders; import java.security.KeyManagementException; +import java.security.KeyStore; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -260,7 +265,7 @@ public class PersistentEventConnection implements Runnable { log.info("SSE received url " + event_sseventsUrl); } - private EventSource OpenSseConnection() { + private EventSource OpenSseConnection() throws Exception { Parameters p = null; try { @@ -293,30 +298,77 @@ public class PersistentEventConnection implements Runnable { userName + ":" + password).getBytes()); } - private Client ignoreSslClient() { - SSLContext sslcontext = null; + private Client ignoreSslClient() throws Exception { + /* + * SSLContext sslcontext = null; + * + * try { sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(null, new + * TrustManager[]{new X509TrustManager() { + * + * @Override public void checkClientTrusted(X509Certificate[] arg0, String arg1) + * throws CertificateException { } + * + * @Override public void checkServerTrusted(X509Certificate[] arg0, String arg1) + * throws CertificateException { } + * + * @Override public X509Certificate[] getAcceptedIssuers() { return new + * X509Certificate[0]; } }}, new java.security.SecureRandom()); } catch + * (NoSuchAlgorithmException | KeyManagementException e) { throw new + * IllegalStateException(e); } + * + * return + * ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((s1, s2) + * -> true).build(); + */ + TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + + //Using null here initialises the tmf with default trust store + tmf.init((KeyStore)null); + + //Get hold of default trust manager + X509TrustManager x509Tm = null; + for(TrustManager tm: tmf.getTrustManagers()) + { + if(tm instanceof X509TrustManager) { + x509Tm = (X509TrustManager) tm; + break; + } + } + + //Wrap it in your own class + final X509TrustManager finalTm = x509Tm; + X509TrustManager customTm = new X509TrustManager() { + + @Override + public X509Certificate[] getAcceptedIssuers() { + return finalTm.getAcceptedIssuers(); + } - try { - sslcontext = SSLContext.getInstance("TLS"); - sslcontext.init(null, new TrustManager[]{new X509TrustManager() { - @Override - public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { - } + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { + finalTm.checkServerTrusted(chain, authType); - @Override - public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { - } + } - @Override - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[0]; - } - }}, new java.security.SecureRandom()); - } catch (NoSuchAlgorithmException | KeyManagementException e) { - throw new IllegalStateException(e); - } + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + finalTm.checkClientTrusted(chain, authType); + + }}; + + SSLContext sc = SSLContext.getInstance("TLS"); + sc.init(null,new TrustManager[]{customTm},new java.security.SecureRandom()); + HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); - return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((s1, s2) -> true).build(); + HostnameVerifier hostnameverifier = new HostnameVerifier() { + @Override + public boolean verify(String hostname, SSLSession session) { + HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier(); + return hv.verify(hostname, session); + + }}; + + return ClientBuilder.newBuilder().sslContext(sc).hostnameVerifier(hostnameverifier).build(); } public String getEventRuleId() { -- cgit 1.2.3-korg