From d3e074c0010cce39ed4ca0071f5a78aadc8d6496 Mon Sep 17 00:00:00 2001 From: Jim Hahn Date: Tue, 30 Jun 2020 09:14:51 -0400 Subject: Fix sonar about always-trust-manager This trust manager is not secure and should be avoided. However, it is only used when the configuration explicitly says to allow self-signed certificates. Modified the code to use an apache trust manager, thus avoid the sonar complaint. Issue-ID: POLICY-2650 Change-Id: Iaf4c72689916ed5ed5e6864666f3f54b2c5e0f12 Signed-off-by: Jim Hahn --- utils/pom.xml | 5 ++++ .../policy/common/utils/network/NetworkUtil.java | 27 ++-------------------- 2 files changed, 7 insertions(+), 25 deletions(-) diff --git a/utils/pom.xml b/utils/pom.xml index 846d6871..95ea2c39 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -60,6 +60,11 @@ org.apache.commons commons-lang3 + + commons-net + commons-net + 3.6 + com.google.guava guava diff --git a/utils/src/main/java/org/onap/policy/common/utils/network/NetworkUtil.java b/utils/src/main/java/org/onap/policy/common/utils/network/NetworkUtil.java index 4b823fdc..a2fb5a8b 100644 --- a/utils/src/main/java/org/onap/policy/common/utils/network/NetworkUtil.java +++ b/utils/src/main/java/org/onap/policy/common/utils/network/NetworkUtil.java @@ -26,9 +26,8 @@ import java.net.InetSocketAddress; import java.net.ServerSocket; import java.net.Socket; import java.net.UnknownHostException; -import java.security.cert.X509Certificate; import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; +import org.apache.commons.net.util.TrustManagerUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
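Review bot: `commons-net` 3.6 is added to utils/pom.xml only so that NetworkUtil can obtain a single accept-all trust manager, which puts a whole network-protocol client library on the classpath of every consumer of this utility jar. The version is pinned inline in this module. If the parent POM has a `dependencyManagement` section (not visible in this hunk), declaring the version there would keep it in the same upgrade and vulnerability-scanning path as the other dependencies. It is also worth confirming that no other module already resolves a different `commons-net` version transitively.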
@@ -48,29 +47,7 @@ public class NetworkUtil {
 /**
 * A trust manager that always trusts certificates.
 */
- // @formatter:off
- private static final TrustManager[] ALWAYS_TRUST_MANAGER = new TrustManager[] {
- new X509TrustManager() {
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-
- @Override
- public void checkClientTrusted(final java.security.cert.X509Certificate[] certs,
- final String authType) {
- // always trust
- }
-
- @Override
- public void checkServerTrusted(final java.security.cert.X509Certificate[] certs,
- final String authType) {
- // always trust
- }
- }
- };
- // @formatter:on
+ private static final TrustManager[] ALWAYS_TRUST_MANAGER = { TrustManagerUtils.getAcceptAllTrustManager() };
 private NetworkUtil() {
 // Empty constructor
-- cgit 1.2.3-korg
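Review bot: The new initializer of `ALWAYS_TRUST_MANAGER` still accepts every certificate without validation, so the Sonar finding is silenced while the exposure to an on-path attacker stays exactly as before, and the one-line Javadoc above the field is now the only warning left. The commit message says the field is meant only for the explicit allow-self-signed setting, but the call sites are outside this hunk, so I would record that constraint on the field itself, e.g. `* Accepts ANY certificate without validation; use only when self-signed certificates are explicitly enabled in configuration, never as a default.` If trusting specific self-signed peers is the real requirement, a trust manager built from a truststore containing those certificates would keep validation on. That is a larger change than this commit.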