author | xuegao <xue.gao@intl.att.com> | 2021-04-09 08:48:47 +0200 |
committer | Christophe Closset <christophe.closset@intl.att.com> | 2021-04-12 08:37:47 +0000 |
commit | 45e2f0ae4c14ee24e696717c9d150a2ff0bdc872 (patch) | |
tree | 1cfd6c63051730d0653e926709735d383adeab14 | |
parent | 6035b0849ea1394345d86a63bb68851a8930c4ae (diff) |
Fix weak-cryptography issues
Load our own truststore/keystore instead of the default one.
Issue-ID: SDC-3495
Change-Id: I0ecd764d5198480a065fd38299cc9ff9da66af29
Signed-off-by: xuegao <xue.gao@intl.att.com>
-rw-r--r-- | catalog-fe/pom.xml | 6 | ||||
-rw-r--r-- | catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java | 2 | ||||
-rw-r--r-- | common/onap-common-configuration-management/onap-configuration-management-api/pom.xml | 13 | ||||
-rw-r--r-- | common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java (renamed from catalog-fe/src/main/java/org/openecomp/sdc/fe/utils/JettySSLUtils.java) | 4 | ||||
-rw-r--r-- | openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java | 62 |
5 files changed, 27 insertions, 60 deletions
diff --git a/catalog-fe/pom.xml b/catalog-fe/pom.xml
index bde5a8b4bf..3591a51bc2 100644
--- a/catalog-fe/pom.xml
+++ b/catalog-fe/pom.xml
@@ -26,7 +26,11 @@
 <version>${functionaljava.version}</version>
 <scope>compile</scope>
 </dependency>
-
+ <dependency>
+ <groupId>org.onap.sdc.common</groupId>
+ <artifactId>onap-configuration-management-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
 <dependency>
 <groupId>org.openecomp.sdc</groupId>
 <artifactId>common-app-api</artifactId>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
index 080ab6809a..e1b4572a05 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
@@ -36,12 +36,12 @@ import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.onap.config.api.JettySSLUtils;
 import org.openecomp.sdc.common.log.wrappers.Logger;
 import org.openecomp.sdc.exception.InvalidArgumentException;
 import org.openecomp.sdc.fe.config.ConfigurationManager;
 import org.openecomp.sdc.fe.config.PluginsConfiguration;
 import org.openecomp.sdc.fe.config.PluginsConfiguration.Plugin;
-import org.openecomp.sdc.fe.utils.JettySSLUtils;
 public class PluginStatusBL {
diff --git a/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml b/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
index 7dcf1958cf..58d645785a 100644
--- a/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
+++ b/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
@@ -12,4 +12,17 @@
 <groupId>org.onap.sdc.common</groupId>
 <version>1.9.0-SNAPSHOT</version>
 </parent>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpclient</artifactId>
+ <version>${httpclient.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ <version>${httpcore.version}</version>
+ </dependency>
+ </dependencies>
 </project>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/utils/JettySSLUtils.java b/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
index a9badde06b..44280cf105 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/utils/JettySSLUtils.java
+++ b/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
@@ -17,7 +17,7 @@
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */
-package org.openecomp.sdc.fe.utils;
+package org.onap.config.api;
 import java.io.File;
 import java.io.FileInputStream;
@@ -45,7 +45,7 @@ public class JettySSLUtils {
 }
 public static SSLContext getSslContext() throws GeneralSecurityException, IOException {
- JettySSLUtils.JettySslConfig sslProperties = JettySSLUtils.getSSLConfig();
+ JettySslConfig sslProperties = JettySSLUtils.getSSLConfig();
 KeyStore trustStore = KeyStore.getInstance(sslProperties.getTruststoreType());
 try (FileInputStream instream = new FileInputStream(new File(sslProperties.getTruststorePath()));) {
 trustStore.load(instream, (sslProperties.getTruststorePass()).toCharArray());
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
index 17ee57001e..5bfd29affa 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
@@ -20,26 +20,22 @@ import static javax.ws.rs.core.HttpHeaders.CONTENT_DISPOSITION;
 import static org.openecomp.core.utilities.file.FileUtils.getFileExtension;
 import static org.openecomp.core.utilities.file.FileUtils.getNetworkPackageName;
+import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
 import javax.inject.Named;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
 import javax.ws.rs.client.Client;
 import javax.ws.rs.client.ClientBuilder;
 import javax.ws.rs.core.Response;
 import org.onap.config.api.ConfigurationManager;
+import org.onap.config.api.JettySSLUtils;
 import org.openecomp.core.utilities.orchestration.OnboardingTypesEnum;
 import org.openecomp.sdc.common.errors.CoreException;
 import org.openecomp.sdc.common.errors.ErrorCode;
@@ -81,62 +77,16 @@ public class VnfPackageRepositoryImpl implements VnfPackageRepository {
 private static Client trustSSLClient() {
 try {
- SSLContext sslcontext = SSLContext.getInstance("TLS");
- sslcontext.init(null, new TrustManager[]{new MyTrustManager()}, new java.security.SecureRandom());
+ SSLContext sslcontext = JettySSLUtils.getSslContext();
 return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((requestedHost, remoteServerSession) -> requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost())).build();
- } catch (NoSuchAlgorithmException | KeyManagementException e) {
- LOGGER.error("Failed to initialize SSL unsecure context", e);
+ } catch (IOException | GeneralSecurityException e) {
+ LOGGER.error("Failed to initialize SSL context", e);
 }
 return ClientBuilder.newClient();
 }
- private static class MyTrustManager implements X509TrustManager {
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- private MyTrustManager() throws NoSuchAlgorithmException {
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[] {};
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
- X509TrustManager x509Tm = getDefaultTrustManager(tmf);
- if(x509Tm == null) {
- throw new CertificateException("No X509TrustManager found");
- }
- x509Tm.checkServerTrusted(certs, authType);
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
- X509TrustManager x509Tm = getDefaultTrustManager(tmf);
- if(x509Tm == null) {
- throw new CertificateException("No X509TrustManager found");
- }
- x509Tm.checkClientTrusted(certs, authType);
- }
-
- private X509TrustManager getDefaultTrustManager(TrustManagerFactory tmf) {
- try {
- tmf.init((KeyStore)null);
- } catch (KeyStoreException e) {
- throw new IllegalStateException(e);
- }
-
X509TrustManager x509Tm = null;
- for(TrustManager tm: tmf.getTrustManagers())
- {
- if(tm instanceof X509TrustManager) {
- x509Tm = (X509TrustManager) tm;
- break;
- }
- }
- return x509Tm;
- }
- }
 private final Configuration config;
|
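Review bot: The hostname verifier kept on the `return ClientBuilder.newBuilder()...` context line compares the requested host with `SSLSession.getPeerHost()`, which is the name the connection was opened to rather than anything taken from the server certificate (the JDK documents that value as not authenticated), so it does not bind the presented certificate to the host even though the surrounding change is about strengthening the TLS setup. Unless there is a reason for a custom verifier that is not visible here, dropping it and relying on the default one would be the simpler fix: `return ClientBuilder.newBuilder().sslContext(sslcontext).build();`. The `return ClientBuilder.newClient();` after the catch block also hands back a client on the JVM default context whenever the configured truststore cannot be loaded, which seems to contradict the commit's stated intent of not using the default one; logging and rethrowing as an unchecked exception would make that misconfiguration visible instead of silently degrading. The enclosing class continues outside the hunk.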