authorxuegao <xue.gao@intl.att.com>2021-03-30 13:35:13 +0200
committerVasyl Razinkov <vasyl.razinkov@est.tech>2021-04-02 11:39:43 +0000
commit24494466f8756d654a023b38f5ad73ec0ec2d603 (patch)
treebb9c2a7b4a215d3428dfe6080474db1139d3c45f
parent69139f69742e4738f53d45b66a5051dd63a790b8 (diff)
Fix weak-cryptography issues
Fix the weak-cryptography issues identified in sonarcloud. Issue-ID: SDC-3495 Change-Id: I0e65c9ad2fa2dda1ffc2c527cc220b9de7a6f217 Signed-off-by: xuegao <xue.gao@intl.att.com>
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java68
1 files changed, 55 insertions, 13 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
index 88ee6fa43d..17ee57001e 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java
@@ -23,7 +23,10 @@ import static org.openecomp.core.utilities.file.FileUtils.getNetworkPackageName;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
@@ -31,6 +34,7 @@ import java.util.Optional;
import javax.inject.Named;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
@@ -73,29 +77,67 @@ import org.springframework.stereotype.Service;
public class VnfPackageRepositoryImpl implements VnfPackageRepository {
private static final Logger LOGGER = LoggerFactory.getLogger(VnfPackageRepositoryImpl.class);
- private static final Client CLIENT = ignoreSSLClient();
+ private static final Client CLIENT = trustSSLClient();
- private static Client ignoreSSLClient() {
+ private static Client trustSSLClient() {
try {
SSLContext sslcontext = SSLContext.getInstance("TLS");
- sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
- public void checkClientTrusted(X509Certificate[] c, String s) {
- }
-
- public void checkServerTrusted(X509Certificate[] c, String s) {
- }
+ sslcontext.init(null, new TrustManager[]{new MyTrustManager()}, new java.security.SecureRandom());
+ return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((requestedHost, remoteServerSession)
+ -> requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost())).build();
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
- }}, new java.security.SecureRandom());
- return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((a, b) -> true).build();
} catch (NoSuchAlgorithmException | KeyManagementException e) {
LOGGER.error("Failed to initialize SSL unsecure context", e);
}
return ClientBuilder.newClient();
}
+ private static class MyTrustManager implements X509TrustManager {
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ private MyTrustManager() throws NoSuchAlgorithmException {
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[] {};
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
+ X509TrustManager x509Tm = getDefaultTrustManager(tmf);
+ if(x509Tm == null) {
+ throw new CertificateException("No X509TrustManager found");
+ }
+ x509Tm.checkServerTrusted(certs, authType);
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
+ X509TrustManager x509Tm = getDefaultTrustManager(tmf);
+ if(x509Tm == null) {
+ throw new CertificateException("No X509TrustManager found");
+ }
+ x509Tm.checkClientTrusted(certs, authType);
+ }
+
+ private X509TrustManager getDefaultTrustManager(TrustManagerFactory tmf) {
+ try {
+ tmf.init((KeyStore)null);
+ } catch (KeyStoreException e) {
+ throw new IllegalStateException(e);
+ }
+ X509TrustManager x509Tm = null;
+ for(TrustManager tm: tmf.getTrustManagers())
+ {
+ if(tm instanceof X509TrustManager) {
+ x509Tm = (X509TrustManager) tm;
+ break;
+ }
+ }
+ return x509Tm;
+ }
+ }
+
private final Configuration config;
public VnfPackageRepositoryImpl(Configuration config) {
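Review bot: The new `hostnameVerifier(...)` lambda in `trustSSLClient()` still does not tie the certificate to the requested host: `SSLSession.getPeerHost()` returns the host name the client connected to, not a name taken from the peer's certificate, so `requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost())` is effectively always true and, unless the underlying JAX-RS implementation enables endpoint identification on its own, a CA-signed certificate for any host would be accepted. Use the JSSE default instead, `.hostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier())` (import `javax.net.ssl.HttpsURLConnection`), or drop the `hostnameVerifier` call entirely so the client keeps its default verification. Two smaller points in `MyTrustManager`: `getAcceptedIssuers()` returns an empty array instead of delegating to the resolved default manager, and `getDefaultTrustManager` re-initialises `tmf` on every `checkServerTrusted`/`checkClientTrusted` call, so resolving the delegate once in the constructor into a `private final X509TrustManager` and forwarding all three methods to it would remove both issues. The log message `"Failed to initialize SSL unsecure context"` no longer describes what is being built and should say something like `"Failed to initialize SSL context with default trust store"`. The class body continues outside the hunk.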