Fix weak-cryptography issues

Load the truststore/keystore of our own instead of using the default one. Issue-ID: SDC-3495 Change-Id: I0ecd764d5198480a065fd38299cc9ff9da66af29 Signed-off-by: xuegao <xue.gao@intl.att.com>
author: xuegao <xue.gao@intl.att.com> 2021-04-09 08:48:47 +0200
committer: Christophe Closset <christophe.closset@intl.att.com> 2021-04-12 08:37:47 +0000
commit: 45e2f0ae4c14ee24e696717c9d150a2ff0bdc872 (patch)
tree: 1cfd6c63051730d0653e926709735d383adeab14 /common
parent: 6035b0849ea1394345d86a63bb68851a8930c4ae (diff)
2 files changed, 130 insertions, 0 deletions
diff --git a/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml b/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
index 7dcf1958cf..58d645785a 100644
--- a/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
+++ b/common/onap-common-configuration-management/onap-configuration-management-api/pom.xml
@@ -12,4 +12,17 @@
     <groupId>org.onap.sdc.common</groupId>
     <version>1.9.0-SNAPSHOT</version>
   </parent>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>${httpclient.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpcore</artifactId>
+      <version>${httpcore.version}</version>
+    </dependency>
+  </dependencies>
 </project>
diff --git a/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java b/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
new file mode 100644
index 0000000000..44280cf105
--- /dev/null
+++ b/common/onap-common-configuration-management/onap-configuration-management-api/src/main/java/org/onap/config/api/JettySSLUtils.java
@@ -0,0 +1,117 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.config.api;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.Properties;
+import javax.net.ssl.SSLContext;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.ssl.SSLContexts;
+
+public class JettySSLUtils {
+
+    private JettySSLUtils() {
+    }
+
+    public static JettySslConfig getSSLConfig() throws IOException {
+        Properties sslProperties = new Properties();
+        String sslPropsPath = System.getenv("JETTY_BASE") + File.separator + "/start.d/ssl.ini";
+        File sslPropsFile = new File(sslPropsPath);
+        try (FileInputStream fis = new FileInputStream(sslPropsFile)) {
+            sslProperties.load(fis);
+        }
+        return new JettySslConfig(sslProperties);
+    }
+
+    public static SSLContext getSslContext() throws GeneralSecurityException, IOException {
+        JettySslConfig sslProperties = JettySSLUtils.getSSLConfig();
+        KeyStore trustStore = KeyStore.getInstance(sslProperties.getTruststoreType());
+        try (FileInputStream instream = new FileInputStream(new File(sslProperties.getTruststorePath()));) {
+            trustStore.load(instream, (sslProperties.getTruststorePass()).toCharArray());
+        }
+        KeyStore keystore = KeyStore.getInstance(sslProperties.getKeystoreType());
+        try (FileInputStream instream = new FileInputStream(new File(sslProperties.getKeystorePath()));) {
+            keystore.load(instream, sslProperties.getKeystorePass().toCharArray());
+        }
+        // Trust own CA and all self-signed certs
+        return SSLContexts.custom().loadKeyMaterial(keystore, sslProperties.getKeystorePass().toCharArray())
+            .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()).build();
+    }
+
+    public static class JettySslConfig {
+
+        static final String JETTY_BASE = System.getenv("JETTY_BASE");
+        static final String KEY_STORE_TYPE_PROPERTY_NAME = "jetty.sslContext.keyStoreType";
+        static final String TRUST_STORE_TYPE_PROPERTY_NAME = "jetty.sslContext.trustStoreType";
+        Properties sslProperties;
+
+        JettySslConfig(Properties sslProperties) {
+            this.sslProperties = sslProperties;
+        }
+
+        public String getJettyBase() {
+            return JettySslConfig.JETTY_BASE;
+        }
+
+        public String getKeystorePath() {
+            return sslProperties.getProperty("jetty.sslContext.keyStorePath");
+        }
+
+        public String getKeystorePass() {
+            return sslProperties.getProperty("jetty.sslContext.keyStorePassword");
+        }
+
+        public String getKeystoreType() {
+            return sslProperties.getProperty(KEY_STORE_TYPE_PROPERTY_NAME, KeyStore.getDefaultType());
+        }
+
+        public String getTruststorePath() {
+            return sslProperties.getProperty("jetty.sslContext.trustStorePath");
+        }
+
+        public String getTruststorePass() {
+            return sslProperties.getProperty("jetty.sslContext.trustStorePassword");
+        }
+
+        public String getTruststoreType() {
+            return sslProperties.getProperty(TRUST_STORE_TYPE_PROPERTY_NAME, KeyStore.getDefaultType());
+        }
+
+        public String getKeyStoreManager() {
+            return sslProperties.getProperty("jetty.sslContext.keyManagerPassword");
+        }
+
+        public Boolean getNeedClientAuth() {
+            if (sslProperties.containsKey("jetty.sslContext.needClientAuth")) {
+                return Boolean.valueOf(sslProperties.getProperty("jetty.sslContext.needClientAuth"));
+            } else {
+                return Boolean.FALSE;
+            }
+        }
+
+        public String getProperty(String key) {
+            return sslProperties.getProperty(key);
+        }
+    }
+}
author	xuegao <xue.gao@intl.att.com>	2021-04-09 08:48:47 +0200
committer	Christophe Closset <christophe.closset@intl.att.com>	2021-04-12 08:37:47 +0000
commit	45e2f0ae4c14ee24e696717c9d150a2ff0bdc872 (patch)
tree	1cfd6c63051730d0653e926709735d383adeab14 /common
parent	6035b0849ea1394345d86a63bb68851a8930c4ae (diff)