diff options
author | xuegao <xue.gao@intl.att.com> | 2021-03-30 13:35:13 +0200 |
---|---|---|
committer | Vasyl Razinkov <vasyl.razinkov@est.tech> | 2021-04-02 11:39:43 +0000 |
commit | 24494466f8756d654a023b38f5ad73ec0ec2d603 (patch) | |
tree | bb9c2a7b4a215d3428dfe6080474db1139d3c45f /openecomp-be/api | |
parent | 69139f69742e4738f53d45b66a5051dd63a790b8 (diff) |
Fix weak-cryptography issues
Fix the weak-cryptography issues identified in sonarcloud.
Issue-ID: SDC-3495
Change-Id: I0e65c9ad2fa2dda1ffc2c527cc220b9de7a6f217
Signed-off-by: xuegao <xue.gao@intl.att.com>
Diffstat (limited to 'openecomp-be/api')
-rw-r--r-- | openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java | 68 |
1 files changed, 55 insertions, 13 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java index 88ee6fa43d..17ee57001e 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java @@ -23,7 +23,10 @@ import static org.openecomp.core.utilities.file.FileUtils.getNetworkPackageName; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.List; import java.util.Objects; @@ -31,6 +34,7 @@ import java.util.Optional; import javax.inject.Named; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; @@ -73,29 +77,67 @@ import org.springframework.stereotype.Service; public class VnfPackageRepositoryImpl implements VnfPackageRepository { private static final Logger LOGGER = LoggerFactory.getLogger(VnfPackageRepositoryImpl.class); - private static final Client CLIENT = ignoreSSLClient(); + private static final Client CLIENT = trustSSLClient(); - private static Client ignoreSSLClient() { + private static Client trustSSLClient() { try { SSLContext sslcontext = SSLContext.getInstance("TLS"); - sslcontext.init(null, new TrustManager[]{new X509TrustManager() { - public void checkClientTrusted(X509Certificate[] c, String s) { - } - - public void checkServerTrusted(X509Certificate[] c, String s) { - } + sslcontext.init(null, new TrustManager[]{new MyTrustManager()}, new java.security.SecureRandom()); + return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((requestedHost, remoteServerSession) + -> requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost())).build(); - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[0]; - } - }}, new java.security.SecureRandom()); - return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((a, b) -> true).build(); } catch (NoSuchAlgorithmException | KeyManagementException e) { LOGGER.error("Failed to initialize SSL unsecure context", e); } return ClientBuilder.newClient(); } + private static class MyTrustManager implements X509TrustManager { + TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + private MyTrustManager() throws NoSuchAlgorithmException { + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return new X509Certificate[] {}; + } + + @Override + public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { + X509TrustManager x509Tm = getDefaultTrustManager(tmf); + if(x509Tm == null) { + throw new CertificateException("No X509TrustManager found"); + } + x509Tm.checkServerTrusted(certs, authType); + } + + @Override + public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { + X509TrustManager x509Tm = getDefaultTrustManager(tmf); + if(x509Tm == null) { + throw new CertificateException("No X509TrustManager found"); + } + x509Tm.checkClientTrusted(certs, authType); + } + + private X509TrustManager getDefaultTrustManager(TrustManagerFactory tmf) { + try { + tmf.init((KeyStore)null); + } catch (KeyStoreException e) { + throw new IllegalStateException(e); + } + X509TrustManager x509Tm = null; + for(TrustManager tm: tmf.getTrustManagers()) + { + if(tm instanceof X509TrustManager) { + x509Tm = (X509TrustManager) tm; + break; + } + } + return x509Tm; + } + } + private final Configuration config; public VnfPackageRepositoryImpl(Configuration config) { |