diff options
author | xuegao <xue.gao@intl.att.com> | 2021-04-09 08:48:47 +0200 |
---|---|---|
committer | Christophe Closset <christophe.closset@intl.att.com> | 2021-04-12 08:37:47 +0000 |
commit | 45e2f0ae4c14ee24e696717c9d150a2ff0bdc872 (patch) | |
tree | 1cfd6c63051730d0653e926709735d383adeab14 /openecomp-be/api | |
parent | 6035b0849ea1394345d86a63bb68851a8930c4ae (diff) |
Fix weak-cryptography issues
Load the truststore/keystore of our own instead of using the default one.
Issue-ID: SDC-3495
Change-Id: I0ecd764d5198480a065fd38299cc9ff9da66af29
Signed-off-by: xuegao <xue.gao@intl.att.com>
Diffstat (limited to 'openecomp-be/api')
-rw-r--r-- | openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java | 62 |
1 files changed, 6 insertions, 56 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java index 17ee57001e..5bfd29affa 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vnf-repository-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/VnfPackageRepositoryImpl.java @@ -20,26 +20,22 @@ import static javax.ws.rs.core.HttpHeaders.CONTENT_DISPOSITION; import static org.openecomp.core.utilities.file.FileUtils.getFileExtension; import static org.openecomp.core.utilities.file.FileUtils.getNetworkPackageName; +import java.io.IOException; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; import java.util.List; import java.util.Objects; import java.util.Optional; import javax.inject.Named; import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509TrustManager; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; import javax.ws.rs.core.Response; import org.onap.config.api.ConfigurationManager; +import org.onap.config.api.JettySSLUtils; import org.openecomp.core.utilities.orchestration.OnboardingTypesEnum; import org.openecomp.sdc.common.errors.CoreException; import org.openecomp.sdc.common.errors.ErrorCode; @@ -81,62 +77,16 @@ public class VnfPackageRepositoryImpl implements VnfPackageRepository { private static Client trustSSLClient() { try { - SSLContext sslcontext = SSLContext.getInstance("TLS"); - sslcontext.init(null, new TrustManager[]{new MyTrustManager()}, new java.security.SecureRandom()); + SSLContext sslcontext = JettySSLUtils.getSslContext(); return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((requestedHost, remoteServerSession) -> requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost())).build(); - } catch (NoSuchAlgorithmException | KeyManagementException e) { - LOGGER.error("Failed to initialize SSL unsecure context", e); + } catch (IOException | GeneralSecurityException e) { + LOGGER.error("Failed to initialize SSL context", e); } return ClientBuilder.newClient(); } - private static class MyTrustManager implements X509TrustManager { - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - private MyTrustManager() throws NoSuchAlgorithmException { - } - - @Override - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[] {}; - } - - @Override - public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { - X509TrustManager x509Tm = getDefaultTrustManager(tmf); - if(x509Tm == null) { - throw new CertificateException("No X509TrustManager found"); - } - x509Tm.checkServerTrusted(certs, authType); - } - - @Override - public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { - X509TrustManager x509Tm = getDefaultTrustManager(tmf); - if(x509Tm == null) { - throw new CertificateException("No X509TrustManager found"); - } - x509Tm.checkClientTrusted(certs, authType); - } - - private X509TrustManager getDefaultTrustManager(TrustManagerFactory tmf) { - try { - tmf.init((KeyStore)null); - } catch (KeyStoreException e) { - throw new IllegalStateException(e); - } - X509TrustManager x509Tm = null; - for(TrustManager tm: tmf.getTrustManagers()) - { - if(tm instanceof X509TrustManager) { - x509Tm = (X509TrustManager) tm; - break; - } - } - return x509Tm; - } - } private final Configuration config; |