diff options
Diffstat (limited to 'sdc-distribution-client/src/main/java/org/onap/sdc/http/HttpClientFactory.java')
-rw-r--r-- | sdc-distribution-client/src/main/java/org/onap/sdc/http/HttpClientFactory.java | 130 |
1 files changed, 23 insertions, 107 deletions
diff --git a/sdc-distribution-client/src/main/java/org/onap/sdc/http/HttpClientFactory.java b/sdc-distribution-client/src/main/java/org/onap/sdc/http/HttpClientFactory.java index 94e20fb..ee75102 100644 --- a/sdc-distribution-client/src/main/java/org/onap/sdc/http/HttpClientFactory.java +++ b/sdc-distribution-client/src/main/java/org/onap/sdc/http/HttpClientFactory.java @@ -22,6 +22,7 @@ package org.onap.sdc.http; import java.io.FileInputStream; import java.io.IOException; +import java.security.Key; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; @@ -29,6 +30,7 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; @@ -39,10 +41,12 @@ import org.apache.http.auth.AuthScope; import org.apache.http.auth.UsernamePasswordCredentials; import org.apache.http.client.CredentialsProvider; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; import org.apache.http.impl.client.BasicCredentialsProvider; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.ssl.SSLContextBuilder; +import org.apache.http.ssl.SSLContexts; import org.onap.sdc.api.consumer.IConfiguration; import org.onap.sdc.utils.Pair; @@ -71,9 +75,7 @@ public class HttpClientFactory { } private Pair<String, CloseableHttpClient> createHttpsClient(IConfiguration configuration) { - return new Pair<>(HTTPS, - initSSL(configuration.getUser(), configuration.getPassword(), configuration.getKeyStorePath(), - configuration.getKeyStorePassword(), configuration.activateServerTLSAuth())); + return new Pair<>(HTTPS, initSSLMtls(configuration)); } private Pair<String, CloseableHttpClient> createHttpClient(IConfiguration configuration) { @@ -84,123 +86,37 @@ public class HttpClientFactory { .setProxy(getHttpProxyHost()).build()); } - private CloseableHttpClient initSSL(String username, String password, String keyStorePath, String keyStorePass, - boolean isSupportSSLVerification) { + private CloseableHttpClient initSSLMtls(IConfiguration configuration) { - try { + try (FileInputStream kis = new FileInputStream(configuration.getKeyStorePath()); + FileInputStream tis = new FileInputStream(configuration.getTrustStorePath())) { - // SSLContextBuilder is not thread safe CredentialsProvider credsProvider = new BasicCredentialsProvider(); credsProvider.setCredentials(new AuthScope("localhost", AUTHORIZATION_SCOPE_PORT), - new UsernamePasswordCredentials(username, password)); - SSLContext sslContext; - sslContext = SSLContext.getInstance(TLS); - TrustManagerFactory tmf = createTrustManagerFactory(); - TrustManager[] tms = tmf.getTrustManagers(); - if (isSupportSSLVerification) { - - if (keyStorePath != null && !keyStorePath.isEmpty()) { - // Using null here initialises the TMF with the default - // trust store. - - // Get hold of the default trust manager - X509TrustManager defaultTm = null; - for (TrustManager tm : tmf.getTrustManagers()) { - if (tm instanceof X509TrustManager) { - defaultTm = (X509TrustManager) tm; - break; - } - } - - // Do the same with your trust store this time - // Adapt how you load the keystore to your needs - KeyStore trustStore = loadKeyStore(keyStorePath, keyStorePass); - - tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(trustStore); - - // Get hold of the default trust manager - X509TrustManager myTm = null; - for (TrustManager tm : tmf.getTrustManagers()) { - if (tm instanceof X509TrustManager) { - myTm = (X509TrustManager) tm; - break; - } - } - - // Wrap it in your own class. - final X509TrustManager finalDefaultTm = defaultTm; - final X509TrustManager finalMyTm = myTm; - X509TrustManager customTm = new X509TrustManager() { - @Override - public X509Certificate[] getAcceptedIssuers() { - // If you're planning to use client-cert auth, - // merge results from "defaultTm" and "myTm". - return finalDefaultTm.getAcceptedIssuers(); - } - - @Override - public void checkServerTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - try { - finalMyTm.checkServerTrusted(chain, authType); - } catch (CertificateException e) { - // This will throw another CertificateException - // if this fails too. - finalDefaultTm.checkServerTrusted(chain, authType); - } - } - - @Override - public void checkClientTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - // If you're planning to use client-cert auth, - // do the same as checking the server. - finalDefaultTm.checkClientTrusted(chain, authType); - } - }; - - tms = new TrustManager[] { customTm }; - - } - - sslContext.init(null, tms, null); - SSLContext.setDefault(sslContext); - - } else { - - SSLContextBuilder builder = new SSLContextBuilder(); - - builder.loadTrustMaterial(null, (chain, authType) -> true); - - sslContext = builder.build(); - } + new UsernamePasswordCredentials(configuration.getUser(), configuration.getPassword())); + + final KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(kis, configuration.getKeyStorePassword().toCharArray()); + final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + keyManagerFactory.init(ks, configuration.getKeyStorePassword().toCharArray()); + + final KeyStore ts = KeyStore.getInstance("JKS"); + ts.load(tis, configuration.getTrustStorePassword().toCharArray()); + final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + trustManagerFactory.init(ts); + final SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(ts, new TrustSelfSignedStrategy()).loadKeyMaterial(ks, configuration.getKeyStorePassword().toCharArray()).build(); HostnameVerifier hostnameVerifier = (hostname, session) -> hostname.equalsIgnoreCase(session.getPeerHost()); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, new String[] { TLS }, null, - hostnameVerifier); + hostnameVerifier); + return HttpClientBuilder.create().setDefaultCredentialsProvider(credsProvider).setProxy(getHttpsProxyHost()) - .setSSLSocketFactory(sslsf).build(); + .setSSLSocketFactory(sslsf).build(); } catch (Exception e) { throw new HttpSdcClientException("Failed to create https client", e); } } - private TrustManagerFactory createTrustManagerFactory() throws NoSuchAlgorithmException, KeyStoreException { - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(DEFAULT_INIT_KEY_STORE_VALUE); - return tmf; - } - - private KeyStore loadKeyStore(String keyStorePath, String keyStorePass) - throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { - KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); - try (FileInputStream keyStoreData = new FileInputStream(keyStorePath)) { - trustStore.load(keyStoreData, keyStorePass.toCharArray()); - } - return trustStore; - } - private HttpHost getHttpProxyHost() { HttpHost proxyHost = null; if (configuration.isUseSystemProxy() && System.getProperty("http.proxyHost") != null |