2 * Copyright (c) 2023 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.topology.spi;
10 import static java.util.Objects.requireNonNull;
12 import com.google.common.annotations.VisibleForTesting;
13 import com.google.common.base.Strings;
14 import java.io.IOException;
15 import java.io.StringReader;
16 import java.nio.charset.StandardCharsets;
17 import java.security.GeneralSecurityException;
18 import java.security.KeyPair;
19 import java.security.Provider;
20 import java.security.Security;
21 import java.util.Base64;
22 import java.util.List;
23 import javax.inject.Inject;
24 import javax.inject.Singleton;
25 import org.bouncycastle.jce.provider.BouncyCastleProvider;
26 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
27 import org.bouncycastle.openssl.PEMKeyPair;
28 import org.bouncycastle.openssl.PEMParser;
29 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
30 import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
31 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
32 import org.opendaylight.netconf.client.conf.NetconfClientConfiguration.NetconfClientProtocol;
33 import org.opendaylight.netconf.client.conf.NetconfClientConfigurationBuilder;
34 import org.opendaylight.netconf.client.mdsal.api.CredentialProvider;
35 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
36 import org.opendaylight.netconf.shaded.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
37 import org.opendaylight.netconf.shaded.sshd.common.keyprovider.KeyIdentityProvider;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev231228.password.grouping.password.type.CleartextPasswordBuilder;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev231228.netconf.client.initiate.stack.grouping.transport.ssh.ssh.SshClientParametersBuilder;
40 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.netconf.client.rev231228.netconf.client.initiate.stack.grouping.transport.ssh.ssh.TcpClientParametersBuilder;
41 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev231228.ssh.client.grouping.ClientIdentity;
42 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev231228.ssh.client.grouping.ClientIdentityBuilder;
43 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev231228.ssh.client.grouping.client.identity.PasswordBuilder;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.Protocol.Name;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.Credentials;
46 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.credentials.KeyAuth;
47 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.credentials.LoginPw;
48 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.credentials.credentials.LoginPwUnencrypted;
49 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev231121.NetconfNode;
50 import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
51 import org.osgi.service.component.annotations.Activate;
52 import org.osgi.service.component.annotations.Component;
53 import org.osgi.service.component.annotations.Reference;
56 * Default implementation of NetconfClientConfigurationBuildFactory.
60 public final class NetconfClientConfigurationBuilderFactoryImpl implements NetconfClientConfigurationBuilderFactory {
61 private static final Provider BCPROV;
64 final var prov = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
65 BCPROV = prov != null ? prov : new BouncyCastleProvider();
68 private final SslHandlerFactoryProvider sslHandlerFactoryProvider;
69 private final AAAEncryptionService encryptionService;
70 private final CredentialProvider credentialProvider;
74 public NetconfClientConfigurationBuilderFactoryImpl(
75 @Reference final AAAEncryptionService encryptionService,
76 @Reference final CredentialProvider credentialProvider,
77 @Reference final SslHandlerFactoryProvider sslHandlerFactoryProvider) {
78 this.encryptionService = requireNonNull(encryptionService);
79 this.credentialProvider = requireNonNull(credentialProvider);
80 this.sslHandlerFactoryProvider = requireNonNull(sslHandlerFactoryProvider);
84 public NetconfClientConfigurationBuilder createClientConfigurationBuilder(final NodeId nodeId,
85 final NetconfNode node) {
86 final var builder = NetconfClientConfigurationBuilder.create();
87 final var protocol = node.getProtocol();
88 if (node.requireTcpOnly()) {
89 builder.withProtocol(NetconfClientProtocol.TCP);
90 } else if (protocol == null || protocol.getName() == Name.SSH) {
91 builder.withProtocol(NetconfClientProtocol.SSH);
92 setSshParametersFromCredentials(builder, node.getCredentials());
93 } else if (protocol.getName() == Name.TLS) {
94 builder.withProtocol(NetconfClientProtocol.TLS).withSslHandlerFactory(
95 channel -> sslHandlerFactoryProvider.getSslHandlerFactory(protocol.getSpecification())
98 throw new IllegalArgumentException("Unsupported protocol type: " + protocol.getName());
101 final var helloCapabilities = node.getOdlHelloMessageCapabilities();
102 if (helloCapabilities != null) {
103 builder.withOdlHelloCapabilities(List.copyOf(helloCapabilities.requireCapability()));
107 .withName(nodeId.getValue())
108 .withTcpParameters(new TcpClientParametersBuilder()
109 .setRemoteAddress(node.requireHost())
110 .setRemotePort(node.requirePort()).build())
111 .withConnectionTimeoutMillis(node.requireConnectionTimeoutMillis().toJava());
114 private void setSshParametersFromCredentials(final NetconfClientConfigurationBuilder confBuilder,
115 final Credentials credentials) {
116 final var sshParamsBuilder = new SshClientParametersBuilder();
117 if (credentials instanceof LoginPwUnencrypted unencrypted) {
118 final var loginPassword = unencrypted.getLoginPasswordUnencrypted();
119 sshParamsBuilder.setClientIdentity(loginPasswordIdentity(
120 loginPassword.getUsername(), loginPassword.getPassword()));
121 } else if (credentials instanceof LoginPw loginPw) {
122 final var loginPassword = loginPw.getLoginPassword();
123 final var username = loginPassword.getUsername();
125 final byte[] plainBytes;
127 plainBytes = encryptionService.decrypt(loginPassword.getPassword());
128 } catch (GeneralSecurityException e) {
129 throw new IllegalStateException("Failed to decrypt password", e);
132 sshParamsBuilder.setClientIdentity(loginPasswordIdentity(username,
133 new String(plainBytes, StandardCharsets.UTF_8)));
134 } else if (credentials instanceof KeyAuth keyAuth) {
135 final var keyBased = keyAuth.getKeyBased();
136 sshParamsBuilder.setClientIdentity(new ClientIdentityBuilder().setUsername(keyBased.getUsername()).build());
137 confBuilder.withSshConfigurator(factoryMgr -> {
138 final var keyPair = getKeyPair(keyBased.getKeyId());
139 factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPair));
140 final var factory = new UserAuthPublicKeyFactory();
141 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
142 factoryMgr.setUserAuthFactories(List.of(factory));
145 throw new IllegalArgumentException("Unsupported credential type: " + credentials.getClass());
147 confBuilder.withSshParameters(sshParamsBuilder.build());
150 private static ClientIdentity loginPasswordIdentity(final String username, final String password) {
151 return new ClientIdentityBuilder()
152 .setUsername(requireNonNull(username, "username is undefined"))
153 .setPassword(new PasswordBuilder()
154 .setPasswordType(new CleartextPasswordBuilder()
155 .setCleartextPassword(requireNonNull(password, "password is undefined"))
161 private KeyPair getKeyPair(final String keyId) {
162 // public key retrieval logic taken from DatastoreBackedPublicKeyAuth
163 final var dsKeypair = credentialProvider.credentialForId(keyId);
164 if (dsKeypair == null) {
165 throw new IllegalArgumentException("No keypair found with keyId=" + keyId);
167 final var passPhrase = Strings.isNullOrEmpty(dsKeypair.getPassphrase()) ? "" : dsKeypair.getPassphrase();
169 return decodePrivateKey(decryptString(dsKeypair.getPrivateKey()), decryptString(passPhrase));
170 } catch (IOException e) {
171 throw new IllegalStateException("Could not decode private key with keyId=" + keyId, e);
175 private String decryptString(final String encrypted) {
176 final byte[] cryptobytes = Base64.getDecoder().decode(encrypted);
177 final byte[] clearbytes;
179 clearbytes = encryptionService.decrypt(cryptobytes);
180 } catch (GeneralSecurityException e) {
181 throw new IllegalStateException("Failed to decrypt", e);
183 return new String(clearbytes, StandardCharsets.UTF_8);
188 static KeyPair decodePrivateKey(final String privateKey, final String passphrase) throws IOException {
189 try (var keyReader = new PEMParser(new StringReader(privateKey.replace("\\n", "\n")))) {
190 final var obj = keyReader.readObject();
192 final PEMKeyPair keyPair;
193 if (obj instanceof PEMEncryptedKeyPair encrypted) {
194 keyPair = encrypted.decryptKeyPair(new JcePEMDecryptorProviderBuilder()
196 .build(passphrase.toCharArray()));
197 } else if (obj instanceof PEMKeyPair plain) {
200 throw new IllegalArgumentException("Unhandled private key " + obj.getClass());
203 return new JcaPEMKeyConverter().getKeyPair(keyPair);