Add fingerprint trust store implementation to PeerForwarderHttpServer (…

…opensearch-project#1848) Signed-off-by: Chase Engelbrecht <[email protected]> Signed-off-by: Chase Engelbrecht <[email protected]>
shenkw1 · Sep 30, 2022 · 54e2209 · 54e2209
1 parent 967919b
commit 54e2209
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/...java/org/opensearch/dataprepper/peerforwarder/server/PeerForwarderHttpServerProvider.java b/...java/org/opensearch/dataprepper/peerforwarder/server/PeerForwarderHttpServerProvider.java
@@ -8,6 +8,7 @@
 import com.linecorp.armeria.server.Server;
 import com.linecorp.armeria.server.ServerBuilder;
 import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.util.FingerprintTrustManagerFactory;
 import org.opensearch.dataprepper.peerforwarder.ForwardingAuthentication;
 import org.opensearch.dataprepper.peerforwarder.PeerForwarderConfiguration;
 import org.opensearch.dataprepper.peerforwarder.certificate.CertificateProviderFactory;
@@ -61,10 +62,16 @@ public Server get() {
             );
 
             if (peerForwarderConfiguration.getAuthentication() == ForwardingAuthentication.MUTUAL_TLS) {
-                sb.tlsCustomizer(sslContextBuilder -> sslContextBuilder.trustManager(
-                                new ByteArrayInputStream(certificate.getCertificate().getBytes(StandardCharsets.UTF_8))
-                        )
-                        .clientAuth(ClientAuth.REQUIRE));
+                if (peerForwarderConfiguration.isSslFingerprintVerificationOnly()) {
+                    final FingerprintTrustManagerFactory fingerprintTrustManagerFactory = new FingerprintTrustManagerFactory(certificate.getFingerprint());
+                    sb.tlsCustomizer(sslContextBuilder -> sslContextBuilder.trustManager(fingerprintTrustManagerFactory)
+                            .clientAuth(ClientAuth.REQUIRE));
+                } else {
+                    sb.tlsCustomizer(sslContextBuilder -> sslContextBuilder.trustManager(
+                                    new ByteArrayInputStream(certificate.getCertificate().getBytes(StandardCharsets.UTF_8))
+                            )
+                            .clientAuth(ClientAuth.REQUIRE));
+                }
             }
         } else {
             LOG.warn("Creating Peer Forwarder server without SSL/TLS. This is not secure.");