From 54e220917029830ac9d3b1d85b9d4203e059f749 Mon Sep 17 00:00:00 2001
From: Chase <62891993+engechas@users.noreply.github.com>
Date: Fri, 30 Sep 2022 14:27:25 -0500
Subject: [PATCH] Add fingerprint trust store implementation to PeerForwarderHttpServer (#1848)
Signed-off-by: Chase Engelbrecht
Signed-off-by: Chase Engelbrecht
---
 .../server/PeerForwarderHttpServerProvider.java | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/data-prepper-core/src/main/java/org/opensearch/dataprepper/peerforwarder/server/PeerForwarderHttpServerProvider.java b/data-prepper-core/src/main/java/org/opensearch/dataprepper/peerforwarder/server/PeerForwarderHttpServerProvider.java
index 7d426f39bd..aab39c2e3f 100644
--- a/data-prepper-core/src/main/java/org/opensearch/dataprepper/peerforwarder/server/PeerForwarderHttpServerProvider.java
+++ b/data-prepper-core/src/main/java/org/opensearch/dataprepper/peerforwarder/server/PeerForwarderHttpServerProvider.java
@@ -8,6 +8,7 @@
 import com.linecorp.armeria.server.Server;
 import com.linecorp.armeria.server.ServerBuilder;
 import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.util.FingerprintTrustManagerFactory;
 import org.opensearch.dataprepper.peerforwarder.ForwardingAuthentication;
 import org.opensearch.dataprepper.peerforwarder.PeerForwarderConfiguration;
 import org.opensearch.dataprepper.peerforwarder.certificate.CertificateProviderFactory;
@@ -61,10 +62,16 @@ public Server get() { ); if (peerForwarderConfiguration.getAuthentication() == ForwardingAuthentication.MUTUAL_TLS) { - sb.tlsCustomizer(sslContextBuilder -> sslContextBuilder.trustManager( - new ByteArrayInputStream(certificate.getCertificate().getBytes(StandardCharsets.UTF_8)) - ) - .clientAuth(ClientAuth.REQUIRE)); + if (peerForwarderConfiguration.isSslFingerprintVerificationOnly()) { + final FingerprintTrustManagerFactory fingerprintTrustManagerFactory = new FingerprintTrustManagerFactory(certificate.getFingerprint()); + sb.tlsCustomizer(sslContextBuilder -> sslContextBuilder.trustManager(fingerprintTrustManagerFactory) + .clientAuth(ClientAuth.REQUIRE)); + } else { + sb.tlsCustomizer(sslContextBuilder -> sslContextBuilder.trustManager( + new ByteArrayInputStream(certificate.getCertificate().getBytes(StandardCharsets.UTF_8)) + ) + .clientAuth(ClientAuth.REQUIRE)); + } } } else { LOG.warn("Creating Peer Forwarder server without SSL/TLS. This is not secure.");
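Review bot: The fingerprint branch builds its trust manager with `new FingerprintTrustManagerFactory(certificate.getFingerprint())`, and in Netty 4.1 that varargs-String constructor is deprecated because it matches SHA-1 fingerprints; the current form is `FingerprintTrustManagerFactory.builder("SHA-256").fingerprints(certificate.getFingerprint()).build()`, which only works if `getFingerprint()` yields a SHA-256 hex digest — its implementation is not on this page, so confirm what the certificate provider emits before switching. Whatever digest is used should be recorded on the declaration, e.g. `// Fingerprint-only mode trusts any client certificate whose <DIGEST-ALGO> fingerprint equals the configured one; the PEM trust-store chain validation in the else branch does not apply here`, because an operator reading this method cannot otherwise tell that the two modes have different trust semantics. Both branches also repeat `.clientAuth(ClientAuth.REQUIRE)`; choosing the trust manager inside one `tlsCustomizer` lambda and calling `clientAuth` once afterwards would stop the REQUIRE setting from drifting if a further verification mode is added. `get()` starts before this hunk and the outer else branch that logs the no-TLS warning continues past it.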