From 5f2ec88300146916e15144fa56c6f53cd03c14a6 Mon Sep 17 00:00:00 2001 From: Dilshan Edirisuriya Date: Mon, 14 Sep 2015 15:28:28 +0530 Subject: [PATCH] Changes in certificate managment --- .../pom.xml | 1 + .../mgt/core/impl/CertificateGenerator.java | 62 ++++++++++++++++++ .../service/CertificateManagementService.java | 2 + .../CertificateManagementServiceImpl.java | 4 ++ .../internal/SCEPManagerServiceComponent.java | 63 +++---------------- .../pom.xml | 12 +++- .../authenticator/framework/DataHolder.java | 14 ++++- .../WebappAuthenticatorFrameworkValve.java | 19 ------ .../CertificateAuthenticator.java | 35 ++++++++++- ...uthenticatorFrameworkServiceComponent.java | 23 +++++++ 10 files changed, 158 insertions(+), 77 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml index f22bffeab8..a253cc9a7f 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml @@ -71,6 +71,7 @@ org.bouncycastle.operator.jcajce, org.bouncycastle.pkcs, org.bouncycastle.util, + org.bouncycastle.asn1.util, org.jscep.message, org.jscep.transaction, org.w3c.dom, diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index 3aed3f4004..c97d84472d 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -20,7 +20,11 @@ package org.wso2.carbon.certificate.mgt.core.impl; import org.apache.commons.codec.binary.Base64; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.pkcs.Attribute; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.X509Extension; @@ -366,6 +370,16 @@ public class CertificateGenerator { try { certificateBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage( KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); + + if(attributes != null) { + ASN1Encodable extractedValue = getChallengePassword(attributes); + + if(extractedValue != null) { + certificateBuilder.addExtension(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, true, + extractedValue); + } + } + sigGen = new JcaContentSignerBuilder(ConfigurationUtil.SHA256_RSA) .setProvider(ConfigurationUtil.PROVIDER).build(privateKey); issuedCert = new JcaX509CertificateConverter().setProvider( @@ -390,6 +404,19 @@ public class CertificateGenerator { return issuedCert; } + private ASN1Encodable getChallengePassword(Attribute[] attributes) { + + for (Attribute attribute : attributes) { + if (PKCSObjectIdentifiers.pkcs_9_at_challengePassword.equals(attribute.getAttrType())) { + if(attribute.getAttrValues() != null && attribute.getAttrValues().size() > 0) { + return attribute.getAttrValues().getObjectAt(0); + } + } + } + + return null; + } + private CMSSignedData getMessageData(final List certs) throws KeystoreException { CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); @@ -534,4 +561,39 @@ public class CertificateGenerator { throw new KeystoreException(errorMsg, e); } } + + public String extractChallengeToken(X509Certificate certificate) { + + byte[] challengePassword = certificate.getExtensionValue( + PKCSObjectIdentifiers.pkcs_9_at_challengePassword.toString()); + + if (challengePassword != null) { + return new String(challengePassword); + } + + return null; + } + + private ASN1Primitive toASN1Primitive(byte[] data) { + + ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data); + ASN1InputStream inputStream = new ASN1InputStream(byteArrayInputStream); + + try { + return inputStream.readObject(); + } catch (IOException e) { + String errorMsg = "IOException occurred when converting binary array to ASN1Primitive"; + log.error(errorMsg, e); + } finally { + try { + byteArrayInputStream.close(); + inputStream.close(); + } catch (IOException e) { + String errorMsg = "IOException occurred when closing streams"; + log.error(errorMsg, e); + } + } + + return null; + } } \ No newline at end of file diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java index 0b47c43707..00a8a68e74 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java @@ -51,4 +51,6 @@ public interface CertificateManagementService { boolean verifySignature(String headerSignature) throws KeystoreException; public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException; + + String extractChallengeToken(X509Certificate certificate); } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java index c379df4264..cc3fb3efeb 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java @@ -96,4 +96,8 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException { return certificateGenerator.extractCertificateFromSignature(headerSignature); } + + public String extractChallengeToken(X509Certificate certificate) { + return certificateGenerator.extractChallengeToken(certificate); + } } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/SCEPManagerServiceComponent.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/SCEPManagerServiceComponent.java index e414b6c8ae..9c3b20a7a8 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/SCEPManagerServiceComponent.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/SCEPManagerServiceComponent.java @@ -4,83 +4,40 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.osgi.framework.BundleContext; import org.osgi.service.component.ComponentContext; -import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; -import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; -import org.wso2.carbon.device.mgt.ios.core.service.IOSEnrollmentService; +import org.wso2.carbon.device.mgt.core.scep.SCEPManager; +import org.wso2.carbon.device.mgt.core.scep.SCEPManagerImpl; /** - * @scr.component name="org.wso2.carbon.device.ios.enrollment" immediate="true" - * @scr.reference name="org.wso2.carbon.device.manager" - * interface="org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService" - * policy="dynamic" - * cardinality="1..n" - * bind="setDeviceManagementService" - * unbind="unsetDeviceManagementService" - * @scr.reference name="org.wso2.carbon.certificate.mgt" - * interface="org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService" - * policy="dynamic" - * cardinality="1..n" - * bind="setCertificateManagementService" - * unbind="unsetCertificateManagementService" + * @scr.component name="org.wso2.carbon.device.mgt.core.scep" immediate="true" */ public class SCEPManagerServiceComponent { - private static final Log log = LogFactory.getLog(IOSEnrollmentServiceComponent.class); + private static final Log log = LogFactory.getLog(SCEPManagerServiceComponent.class); protected void activate(ComponentContext componentContext) { try { if (log.isDebugEnabled()) { - log.debug("Initializing iOS device management core bundle"); + log.debug("Initializing SCEP core bundle"); } BundleContext bundleContext = componentContext.getBundleContext(); - bundleContext.registerService(IOSEnrollmentService.class.getName(), - IOSEnrollmentService.getInstance(), null); + bundleContext.registerService(SCEPManager.class.getName(), + new SCEPManagerImpl(), null); if (log.isDebugEnabled()) { - log.debug("iOS device management core bundle has been successfully initialized"); + log.debug("SCEP core bundle has been successfully initialized"); } } catch (Throwable e) { - String msg = "Error occurred while initializing ios device management core bundle"; + String msg = "Error occurred while initializing SCEP core bundle"; log.error(msg, e); } } protected void deactivate(ComponentContext ctx) { if (log.isDebugEnabled()) { - log.debug("Deactivating iOS device management core bundle"); + log.debug("Deactivating SCEP core bundle"); } } - protected void setDeviceManagementService(DeviceManagementProviderService deviceManagementService) { - if (log.isDebugEnabled()) { - log.debug("Setting device management service provider"); - } - IOSEnrollmentServiceHolder.getInstance().setDeviceManagementService(deviceManagementService); - } - - protected void unsetDeviceManagementService(DeviceManagementProviderService deviceManagementService) { - if (log.isDebugEnabled()) { - log.debug("Removing device management service provider"); - } - - IOSEnrollmentServiceHolder.getInstance().setDeviceManagementService(null); - } - - protected void setCertificateManagementService(CertificateManagementService certificateManagementService) { - if (log.isDebugEnabled()) { - log.debug("Setting certificate management service"); - } - IOSEnrollmentServiceHolder.getInstance().setCertificateManagementService(certificateManagementService); - } - - protected void unsetCertificateManagementService(CertificateManagementService certificateManagementService) { - if (log.isDebugEnabled()) { - log.debug("Removing certificate management service"); - } - - IOSEnrollmentServiceHolder.getInstance().setCertificateManagementService(null); - } - } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml index 2b7953b8cb..66f49daea6 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml @@ -94,7 +94,9 @@ org.apache.axis2.transport.http, org.wso2.carbon.apimgt.impl, org.wso2.carbon.certificate.mgt.core.service, - org.wso2.carbon.certificate.mgt.core.exception + org.wso2.carbon.certificate.mgt.core.exception, + org.wso2.carbon.device.mgt.common, + org.wso2.carbon.device.mgt.core.scep @@ -152,6 +154,14 @@ org.wso2.carbon.devicemgt org.wso2.carbon.certificate.mgt.core + + org.wso2.carbon.devicemgt + org.wso2.carbon.device.mgt.core + + + org.wso2.carbon.devicemgt + org.wso2.carbon.device.mgt.common + diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java index 2ad358341d..e270014a1d 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java @@ -19,6 +19,8 @@ package org.wso2.carbon.webapp.authenticator.framework; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; +import org.wso2.carbon.device.mgt.core.scep.SCEPManager; +import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.user.core.service.RealmService; public class DataHolder { @@ -26,11 +28,11 @@ public class DataHolder { private WebappAuthenticatorRepository repository; private RealmService realmService; private CertificateManagementService certificateManagementService; + private SCEPManager scepManager; + private static DataHolder thisInstance = new DataHolder(); private DataHolder() {} - private static DataHolder thisInstance = new DataHolder(); - public static DataHolder getInstance() { return thisInstance; } @@ -58,4 +60,12 @@ public class DataHolder { public void setCertificateManagementService(CertificateManagementService certificateManagementService) { this.certificateManagementService = certificateManagementService; } + + public SCEPManager getScepManager() { + return scepManager; + } + + public void setScepManager(SCEPManager scepManager) { + this.scepManager = scepManager; + } } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticatorFrameworkValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticatorFrameworkValve.java index 1701c7d30c..02b94941cd 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticatorFrameworkValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticatorFrameworkValve.java @@ -27,13 +27,10 @@ import org.wso2.carbon.tomcat.ext.valves.CompositeValve; import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; import javax.servlet.http.HttpServletResponse; -import java.util.Arrays; -import java.util.List; public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve { private static final String AUTHENTICATION_SCHEME = "authentication-scheme"; - private static final String BYPASS_URIS = "bypass-uris"; private static final Log log = LogFactory.getLog(WebappAuthenticatorFrameworkValve.class); @Override @@ -46,22 +43,6 @@ public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve { return; } - String byPassURIs = request.getContext().findParameter(WebappAuthenticatorFrameworkValve.BYPASS_URIS); - - if(byPassURIs != null && !byPassURIs.isEmpty()) { - - List requestURI = Arrays.asList(byPassURIs.split(",")); - - if(requestURI != null && requestURI.size() > 0) { - for (String pathURI : requestURI) { - if (request.getRequestURI().equals(pathURI)) { - this.getNext().invoke(request, response, compositeValve); - return; - } - } - } - } - WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(authScheme); if (authenticator == null) { String msg = "Failed to load an appropriate authenticator to authenticate the request"; diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java index 7ef83a3fd9..77edaadbae 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java @@ -5,8 +5,16 @@ import org.apache.catalina.connector.Response; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException; +import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.device.mgt.common.DeviceIdentifier; +import org.wso2.carbon.device.mgt.common.DeviceManagementConstants; +import org.wso2.carbon.device.mgt.core.scep.SCEPException; +import org.wso2.carbon.device.mgt.core.scep.SCEPManager; +import org.wso2.carbon.device.mgt.core.scep.TenantedDeviceWrapper; import org.wso2.carbon.webapp.authenticator.framework.DataHolder; +import java.security.cert.X509Certificate; + /** * This authenticator authenticates HTTP requests using certificates. */ @@ -47,12 +55,35 @@ public class CertificateAuthenticator implements WebappAuthenticator { if (certHeader != null && DataHolder.getInstance().getCertificateManagementService(). verifySignature(certHeader)) { - return Status.SUCCESS; + + X509Certificate certificate = DataHolder.getInstance().getCertificateManagementService(). + extractCertificateFromSignature(certHeader); + String challengeToken = DataHolder.getInstance().getCertificateManagementService(). + extractChallengeToken(certificate); + + if(challengeToken != null) { + + challengeToken = challengeToken.substring(challengeToken.indexOf("(") + 1).trim(); + + SCEPManager scepManager = DataHolder.getInstance().getScepManager(); + DeviceIdentifier deviceIdentifier = new DeviceIdentifier(); + deviceIdentifier.setId(challengeToken); + deviceIdentifier.setType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS); + + TenantedDeviceWrapper tenantedDeviceWrapper = scepManager.getValidatedDevice(deviceIdentifier); + + PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); + ctx.setTenantId(tenantedDeviceWrapper.getTenantId()); + ctx.setTenantDomain(tenantedDeviceWrapper.getTenantDomain()); + + return Status.SUCCESS; + } } } } catch (KeystoreException e) { log.error("KeystoreException occurred ", e); - return Status.FAILURE; + } catch (SCEPException e) { + log.error("SCEPException occurred ", e); } return Status.FAILURE; diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java index 7b7935a1f9..1479e7991d 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java @@ -22,6 +22,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.osgi.service.component.ComponentContext; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; +import org.wso2.carbon.device.mgt.core.scep.SCEPManager; +import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve; import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer; import org.wso2.carbon.user.core.service.RealmService; @@ -50,6 +52,12 @@ import java.util.List; * cardinality="1..n" * bind="setCertificateManagementService" * unbind="unsetCertificateManagementService" + * @scr.reference name="org.wso2.carbon.device.mgt.core.scep" + * interface="org.wso2.carbon.device.mgt.core.scep.SCEPManager" + * policy="dynamic" + * cardinality="1..n" + * bind="setSCEPManagementService" + * unbind="unsetSCEPManagementService" */ public class WebappAuthenticatorFrameworkServiceComponent { @@ -112,4 +120,19 @@ public class WebappAuthenticatorFrameworkServiceComponent { DataHolder.getInstance().setCertificateManagementService(null); } + + protected void setSCEPManagementService(SCEPManager scepManager) { + if (log.isDebugEnabled()) { + log.debug("Setting SCEP management service"); + } + DataHolder.getInstance().setScepManager(scepManager); + } + + protected void unsetSCEPManagementService(SCEPManager scepManager) { + if (log.isDebugEnabled()) { + log.debug("Removing SCEP management service"); + } + + DataHolder.getInstance().setScepManager(null); + } }