Changes in certificate managment

revert-70aa11f8
Dilshan Edirisuriya 9 years ago
parent 3907c0fba2
commit 5f2ec88300

@ -71,6 +71,7 @@
org.bouncycastle.operator.jcajce, org.bouncycastle.operator.jcajce,
org.bouncycastle.pkcs, org.bouncycastle.pkcs,
org.bouncycastle.util, org.bouncycastle.util,
org.bouncycastle.asn1.util,
org.jscep.message, org.jscep.message,
org.jscep.transaction, org.jscep.transaction,
org.w3c.dom, org.w3c.dom,

@ -20,7 +20,11 @@ package org.wso2.carbon.certificate.mgt.core.impl;
import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.pkcs.Attribute; import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.asn1.x509.X509Extension;
@ -366,6 +370,16 @@ public class CertificateGenerator {
try { try {
certificateBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage( certificateBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
if(attributes != null) {
ASN1Encodable extractedValue = getChallengePassword(attributes);
if(extractedValue != null) {
certificateBuilder.addExtension(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, true,
extractedValue);
}
}
sigGen = new JcaContentSignerBuilder(ConfigurationUtil.SHA256_RSA) sigGen = new JcaContentSignerBuilder(ConfigurationUtil.SHA256_RSA)
.setProvider(ConfigurationUtil.PROVIDER).build(privateKey); .setProvider(ConfigurationUtil.PROVIDER).build(privateKey);
issuedCert = new JcaX509CertificateConverter().setProvider( issuedCert = new JcaX509CertificateConverter().setProvider(
@ -390,6 +404,19 @@ public class CertificateGenerator {
return issuedCert; return issuedCert;
} }
private ASN1Encodable getChallengePassword(Attribute[] attributes) {
for (Attribute attribute : attributes) {
if (PKCSObjectIdentifiers.pkcs_9_at_challengePassword.equals(attribute.getAttrType())) {
if(attribute.getAttrValues() != null && attribute.getAttrValues().size() > 0) {
return attribute.getAttrValues().getObjectAt(0);
}
}
}
return null;
}
private CMSSignedData getMessageData(final List<X509Certificate> certs) throws KeystoreException { private CMSSignedData getMessageData(final List<X509Certificate> certs) throws KeystoreException {
CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
@ -534,4 +561,39 @@ public class CertificateGenerator {
throw new KeystoreException(errorMsg, e); throw new KeystoreException(errorMsg, e);
} }
} }
public String extractChallengeToken(X509Certificate certificate) {
byte[] challengePassword = certificate.getExtensionValue(
PKCSObjectIdentifiers.pkcs_9_at_challengePassword.toString());
if (challengePassword != null) {
return new String(challengePassword);
}
return null;
}
private ASN1Primitive toASN1Primitive(byte[] data) {
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);
ASN1InputStream inputStream = new ASN1InputStream(byteArrayInputStream);
try {
return inputStream.readObject();
} catch (IOException e) {
String errorMsg = "IOException occurred when converting binary array to ASN1Primitive";
log.error(errorMsg, e);
} finally {
try {
byteArrayInputStream.close();
inputStream.close();
} catch (IOException e) {
String errorMsg = "IOException occurred when closing streams";
log.error(errorMsg, e);
}
}
return null;
}
} }
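Review bot: In the hunk at `@ -366,6 +370,16 @@`, the CSR's challengePassword attribute is copied into the issued certificate with `certificateBuilder.addExtension(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, true, extractedValue)`; that OID is a PKCS#9 attribute identifier rather than a registered certificate extension, and marking it critical means any RFC 5280-conforming validator that does not recognise it must reject the whole certificate, so at minimum this should be `false`, and if the challenge password is a shared enrollment secret (as in standard SCEP) it should not be embedded in a certificate at all, since the certificate is handed to every peer. The `extractedValue` is taken from `getObjectAt(0)` with no type check, so whatever the CSR carries is encoded verbatim. In the last hunk, `extractChallengeToken` returns `new String(certificate.getExtensionValue(...))`, which is the platform-charset rendering of the raw DER OCTET STRING (tag and length bytes included), while the new `toASN1Primitive` helper that would unwrap it is never called; decoding through it, as below, returns the actual string value (this needs `org.bouncycastle.asn1.ASN1OctetString` and `org.bouncycastle.asn1.ASN1String` imports). The `toASN1Primitive` helper also swallows the parse error into a `null` return and closes the streams by hand where try-with-resources would do.
```java
public String extractChallengeToken(X509Certificate certificate) {
    byte[] extensionValue = certificate.getExtensionValue(
            PKCSObjectIdentifiers.pkcs_9_at_challengePassword.toString());
    if (extensionValue == null) {
        return null;
    }
    // getExtensionValue() yields the DER OCTET STRING that wraps the extension value
    ASN1Primitive wrapper = toASN1Primitive(extensionValue);
    if (!(wrapper instanceof ASN1OctetString)) {
        return null;
    }
    ASN1Primitive value = toASN1Primitive(((ASN1OctetString) wrapper).getOctets());
    if (value instanceof ASN1String) {
        return ((ASN1String) value).getString();
    }
    return null;
}
// … unchanged: toASN1Primitive …
```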

@ -51,4 +51,6 @@ public interface CertificateManagementService {
boolean verifySignature(String headerSignature) throws KeystoreException; boolean verifySignature(String headerSignature) throws KeystoreException;
public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException; public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException;
String extractChallengeToken(X509Certificate certificate);
} }
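Review bot: The new `String extractChallengeToken(X509Certificate certificate);` declaration has no Javadoc, unlike the contract it extends, and callers cannot tell whether a missing extension yields null or an exception; add `/** Returns the value of the challenge-password extension carried by {@code certificate}, or {@code null} when the extension is absent. */` above it. The interface continues outside the hunk.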

@ -96,4 +96,8 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe
public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException { public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException {
return certificateGenerator.extractCertificateFromSignature(headerSignature); return certificateGenerator.extractCertificateFromSignature(headerSignature);
} }
public String extractChallengeToken(X509Certificate certificate) {
return certificateGenerator.extractChallengeToken(certificate);
}
} }

@ -4,83 +4,40 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.osgi.framework.BundleContext; import org.osgi.framework.BundleContext;
import org.osgi.service.component.ComponentContext; import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.device.mgt.core.scep.SCEPManagerImpl;
import org.wso2.carbon.device.mgt.ios.core.service.IOSEnrollmentService;
/** /**
* @scr.component name="org.wso2.carbon.device.ios.enrollment" immediate="true" * @scr.component name="org.wso2.carbon.device.mgt.core.scep" immediate="true"
* @scr.reference name="org.wso2.carbon.device.manager"
* interface="org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService"
* policy="dynamic"
* cardinality="1..n"
* bind="setDeviceManagementService"
* unbind="unsetDeviceManagementService"
* @scr.reference name="org.wso2.carbon.certificate.mgt"
* interface="org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService"
* policy="dynamic"
* cardinality="1..n"
* bind="setCertificateManagementService"
* unbind="unsetCertificateManagementService"
*/ */
public class SCEPManagerServiceComponent { public class SCEPManagerServiceComponent {
private static final Log log = LogFactory.getLog(IOSEnrollmentServiceComponent.class); private static final Log log = LogFactory.getLog(SCEPManagerServiceComponent.class);
protected void activate(ComponentContext componentContext) { protected void activate(ComponentContext componentContext) {
try { try {
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Initializing iOS device management core bundle"); log.debug("Initializing SCEP core bundle");
} }
BundleContext bundleContext = componentContext.getBundleContext(); BundleContext bundleContext = componentContext.getBundleContext();
bundleContext.registerService(IOSEnrollmentService.class.getName(), bundleContext.registerService(SCEPManager.class.getName(),
IOSEnrollmentService.getInstance(), null); new SCEPManagerImpl(), null);
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("iOS device management core bundle has been successfully initialized"); log.debug("SCEP core bundle has been successfully initialized");
} }
} catch (Throwable e) { } catch (Throwable e) {
String msg = "Error occurred while initializing ios device management core bundle"; String msg = "Error occurred while initializing SCEP core bundle";
log.error(msg, e); log.error(msg, e);
} }
} }
protected void deactivate(ComponentContext ctx) { protected void deactivate(ComponentContext ctx) {
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Deactivating iOS device management core bundle"); log.debug("Deactivating SCEP core bundle");
} }
} }
protected void setDeviceManagementService(DeviceManagementProviderService deviceManagementService) {
if (log.isDebugEnabled()) {
log.debug("Setting device management service provider");
}
IOSEnrollmentServiceHolder.getInstance().setDeviceManagementService(deviceManagementService);
}
protected void unsetDeviceManagementService(DeviceManagementProviderService deviceManagementService) {
if (log.isDebugEnabled()) {
log.debug("Removing device management service provider");
}
IOSEnrollmentServiceHolder.getInstance().setDeviceManagementService(null);
}
protected void setCertificateManagementService(CertificateManagementService certificateManagementService) {
if (log.isDebugEnabled()) {
log.debug("Setting certificate management service");
}
IOSEnrollmentServiceHolder.getInstance().setCertificateManagementService(certificateManagementService);
}
protected void unsetCertificateManagementService(CertificateManagementService certificateManagementService) {
if (log.isDebugEnabled()) {
log.debug("Removing certificate management service");
}
IOSEnrollmentServiceHolder.getInstance().setCertificateManagementService(null);
}
} }

@ -94,7 +94,9 @@
org.apache.axis2.transport.http, org.apache.axis2.transport.http,
org.wso2.carbon.apimgt.impl, org.wso2.carbon.apimgt.impl,
org.wso2.carbon.certificate.mgt.core.service, org.wso2.carbon.certificate.mgt.core.service,
org.wso2.carbon.certificate.mgt.core.exception org.wso2.carbon.certificate.mgt.core.exception,
org.wso2.carbon.device.mgt.common,
org.wso2.carbon.device.mgt.core.scep
</Import-Package> </Import-Package>
<!--<Fragment-Host>tomcat</Fragment-Host>--> <!--<Fragment-Host>tomcat</Fragment-Host>-->
</instructions> </instructions>
@ -152,6 +154,14 @@
<groupId>org.wso2.carbon.devicemgt</groupId> <groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.certificate.mgt.core</artifactId> <artifactId>org.wso2.carbon.certificate.mgt.core</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.core</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.device.mgt.common</artifactId>
</dependency>
</dependencies> </dependencies>
</project> </project>

@ -19,6 +19,8 @@
package org.wso2.carbon.webapp.authenticator.framework; package org.wso2.carbon.webapp.authenticator.framework;
import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
public class DataHolder { public class DataHolder {
@ -26,11 +28,11 @@ public class DataHolder {
private WebappAuthenticatorRepository repository; private WebappAuthenticatorRepository repository;
private RealmService realmService; private RealmService realmService;
private CertificateManagementService certificateManagementService; private CertificateManagementService certificateManagementService;
private SCEPManager scepManager;
private static DataHolder thisInstance = new DataHolder();
private DataHolder() {} private DataHolder() {}
private static DataHolder thisInstance = new DataHolder();
public static DataHolder getInstance() { public static DataHolder getInstance() {
return thisInstance; return thisInstance;
} }
@ -58,4 +60,12 @@ public class DataHolder {
public void setCertificateManagementService(CertificateManagementService certificateManagementService) { public void setCertificateManagementService(CertificateManagementService certificateManagementService) {
this.certificateManagementService = certificateManagementService; this.certificateManagementService = certificateManagementService;
} }
public SCEPManager getScepManager() {
return scepManager;
}
public void setScepManager(SCEPManager scepManager) {
this.scepManager = scepManager;
}
} }

@ -27,13 +27,10 @@ import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.List;
public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve { public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve {
private static final String AUTHENTICATION_SCHEME = "authentication-scheme"; private static final String AUTHENTICATION_SCHEME = "authentication-scheme";
private static final String BYPASS_URIS = "bypass-uris";
private static final Log log = LogFactory.getLog(WebappAuthenticatorFrameworkValve.class); private static final Log log = LogFactory.getLog(WebappAuthenticatorFrameworkValve.class);
@Override @Override
@ -46,22 +43,6 @@ public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve {
return; return;
} }
String byPassURIs = request.getContext().findParameter(WebappAuthenticatorFrameworkValve.BYPASS_URIS);
if(byPassURIs != null && !byPassURIs.isEmpty()) {
List<String> requestURI = Arrays.asList(byPassURIs.split(","));
if(requestURI != null && requestURI.size() > 0) {
for (String pathURI : requestURI) {
if (request.getRequestURI().equals(pathURI)) {
this.getNext().invoke(request, response, compositeValve);
return;
}
}
}
}
WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(authScheme); WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(authScheme);
if (authenticator == null) { if (authenticator == null) {
String msg = "Failed to load an appropriate authenticator to authenticate the request"; String msg = "Failed to load an appropriate authenticator to authenticate the request";

@ -5,8 +5,16 @@ import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException; import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.DeviceManagementConstants;
import org.wso2.carbon.device.mgt.core.scep.SCEPException;
import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
import org.wso2.carbon.device.mgt.core.scep.TenantedDeviceWrapper;
import org.wso2.carbon.webapp.authenticator.framework.DataHolder; import org.wso2.carbon.webapp.authenticator.framework.DataHolder;
import java.security.cert.X509Certificate;
/** /**
* This authenticator authenticates HTTP requests using certificates. * This authenticator authenticates HTTP requests using certificates.
*/ */
@ -47,12 +55,35 @@ public class CertificateAuthenticator implements WebappAuthenticator {
if (certHeader != null && DataHolder.getInstance().getCertificateManagementService(). if (certHeader != null && DataHolder.getInstance().getCertificateManagementService().
verifySignature(certHeader)) { verifySignature(certHeader)) {
X509Certificate certificate = DataHolder.getInstance().getCertificateManagementService().
extractCertificateFromSignature(certHeader);
String challengeToken = DataHolder.getInstance().getCertificateManagementService().
extractChallengeToken(certificate);
if(challengeToken != null) {
challengeToken = challengeToken.substring(challengeToken.indexOf("(") + 1).trim();
SCEPManager scepManager = DataHolder.getInstance().getScepManager();
DeviceIdentifier deviceIdentifier = new DeviceIdentifier();
deviceIdentifier.setId(challengeToken);
deviceIdentifier.setType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
TenantedDeviceWrapper tenantedDeviceWrapper = scepManager.getValidatedDevice(deviceIdentifier);
PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
ctx.setTenantId(tenantedDeviceWrapper.getTenantId());
ctx.setTenantDomain(tenantedDeviceWrapper.getTenantDomain());
return Status.SUCCESS; return Status.SUCCESS;
} }
} }
}
} catch (KeystoreException e) { } catch (KeystoreException e) {
log.error("KeystoreException occurred ", e); log.error("KeystoreException occurred ", e);
return Status.FAILURE; } catch (SCEPException e) {
log.error("SCEPException occurred ", e);
} }
return Status.FAILURE; return Status.FAILURE;
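Review bot: `DataHolder.getInstance().getScepManager()` on the `SCEPManager scepManager =` line is dereferenced without a null check, and the framework service component's unbind callback sets that holder field to null, so a request that arrives while the SCEP service is unbound throws a NullPointerException that neither catch clause handles; add `if (scepManager == null) { log.error("SCEP manager service is not available"); return Status.FAILURE; }` before building the DeviceIdentifier. The same guard is needed on `tenantedDeviceWrapper` if `getValidatedDevice` can return null — its contract is not visible here, so confirm before calling `getTenantId()`. The `challengeToken.substring(challengeToken.indexOf("(") + 1).trim()` parse is fragile: when no "(" is present `indexOf` yields -1 and the whole string — which, as `extractChallengeToken` is written, is the platform-charset rendering of the raw DER extension bytes — becomes the device id, so the ASN.1 decoding belongs in `extractChallengeToken` rather than in this string trim. The enclosing `authenticate` method starts before the hunk and the class continues past it.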

@ -22,6 +22,8 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.osgi.service.component.ComponentContext; import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve; import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer; import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer;
import org.wso2.carbon.user.core.service.RealmService; import org.wso2.carbon.user.core.service.RealmService;
@ -50,6 +52,12 @@ import java.util.List;
* cardinality="1..n" * cardinality="1..n"
* bind="setCertificateManagementService" * bind="setCertificateManagementService"
* unbind="unsetCertificateManagementService" * unbind="unsetCertificateManagementService"
* @scr.reference name="org.wso2.carbon.device.mgt.core.scep"
* interface="org.wso2.carbon.device.mgt.core.scep.SCEPManager"
* policy="dynamic"
* cardinality="1..n"
* bind="setSCEPManagementService"
* unbind="unsetSCEPManagementService"
*/ */
public class WebappAuthenticatorFrameworkServiceComponent { public class WebappAuthenticatorFrameworkServiceComponent {
@ -112,4 +120,19 @@ public class WebappAuthenticatorFrameworkServiceComponent {
DataHolder.getInstance().setCertificateManagementService(null); DataHolder.getInstance().setCertificateManagementService(null);
} }
protected void setSCEPManagementService(SCEPManager scepManager) {
if (log.isDebugEnabled()) {
log.debug("Setting SCEP management service");
}
DataHolder.getInstance().setScepManager(scepManager);
}
protected void unsetSCEPManagementService(SCEPManager scepManager) {
if (log.isDebugEnabled()) {
log.debug("Removing SCEP management service");
}
DataHolder.getInstance().setScepManager(null);
}
} }
