From 0140974487b85e51f865b33e98c9cf62a9568e5d Mon Sep 17 00:00:00 2001 From: Dilshan Edirisuriya Date: Wed, 2 Sep 2015 10:39:51 +0530 Subject: [PATCH] Certificate verification --- .../pom.xml | 1 - .../mgt/core/impl/CertificateGenerator.java | 48 +++++++++++++++++++ .../mgt/core/impl/KeyStoreReader.java | 19 ++++++++ .../service/CertificateManagementService.java | 17 ++++--- .../CertificateManagementServiceImpl.java | 8 ++++ 5 files changed, 85 insertions(+), 8 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml index 72647601ae..81d6be9ba4 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml @@ -27,7 +27,6 @@ 4.0.0 - org.wso2.carbon.devicemgt org.wso2.carbon.certificate.mgt.core 0.9.2-SNAPSHOT bundle diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index a1ddb3c20e..e0c999ad07 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -77,6 +77,7 @@ import java.security.PrivateKey; import java.security.SecureRandom; import java.security.Security; import java.security.SignatureException; +import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; 
@@ -283,6 +284,53 @@ public class CertificateGenerator { } } + public boolean verifySignature(String headerSignature) throws KeystoreException { + + if (headerSignature == null || headerSignature.isEmpty()) { + return false; + } + + try { + KeyStoreReader keyStoreReader = new KeyStoreReader(); + CMSSignedData signedData = new CMSSignedData(Base64.decodeBase64(headerSignature.getBytes())); + Store reqStore = signedData.getCertificates(); + @SuppressWarnings("unchecked") + Collection reqCerts = reqStore.getMatches(null); + + if (reqCerts != null && reqCerts.size() > 0) { + CertificateFactory certificateFactory = CertificateFactory.getInstance(ConfigurationUtil.X_509); + X509CertificateHolder holder = reqCerts.iterator().next(); + ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(holder.getEncoded()); + X509Certificate reqCert = (X509Certificate) certificateFactory. + generateCertificate(byteArrayInputStream); + + if(reqCert != null && reqCert.getSerialNumber() != null) { + Certificate lookUpCertificate = keyStoreReader.getCertificateByAlias( + reqCert.getSerialNumber().toString()); + + if (lookUpCertificate != null) { + return true; + } + } + + } + } catch (CMSException e) { + String errorMsg = "CMSException when decoding certificate signature"; + log.error(errorMsg, e); + throw new KeystoreException(errorMsg, e); + } catch (IOException e) { + String errorMsg = "IOException when decoding certificate signature"; + log.error(errorMsg, e); + throw new KeystoreException(errorMsg, e); + } catch (CertificateException e) { + String errorMsg = "CertificateException when decoding certificate signature"; + log.error(errorMsg, e); + throw new KeystoreException(errorMsg, e); + } + + return false; + } + public X509Certificate generateCertificateFromCSR(PrivateKey privateKey, PKCS10CertificationRequest request, String issueSubject) 
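Review bot: verifySignature never verifies the CMS signature — after `new CMSSignedData(...)` it only takes the first embedded certificate and checks that an alias equal to its serial number exists in the keystore, so as far as this hunk shows a client could present a CMS blob carrying a self-made certificate with a known serial number and an arbitrary (or absent) signature and be accepted. The signer infos should be verified against the embedded certificate's public key, the embedded certificate compared for equality with the stored one, and its validity window checked; below is one way to do that with BouncyCastle's SignerInformation / JcaSimpleSignerInfoVerifierBuilder (new imports from org.bouncycastle.cms, org.bouncycastle.cms.jcajce and org.bouncycastle.operator, plus java.security.cert.CertificateNotYetValidException; confirm the API against the bcpkix version this bundle pins). `JcaSimpleSignerInfoVerifierBuilder.build` throws the checked OperatorCreationException, which needs its own catch mapped to KeystoreException like the existing CMSException/IOException ones. Separately, getCertificateByAlias (added in this commit) throws rather than returns null for an unknown alias, so the `lookUpCertificate != null` branch is dead and an unenrolled certificate surfaces as a KeystoreException instead of `false`; pick one contract and document it. The generateCertificateFromCSR declaration at the end of the hunk continues outside it.
```java
X509Certificate reqCert = (X509Certificate) certificateFactory.
        generateCertificate(byteArrayInputStream);

if (reqCert != null && reqCert.getSerialNumber() != null) {
    // Reject expired / not-yet-valid client certificates before touching the keystore.
    try {
        reqCert.checkValidity();
    } catch (CertificateExpiredException | CertificateNotYetValidException e) {
        return false;
    }

    Certificate lookUpCertificate = keyStoreReader.getCertificateByAlias(
            reqCert.getSerialNumber().toString());

    // The embedded certificate must be the one this CA issued, not merely share its serial.
    if (lookUpCertificate == null || !lookUpCertificate.equals(reqCert)) {
        return false;
    }

    // Every SignerInfo must verify against the embedded certificate's public key;
    // an empty signer set is not a signature.
    SignerInformationVerifier verifier = new JcaSimpleSignerInfoVerifierBuilder().build(reqCert);
    Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
    if (signers.isEmpty()) {
        return false;
    }
    for (SignerInformation signer : signers) {
        if (!signer.verify(verifier)) {
            return false;
        }
    }
    return true;
}
// … unchanged: closing of the reqCerts check, catch blocks, final return false …
```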
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java index f714a4746b..1b82bb9683 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java @@ -204,6 +204,25 @@ public class KeyStoreReader { return raCertificate; } + public Certificate getCertificateByAlias(String alias) throws KeystoreException { + + KeyStore keystore = loadCertificateKeyStore(); + Certificate raCertificate; + try { + raCertificate = keystore.getCertificate(alias); + } catch (KeyStoreException e) { + String errorMsg = "KeyStore issue occurred when retrieving RA private key"; + log.error(errorMsg, e); + throw new KeystoreException(errorMsg, e); + } + + if (raCertificate == null) { + throw new KeystoreException("RA certificate not found in KeyStore"); + } + + return raCertificate; + } + PrivateKey getRAPrivateKey() throws KeystoreException { KeyStore keystore = loadCertificateKeyStore(); diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java index c9b1ca5c96..67171a3f93 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java 
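Review bot: The error messages in the new getCertificateByAlias are copied from the RA accessors — `"KeyStore issue occurred when retrieving RA private key"` and `"RA certificate not found in KeyStore"` — but this method resolves an arbitrary caller-supplied alias, so a failed lookup will be logged and reported as an RA key problem. Suggest `"KeyStore issue occurred when retrieving certificate by alias"` and `"Certificate not found in KeyStore for the given alias"`, and rename the local `raCertificate` to `certificate` to match. Since a missing alias throws instead of returning null, callers that use this method to test whether a certificate is enrolled (verifySignature in this same commit does) cannot tell "not enrolled" from a keystore failure; if that is intended, state it in a Javadoc `@throws KeystoreException if the keystore cannot be read or no certificate is stored under {@code alias}`.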
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java @@ -33,17 +33,20 @@ public interface CertificateManagementService { Certificate getRACertificate() throws KeystoreException; - public List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException; + List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException; - public X509Certificate generateX509Certificate() throws KeystoreException; + X509Certificate generateX509Certificate() throws KeystoreException; - public SCEPResponse getCACertSCEP() throws KeystoreException; + SCEPResponse getCACertSCEP() throws KeystoreException; - public byte[] getCACapsSCEP(); + byte[] getCACapsSCEP(); - public byte[] getPKIMessageSCEP(InputStream inputStream) throws KeystoreException; + byte[] getPKIMessageSCEP(InputStream inputStream) throws KeystoreException; - public X509Certificate generateCertificateFromCSR(PrivateKey privateKey, - PKCS10CertificationRequest request, + X509Certificate generateCertificateFromCSR(PrivateKey privateKey, PKCS10CertificationRequest request, String issueSubject) throws KeystoreException; + + Certificate getCertificateByAlias(String alias) throws KeystoreException; + + boolean verifySignature(String headerSignature) throws KeystoreException; } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java index a294acbc16..014363e90d 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java 
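Review bot: The two interface methods added at the end of the hunk carry no Javadoc, and the contract of `verifySignature(String headerSignature)` is not recoverable from its name: the implementation in this commit accepts a Base64-encoded CMS SignedData, and a caller needs to know whether `true` means the signature was cryptographically verified or only that the signer's certificate is known to this CA. Suggest a Javadoc along the lines of `Verifies a Base64-encoded CMS/PKCS#7 SignedData taken from a request header; returns true only if the embedded signer certificate was issued by this CA and the signature validates against it, false otherwise; throws KeystoreException when the data cannot be decoded or the keystore cannot be read.` — and make sure the implementation actually meets whichever statement is chosen. `getCertificateByAlias` should likewise document that an unknown alias results in a KeystoreException rather than a null return, since the implementation behaves that way.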
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java @@ -84,4 +84,12 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe String issueSubject) throws KeystoreException { return certificateGenerator.generateCertificateFromCSR(privateKey, request, issueSubject); } + + public Certificate getCertificateByAlias(String alias) throws KeystoreException { + return keyStoreReader.getCertificateByAlias(alias); + } + + public boolean verifySignature(String headerSignature) throws KeystoreException { + return certificateGenerator.verifySignature(headerSignature); + } }
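Review bot: The two delegating methods added at the end of CertificateManagementServiceImpl are missing `@Override`, so a later change to the interface signature (for instance a different parameter type for verifySignature) would silently leave an orphaned method instead of a compile error. Suggest `@Override public Certificate getCertificateByAlias(String alias) throws KeystoreException {` and `@Override public boolean verifySignature(String headerSignature) throws KeystoreException {`. Whether the surrounding methods in this class already use the annotation is not visible in the hunk; if they do not, apply it consistently.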