Add Mutual SSL handling to AuthHandler

4.x.x
Janak Amarasena 8 years ago
parent 3a9986d054
commit e5bd7566d3

@ -76,6 +76,7 @@
<Bundle-Description>WSO2 Carbon - API Security Handler Component</Bundle-Description> <Bundle-Description>WSO2 Carbon - API Security Handler Component</Bundle-Description>
<Import-Package> <Import-Package>
org.apache.axiom.*, org.apache.axiom.*,
javax.security.cert.*,
javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional, javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional,
javax.xml.*, javax.xml.*,
org.apache.axis2.*, org.apache.axis2.*,
@ -90,7 +91,8 @@
org.w3c.dom, org.w3c.dom,
org.apache.synapse, org.apache.synapse,
org.apache.synapse.core.axis2, org.apache.synapse.core.axis2,
org.apache.synapse.rest org.apache.synapse.rest,
org.wso2.carbon.certificate.mgt.core.impl
</Import-Package> </Import-Package>
</instructions> </instructions>
</configuration> </configuration>

@ -31,11 +31,17 @@ import org.wso2.carbon.apimgt.handlers.invoker.RESTInvoker;
import org.wso2.carbon.apimgt.handlers.invoker.RESTResponse; import org.wso2.carbon.apimgt.handlers.invoker.RESTResponse;
import org.wso2.carbon.apimgt.handlers.utils.AuthConstants; import org.wso2.carbon.apimgt.handlers.utils.AuthConstants;
import org.wso2.carbon.apimgt.handlers.utils.Utils; import org.wso2.carbon.apimgt.handlers.utils.Utils;
import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import javax.security.cert.CertificateEncodingException;
import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.StringTokenizer; import java.util.StringTokenizer;
@ -140,6 +146,18 @@ public class AuthenticationHandler extends AbstractHandler {
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Verify response:" + response.getContent()); log.debug("Verify response:" + response.getContent());
} }
} else if (headers.containsKey(AuthConstants.MUTUAL_AUTH_HEADER)) {
javax.security.cert.X509Certificate[] certs =
(javax.security.cert.X509Certificate[])axisMC.getProperty(AuthConstants.CLIENT_CERTIFICATE);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(certs[0].getEncoded());
X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais);
if (x509 != null ) {
headers.put(AuthConstants.PROXY_MUTUAL_AUTH_HEADER, CertificateGenerator.getCommonName(x509));
return true;
}else {
response = null;
}
} else if (headers.containsKey(AuthConstants.ENCODED_PEM)) { } else if (headers.containsKey(AuthConstants.ENCODED_PEM)) {
String encodedPem = headers.get(AuthConstants.ENCODED_PEM).toString(); String encodedPem = headers.get(AuthConstants.ENCODED_PEM).toString();
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
@ -178,6 +196,12 @@ public class AuthenticationHandler extends AbstractHandler {
} catch (APIMCertificateMGTException e) { } catch (APIMCertificateMGTException e) {
log.error("Error while processing certificate.", e); log.error("Error while processing certificate.", e);
return false; return false;
} catch (CertificateException e) {
e.printStackTrace();
return false;
} catch (CertificateEncodingException e) {
e.printStackTrace();
return false;
} }
} }
@ -191,7 +215,7 @@ public class AuthenticationHandler extends AbstractHandler {
private String getDeviceType(String url) { private String getDeviceType(String url) {
StringTokenizer parts = new StringTokenizer(url, "/"); StringTokenizer parts = new StringTokenizer(url, "/");
while (parts.hasMoreElements()) { while (parts.hasMoreElements()) {
if (parts.nextElement().equals("api")) { if (parts.nextElement().equals("device-mgt")) {
return (String) parts.nextElement(); return (String) parts.nextElement();
} }
} }

@ -35,6 +35,7 @@ public class AuthConstants {
// public static final String ANDROID_VERIFY_ENDPOINT = "android-verify-endpoint"; // public static final String ANDROID_VERIFY_ENDPOINT = "android-verify-endpoint";
public static final String MDM_SIGNATURE = "mdm-signature"; public static final String MDM_SIGNATURE = "mdm-signature";
public static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header"; public static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header";
public static final String MUTUAL_AUTH_HEADER = "mutual-auth-header";
public static final String ENCODED_PEM = "encoded-pem"; public static final String ENCODED_PEM = "encoded-pem";
public static final String CALLBACK_URL = ""; public static final String CALLBACK_URL = "";
public static final String CLIENT_NAME = "IOT-API-MANAGER"; public static final String CLIENT_NAME = "IOT-API-MANAGER";
@ -46,4 +47,5 @@ public class AuthConstants {
public static final String BASIC_AUTH_PREFIX = "Basic "; public static final String BASIC_AUTH_PREFIX = "Basic ";
public static final String CLIENT_ID = "clientId"; public static final String CLIENT_ID = "clientId";
public static final String CLIENT_SECRET = "clientSecret"; public static final String CLIENT_SECRET = "clientSecret";
public static final String CLIENT_CERTIFICATE = "ssl.client.auth.cert.X509";
} }

@ -30,6 +30,7 @@ import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.RequestValidationUtil
import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse; import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
import org.wso2.carbon.certificate.mgt.core.exception.CertificateManagementException; import org.wso2.carbon.certificate.mgt.core.exception.CertificateManagementException;
import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException; import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
import org.wso2.carbon.certificate.mgt.core.scep.SCEPException; import org.wso2.carbon.certificate.mgt.core.scep.SCEPException;
import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager; import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager;
import org.wso2.carbon.certificate.mgt.core.scep.TenantedDeviceWrapper; import org.wso2.carbon.certificate.mgt.core.scep.TenantedDeviceWrapper;
@ -74,7 +75,7 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
certificate.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); certificate.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
X509Certificate x509Certificate = certificateService X509Certificate x509Certificate = certificateService
.pemToX509Certificate(enrollmentCertificate.getPem()); .pemToX509Certificate(enrollmentCertificate.getPem());
certificate.setSerial(x509Certificate.getSerialNumber().toString()); certificate.setSerial(CertificateGenerator.getCommonName(x509Certificate));
certificate.setCertificate(x509Certificate); certificate.setCertificate(x509Certificate);
certificates.add(certificate); certificates.add(certificate);
} }
@ -293,7 +294,14 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
if (certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)) { if (certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)) {
certificateResponse = certMgtService.verifySubjectDN(certificate.getPem()); certificateResponse = certMgtService.verifySubjectDN(certificate.getPem());
} else { } else {
X509Certificate clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem()); //janak
X509Certificate clientCertificate;
if(certificate.getCertificate()!=null){
clientCertificate = certificate.getCertificate();
}else {
clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
}
if (clientCertificate != null) { if (clientCertificate != null) {
certificateResponse = certMgtService.verifyPEMSignature(clientCertificate); certificateResponse = certMgtService.verifyPEMSignature(clientCertificate);
} }

Loading…
Cancel
Save