From 0140974487b85e51f865b33e98c9cf62a9568e5d Mon Sep 17 00:00:00 2001 From: Dilshan Edirisuriya Date: Wed, 2 Sep 2015 10:39:51 +0530 Subject: [PATCH 1/2] Certificate verification
---
 .../pom.xml | 1 - .../mgt/core/impl/CertificateGenerator.java | 48 +++++++++++++++++++ .../mgt/core/impl/KeyStoreReader.java | 19 ++++++++ .../service/CertificateManagementService.java | 17 ++++--- .../CertificateManagementServiceImpl.java | 8 ++++ 5 files changed, 85 insertions(+), 8 deletions(-)
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml
index 72647601aec..81d6be9ba4f 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml
@@ -27,7 +27,6 @@ 4.0.0 - org.wso2.carbon.devicemgt org.wso2.carbon.certificate.mgt.core 0.9.2-SNAPSHOT bundle
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java
index a1ddb3c20e8..e0c999ad071 100755
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java
@@ -77,6 +77,7 @@ import java.security.PrivateKey;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.SignatureException;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
@@ -283,6 +284,53 @@ public class CertificateGenerator {
 }
 }
+ public boolean verifySignature(String headerSignature) throws KeystoreException {
+
+ if (headerSignature == null || headerSignature.isEmpty()) {
+ return false;
+ }
+
+ try {
+ KeyStoreReader keyStoreReader = new KeyStoreReader();
+ CMSSignedData signedData = new CMSSignedData(Base64.decodeBase64(headerSignature.getBytes()));
+ Store reqStore = signedData.getCertificates();
+ @SuppressWarnings("unchecked")
+ Collection reqCerts = reqStore.getMatches(null);
+
+ if (reqCerts != null && reqCerts.size() > 0) {
+ CertificateFactory certificateFactory = CertificateFactory.getInstance(ConfigurationUtil.X_509);
+ X509CertificateHolder holder = reqCerts.iterator().next();
+ ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(holder.getEncoded());
+ X509Certificate reqCert = (X509Certificate) certificateFactory.
+ generateCertificate(byteArrayInputStream);
+
+ if(reqCert != null && reqCert.getSerialNumber() != null) {
+ Certificate lookUpCertificate = keyStoreReader.getCertificateByAlias(
+ reqCert.getSerialNumber().toString());
+
+ if (lookUpCertificate != null) {
+ return true;
+ }
+ }
+
+ }
+ } catch (CMSException e) {
+ String errorMsg = "CMSException when decoding certificate signature";
+ log.error(errorMsg, e);
+ throw new KeystoreException(errorMsg, e);
+ } catch (IOException e) {
+ String errorMsg = "IOException when decoding certificate signature";
+ log.error(errorMsg, e);
+ throw new KeystoreException(errorMsg, e);
+ } catch (CertificateException e) {
+ String errorMsg = "CertificateException when decoding certificate signature";
+ log.error(errorMsg, e);
+ throw new KeystoreException(errorMsg, e);
+ }
+
+ return false;
+ }
+
 public X509Certificate generateCertificateFromCSR(PrivateKey privateKey,
 PKCS10CertificationRequest request,
 String issueSubject)
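Review bot: `verifySignature` never verifies the CMS signature — it parses the blob, takes the first embedded certificate, and returns true as soon as a keystore entry exists under that certificate's serial number, so a CMS structure that merely carries a copy of an enrolled certificate passes without a valid signature, and nothing checks that the embedded certificate is the same object as the keystore entry rather than one sharing its serial. Each `SignerInformation` from `signedData.getSignerInfos()` should be verified against its own certificate via `JcaSimpleSignerInfoVerifierBuilder`, and the keystore entry compared byte-for-byte, as sketched below; the catch list then also needs `OperatorCreationException`, and `org.bouncycastle.cms.SignerInformation`, `org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder` and `java.util.Arrays` must be imported. The same gap remains in patch 2's `extractCertificateFromSignature` (the `@@ -285,9 +283,14 @@` and `@@ -308,8 +311,8 @@` hunks), which only changes the return type. `headerSignature.getBytes()` also depends on the platform charset; `headerSignature.getBytes(StandardCharsets.US_ASCII)` pins it for Base64 text.
```java
    public boolean verifySignature(String headerSignature) throws KeystoreException {
        // … unchanged: null/empty guard, KeyStoreReader construction, CMSSignedData parsing …
        Store reqStore = signedData.getCertificates();
        for (Object signerObj : signedData.getSignerInfos().getSigners()) {
            SignerInformation signer = (SignerInformation) signerObj;
            @SuppressWarnings("unchecked")
            Collection<X509CertificateHolder> signerCerts = reqStore.getMatches(signer.getSID());
            if (signerCerts == null || signerCerts.isEmpty()) {
                continue;
            }
            X509CertificateHolder holder = signerCerts.iterator().next();
            // The signature itself must verify under the certificate that was sent with it ...
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder()
                    .setProvider(ConfigurationUtil.PROVIDER).build(holder))) {
                return false;
            }
            // ... and that certificate must be the enrolled one, not merely share its serial number.
            Certificate lookUpCertificate = keyStoreReader.getCertificateByAlias(
                    holder.getSerialNumber().toString());
            if (lookUpCertificate != null
                    && Arrays.equals(lookUpCertificate.getEncoded(), holder.getEncoded())) {
                return true;
            }
        }
        // … unchanged: catch blocks, with OperatorCreationException added alongside CMSException …
        return false;
    }
```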
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java
index f714a4746b2..1b82bb96831 100755
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java
@@ -204,6 +204,25 @@ public class KeyStoreReader {
 return raCertificate;
 }
+ public Certificate getCertificateByAlias(String alias) throws KeystoreException {
+
+ KeyStore keystore = loadCertificateKeyStore();
+ Certificate raCertificate;
+ try {
+ raCertificate = keystore.getCertificate(alias);
+ } catch (KeyStoreException e) {
+ String errorMsg = "KeyStore issue occurred when retrieving RA private key";
+ log.error(errorMsg, e);
+ throw new KeystoreException(errorMsg, e);
+ }
+
+ if (raCertificate == null) {
+ throw new KeystoreException("RA certificate not found in KeyStore");
+ }
+
+ return raCertificate;
+ }
+
 PrivateKey getRAPrivateKey() throws KeystoreException {
 KeyStore keystore = loadCertificateKeyStore();
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
index c9b1ca5c967..67171a3f93d 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
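Review bot: `getCertificateByAlias` throws `KeystoreException` when the alias is absent, so the only caller added in this series (`verifySignature` in `CertificateGenerator`) can never observe its `lookUpCertificate != null` branch as false — an unknown serial surfaces to the caller as an exception rather than as a failed verification. Either return `null` for a missing alias and let callers decide, or keep the throw and state it in Javadoc; in both cases the messages are copy-pasted from the RA private-key path and mislead when this generic lookup fails: `String errorMsg = "KeyStore issue occurred when retrieving certificate for alias " + alias;` and `throw new KeystoreException("Certificate with alias " + alias + " not found in KeyStore");`. The local should also be named `certificate` rather than `raCertificate`, since the alias is caller-supplied and need not be the RA's.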
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
@@ -33,17 +33,20 @@ public interface CertificateManagementService {
 Certificate getRACertificate() throws KeystoreException;
- public List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException;
+ List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException;
- public X509Certificate generateX509Certificate() throws KeystoreException;
+ X509Certificate generateX509Certificate() throws KeystoreException;
- public SCEPResponse getCACertSCEP() throws KeystoreException;
+ SCEPResponse getCACertSCEP() throws KeystoreException;
- public byte[] getCACapsSCEP();
+ byte[] getCACapsSCEP();
- public byte[] getPKIMessageSCEP(InputStream inputStream) throws KeystoreException;
+ byte[] getPKIMessageSCEP(InputStream inputStream) throws KeystoreException;
- public X509Certificate generateCertificateFromCSR(PrivateKey privateKey,
- PKCS10CertificationRequest request,
+ X509Certificate generateCertificateFromCSR(PrivateKey privateKey, PKCS10CertificationRequest request,
 String issueSubject) throws KeystoreException;
+
+ Certificate getCertificateByAlias(String alias) throws KeystoreException;
+
+ boolean verifySignature(String headerSignature) throws KeystoreException;
 }
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
index a294acbc16a..014363e90d9 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
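Review bot: the two new interface methods, `getCertificateByAlias` and `verifySignature`, carry no Javadoc, and nothing says what `headerSignature` holds or what a `true` result guarantees. Document that `headerSignature` is the Base64-encoded CMS signed-data blob read from a request header, that `verifySignature` returns false for a null or empty value, and — as implemented in `CertificateGenerator` in this patch — that it currently only checks that a keystore entry exists under the serial number of the certificate embedded in that blob, so callers do not read more into the name than the implementation provides.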
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
@@ -84,4 +84,12 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe
 String issueSubject) throws KeystoreException {
 return certificateGenerator.generateCertificateFromCSR(privateKey, request, issueSubject);
 }
+
+ public Certificate getCertificateByAlias(String alias) throws KeystoreException {
+ return keyStoreReader.getCertificateByAlias(alias);
+ }
+
+ public boolean verifySignature(String headerSignature) throws KeystoreException {
+ return certificateGenerator.verifySignature(headerSignature);
+ }
 }
From 454c459172aa4092d1767bc5c8aa81f657a5fc99 Mon Sep 17 00:00:00 2001 From: Dilshan Edirisuriya Date: Wed, 2 Sep 2015 16:46:51 +0530 Subject: [PATCH 2/2] Extract certificate from signature
---
 .../mgt/core/impl/CertificateGenerator.java | 19 +++++++++++-------- .../service/CertificateManagementService.java | 2 ++ .../CertificateManagementServiceImpl.java | 4 ++++ .../certificate/mgt/core/util/CommonUtil.java | 5 +++++ .../pom.xml | 6 +++++- 5 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java
index e0c999ad071..7a2538af224 100755
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java
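Review bot: neither `getCertificateByAlias` nor `verifySignature` in this hunk carries `@Override`, although both implement the `CertificateManagementService` methods added in the same patch; the annotation turns a later interface rename into a compile error instead of silently leaving a stray method behind. The same applies to `extractCertificateFromSignature`, added to this class in patch 2 (`@@ -92,4 +92,8 @@`). An `@Override` line above each of the three is enough.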
@@ -64,7 +64,6 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.math.BigInteger;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.KeyPair;
@@ -158,10 +157,9 @@ public class CertificateGenerator {
 keyPairGenerator.initialize(ConfigurationUtil.RSA_KEY_LENGTH, new SecureRandom());
 KeyPair pair = keyPairGenerator.generateKeyPair();
 X500Principal principal = new X500Principal(ConfigurationUtil.DEFAULT_PRINCIPAL);
- BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
 X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
- principal, serial, validityBeginDate, validityEndDate,
+ principal, CommonUtil.generateSerialNumber(), validityBeginDate, validityEndDate,
 principal, pair.getPublic());
 ContentSigner contentSigner = new JcaContentSignerBuilder(ConfigurationUtil.SHA256_RSA)
 .setProvider(ConfigurationUtil.PROVIDER).build(
@@ -285,9 +283,14 @@ public class CertificateGenerator {
 }
 public boolean verifySignature(String headerSignature) throws KeystoreException {
+ Certificate certificate = extractCertificateFromSignature(headerSignature);
+ return (certificate != null);
+ }
+
+ public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException {
 if (headerSignature == null || headerSignature.isEmpty()) {
- return false;
+ return null;
 }
 try {
@@ -308,8 +311,8 @@ public class CertificateGenerator {
 Certificate lookUpCertificate = keyStoreReader.getCertificateByAlias(
 reqCert.getSerialNumber().toString());
- if (lookUpCertificate != null) {
- return true;
+ if (lookUpCertificate != null && (lookUpCertificate instanceof X509Certificate)) {
+ return (X509Certificate)lookUpCertificate;
 }
 }
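Review bot: `extractCertificateFromSignature` does not return the certificate extracted from the signature — the `@@ -308,8 +311,8 @@` hunk returns `lookUpCertificate`, the keystore's copy fetched by serial, and discards `reqCert`, the certificate actually carried in the CMS data, so a caller that trusts the name to inspect what the client presented gets the enrolled entry instead. Either return `reqCert` after confirming it equals the keystore entry (`Arrays.equals(reqCert.getEncoded(), lookUpCertificate.getEncoded())`), or rename the method and say in its Javadoc that it yields the enrolled certificate whose serial the signature named. In the same hunk `lookUpCertificate != null &&` is redundant, since `instanceof` is already false for null. The method body continues past this hunk into `@@ -328,7 +331,7 @@`.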
@@ -328,7 +331,7 @@ public class CertificateGenerator {
 throw new KeystoreException(errorMsg, e);
 }
- return false;
+ return null;
 }
 public X509Certificate generateCertificateFromCSR(PrivateKey privateKey,
@@ -353,7 +356,7 @@ public class CertificateGenerator {
 }
 X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(
- new X500Name(issueSubject), BigInteger.valueOf(System.currentTimeMillis()),
+ new X500Name(issueSubject), CommonUtil.generateSerialNumber(),
 validityBeginDate, validityEndDate, certSubject, request.getSubjectPublicKeyInfo());
 ContentSigner sigGen;
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
index 67171a3f93d..0b47c43707f 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
@@ -49,4 +49,6 @@ public interface CertificateManagementService {
 Certificate getCertificateByAlias(String alias) throws KeystoreException;
 boolean verifySignature(String headerSignature) throws KeystoreException;
+
+ public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException;
 }
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
index 014363e90d9..c379df42646 100644
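Review bot: `public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException;` reintroduces the redundant `public` modifier that the first patch in this series just removed from every other method of this interface; drop it: `X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException;`. It also needs Javadoc stating what the `CertificateGenerator` implementation actually returns — the keystore entry whose alias equals the serial number of the certificate embedded in the CMS data, null when the input is null or empty, when the CMS data carries no certificate, or when the matching keystore entry is not an `X509Certificate`, and a `KeystoreException` when `KeyStoreReader.getCertificateByAlias` finds no entry for that alias.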
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
@@ -92,4 +92,8 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe
 public boolean verifySignature(String headerSignature) throws KeystoreException {
 return certificateGenerator.verifySignature(headerSignature);
 }
+
+ public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException {
+ return certificateGenerator.extractCertificateFromSignature(headerSignature);
+ }
 }
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/CommonUtil.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/CommonUtil.java
index a149c925698..6b9bc5897e0 100755
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/CommonUtil.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/CommonUtil.java
@@ -17,6 +17,7 @@
 */
 package org.wso2.carbon.certificate.mgt.core.util;
+import java.math.BigInteger;
 import java.util.Calendar;
 import java.util.Date;
@@ -40,4 +41,8 @@ public class CommonUtil {
 return calendar.getTime();
 }
+ public static synchronized BigInteger generateSerialNumber() {
+ return BigInteger.valueOf(System.currentTimeMillis());
+ }
+
 }
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
index 34051486391..edca5ac9554 100644
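Review bot: `generateSerialNumber` in the `@@ -40,4 +41,8 @@` hunk derives the serial from `System.currentTimeMillis()`, so two certificates issued within the same millisecond, after a clock step backwards, or by two server instances receive the same serial; `synchronized` serialises the calls but does not make the values distinct. RFC 5280 requires serials to be unique per issuer, and this series also uses the serial as the keystore alias in `extractCertificateFromSignature`, so a collision makes one enrolled certificate shadow another. A random serial avoids both problems: `private static final SecureRandom RANDOM = new SecureRandom();` and `return new BigInteger(159, RANDOM);` (non-negative and within the 20-octet limit), with `java.security.SecureRandom` imported alongside `BigInteger`, after which the `synchronized` is no longer needed.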
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
@@ -88,7 +88,11 @@ org.wso2.carbon.user.core.tenant,
 org.wso2.carbon.utils,
 org.wso2.carbon.utils.multitenancy,
- org.xml.sax
+ org.xml.sax,
+ javax.servlet.http,
+ javax.xml,
+ org.apache.axis2.transport.http,
+ org.wso2.carbon.apimgt.impl