Add Mutual SSL handling to AuthHandler

components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml

@@ -76,6 +76,7 @@
                         <Bundle-Description>WSO2 Carbon - API Security Handler Component</Bundle-Description>
                         <Import-Package>
                             org.apache.axiom.*,
+                            javax.security.cert.*,
                             javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional,
                             javax.xml.*,
                             org.apache.axis2.*,
@@ -90,7 +91,8 @@
                             org.w3c.dom,
                             org.apache.synapse,
                             org.apache.synapse.core.axis2,
-                            org.apache.synapse.rest
+                            org.apache.synapse.rest,
+                            org.wso2.carbon.certificate.mgt.core.impl
                         </Import-Package>
                     </instructions>
                 </configuration>

components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java

@@ -31,11 +31,17 @@ import org.wso2.carbon.apimgt.handlers.invoker.RESTInvoker;
 import org.wso2.carbon.apimgt.handlers.invoker.RESTResponse;
 import org.wso2.carbon.apimgt.handlers.utils.AuthConstants;
 import org.wso2.carbon.apimgt.handlers.utils.Utils;
+import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 
+import javax.security.cert.CertificateEncodingException;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.StringTokenizer;
@@ -140,6 +146,18 @@ public class AuthenticationHandler extends AbstractHandler {
                 if (log.isDebugEnabled()) {
                     log.debug("Verify response:" + response.getContent());
                 }
+            } else if (headers.containsKey(AuthConstants.MUTUAL_AUTH_HEADER)) {
+                javax.security.cert.X509Certificate[] certs =
+                        (javax.security.cert.X509Certificate[])axisMC.getProperty(AuthConstants.CLIENT_CERTIFICATE);
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                ByteArrayInputStream bais = new ByteArrayInputStream(certs[0].getEncoded());
+                X509Certificate x509 =  (X509Certificate) cf.generateCertificate(bais);
+                if (x509 != null ) {
+                    headers.put(AuthConstants.PROXY_MUTUAL_AUTH_HEADER, CertificateGenerator.getCommonName(x509));
+                    return true;
+                }else {
+                    response = null;
+                }
             } else if (headers.containsKey(AuthConstants.ENCODED_PEM)) {
                 String encodedPem = headers.get(AuthConstants.ENCODED_PEM).toString();
                 if (log.isDebugEnabled()) {
@@ -178,6 +196,12 @@ public class AuthenticationHandler extends AbstractHandler {
         } catch (APIMCertificateMGTException e) {
             log.error("Error while processing certificate.", e);
             return false;
+        } catch (CertificateException e) {
+            e.printStackTrace();
+            return false;
+        } catch (CertificateEncodingException e) {
+            e.printStackTrace();
+            return false;
         }
 
     }
@@ -191,7 +215,7 @@ public class AuthenticationHandler extends AbstractHandler {
     private String getDeviceType(String url) {
         StringTokenizer parts = new StringTokenizer(url, "/");
         while (parts.hasMoreElements()) {
-            if (parts.nextElement().equals("api")) {
+            if (parts.nextElement().equals("device-mgt")) {
                 return (String) parts.nextElement();
             }
         }
@@ -205,4 +229,4 @@ public class AuthenticationHandler extends AbstractHandler {
         map.put(CONTENT_TYPE, "application/json");
         return map;
     }
-}
+}

components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java

@@ -35,6 +35,7 @@ public class AuthConstants {
 //    public static final String ANDROID_VERIFY_ENDPOINT = "android-verify-endpoint";
     public static final String MDM_SIGNATURE = "mdm-signature";
     public static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header";
+    public static final String MUTUAL_AUTH_HEADER = "mutual-auth-header";
     public static final String ENCODED_PEM = "encoded-pem";
     public static final String CALLBACK_URL = "";
     public static final String CLIENT_NAME = "IOT-API-MANAGER";
@@ -46,4 +47,5 @@ public class AuthConstants {
     public static final String BASIC_AUTH_PREFIX = "Basic ";
     public static final String CLIENT_ID = "clientId";
     public static final String CLIENT_SECRET = "clientSecret";
+    public static final String CLIENT_CERTIFICATE = "ssl.client.auth.cert.X509";
 }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java

@@ -30,6 +30,7 @@ import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.RequestValidationUtil
 import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
 import org.wso2.carbon.certificate.mgt.core.exception.CertificateManagementException;
 import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
 import org.wso2.carbon.certificate.mgt.core.scep.SCEPException;
 import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager;
 import org.wso2.carbon.certificate.mgt.core.scep.TenantedDeviceWrapper;
@@ -74,7 +75,7 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
                 certificate.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
                 X509Certificate x509Certificate = certificateService
                         .pemToX509Certificate(enrollmentCertificate.getPem());
-                certificate.setSerial(x509Certificate.getSerialNumber().toString());
+                certificate.setSerial(CertificateGenerator.getCommonName(x509Certificate));
                 certificate.setCertificate(x509Certificate);
                 certificates.add(certificate);
             }
@@ -293,7 +294,14 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
                 if (certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)) {
                     certificateResponse = certMgtService.verifySubjectDN(certificate.getPem());
                 } else {
-                    X509Certificate clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
+                    //janak
+                    X509Certificate clientCertificate;
+                    if(certificate.getCertificate()!=null){
+                        clientCertificate = certificate.getCertificate();
+                    }else {
+                        clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
+                    }
+
                     if (clientCertificate != null) {
                         certificateResponse = certMgtService.verifyPEMSignature(clientCertificate);
                     }

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java

@@ -164,4 +164,4 @@ public class CertificateAuthenticator implements WebappAuthenticator {
         return null;
     }
 
-}
+}