Add Mutual SSL handling to AuthHandler

8 years ago · e5bd7566d3
parent 3a9986d054
commit e5bd7566d3
5 changed files with 42 additions and 6 deletions
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml
@ -76,6 +76,7 @@
                        <Bundle-Description>WSO2 Carbon - API Security Handler Component</Bundle-Description>
                        <Import-Package>
                            org.apache.axiom.*,
+                            javax.security.cert.*,
                            javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional,
                            javax.xml.*,
                            org.apache.axis2.*,
@ -90,7 +91,8 @@
                            org.w3c.dom,
                            org.apache.synapse,
                            org.apache.synapse.core.axis2,
-                            org.apache.synapse.rest
+                            org.apache.synapse.rest,
+                            org.wso2.carbon.certificate.mgt.core.impl
                        </Import-Package>
                    </instructions>
                </configuration>
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java
@ -31,11 +31,17 @@ import org.wso2.carbon.apimgt.handlers.invoker.RESTInvoker;
 import org.wso2.carbon.apimgt.handlers.invoker.RESTResponse;
 import org.wso2.carbon.apimgt.handlers.utils.AuthConstants;
 import org.wso2.carbon.apimgt.handlers.utils.Utils;
+import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
 import org.wso2.carbon.context.PrivilegedCarbonContext;

+import javax.security.cert.CertificateEncodingException;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.StringTokenizer;
@ -140,6 +146,18 @@ public class AuthenticationHandler extends AbstractHandler {
                if (log.isDebugEnabled()) {
                    log.debug("Verify response:" + response.getContent());
                }
+            } else if (headers.containsKey(AuthConstants.MUTUAL_AUTH_HEADER)) {
+                javax.security.cert.X509Certificate[] certs =
+                        (javax.security.cert.X509Certificate[])axisMC.getProperty(AuthConstants.CLIENT_CERTIFICATE);
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                ByteArrayInputStream bais = new ByteArrayInputStream(certs[0].getEncoded());
+                X509Certificate x509 =  (X509Certificate) cf.generateCertificate(bais);
+                if (x509 != null ) {
+                    headers.put(AuthConstants.PROXY_MUTUAL_AUTH_HEADER, CertificateGenerator.getCommonName(x509));
+                    return true;
+                }else {
+                    response = null;
+                }
            } else if (headers.containsKey(AuthConstants.ENCODED_PEM)) {
                String encodedPem = headers.get(AuthConstants.ENCODED_PEM).toString();
                if (log.isDebugEnabled()) {
@ -178,6 +196,12 @@ public class AuthenticationHandler extends AbstractHandler {
        } catch (APIMCertificateMGTException e) {
            log.error("Error while processing certificate.", e);
            return false;
+        } catch (CertificateException e) {
+            e.printStackTrace();
+            return false;
+        } catch (CertificateEncodingException e) {
+            e.printStackTrace();
+            return false;
        }

    }
@ -191,7 +215,7 @@ public class AuthenticationHandler extends AbstractHandler {
    private String getDeviceType(String url) {
        StringTokenizer parts = new StringTokenizer(url, "/");
        while (parts.hasMoreElements()) {
-            if (parts.nextElement().equals("api")) {
+            if (parts.nextElement().equals("device-mgt")) {
                return (String) parts.nextElement();
            }
        }
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java
@ -35,6 +35,7 @@ public class AuthConstants {
 //    public static final String ANDROID_VERIFY_ENDPOINT = "android-verify-endpoint";
    public static final String MDM_SIGNATURE = "mdm-signature";
    public static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header";
+    public static final String MUTUAL_AUTH_HEADER = "mutual-auth-header";
    public static final String ENCODED_PEM = "encoded-pem";
    public static final String CALLBACK_URL = "";
    public static final String CLIENT_NAME = "IOT-API-MANAGER";
@ -46,4 +47,5 @@ public class AuthConstants {
    public static final String BASIC_AUTH_PREFIX = "Basic ";
    public static final String CLIENT_ID = "clientId";
    public static final String CLIENT_SECRET = "clientSecret";
+    public static final String CLIENT_CERTIFICATE = "ssl.client.auth.cert.X509";
 }
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
@ -30,6 +30,7 @@ import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.RequestValidationUtil
 import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
 import org.wso2.carbon.certificate.mgt.core.exception.CertificateManagementException;
 import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
 import org.wso2.carbon.certificate.mgt.core.scep.SCEPException;
 import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager;
 import org.wso2.carbon.certificate.mgt.core.scep.TenantedDeviceWrapper;
@ -74,7 +75,7 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
                certificate.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
                X509Certificate x509Certificate = certificateService
                        .pemToX509Certificate(enrollmentCertificate.getPem());
-                certificate.setSerial(x509Certificate.getSerialNumber().toString());
+                certificate.setSerial(CertificateGenerator.getCommonName(x509Certificate));
                certificate.setCertificate(x509Certificate);
                certificates.add(certificate);
            }
@ -293,7 +294,14 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
                if (certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)) {
                    certificateResponse = certMgtService.verifySubjectDN(certificate.getPem());
                } else {
-                    X509Certificate clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
+                    //janak
+                    X509Certificate clientCertificate;
+                    if(certificate.getCertificate()!=null){
+                        clientCertificate = certificate.getCertificate();
+                    }else {
+                        clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
+                    }
+
                    if (clientCertificate != null) {
                        certificateResponse = certMgtService.verifyPEMSignature(clientCertificate);
                    }