From 209f2b66c94cc64c361d19a35feb4b341c4b97b5 Mon Sep 17 00:00:00 2001 From: Pahansith Date: Sat, 13 May 2023 12:56:56 +0530 Subject: [PATCH] Add tenant based storing and loading SCEP certificates --- .../mgt/core/dao/CertificateDAO.java | 10 +++++ .../dao/impl/AbstractCertificateDAOImpl.java | 36 +++++++++++++++++ .../mgt/core/impl/CertificateGenerator.java | 39 ++++++++++++++----- .../mgt/core/impl/KeyStoreReader.java | 37 ++++++++++++++++++ .../exception/StorageManagementException.java | 32 +++++++++++++++ 5 files changed, 145 insertions(+), 9 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/CertificateDAO.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/CertificateDAO.java index cb97cf8892..fe1d829a82 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/CertificateDAO.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/CertificateDAO.java @@ -51,6 +51,16 @@ public interface CertificateDAO { */ CertificateResponse retrieveCertificate(String serialNumber) throws CertificateManagementDAOException; + /** + * Obtain a certificated stored in the database by providing the common name and the tenant ID + * + * @param serialNumber Serial number (Common name) of the certificate + * @param tenantId ID of the certificate owning tenant + * @return representation of the certificate. + * @throws CertificateManagementDAOException if fails to read the certificate from the database + */ + CertificateResponse retrieveCertificate(String serialNumber, int tenantId) throws CertificateManagementDAOException; + /** * Get all the certificates in a paginated manner. * diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java index 4af136c987..e536eaf646 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java @@ -119,6 +119,42 @@ public abstract class AbstractCertificateDAOImpl implements CertificateDAO{ return certificateResponse; } + @Override + public CertificateResponse retrieveCertificate(String serialNumber, int tenantId) throws CertificateManagementDAOException { + Connection conn; + PreparedStatement stmt = null; + ResultSet resultSet = null; + CertificateResponse certificateResponse = null; + try { + conn = this.getConnection(); + String query = + "SELECT CERTIFICATE, SERIAL_NUMBER, TENANT_ID, USERNAME FROM" + + " DM_DEVICE_CERTIFICATE WHERE SERIAL_NUMBER = ? AND TENANT_ID = ? "; + stmt = conn.prepareStatement(query); + stmt.setString(1, serialNumber); + stmt.setInt(2, tenantId); + resultSet = stmt.executeQuery(); + + if (resultSet.next()) { + certificateResponse = new CertificateResponse(); + byte[] certificateBytes = resultSet.getBytes("CERTIFICATE"); + certificateResponse.setCertificate(certificateBytes); + certificateResponse.setSerialNumber(resultSet.getString("SERIAL_NUMBER")); + certificateResponse.setTenantId(resultSet.getInt("TENANT_ID")); + certificateResponse.setUsername(resultSet.getString("USERNAME")); + CertificateGenerator.extractCertificateDetails(certificateBytes, certificateResponse); + } + } catch (SQLException e) { + String errorMsg = + "Unable to get the read the certificate with serial" + serialNumber; + log.error(errorMsg, e); + throw new CertificateManagementDAOException(errorMsg, e); + } finally { + CertificateManagementDAOUtil.cleanupResources(stmt, resultSet); + } + return certificateResponse; + } + @Override public List searchCertificate(String serialNumber) throws CertificateManagementDAOException { diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index d686ff5115..5c9bbfad45 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -358,15 +358,31 @@ public class CertificateGenerator { CertificateResponse lookUpCertificate = null; KeyStoreReader keyStoreReader = new KeyStoreReader(); if (distinguishedName != null && !distinguishedName.isEmpty()) { - if (distinguishedName.contains("/CN=")) { - String[] dnSplits = distinguishedName.split("/"); - for (String dnPart : dnSplits) { - if (dnPart.contains("CN=")) { - String commonNameExtracted = dnPart.replace("CN=", ""); - lookUpCertificate = keyStoreReader.getCertificateBySerial(commonNameExtracted); - break; + if (distinguishedName.contains("CN=")) { + String[] dnSplits = null; + if (distinguishedName.contains("/")) { + dnSplits = distinguishedName.split("/"); + } else if (distinguishedName.contains(",")) { + //some older versions of nginx will forward the client certificate subject dn separated with commas + dnSplits = distinguishedName.split(","); + } + String commonNameExtracted = null; + int tenantId = 0; + if (dnSplits != null && dnSplits.length >= 1) { + for (String dnPart : dnSplits) { + if (dnPart.contains("CN=")) { + commonNameExtracted = dnPart.replace("CN=", ""); + } else if (dnPart.contains("OU=")) { + //the OU of the certificate will be like OU=tenant_ ex: OU=tenant_-1234 + //splitting by underscore to extract the tenant domain + String[] orgUnitSplits = dnPart.split("_"); + tenantId = Integer.parseInt(orgUnitSplits[1]); + } } } + + lookUpCertificate = keyStoreReader.getCertificateBySerial(commonNameExtracted, tenantId); + } else { LdapName ldapName; try { @@ -807,8 +823,9 @@ public class CertificateGenerator { X500Name issuerName = new X500Name(subjectDn); String commonName = certificationRequest.getSubject().getRDNs(BCStyle.CN)[0].getFirst() .getValue().toString(); - X500Name subjectName = new X500Name("O=" + commonName + "O=AndroidDevice,CN=" + - serialNumber); + int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(); + X500Name subjectName = new X500Name("O=" + commonName + ",CN=" + + serialNumber + ", OU=tenant_"+tenantId); Date startDate = new Date(System.currentTimeMillis()); Date endDate = new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365 * 100)); @@ -826,6 +843,10 @@ public class CertificateGenerator { issuedCert = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(encodedCertificate)); + io.entgra.device.mgt.core.certificate.mgt.core.bean.Certificate certificate = + new io.entgra.device.mgt.core.certificate.mgt.core.bean.Certificate(); + List certificates = new ArrayList<>(); + certificate.setTenantId(tenantId); org.wso2.carbon.certificate.mgt.core.bean.Certificate certificate = new org.wso2.carbon.certificate.mgt.core.bean.Certificate(); List certificates = new ArrayList<>(); diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java index 60a7800863..921f11e794 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/KeyStoreReader.java @@ -275,6 +275,43 @@ public class KeyStoreReader { return raPrivateKey; } + public CertificateResponse getCertificateBySerial(String serialNumber, int tenantId) throws KeystoreException { + CertificateResponse certificateResponse = null; + try { + CertificateCacheManager cacheManager = CertificateCacheManagerImpl.getInstance(); + certificateResponse = cacheManager.getCertificateBySerial(serialNumber); + if (certificateResponse == null) { + try { + CertificateManagementDAOFactory.openConnection(); + certificateResponse = certDao.retrieveCertificate(serialNumber, tenantId); + } catch (SQLException e) { + String errorMsg = "Error when making a connection to the database."; + throw new KeystoreException(errorMsg, e); + } finally { + CertificateManagementDAOFactory.closeConnection(); + } + if (certificateResponse != null && certificateResponse.getCertificate() != null) { + Certificate certificate = (Certificate) Serializer.deserialize(certificateResponse.getCertificate()); + if (certificate instanceof X509Certificate) { + X509Certificate x509cert = (X509Certificate) certificate; + String commonName = CertificateGenerator.getCommonName(x509cert); + certificateResponse.setCommonName(commonName); + cacheManager.addCertificateBySerial(serialNumber, certificateResponse); + } + } + } + } catch (CertificateManagementDAOException e) { + String errorMsg = "Error when retrieving certificate from the the database for the serial number: " + + serialNumber; + throw new KeystoreException(errorMsg, e); + + } catch (ClassNotFoundException | IOException e) { + String errorMsg = "Error when de-serializing saved certificate."; + throw new KeystoreException(errorMsg, e); + } + return certificateResponse; + } + public CertificateResponse getCertificateBySerial(String serialNumber) throws KeystoreException { CertificateResponse certificateResponse = null; try { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/common/exception/StorageManagementException.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/common/exception/StorageManagementException.java index e69de29bb2..38985716de 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/common/exception/StorageManagementException.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/common/exception/StorageManagementException.java @@ -0,0 +1,32 @@ +/* Copyright (c) 2023, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved. + * + * Entgra (Pvt) Ltd. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.core.common.exception; + +/** + * Represents the exception thrown during storing and retrieving the artifacts. + */ +public class StorageManagementException extends Exception { + public StorageManagementException(String message, Throwable ex) { + super(message, ex); + } + + public StorageManagementException(String message) { + super(message); + } +} +