Fix client cert verification issue in sub tenants

appbr1
commit 7f06804823

@ -29,6 +29,7 @@ import io.entgra.device.mgt.core.certificate.mgt.core.util.CertificateManagement
import io.entgra.device.mgt.core.certificate.mgt.core.util.CommonUtil; import io.entgra.device.mgt.core.certificate.mgt.core.util.CommonUtil;
import io.entgra.device.mgt.core.certificate.mgt.core.util.Serializer; import io.entgra.device.mgt.core.certificate.mgt.core.util.Serializer;
import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Encodable;
@ -429,20 +430,35 @@ public class CertificateGenerator {
generateCertificate(byteArrayInputStream); generateCertificate(byteArrayInputStream);
if (reqCert != null && reqCert.getSerialNumber() != null) { if (reqCert != null && reqCert.getSerialNumber() != null) {
if (log.isDebugEnabled()) {
log.debug("looking up certificate for serial: " + reqCert.getSerialNumber().toString()); log.debug("looking up certificate for serial: " + reqCert.getSerialNumber().toString());
CertificateResponse lookUpCertificate = keyStoreReader.getCertificateBySerial( }
String orgUnit = CommonUtil.getSubjectDnAttribute(reqCert,
CertificateManagementConstants.ORG_UNIT_ATTRIBUTE);
CertificateResponse lookUpCertificate;
if (StringUtils.isNotEmpty(orgUnit)) {
int tenantId = Integer.parseInt(orgUnit.split(("_"))[1]);
lookUpCertificate = keyStoreReader.getCertificateBySerial(reqCert.getSerialNumber().toString(),
tenantId);
} else {
lookUpCertificate = keyStoreReader.getCertificateBySerial(
reqCert.getSerialNumber().toString()); reqCert.getSerialNumber().toString());
}
if (lookUpCertificate != null && lookUpCertificate.getCertificate() != null) { if (lookUpCertificate != null && lookUpCertificate.getCertificate() != null) {
if (log.isDebugEnabled()) {
log.debug("certificate found for serial: " + reqCert.getSerialNumber() log.debug("certificate found for serial: " + reqCert.getSerialNumber()
.toString()); .toString());
}
Certificate certificate = (Certificate) Serializer.deserialize(lookUpCertificate.getCertificate()); Certificate certificate = (Certificate) Serializer.deserialize(lookUpCertificate.getCertificate());
if (certificate instanceof X509Certificate) { if (certificate instanceof X509Certificate) {
return (X509Certificate) certificate; return (X509Certificate) certificate;
} }
} else { } else {
if (log.isDebugEnabled()) {
log.debug("certificate not found for serial: " + reqCert.getSerialNumber() log.debug("certificate not found for serial: " + reqCert.getSerialNumber()
.toString()); .toString());
} }
}
} }
@ -464,7 +480,6 @@ public class CertificateGenerator {
log.error(errorMsg); log.error(errorMsg);
throw new KeystoreException(errorMsg, e); throw new KeystoreException(errorMsg, e);
} }
return null; return null;
} }

@ -35,6 +35,7 @@ public final class CertificateManagementConstants {
public static final String DES_EDE = "DESede"; public static final String DES_EDE = "DESede";
public static final String CONF_LOCATION = "conf.location"; public static final String CONF_LOCATION = "conf.location";
public static final String DEFAULT_PRINCIPAL = "O=WSO2, OU=Mobile, C=LK"; public static final String DEFAULT_PRINCIPAL = "O=WSO2, OU=Mobile, C=LK";
public static final String ORG_UNIT_ATTRIBUTE = "OU=";
public static final String RSA_PRIVATE_KEY_BEGIN_TEXT = "-----BEGIN RSA PRIVATE KEY-----\n"; public static final String RSA_PRIVATE_KEY_BEGIN_TEXT = "-----BEGIN RSA PRIVATE KEY-----\n";
public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----"; public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----";
public static final String EMPTY_TEXT = ""; public static final String EMPTY_TEXT = "";

@ -17,7 +17,10 @@
*/ */
package io.entgra.device.mgt.core.certificate.mgt.core.util; package io.entgra.device.mgt.core.certificate.mgt.core.util;
import org.apache.commons.lang.StringUtils;
import java.math.BigInteger; import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Calendar; import java.util.Calendar;
import java.util.Date; import java.util.Date;
@ -42,4 +45,27 @@ public class CommonUtil {
public static synchronized BigInteger generateSerialNumber() { public static synchronized BigInteger generateSerialNumber() {
return BigInteger.valueOf(System.currentTimeMillis()); return BigInteger.valueOf(System.currentTimeMillis());
} }
/**
* Returns the value of the given attribute from the subject distinguished name. eg: "entgra.net"
* from "CN=entgra.net"
* @param requestCertificate {@link X509Certificate} that needs to extract an attribute from
* @param attribute the attribute name that needs to be extracted from the cert. eg: "CN="
* @return the value of the attribute
*/
public static String getSubjectDnAttribute(X509Certificate requestCertificate, String attribute) {
String distinguishedName = requestCertificate.getSubjectDN().getName();
if (StringUtils.isNotEmpty(distinguishedName)) {
String[] dnSplits = distinguishedName.split(",");
for (String dnSplit : dnSplits) {
if (dnSplit.contains(attribute)) {
String[] cnSplits = dnSplit.split("=");
if (StringUtils.isNotEmpty(cnSplits[1])) {
return cnSplits[1];
}
}
}
}
return null;
}
} }

Loading…
Cancel
Save