From 7a110a8eb5b23cbc181b155ffe4788aa21206225 Mon Sep 17 00:00:00 2001 From: hasuniea Date: Mon, 19 Oct 2015 20:49:26 +0530 Subject: [PATCH] implemented certificateGenerater --- .../pom.xml | 5 +- .../mgt/core/impl/CertificateGenerator.java | 96 ++++++++++++++++++- .../service/CertificateManagementService.java | 3 + .../CertificateManagementServiceImpl.java | 7 ++ .../mgt/core/util/ConfigurationUtil.java | 3 +- .../pom.xml | 1 + .../CertificateAuthenticator.java | 3 +- 7 files changed, 112 insertions(+), 6 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml index a253cc9a7f3..a38c8ca3db9 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml @@ -71,11 +71,12 @@ org.bouncycastle.operator.jcajce, org.bouncycastle.pkcs, org.bouncycastle.util, - org.bouncycastle.asn1.util, org.jscep.message, org.jscep.transaction, org.w3c.dom, - org.xml.sax + org.xml.sax, + javax.xml.bind, + org.bouncycastle.pkcs.jcajce !org.wso2.carbon.certificate.mgt.core.internal.*, diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index c97d84472d1..853741206d7 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java 
@@ -26,8 +26,7 @@ import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.pkcs.Attribute;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.KeyUsage;
-import org.bouncycastle.asn1.x509.X509Extension;
+import org.bouncycastle.asn1.x509.*;
 import org.bouncycastle.cert.CertIOException;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
@@ -43,6 +42,7 @@ import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
 import org.bouncycastle.util.Store;
 import org.jscep.message.CertRep;
 import org.jscep.message.MessageDecodingException;
@@ -62,6 +62,7 @@ import org.wso2.carbon.certificate.mgt.core.util.CommonUtil;
 import org.wso2.carbon.certificate.mgt.core.util.ConfigurationUtil;
 import javax.security.auth.x500.X500Principal;
+import javax.xml.bind.DatatypeConverter;
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
 import java.io.File;
@@ -69,6 +70,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.math.BigInteger;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.KeyPair;
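Review bot: `+import org.bouncycastle.asn1.x509.*;` in the first hunk replaces two explicit imports with a wildcard, which no other line of this import block uses and which hides that the class now depends on Extension, ExtendedKeyUsage, KeyPurposeId, BasicConstraints and KeyUsage from that package; listing those five explicitly keeps the dependency visible and matches the surrounding style. In the third hunk `javax.xml.bind.DatatypeConverter` is used only for Base64 decoding; if the build targets Java 8 or later, `java.util.Base64.getDecoder().decode(binarySecurityToken)` does the same without the `javax.xml.bind` package (an export for it is added to pom.xml in this commit, and the package was removed from the JDK in Java 11).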
@@ -97,6 +99,20 @@ import java.util.List;
 public class CertificateGenerator {
+ private enum PropertyIndex {
+ COMMON_NAME_INDEX(0),
+ NOT_BEFORE_DAYS_INDEX(1),
+ NOT_AFTER_DAYS_INDEX(2);
+
+ private final int itemPosition;
+ private PropertyIndex(final int itemPosition) {
+ this.itemPosition = itemPosition;
+ }
+ public int getValue() {
+ return this.itemPosition;
+ }
+ }
+
 private static final Log log = LogFactory.getLog(CertificateGenerator.class);
 public List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException {
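Review bot: PropertyIndex documents neither which list it indexes nor the element types it expects, and its only use in this commit (the casts in signCSR later in the file) fixes them: position 0 is a String common name, positions 1 and 2 are Integer day counts. A Javadoc such as `/** Positions of the values in the certificate property list passed to getSignCertificateFromCSR: common name (String), days before now (Integer), days after now (Integer). */` above the enum would tell callers what to supply. The `private` on the constructor is redundant, since enum constructors are implicitly private.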
@@ -596,4 +612,80 @@ public class CertificateGenerator {
 return null;
 }
+
+ public X509Certificate getSignCertificateFromCSR(String binarySecurityToken,
+ X509Certificate caCert, List certPropertyList)
+ throws KeystoreException {
+ byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken);
+ PKCS10CertificationRequest certificationRequest = null;
+ KeyStoreReader keyStoreReader = new KeyStoreReader();
+ PrivateKey privateKeyCA = keyStoreReader.getCAPrivateKey();
+
+ try {
+ certificationRequest = new PKCS10CertificationRequest(byteArrayBst);
+ } catch (IOException e) {
+ String msg = "CSR cannot be recovered.";
+ log.error(msg, e);
+ }
+ JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(certificationRequest);
+ X509Certificate signedCertificate = signCSR(csr, privateKeyCA, caCert, certPropertyList);
+ saveCertInKeyStore(signedCertificate);
+ return signedCertificate;
+ }
+
+ private static X509Certificate signCSR(JcaPKCS10CertificationRequest jcaRequest,
+ PrivateKey privateKey, X509Certificate caCert,
+ List certParameterList) {
+
+ String commonName =
+ (String) certParameterList.get(PropertyIndex.COMMON_NAME_INDEX.getValue());
+ int notBeforeDays =
+ (Integer) certParameterList.get(PropertyIndex.NOT_BEFORE_DAYS_INDEX.getValue());
+ int notAfterDays =
+ (Integer) certParameterList.get(PropertyIndex.NOT_AFTER_DAYS_INDEX.getValue());
+ X509v3CertificateBuilder certificateBuilder;
+ X509Certificate signedCertificate = null;
+
+ try {
+ ContentSigner signer;
+ BigInteger serialNumber = BigInteger.valueOf(new SecureRandom().
+ nextInt(Integer.MAX_VALUE));
+ Date notBeforeDate = new Date(System.currentTimeMillis() -
+ (ConfigurationUtil.MILLI_SECONDS * notBeforeDays));
+ Date notAfterDate = new Date(System.currentTimeMillis() +
+ (ConfigurationUtil.MILLI_SECONDS * notAfterDays));
+ certificateBuilder =
+ new JcaX509v3CertificateBuilder(caCert, serialNumber, notBeforeDate, notAfterDate,
+ new X500Principal(commonName),
+ jcaRequest.getPublicKey());
+
+ //Adding extensions to the signed certificate.
+ certificateBuilder.addExtension(Extension.keyUsage, true,
+ new KeyUsage(KeyUsage.digitalSignature));
+ certificateBuilder.addExtension(Extension.extendedKeyUsage, false,
+ new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
+ certificateBuilder.addExtension(Extension.basicConstraints, true,
+ new BasicConstraints(false));
+
+ signer = new JcaContentSignerBuilder(ConfigurationUtil.SIGNATURE_ALGORITHM).
+ setProvider(ConfigurationUtil.PROVIDER).build(privateKey);
+
+ signedCertificate = new JcaX509CertificateConverter().setProvider(
+ ConfigurationUtil.PROVIDER).getCertificate(
+ certificateBuilder.build(signer));
+ } catch (InvalidKeyException e) {
+ //throw new CertificateGenerationException("CSR's public key is invalid", e);
+ } catch (NoSuchAlgorithmException e) {
+ //throw new CertificateGenerationException("Certificate cannot be generated", e);
+ } catch (CertIOException e) {
+ // throw new CertificateGenerationException(
+ // "Cannot add extension(s) to signed certificate", e);
+ } catch (OperatorCreationException e) {
+ // throw new CertificateGenerationException("Content signer cannot be created", e);
+ } catch (CertificateException e) {
+ //throw new CertificateGenerationException("Signed certificate cannot be generated", e);
+ }
+ return signedCertificate;
+ }
+
 }
\ No newline at end of file
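Review bot: Both new methods replace failure with a null certificate instead of the KeystoreException that getSignCertificateFromCSR declares: the IOException from `new PKCS10CertificationRequest(byteArrayBst)` is only logged, after which `new JcaPKCS10CertificationRequest(certificationRequest)` runs on null, and every catch in signCSR is a commented-out throw, so `saveCertInKeyStore(signedCertificate)` and the caller receive null. Each catch should rethrow as KeystoreException (assuming it has message-only and message-plus-cause constructors; its definition is not in this diff). The CSR is also never verified before being signed, so nothing proves the requester holds the private key for the public key that ends up in the certificate; `csr.isSignatureValid(...)` with a JcaContentVerifierProviderBuilder (import needed, as for PKCSException) is the standard proof-of-possession check. The serial `BigInteger.valueOf(new SecureRandom().nextInt(Integer.MAX_VALUE))` carries at most 31 bits, while current CA practice (CA/Browser Forum baseline) is at least 64 bits of CSPRNG output and RFC 5280 requires a positive value, and `ConfigurationUtil.SIGNATURE_ALGORITHM` resolves to `SHA1withRSA` in this commit, which is deprecated for new signatures with `SHA256withRSA` as the drop-in replacement. The rewrite below covers the exception paths, the CSR check and the serial, and keeps the property extraction, validity dates, extensions and signer construction unchanged.
```java
    public X509Certificate getSignCertificateFromCSR(String binarySecurityToken,
                                                     X509Certificate caCert, List certPropertyList)
            throws KeystoreException {
        byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken);
        JcaPKCS10CertificationRequest csr;
        try {
            csr = new JcaPKCS10CertificationRequest(byteArrayBst);
            // Proof of possession: the CSR must verify under the public key it asks us to certify.
            if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder()
                    .setProvider(ConfigurationUtil.PROVIDER).build(csr.getPublicKey()))) {
                throw new KeystoreException("CSR signature is invalid");
            }
        } catch (IOException | PKCSException | OperatorCreationException
                | InvalidKeyException | NoSuchAlgorithmException e) {
            throw new KeystoreException("CSR cannot be recovered.", e);
        }
        // … unchanged: CA private key lookup, signCSR call, saveCertInKeyStore, return …
    }

    private static X509Certificate signCSR(JcaPKCS10CertificationRequest jcaRequest,
                                           PrivateKey privateKey, X509Certificate caCert,
                                           List certParameterList) throws KeystoreException {
        // … unchanged: common name and validity-day extraction from certParameterList …
        try {
            // 64 random bits, +1 so the serial is never zero (RFC 5280 requires a positive integer).
            BigInteger serialNumber = new BigInteger(64, new SecureRandom()).add(BigInteger.ONE);
            // … unchanged: validity dates, JcaX509v3CertificateBuilder, extensions, ContentSigner …
            return new JcaX509CertificateConverter().setProvider(ConfigurationUtil.PROVIDER)
                    .getCertificate(certificateBuilder.build(signer));
        } catch (InvalidKeyException | NoSuchAlgorithmException | CertIOException
                | OperatorCreationException | CertificateException e) {
            throw new KeystoreException("Signed certificate cannot be generated", e);
        }
    }
```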
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
index 00a8a68e745..2a969bfa1a3 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java
@@ -53,4 +53,7 @@ public interface CertificateManagementService {
 public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException;
 String extractChallengeToken(X509Certificate certificate);
+
+ X509Certificate getSignCertificateFromCSR(String binarySecurityToken, X509Certificate caCert,
+ List certParameterList) throws KeystoreException;
 }
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
index cc3fb3efeb5..71b1d32db74 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java
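Review bot: The new interface method takes a raw `List certParameterList` whose contract is purely positional and is visible only in the implementation's casts: element 0 is the String common name, element 1 the Integer number of days of validity before now, element 2 the Integer number of days after now. An interface method should state that; a Javadoc with `@param certParameterList positional list: [0] common name (String), [1] days before now (Integer), [2] days after now (Integer)` plus `@throws KeystoreException` would do, and `List<Object>` (or a small holder type) would at least remove the raw type. The same raw `List` appears on the implementation in the next file.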
@@ -100,4 +100,11 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe
 public String extractChallengeToken(X509Certificate certificate) {
 return certificateGenerator.extractChallengeToken(certificate);
 }
+
+ public X509Certificate getSignCertificateFromCSR(String binarySecurityToken,
+ X509Certificate caCert, List certParameterList)
+ throws KeystoreException {
+ return certificateGenerator.getSignCertificateFromCSR(binarySecurityToken, caCert,
+ certParameterList);
+ }
 }
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java
index 3767d828241..36d9182c10b 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java
@@ -37,7 +37,7 @@ public class ConfigurationUtil {
 public static final String KEYSTORE_RA_CERT_PRIV_PASSWORD = "RAPrivateKeyPassword";
 public static final String CA_CERT_ALIAS = "CACertAlias";
 public static final String RA_CERT_ALIAS = "RACertAlias";
- public static final String SIGNATUREALGO = "SHA1withRSA";
+ public static final String SIGNATURE_ALGORITHM = "SHA1withRSA";
 public static final String PROVIDER = "BC";
 public static final String KEYSTORE = "Type";
 public static final String CERTIFICATE_KEYSTORE = "CertificateKeystoreType";
@@ -56,6 +56,7 @@ public class ConfigurationUtil { public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----"; public static final String EMPTY_TEXT = ""; public static final int RSA_KEY_LENGTH = 1024; + public static final long MILLI_SECONDS = 1000L * 60 * 60 * 24; private static ConfigurationUtil configurationUtil; diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml index 2053ed89ad1..4c28efc1f5e 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml @@ -90,6 +90,7 @@ org.wso2.carbon.utils, org.wso2.carbon.utils.multitenancy, org.xml.sax, + javax.servlet, javax.servlet.http, javax.xml, org.apache.axis2.transport.http, diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java index 83631d49fd8..88d695cf16e 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java 
@@ -51,7 +51,8 @@ public class CertificateAuthenticator implements WebappAuthenticator {
 if (certHeader != null &&
 AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService().
 verifySignature(certHeader)) {
-
+ AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService().
+ extractCertificateFromSignature(certHeader);
 X509Certificate certificate =
 AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService().
 extractCertificateFromSignature(certHeader);
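Review bot: The two added lines call `extractCertificateFromSignature(certHeader)` and discard the result, and the very next statement (the unchanged context lines) makes the identical call and keeps it, so the header is parsed and the certificate recovered twice per request with no effect on the outcome beyond the extra work. Removing the two added lines restores the single call; if the intent was to surface a KeystoreException earlier, the existing assignment already propagates it from the same point, as far as the interface's `throws KeystoreException` shows. The enclosing method continues outside the hunk.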