From 7a110a8eb5b23cbc181b155ffe4788aa21206225 Mon Sep 17 00:00:00 2001 From: hasuniea Date: Mon, 19 Oct 2015 20:49:26 +0530 Subject: [PATCH 1/4] implemented certificateGenerater --- .../pom.xml | 5 +- .../mgt/core/impl/CertificateGenerator.java | 96 ++++++++++++++++++- .../service/CertificateManagementService.java | 3 + .../CertificateManagementServiceImpl.java | 7 ++ .../mgt/core/util/ConfigurationUtil.java | 3 +- .../pom.xml | 1 + .../CertificateAuthenticator.java | 3 +- 7 files changed, 112 insertions(+), 6 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml index a253cc9a7f..a38c8ca3db 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml @@ -71,11 +71,12 @@ org.bouncycastle.operator.jcajce, org.bouncycastle.pkcs, org.bouncycastle.util, - org.bouncycastle.asn1.util, org.jscep.message, org.jscep.transaction, org.w3c.dom, - org.xml.sax + org.xml.sax, + javax.xml.bind, + org.bouncycastle.pkcs.jcajce !org.wso2.carbon.certificate.mgt.core.internal.*, diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index c97d84472d..853741206d 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -26,8 +26,7 @@ import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.pkcs.Attribute; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.asn1.x509.*; import org.bouncycastle.cert.CertIOException; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509v3CertificateBuilder; @@ -43,6 +42,7 @@ import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; import org.bouncycastle.util.Store; import org.jscep.message.CertRep; import org.jscep.message.MessageDecodingException; @@ -62,6 +62,7 @@ import org.wso2.carbon.certificate.mgt.core.util.CommonUtil; import org.wso2.carbon.certificate.mgt.core.util.ConfigurationUtil; import javax.security.auth.x500.X500Principal; +import javax.xml.bind.DatatypeConverter; import java.io.ByteArrayInputStream; import java.io.DataInputStream; import java.io.File; @@ -69,6 +70,7 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; +import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.KeyFactory; import java.security.KeyPair; @@ -97,6 +99,20 @@ import java.util.List; public class CertificateGenerator { + private enum PropertyIndex { + COMMON_NAME_INDEX(0), + NOT_BEFORE_DAYS_INDEX(1), + NOT_AFTER_DAYS_INDEX(2); + + private final int itemPosition; + private PropertyIndex(final int itemPosition) { + this.itemPosition = itemPosition; + } + public int getValue() { + return this.itemPosition; + } + } + private static final Log log = LogFactory.getLog(CertificateGenerator.class); public List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException { @@ -596,4 +612,80 @@ public class CertificateGenerator { return null; } + + public X509Certificate getSignCertificateFromCSR(String binarySecurityToken, + X509Certificate caCert, List certPropertyList) + throws KeystoreException { + byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken); + PKCS10CertificationRequest certificationRequest = null; + KeyStoreReader keyStoreReader = new KeyStoreReader(); + PrivateKey privateKeyCA = keyStoreReader.getCAPrivateKey(); + + try { + certificationRequest = new PKCS10CertificationRequest(byteArrayBst); + } catch (IOException e) { + String msg = "CSR cannot be recovered."; + log.error(msg, e); + } + JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(certificationRequest); + X509Certificate signedCertificate = signCSR(csr, privateKeyCA, caCert, certPropertyList); + saveCertInKeyStore(signedCertificate); + return signedCertificate; + } + + private static X509Certificate signCSR(JcaPKCS10CertificationRequest jcaRequest, + PrivateKey privateKey, X509Certificate caCert, + List certParameterList) { + + String commonName = + (String) certParameterList.get(PropertyIndex.COMMON_NAME_INDEX.getValue()); + int notBeforeDays = + (Integer) certParameterList.get(PropertyIndex.NOT_BEFORE_DAYS_INDEX.getValue()); + int notAfterDays = + (Integer) certParameterList.get(PropertyIndex.NOT_AFTER_DAYS_INDEX.getValue()); + X509v3CertificateBuilder certificateBuilder; + X509Certificate signedCertificate = null; + + try { + ContentSigner signer; + BigInteger serialNumber = BigInteger.valueOf(new SecureRandom(). + nextInt(Integer.MAX_VALUE)); + Date notBeforeDate = new Date(System.currentTimeMillis() - + (ConfigurationUtil.MILLI_SECONDS * notBeforeDays)); + Date notAfterDate = new Date(System.currentTimeMillis() + + (ConfigurationUtil.MILLI_SECONDS * notAfterDays)); + certificateBuilder = + new JcaX509v3CertificateBuilder(caCert, serialNumber, notBeforeDate, notAfterDate, + new X500Principal(commonName), + jcaRequest.getPublicKey()); + + //Adding extensions to the signed certificate. + certificateBuilder.addExtension(Extension.keyUsage, true, + new KeyUsage(KeyUsage.digitalSignature)); + certificateBuilder.addExtension(Extension.extendedKeyUsage, false, + new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth)); + certificateBuilder.addExtension(Extension.basicConstraints, true, + new BasicConstraints(false)); + + signer = new JcaContentSignerBuilder(ConfigurationUtil.SIGNATURE_ALGORITHM). + setProvider(ConfigurationUtil.PROVIDER).build(privateKey); + + signedCertificate = new JcaX509CertificateConverter().setProvider( + ConfigurationUtil.PROVIDER).getCertificate( + certificateBuilder.build(signer)); + } catch (InvalidKeyException e) { + //throw new CertificateGenerationException("CSR's public key is invalid", e); + } catch (NoSuchAlgorithmException e) { + //throw new CertificateGenerationException("Certificate cannot be generated", e); + } catch (CertIOException e) { + // throw new CertificateGenerationException( + // "Cannot add extension(s) to signed certificate", e); + } catch (OperatorCreationException e) { + // throw new CertificateGenerationException("Content signer cannot be created", e); + } catch (CertificateException e) { + //throw new CertificateGenerationException("Signed certificate cannot be generated", e); + } + return signedCertificate; + } + } \ No newline at end of file diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java index 00a8a68e74..2a969bfa1a 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java @@ -53,4 +53,7 @@ public interface CertificateManagementService { public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException; String extractChallengeToken(X509Certificate certificate); + + X509Certificate getSignCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, + List certParameterList) throws KeystoreException; } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java index cc3fb3efeb..71b1d32db7 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java @@ -100,4 +100,11 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe public String extractChallengeToken(X509Certificate certificate) { return certificateGenerator.extractChallengeToken(certificate); } + + public X509Certificate getSignCertificateFromCSR(String binarySecurityToken, + X509Certificate caCert, List certParameterList) + throws KeystoreException { + return certificateGenerator.getSignCertificateFromCSR(binarySecurityToken, caCert, + certParameterList); + } } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java index 3767d82824..36d9182c10 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/util/ConfigurationUtil.java @@ -37,7 +37,7 @@ public class ConfigurationUtil { public static final String KEYSTORE_RA_CERT_PRIV_PASSWORD = "RAPrivateKeyPassword"; public static final String CA_CERT_ALIAS = "CACertAlias"; public static final String RA_CERT_ALIAS = "RACertAlias"; - public static final String SIGNATUREALGO = "SHA1withRSA"; + public static final String SIGNATURE_ALGORITHM = "SHA1withRSA"; public static final String PROVIDER = "BC"; public static final String KEYSTORE = "Type"; public static final String CERTIFICATE_KEYSTORE = "CertificateKeystoreType"; @@ -56,6 +56,7 @@ public class ConfigurationUtil { public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----"; public static final String EMPTY_TEXT = ""; public static final int RSA_KEY_LENGTH = 1024; + public static final long MILLI_SECONDS = 1000L * 60 * 60 * 24; private static ConfigurationUtil configurationUtil; diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml index 2053ed89ad..4c28efc1f5 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml @@ -90,6 +90,7 @@ org.wso2.carbon.utils, org.wso2.carbon.utils.multitenancy, org.xml.sax, + javax.servlet, javax.servlet.http, javax.xml, org.apache.axis2.transport.http, diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java index 83631d49fd..88d695cf16 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java @@ -51,7 +51,8 @@ public class CertificateAuthenticator implements WebappAuthenticator { if (certHeader != null && AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService(). verifySignature(certHeader)) { - + AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService(). + extractCertificateFromSignature(certHeader); X509Certificate certificate = AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService(). extractCertificateFromSignature(certHeader); From 2c2216e48d5d73161f684db0853a86dc623bae0b Mon Sep 17 00:00:00 2001 From: hasuniea Date: Wed, 21 Oct 2015 10:38:09 +0530 Subject: [PATCH 2/4] implement certificateManagement service --- .../mgt/core/impl/CertificateGenerator.java | 22 +++++++++++-------- .../service/CertificateManagementService.java | 2 +- .../CertificateManagementServiceImpl.java | 5 ++--- 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index 853741206d..fb09454df0 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -613,7 +613,7 @@ public class CertificateGenerator { return null; } - public X509Certificate getSignCertificateFromCSR(String binarySecurityToken, + public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, List certPropertyList) throws KeystoreException { byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken); @@ -635,7 +635,7 @@ public class CertificateGenerator { private static X509Certificate signCSR(JcaPKCS10CertificationRequest jcaRequest, PrivateKey privateKey, X509Certificate caCert, - List certParameterList) { + List certParameterList) throws KeystoreException { String commonName = (String) certParameterList.get(PropertyIndex.COMMON_NAME_INDEX.getValue()); @@ -644,7 +644,7 @@ public class CertificateGenerator { int notAfterDays = (Integer) certParameterList.get(PropertyIndex.NOT_AFTER_DAYS_INDEX.getValue()); X509v3CertificateBuilder certificateBuilder; - X509Certificate signedCertificate = null; + X509Certificate signedCertificate; try { ContentSigner signer; @@ -674,16 +674,20 @@ public class CertificateGenerator { ConfigurationUtil.PROVIDER).getCertificate( certificateBuilder.build(signer)); } catch (InvalidKeyException e) { - //throw new CertificateGenerationException("CSR's public key is invalid", e); + String errorMsg = "CSR's public key is invalid"; + throw new KeystoreException(errorMsg, e); } catch (NoSuchAlgorithmException e) { - //throw new CertificateGenerationException("Certificate cannot be generated", e); + String errorMsg = "Certificate cannot be generated"; + throw new KeystoreException(errorMsg, e); } catch (CertIOException e) { - // throw new CertificateGenerationException( - // "Cannot add extension(s) to signed certificate", e); + String errorMsg = "Cannot add extension(s) to signed certificate"; + throw new KeystoreException(errorMsg, e); } catch (OperatorCreationException e) { - // throw new CertificateGenerationException("Content signer cannot be created", e); + String errorMsg = "Content signer cannot be created"; + throw new KeystoreException(errorMsg, e); } catch (CertificateException e) { - //throw new CertificateGenerationException("Signed certificate cannot be generated", e); + String errorMsg = "Signed certificate cannot be generated"; + throw new KeystoreException(errorMsg, e); } return signedCertificate; } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java index 2a969bfa1a..7810878bcf 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java @@ -54,6 +54,6 @@ public interface CertificateManagementService { String extractChallengeToken(X509Certificate certificate); - X509Certificate getSignCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, + X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, List certParameterList) throws KeystoreException; } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java index 71b1d32db7..dc8487219e 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java @@ -101,10 +101,9 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe return certificateGenerator.extractChallengeToken(certificate); } - public X509Certificate getSignCertificateFromCSR(String binarySecurityToken, + public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, List certParameterList) throws KeystoreException { - return certificateGenerator.getSignCertificateFromCSR(binarySecurityToken, caCert, - certParameterList); + return certificateGenerator.getSignedCertificateFromCSR(binarySecurityToken, caCert, certParameterList); } } From e1a24abfa3e8336c4e8608211050ae6cdbdbb042 Mon Sep 17 00:00:00 2001 From: hasuniea Date: Fri, 23 Oct 2015 14:46:56 +0530 Subject: [PATCH 3/4] refactored certificate service --- .../mgt/core/impl/CertificateGenerator.java | 112 ++---------------- .../service/CertificateManagementService.java | 3 +- .../CertificateManagementServiceImpl.java | 8 +- pom.xml | 2 +- 4 files changed, 18 insertions(+), 107 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index fb09454df0..1bb973e76d 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -26,7 +26,8 @@ import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.pkcs.Attribute; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.*; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.cert.CertIOException; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509v3CertificateBuilder; @@ -44,14 +45,7 @@ import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; import org.bouncycastle.util.Store; -import org.jscep.message.CertRep; -import org.jscep.message.MessageDecodingException; -import org.jscep.message.MessageEncodingException; -import org.jscep.message.PkcsPkiEnvelopeDecoder; -import org.jscep.message.PkcsPkiEnvelopeEncoder; -import org.jscep.message.PkiMessage; -import org.jscep.message.PkiMessageDecoder; -import org.jscep.message.PkiMessageEncoder; +import org.jscep.message.*; import org.jscep.transaction.FailInfo; import org.jscep.transaction.Nonce; import org.jscep.transaction.TransactionId; @@ -63,33 +57,10 @@ import org.wso2.carbon.certificate.mgt.core.util.ConfigurationUtil; import javax.security.auth.x500.X500Principal; import javax.xml.bind.DatatypeConverter; -import java.io.ByteArrayInputStream; -import java.io.DataInputStream; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.IOException; -import java.io.InputStream; -import java.math.BigInteger; -import java.security.InvalidKeyException; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.SecureRandom; -import java.security.Security; -import java.security.SignatureException; +import java.io.*; +import java.security.*; import java.security.cert.Certificate; -import java.security.cert.CertificateEncodingException; -import java.security.cert.CertificateException; -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateFactory; -import java.security.cert.CertificateNotYetValidException; -import java.security.cert.X509Certificate; +import java.security.cert.*; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.util.ArrayList; @@ -613,83 +584,24 @@ public class CertificateGenerator { return null; } - public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, - X509Certificate caCert, List certPropertyList) + public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException { byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken); - PKCS10CertificationRequest certificationRequest = null; + PKCS10CertificationRequest certificationRequest; KeyStoreReader keyStoreReader = new KeyStoreReader(); PrivateKey privateKeyCA = keyStoreReader.getCAPrivateKey(); + X509Certificate certCA = (X509Certificate) keyStoreReader.getCACertificate(); try { certificationRequest = new PKCS10CertificationRequest(byteArrayBst); } catch (IOException e) { String msg = "CSR cannot be recovered."; log.error(msg, e); + throw new KeystoreException(msg, e); } JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(certificationRequest); - X509Certificate signedCertificate = signCSR(csr, privateKeyCA, caCert, certPropertyList); - saveCertInKeyStore(signedCertificate); + X509Certificate signedCertificate = generateCertificateFromCSR(privateKeyCA, certificationRequest, + certCA.getIssuerX500Principal().getName()); return signedCertificate; } - - private static X509Certificate signCSR(JcaPKCS10CertificationRequest jcaRequest, - PrivateKey privateKey, X509Certificate caCert, - List certParameterList) throws KeystoreException { - - String commonName = - (String) certParameterList.get(PropertyIndex.COMMON_NAME_INDEX.getValue()); - int notBeforeDays = - (Integer) certParameterList.get(PropertyIndex.NOT_BEFORE_DAYS_INDEX.getValue()); - int notAfterDays = - (Integer) certParameterList.get(PropertyIndex.NOT_AFTER_DAYS_INDEX.getValue()); - X509v3CertificateBuilder certificateBuilder; - X509Certificate signedCertificate; - - try { - ContentSigner signer; - BigInteger serialNumber = BigInteger.valueOf(new SecureRandom(). - nextInt(Integer.MAX_VALUE)); - Date notBeforeDate = new Date(System.currentTimeMillis() - - (ConfigurationUtil.MILLI_SECONDS * notBeforeDays)); - Date notAfterDate = new Date(System.currentTimeMillis() + - (ConfigurationUtil.MILLI_SECONDS * notAfterDays)); - certificateBuilder = - new JcaX509v3CertificateBuilder(caCert, serialNumber, notBeforeDate, notAfterDate, - new X500Principal(commonName), - jcaRequest.getPublicKey()); - - //Adding extensions to the signed certificate. - certificateBuilder.addExtension(Extension.keyUsage, true, - new KeyUsage(KeyUsage.digitalSignature)); - certificateBuilder.addExtension(Extension.extendedKeyUsage, false, - new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth)); - certificateBuilder.addExtension(Extension.basicConstraints, true, - new BasicConstraints(false)); - - signer = new JcaContentSignerBuilder(ConfigurationUtil.SIGNATURE_ALGORITHM). - setProvider(ConfigurationUtil.PROVIDER).build(privateKey); - - signedCertificate = new JcaX509CertificateConverter().setProvider( - ConfigurationUtil.PROVIDER).getCertificate( - certificateBuilder.build(signer)); - } catch (InvalidKeyException e) { - String errorMsg = "CSR's public key is invalid"; - throw new KeystoreException(errorMsg, e); - } catch (NoSuchAlgorithmException e) { - String errorMsg = "Certificate cannot be generated"; - throw new KeystoreException(errorMsg, e); - } catch (CertIOException e) { - String errorMsg = "Cannot add extension(s) to signed certificate"; - throw new KeystoreException(errorMsg, e); - } catch (OperatorCreationException e) { - String errorMsg = "Content signer cannot be created"; - throw new KeystoreException(errorMsg, e); - } catch (CertificateException e) { - String errorMsg = "Signed certificate cannot be generated"; - throw new KeystoreException(errorMsg, e); - } - return signedCertificate; - } - } \ No newline at end of file diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java index 7810878bcf..f89ab4f986 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java @@ -54,6 +54,5 @@ public interface CertificateManagementService { String extractChallengeToken(X509Certificate certificate); - X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, - List certParameterList) throws KeystoreException; + X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException; } diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java index dc8487219e..6ac4ee9192 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java @@ -101,9 +101,9 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe return certificateGenerator.extractChallengeToken(certificate); } - public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, - X509Certificate caCert, List certParameterList) - throws KeystoreException { - return certificateGenerator.getSignedCertificateFromCSR(binarySecurityToken, caCert, certParameterList); + @Override + public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException { + return certificateGenerator.getSignedCertificateFromCSR(binarySecurityToken); } + } diff --git a/pom.xml b/pom.xml index ca47a56a5c..ccf063dbdb 100644 --- a/pom.xml +++ b/pom.xml @@ -1427,7 +1427,7 @@ 6.1.1 - 4.4.1 + 4.4.2 1.5.4 1.3 From 3de4718ab517d37d3c3e1640fe46d1e12ad13771 Mon Sep 17 00:00:00 2001 From: hasuniea Date: Thu, 29 Oct 2015 10:04:13 +0530 Subject: [PATCH 4/4] refactored certificate generator --- .../mgt/core/impl/CertificateGenerator.java | 23 ++++++------------- .../CertificateManagementServiceImpl.java | 1 - pom.xml | 2 +- 3 files changed, 8 insertions(+), 18 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java index 1bb973e76d..cda449e1ab 100755 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java @@ -43,7 +43,6 @@ import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.pkcs.PKCS10CertificationRequest; -import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; import org.bouncycastle.util.Store; import org.jscep.message.*; import org.jscep.transaction.FailInfo; @@ -70,20 +69,6 @@ import java.util.List; public class CertificateGenerator { - private enum PropertyIndex { - COMMON_NAME_INDEX(0), - NOT_BEFORE_DAYS_INDEX(1), - NOT_AFTER_DAYS_INDEX(2); - - private final int itemPosition; - private PropertyIndex(final int itemPosition) { - this.itemPosition = itemPosition; - } - public int getValue() { - return this.itemPosition; - } - } - private static final Log log = LogFactory.getLog(CertificateGenerator.class); public List getRootCertificates(byte[] ca, byte[] ra) throws KeystoreException { @@ -584,6 +569,13 @@ public class CertificateGenerator { return null; } + /** + * Get Signed certificate by parsing certificate. + * @param binarySecurityToken CSR that comes from the client as a String value.It is base 64 encoded request + * security token. + * @return Return signed certificate in X508Certificate type object. + * @throws KeystoreException + */ public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException { byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken); @@ -599,7 +591,6 @@ public class CertificateGenerator { log.error(msg, e); throw new KeystoreException(msg, e); } - JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(certificationRequest); X509Certificate signedCertificate = generateCertificateFromCSR(privateKeyCA, certificationRequest, certCA.getIssuerX500Principal().getName()); return signedCertificate; diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java index 6ac4ee9192..77dfe1686c 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java @@ -101,7 +101,6 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe return certificateGenerator.extractChallengeToken(certificate); } - @Override public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException { return certificateGenerator.getSignedCertificateFromCSR(binarySecurityToken); } diff --git a/pom.xml b/pom.xml index 316508d24c..40d1b95b4b 100644 --- a/pom.xml +++ b/pom.xml @@ -1427,7 +1427,7 @@ 6.1.1 - 4.4.2 + 4.4.1 1.5.4 1.3