From e5bd7566d3ad28f49cb012ebb77e044d58774e98 Mon Sep 17 00:00:00 2001 From: Janak Amarasena Date: Tue, 28 Mar 2017 14:42:17 +0530 Subject: [PATCH 1/3] Add Mutual SSL handling to AuthHandler --- .../org.wso2.carbon.apimgt.handlers/pom.xml | 4 ++- .../handlers/AuthenticationHandler.java | 28 +++++++++++++++++-- .../apimgt/handlers/utils/AuthConstants.java | 2 ++ ...CertificateManagementAdminServiceImpl.java | 12 ++++++-- .../CertificateAuthenticator.java | 2 +- 5 files changed, 42 insertions(+), 6 deletions(-) diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml index bc5eca6bd1..755fc884c6 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/pom.xml @@ -76,6 +76,7 @@ WSO2 Carbon - API Security Handler Component org.apache.axiom.*, + javax.security.cert.*, javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional, javax.xml.*, org.apache.axis2.*, @@ -90,7 +91,8 @@ org.w3c.dom, org.apache.synapse, org.apache.synapse.core.axis2, - org.apache.synapse.rest + org.apache.synapse.rest, + org.wso2.carbon.certificate.mgt.core.impl diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java index c5fe71dd4a..bb8783dec4 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java 
@@ -31,11 +31,17 @@ import org.wso2.carbon.apimgt.handlers.invoker.RESTInvoker; import org.wso2.carbon.apimgt.handlers.invoker.RESTResponse; import org.wso2.carbon.apimgt.handlers.utils.AuthConstants; import org.wso2.carbon.apimgt.handlers.utils.Utils; +import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator; import org.wso2.carbon.context.PrivilegedCarbonContext; +import javax.security.cert.CertificateEncodingException; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.Map; import java.util.StringTokenizer; @@ -140,6 +146,18 @@ public class AuthenticationHandler extends AbstractHandler { if (log.isDebugEnabled()) { log.debug("Verify response:" + response.getContent()); } + } else if (headers.containsKey(AuthConstants.MUTUAL_AUTH_HEADER)) { + javax.security.cert.X509Certificate[] certs = + (javax.security.cert.X509Certificate[])axisMC.getProperty(AuthConstants.CLIENT_CERTIFICATE); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream bais = new ByteArrayInputStream(certs[0].getEncoded()); + X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais); + if (x509 != null ) { + headers.put(AuthConstants.PROXY_MUTUAL_AUTH_HEADER, CertificateGenerator.getCommonName(x509)); + return true; + }else { + response = null; + } } else if (headers.containsKey(AuthConstants.ENCODED_PEM)) { String encodedPem = headers.get(AuthConstants.ENCODED_PEM).toString(); if (log.isDebugEnabled()) { 
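Review bot: `certs[0].getEncoded()` dereferences the `CLIENT_CERTIFICATE` message-context property without a null or length check, so a request that carries the `mutual-auth-header` request header but presents no client certificate ends in a NullPointerException (or ArrayIndexOutOfBoundsException on an empty chain) that the catch clauses added at `@@ -178,6 +196,12 @@` do not cover; `if (certs == null || certs.length == 0) { return false; }` before `CertificateFactory.getInstance` rejects it cleanly. The branch is selected by a header any client can send, so that guard is the only thing between an unauthenticated request and the cast. The preceding branch logs a `Verify response`, whereas this one sets `proxy-mutual-auth-header` to the CN and returns true with no verification of its own, presumably relying on the TLS transport having validated the chain against a trusted store; a comment stating that assumption (or a verify call, if the transport is not configured to require trusted client certificates) belongs on the `headers.put` line. The `x509 != null` test is dead, because `CertificateFactory.generateCertificate` throws on failure rather than returning null, so the `response = null` else branch is unreachable. The same points apply to the PATCH 3 rewrite of this branch at `@@ -148,14 +148,17 @@`.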
@@ -178,6 +196,12 @@ public class AuthenticationHandler extends AbstractHandler { } catch (APIMCertificateMGTException e) { log.error("Error while processing certificate.", e); return false; + } catch (CertificateException e) { + e.printStackTrace(); + return false; + } catch (CertificateEncodingException e) { + e.printStackTrace(); + return false; } } @@ -191,7 +215,7 @@ public class AuthenticationHandler extends AbstractHandler { private String getDeviceType(String url) { StringTokenizer parts = new StringTokenizer(url, "/"); while (parts.hasMoreElements()) { - if (parts.nextElement().equals("api")) { + if (parts.nextElement().equals("device-mgt")) { return (String) parts.nextElement(); } } @@ -205,4 +229,4 @@ public class AuthenticationHandler extends AbstractHandler { map.put(CONTENT_TYPE, "application/json"); return map; } -} +} \ No newline at end of file diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java index a1343c312b..74870c131f 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java @@ -35,6 +35,7 @@ public class AuthConstants { // public static final String ANDROID_VERIFY_ENDPOINT = "android-verify-endpoint"; public static final String MDM_SIGNATURE = "mdm-signature"; public static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header"; + public static final String MUTUAL_AUTH_HEADER = "mutual-auth-header"; public static final String ENCODED_PEM = "encoded-pem"; public static final String CALLBACK_URL = ""; public static final String CLIENT_NAME = "IOT-API-MANAGER"; 
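Review bot: `MUTUAL_AUTH_HEADER` is undocumented, and nothing in this file tells a reader that the value `"mutual-auth-header"` is a request header whose mere presence (its value is never read) switches AuthenticationHandler into the client-certificate branch. A comment above the constant such as `// Request header whose presence selects client-certificate (mutual TLS) authentication in AuthenticationHandler; its value is not used` makes the contract visible at the declaration. The neighbouring `PROXY_MUTUAL_AUTH_HEADER` is the header the handler populates with the certificate CN, so a one-line comment on that line too would keep the easily-confused pair distinguishable.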
@@ -46,4 +47,5 @@ public class AuthConstants {
 public static final String BASIC_AUTH_PREFIX = "Basic ";
 public static final String CLIENT_ID = "clientId";
 public static final String CLIENT_SECRET = "clientSecret";
+ public static final String CLIENT_CERTIFICATE = "ssl.client.auth.cert.X509";
 }
diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
index 3206d56a6d..34740e5dff 100644
--- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
+++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java
@@ -30,6 +30,7 @@ import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.RequestValidationUtil
 import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
 import org.wso2.carbon.certificate.mgt.core.exception.CertificateManagementException;
 import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+import org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator;
 import org.wso2.carbon.certificate.mgt.core.scep.SCEPException;
 import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager;
 import org.wso2.carbon.certificate.mgt.core.scep.TenantedDeviceWrapper;
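Review bot: `CLIENT_CERTIFICATE = "ssl.client.auth.cert.X509"` is a message-context property key rather than a header name like the constants around it, and nothing says who sets it or what type it holds; AuthenticationHandler casts the property straight to `javax.security.cert.X509Certificate[]`, so a mismatch surfaces as a ClassCastException at request time. A comment such as `// Axis2 message-context property holding the client certificate chain (javax.security.cert.X509Certificate[]) presented on the TLS connection; presumably set by the HTTPS transport, never by the client — confirm against the transport configuration` would document the coupling and its security relevance. Naming it `CLIENT_CERTIFICATE_PROPERTY`, or grouping it apart from the header-name constants, would also stop it reading as a header.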
@@ -74,7 +75,7 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
 certificate.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
 X509Certificate x509Certificate = certificateService
 .pemToX509Certificate(enrollmentCertificate.getPem());
- certificate.setSerial(x509Certificate.getSerialNumber().toString());
+ certificate.setSerial(CertificateGenerator.getCommonName(x509Certificate));
 certificate.setCertificate(x509Certificate);
 certificates.add(certificate);
 }
@@ -293,7 +294,14 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
 if (certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)) {
 certificateResponse = certMgtService.verifySubjectDN(certificate.getPem());
 } else {
- X509Certificate clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
+ //janak
+ X509Certificate clientCertificate;
+ if(certificate.getCertificate()!=null){
+ clientCertificate = certificate.getCertificate();
+ }else {
+ clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
+ }
+
 if (clientCertificate != null) {
 certificateResponse = certMgtService.verifyPEMSignature(clientCertificate);
 }
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java
index a402f18e7c..e47208a490 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java
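Review bot: The `serial` field now receives the subject CN from `CertificateGenerator.getCommonName(x509Certificate)` instead of the certificate's serial number, so a field whose name promises a per-certificate unique identifier holds a value chosen by whoever produced the enrolled PEM, and two certificates with the same CN can no longer be told apart by it. The lookup at `@@ -293,7 +294,14 @@` in this file also branches on `certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)`, so after this change a CN containing that marker string steers verification into the `verifySubjectDN` path rather than the signature check. If the CN is needed downstream, storing it in its own field and leaving the serial number in `serial` keeps both meanings, and a comment on the changed line should state why the CN is wanted here; whether `getCommonName` can return null for a certificate without a CN is not visible in this hunk.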
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java @@ -164,4 +164,4 @@ public class CertificateAuthenticator implements WebappAuthenticator { return null; } -} +} \ No newline at end of file From 3ecb6da5756b86aad346f550f53fe3e76063d5b0 Mon Sep 17 00:00:00 2001 From: Janak Amarasena Date: Mon, 24 Apr 2017 16:21:37 +0530 Subject: [PATCH 2/3] Remove unwanted code --- .../api/impl/CertificateManagementAdminServiceImpl.java | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java index 34740e5dff..1380bc8cba 100644 --- a/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java +++ b/components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java 
@@ -294,14 +294,7 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
 if (certificate.getSerial().toLowerCase().contains(PROXY_AUTH_MUTUAL_HEADER)) {
 certificateResponse = certMgtService.verifySubjectDN(certificate.getPem());
 } else {
- //janak
- X509Certificate clientCertificate;
- if(certificate.getCertificate()!=null){
- clientCertificate = certificate.getCertificate();
- }else {
- clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
- }
-
+ X509Certificate clientCertificate = certMgtService.pemToX509Certificate(certificate.getPem());
 if (clientCertificate != null) {
 certificateResponse = certMgtService.verifyPEMSignature(clientCertificate);
 }
From 2b0800794de38ddf6cc7c90ed9daea73f2555cec Mon Sep 17 00:00:00 2001 From: Janak Amarasena Date: Fri, 28 Apr 2017 16:28:45 +0530 Subject: [PATCH 3/3] Minor improvements to the code --- .../apimgt/handlers/AuthenticationHandler.java | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java
index bb8783dec4..2891e06179 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java
@@ -148,14 +148,17 @@ public class AuthenticationHandler extends AbstractHandler { } } else if (headers.containsKey(AuthConstants.MUTUAL_AUTH_HEADER)) { javax.security.cert.X509Certificate[] certs = - (javax.security.cert.X509Certificate[])axisMC.getProperty(AuthConstants.CLIENT_CERTIFICATE); + (javax.security.cert.X509Certificate[]) axisMC.getProperty(AuthConstants.CLIENT_CERTIFICATE); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream bais = new ByteArrayInputStream(certs[0].getEncoded()); - X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais); - if (x509 != null ) { + X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais); + if (bais != null) { + bais.close(); + } + if (x509 != null) { headers.put(AuthConstants.PROXY_MUTUAL_AUTH_HEADER, CertificateGenerator.getCommonName(x509)); return true; - }else { + } else { response = null; } } else if (headers.containsKey(AuthConstants.ENCODED_PEM)) { @@ -197,13 +200,12 @@ public class AuthenticationHandler extends AbstractHandler { log.error("Error while processing certificate.", e); return false; } catch (CertificateException e) { - e.printStackTrace(); + log.error("Certificate issue occurred when generating converting PEM to x509Certificate", e); return false; } catch (CertificateEncodingException e) { - e.printStackTrace(); + log.error("Error while attempting to encode certificate.", e); return false; } - } @Override @@ -215,7 +217,7 @@ public class AuthenticationHandler extends AbstractHandler { private String getDeviceType(String url) { StringTokenizer parts = new StringTokenizer(url, "/"); while (parts.hasMoreElements()) { - if (parts.nextElement().equals("device-mgt")) { + if (parts.nextElement().equals("api")) { return (String) parts.nextElement(); } }
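Review bot: The added `if (bais != null) { bais.close(); }` cannot take effect: `bais` was constructed two lines earlier so the null test is always true, `ByteArrayInputStream.close()` is documented as having no effect, and the call is skipped anyway whenever `generateCertificate` throws. Dropping the three lines, or wrapping the `generateCertificate` call in try-with-resources if the module targets Java 7 or later, is cleaner than a check that never fails; the guard this branch still lacks is the null/length check on `certs` raised at `@@ -140,6 +146,18 @@` of PATCH 1. The enclosing method starts and ends outside this hunk.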
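Review bot: The new message `"Certificate issue occurred when generating converting PEM to x509Certificate"` is garbled ("generating converting") and misdescribes the failure: in this handler `CertificateException` comes from `CertificateFactory.generateCertificate` on the encoded bytes of the transport-supplied client certificate, not from a PEM conversion. `log.error("Error while converting the client certificate to X509Certificate.", e);` states what actually failed. Since both catch clauses log and return false, they could be merged into a single multi-catch if the module targets Java 7 or later; the enclosing method continues outside the hunk.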