Changes in certificate managment

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/pom.xml

@@ -71,6 +71,7 @@
                             org.bouncycastle.operator.jcajce,
                             org.bouncycastle.pkcs,
                             org.bouncycastle.util,
+                            org.bouncycastle.asn1.util,
                             org.jscep.message,
                             org.jscep.transaction,
                             org.w3c.dom,

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java

@@ -20,7 +20,11 @@ package org.wso2.carbon.certificate.mgt.core.impl;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.pkcs.Attribute;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.asn1.x509.X509Extension;
@@ -366,6 +370,16 @@ public class CertificateGenerator {
         try {
             certificateBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(
                     KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
+
+            if(attributes != null) {
+                ASN1Encodable extractedValue = getChallengePassword(attributes);
+
+                if(extractedValue != null) {
+                    certificateBuilder.addExtension(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, true,
+                            extractedValue);
+                }
+            }
+
             sigGen = new JcaContentSignerBuilder(ConfigurationUtil.SHA256_RSA)
                     .setProvider(ConfigurationUtil.PROVIDER).build(privateKey);
             issuedCert = new JcaX509CertificateConverter().setProvider(
@@ -390,6 +404,19 @@ public class CertificateGenerator {
         return issuedCert;
     }
 
+    private ASN1Encodable getChallengePassword(Attribute[] attributes) {
+
+        for (Attribute attribute : attributes) {
+            if (PKCSObjectIdentifiers.pkcs_9_at_challengePassword.equals(attribute.getAttrType())) {
+                if(attribute.getAttrValues() != null && attribute.getAttrValues().size() > 0) {
+                    return attribute.getAttrValues().getObjectAt(0);
+                }
+            }
+        }
+
+        return null;
+    }
+
     private CMSSignedData getMessageData(final List<X509Certificate> certs) throws KeystoreException {
 
         CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
@@ -534,4 +561,39 @@ public class CertificateGenerator {
             throw new KeystoreException(errorMsg, e);
         }
     }
+
+    public String extractChallengeToken(X509Certificate certificate) {
+
+        byte[] challengePassword = certificate.getExtensionValue(
+                PKCSObjectIdentifiers.pkcs_9_at_challengePassword.toString());
+
+        if (challengePassword != null) {
+            return new String(challengePassword);
+        }
+
+        return null;
+    }
+
+    private ASN1Primitive toASN1Primitive(byte[] data) {
+
+        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);
+        ASN1InputStream inputStream = new ASN1InputStream(byteArrayInputStream);
+
+        try {
+            return inputStream.readObject();
+        } catch (IOException e) {
+            String errorMsg = "IOException occurred when converting binary array to ASN1Primitive";
+            log.error(errorMsg, e);
+        } finally {
+            try {
+                byteArrayInputStream.close();
+                inputStream.close();
+            } catch (IOException e) {
+                String errorMsg = "IOException occurred when closing streams";
+                log.error(errorMsg, e);
+            }
+        }
+
+        return null;
+    }
 }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementService.java

@@ -51,4 +51,6 @@ public interface CertificateManagementService {
     boolean verifySignature(String headerSignature) throws KeystoreException;
 
     public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException;
+
+    String extractChallengeToken(X509Certificate certificate);
 }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/service/CertificateManagementServiceImpl.java

@@ -96,4 +96,8 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe
     public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException {
         return certificateGenerator.extractCertificateFromSignature(headerSignature);
     }
+
+    public String extractChallengeToken(X509Certificate certificate) {
+        return certificateGenerator.extractChallengeToken(certificate);
+    }
 }

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/SCEPManagerServiceComponent.java

@@ -4,83 +4,40 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.osgi.framework.BundleContext;
 import org.osgi.service.component.ComponentContext;
-import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
+import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
-import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
+import org.wso2.carbon.device.mgt.core.scep.SCEPManagerImpl;
-import org.wso2.carbon.device.mgt.ios.core.service.IOSEnrollmentService;
 
 /**
- * @scr.component name="org.wso2.carbon.device.ios.enrollment" immediate="true"
+ * @scr.component name="org.wso2.carbon.device.mgt.core.scep" immediate="true"
- * @scr.reference name="org.wso2.carbon.device.manager"
- * interface="org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService"
- * policy="dynamic"
- * cardinality="1..n"
- * bind="setDeviceManagementService"
- * unbind="unsetDeviceManagementService"
- * @scr.reference name="org.wso2.carbon.certificate.mgt"
- * interface="org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService"
- * policy="dynamic"
- * cardinality="1..n"
- * bind="setCertificateManagementService"
- * unbind="unsetCertificateManagementService"
  */
 public class SCEPManagerServiceComponent {
 
-    private static final Log log = LogFactory.getLog(IOSEnrollmentServiceComponent.class);
+    private static final Log log = LogFactory.getLog(SCEPManagerServiceComponent.class);
 
     protected void activate(ComponentContext componentContext) {
 
         try {
             if (log.isDebugEnabled()) {
-                log.debug("Initializing iOS device management core bundle");
+                log.debug("Initializing SCEP core bundle");
             }
 
             BundleContext bundleContext = componentContext.getBundleContext();
-            bundleContext.registerService(IOSEnrollmentService.class.getName(),
+            bundleContext.registerService(SCEPManager.class.getName(),
-                    IOSEnrollmentService.getInstance(), null);
+                    new SCEPManagerImpl(), null);
 
             if (log.isDebugEnabled()) {
-                log.debug("iOS device management core bundle has been successfully initialized");
+                log.debug("SCEP core bundle has been successfully initialized");
             }
         } catch (Throwable e) {
-            String msg = "Error occurred while initializing ios device management core bundle";
+            String msg = "Error occurred while initializing SCEP core bundle";
             log.error(msg, e);
         }
     }
 
     protected void deactivate(ComponentContext ctx) {
         if (log.isDebugEnabled()) {
-            log.debug("Deactivating iOS device management core bundle");
+            log.debug("Deactivating SCEP core bundle");
         }
     }
 
-    protected void setDeviceManagementService(DeviceManagementProviderService deviceManagementService) {
-        if (log.isDebugEnabled()) {
-            log.debug("Setting device management service provider");
-        }
-        IOSEnrollmentServiceHolder.getInstance().setDeviceManagementService(deviceManagementService);
-    }
-
-    protected void unsetDeviceManagementService(DeviceManagementProviderService deviceManagementService) {
-        if (log.isDebugEnabled()) {
-            log.debug("Removing device management service provider");
-        }
-
-        IOSEnrollmentServiceHolder.getInstance().setDeviceManagementService(null);
-    }
-
-    protected void setCertificateManagementService(CertificateManagementService certificateManagementService) {
-        if (log.isDebugEnabled()) {
-            log.debug("Setting certificate management service");
-        }
-        IOSEnrollmentServiceHolder.getInstance().setCertificateManagementService(certificateManagementService);
-    }
-
-    protected void unsetCertificateManagementService(CertificateManagementService certificateManagementService) {
-        if (log.isDebugEnabled()) {
-            log.debug("Removing certificate management service");
-        }
-
-        IOSEnrollmentServiceHolder.getInstance().setCertificateManagementService(null);
-    }
-
 }

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml

@@ -94,7 +94,9 @@
                             org.apache.axis2.transport.http,
                             org.wso2.carbon.apimgt.impl,
                             org.wso2.carbon.certificate.mgt.core.service,
-                            org.wso2.carbon.certificate.mgt.core.exception
+                            org.wso2.carbon.certificate.mgt.core.exception,
+                            org.wso2.carbon.device.mgt.common,
+                            org.wso2.carbon.device.mgt.core.scep
                         </Import-Package>
                         <!--<Fragment-Host>tomcat</Fragment-Host>-->
                     </instructions>
@@ -152,6 +154,14 @@
             <groupId>org.wso2.carbon.devicemgt</groupId>
             <artifactId>org.wso2.carbon.certificate.mgt.core</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.devicemgt</groupId>
+            <artifactId>org.wso2.carbon.device.mgt.core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.devicemgt</groupId>
+            <artifactId>org.wso2.carbon.device.mgt.common</artifactId>
+        </dependency>
     </dependencies>
 
 </project>

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java

@@ -19,6 +19,8 @@
 package org.wso2.carbon.webapp.authenticator.framework;
 
 import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
+import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
+import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
 import org.wso2.carbon.user.core.service.RealmService;
 
 public class DataHolder {
@@ -26,11 +28,11 @@ public class DataHolder {
     private WebappAuthenticatorRepository repository;
     private RealmService realmService;
     private CertificateManagementService certificateManagementService;
+    private SCEPManager scepManager;
+    private static DataHolder thisInstance = new DataHolder();
 
     private DataHolder() {}
 
-    private static DataHolder thisInstance = new DataHolder();
-
     public static DataHolder getInstance() {
         return thisInstance;
     }
@@ -58,4 +60,12 @@ public class DataHolder {
     public void setCertificateManagementService(CertificateManagementService certificateManagementService) {
         this.certificateManagementService = certificateManagementService;
     }
+
+    public SCEPManager getScepManager() {
+        return scepManager;
+    }
+
+    public void setScepManager(SCEPManager scepManager) {
+        this.scepManager = scepManager;
+    }
 }

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticatorFrameworkValve.java

@@ -27,13 +27,10 @@ import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
 import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
 
 import javax.servlet.http.HttpServletResponse;
-import java.util.Arrays;
-import java.util.List;
 
 public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve {
 
     private static final String AUTHENTICATION_SCHEME = "authentication-scheme";
-    private static final String BYPASS_URIS = "bypass-uris";
     private static final Log log = LogFactory.getLog(WebappAuthenticatorFrameworkValve.class);
 
     @Override
@@ -46,22 +43,6 @@ public class WebappAuthenticatorFrameworkValve extends CarbonTomcatValve {
             return;
         }
 
-        String byPassURIs = request.getContext().findParameter(WebappAuthenticatorFrameworkValve.BYPASS_URIS);
-
-        if(byPassURIs != null && !byPassURIs.isEmpty()) {
-
-            List<String> requestURI = Arrays.asList(byPassURIs.split(","));
-
-            if(requestURI != null && requestURI.size() > 0) {
-                for (String pathURI : requestURI) {
-                    if (request.getRequestURI().equals(pathURI)) {
-                        this.getNext().invoke(request, response, compositeValve);
-                        return;
-                    }
-                }
-            }
-        }
-
         WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(authScheme);
         if (authenticator == null) {
             String msg = "Failed to load an appropriate authenticator to authenticate the request";

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java

@@ -5,8 +5,16 @@ import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
+import org.wso2.carbon.device.mgt.common.DeviceManagementConstants;
+import org.wso2.carbon.device.mgt.core.scep.SCEPException;
+import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
+import org.wso2.carbon.device.mgt.core.scep.TenantedDeviceWrapper;
 import org.wso2.carbon.webapp.authenticator.framework.DataHolder;
 
+import java.security.cert.X509Certificate;
+
 /**
  * This authenticator authenticates HTTP requests using certificates.
  */
@@ -47,12 +55,35 @@ public class CertificateAuthenticator implements WebappAuthenticator {
 
                 if (certHeader != null && DataHolder.getInstance().getCertificateManagementService().
                         verifySignature(certHeader)) {
-                    return Status.SUCCESS;
+
+                    X509Certificate certificate = DataHolder.getInstance().getCertificateManagementService().
+                            extractCertificateFromSignature(certHeader);
+                    String challengeToken = DataHolder.getInstance().getCertificateManagementService().
+                            extractChallengeToken(certificate);
+
+                    if(challengeToken != null) {
+
+                        challengeToken = challengeToken.substring(challengeToken.indexOf("(") + 1).trim();
+
+                        SCEPManager scepManager = DataHolder.getInstance().getScepManager();
+                        DeviceIdentifier deviceIdentifier = new DeviceIdentifier();
+                        deviceIdentifier.setId(challengeToken);
+                        deviceIdentifier.setType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_IOS);
+
+                        TenantedDeviceWrapper tenantedDeviceWrapper = scepManager.getValidatedDevice(deviceIdentifier);
+
+                        PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+                        ctx.setTenantId(tenantedDeviceWrapper.getTenantId());
+                        ctx.setTenantDomain(tenantedDeviceWrapper.getTenantDomain());
+
+                        return Status.SUCCESS;
+                    }
                 }
             }
         } catch (KeystoreException e) {
             log.error("KeystoreException occurred ", e);
-            return Status.FAILURE;
+        } catch (SCEPException e) {
+            log.error("SCEPException occurred ", e);
         }
 
         return Status.FAILURE;

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java

@@ -22,6 +22,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.osgi.service.component.ComponentContext;
 import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
+import org.wso2.carbon.device.mgt.core.scep.SCEPManager;
+import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
 import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
 import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer;
 import org.wso2.carbon.user.core.service.RealmService;
@@ -50,6 +52,12 @@ import java.util.List;
  * cardinality="1..n"
  * bind="setCertificateManagementService"
  * unbind="unsetCertificateManagementService"
+ * @scr.reference name="org.wso2.carbon.device.mgt.core.scep"
+ * interface="org.wso2.carbon.device.mgt.core.scep.SCEPManager"
+ * policy="dynamic"
+ * cardinality="1..n"
+ * bind="setSCEPManagementService"
+ * unbind="unsetSCEPManagementService"
  */
 public class WebappAuthenticatorFrameworkServiceComponent {
 
@@ -112,4 +120,19 @@ public class WebappAuthenticatorFrameworkServiceComponent {
 
         DataHolder.getInstance().setCertificateManagementService(null);
     }
+
+    protected void setSCEPManagementService(SCEPManager scepManager) {
+        if (log.isDebugEnabled()) {
+            log.debug("Setting SCEP management service");
+        }
+        DataHolder.getInstance().setScepManager(scepManager);
+    }
+
+    protected void unsetSCEPManagementService(SCEPManager scepManager) {
+        if (log.isDebugEnabled()) {
+            log.debug("Removing SCEP management service");
+        }
+
+        DataHolder.getInstance().setScepManager(null);
+    }
 }