Fix client cert verification issue in sub tenants

components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java

@@ -29,6 +29,7 @@ import io.entgra.device.mgt.core.certificate.mgt.core.util.CertificateManagement
 import io.entgra.device.mgt.core.certificate.mgt.core.util.CommonUtil;
 import io.entgra.device.mgt.core.certificate.mgt.core.util.Serializer;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.bouncycastle.asn1.ASN1Encodable;
@@ -429,20 +430,35 @@ public class CertificateGenerator {
                         generateCertificate(byteArrayInputStream);
 
                 if (reqCert != null && reqCert.getSerialNumber() != null) {
+                    if (log.isDebugEnabled()) {
                         log.debug("looking up certificate for serial: " + reqCert.getSerialNumber().toString());
-                    CertificateResponse lookUpCertificate = keyStoreReader.getCertificateBySerial(
+                    }
+                    String orgUnit = CommonUtil.getSubjectDnAttribute(reqCert,
+                            CertificateManagementConstants.ORG_UNIT_ATTRIBUTE);
+                    CertificateResponse lookUpCertificate;
+                    if (StringUtils.isNotEmpty(orgUnit)) {
+                        int tenantId = Integer.parseInt(orgUnit.split(("_"))[1]);
+                        lookUpCertificate = keyStoreReader.getCertificateBySerial(reqCert.getSerialNumber().toString(),
+                                tenantId);
+                    } else {
+                        lookUpCertificate = keyStoreReader.getCertificateBySerial(
                                 reqCert.getSerialNumber().toString());
+                    }
                     if (lookUpCertificate != null && lookUpCertificate.getCertificate() != null) {
+                        if (log.isDebugEnabled()) {
                             log.debug("certificate found for serial: " + reqCert.getSerialNumber()
                                     .toString());
+                        }
                         Certificate certificate = (Certificate) Serializer.deserialize(lookUpCertificate.getCertificate());
                         if (certificate instanceof X509Certificate) {
                             return (X509Certificate) certificate;
                         }
                     } else {
+                        if (log.isDebugEnabled()) {
                             log.debug("certificate not found for serial: " + reqCert.getSerialNumber()
                                     .toString());
                         }
+                    }
 
                 }
 
@@ -464,7 +480,6 @@ public class CertificateGenerator {
             log.error(errorMsg);
             throw new KeystoreException(errorMsg, e);
         }
-
         return null;
     }
 

components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/util/CertificateManagementConstants.java

@@ -35,6 +35,7 @@ public final class CertificateManagementConstants {
     public static final String DES_EDE = "DESede";
     public static final String CONF_LOCATION = "conf.location";
     public static final String DEFAULT_PRINCIPAL = "O=WSO2, OU=Mobile, C=LK";
+    public static final String ORG_UNIT_ATTRIBUTE = "OU=";
     public static final String RSA_PRIVATE_KEY_BEGIN_TEXT = "-----BEGIN RSA PRIVATE KEY-----\n";
     public static final String RSA_PRIVATE_KEY_END_TEXT = "-----END RSA PRIVATE KEY-----";
     public static final String EMPTY_TEXT = "";

components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/util/CommonUtil.java

@@ -17,7 +17,10 @@
  */
 package io.entgra.device.mgt.core.certificate.mgt.core.util;
 
+import org.apache.commons.lang.StringUtils;
+
 import java.math.BigInteger;
+import java.security.cert.X509Certificate;
 import java.util.Calendar;
 import java.util.Date;
 
@@ -42,4 +45,27 @@ public class CommonUtil {
     public static synchronized BigInteger generateSerialNumber() {
         return BigInteger.valueOf(System.currentTimeMillis());
     }
+
+    /**
+     * Returns the value of the given attribute from the subject distinguished name. eg: "entgra.net"
+     * from "CN=entgra.net"
+     * @param requestCertificate {@link X509Certificate} that needs to extract an attribute from
+     * @param attribute the attribute name that needs to be extracted from the cert. eg: "CN="
+     * @return the value of the attribute
+     */
+    public static String getSubjectDnAttribute(X509Certificate requestCertificate, String attribute) {
+        String distinguishedName = requestCertificate.getSubjectDN().getName();
+        if (StringUtils.isNotEmpty(distinguishedName)) {
+            String[] dnSplits = distinguishedName.split(",");
+            for (String dnSplit : dnSplits) {
+                if (dnSplit.contains(attribute)) {
+                    String[] cnSplits = dnSplit.split("=");
+                    if (StringUtils.isNotEmpty(cnSplits[1])) {
+                        return cnSplits[1];
+                    }
+                }
+            }
+        }
+        return null;
+    }
 }