
Example 1 with CRLManager

use of com.tremolosecurity.proxy.auth.ssl.CRLManager in project OpenUnison by TremoloSecurity.

the class CrlChecker method doGet.

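/**
 * Client-certificate authentication step.
 *
 * <p>Reads the TLS client certificate chain the container placed on the request, requires
 * that at least one certificate in the chain was issued by one of the configured
 * {@code issuer} DNs, runs every configured {@link CRLManager} against each certificate in
 * the chain (using that certificate's own issuer), and finally maps the certificate subject to
 * a directory entry, or creates an "unlinked" user when no entry exists. The outcome is
 * reported through {@code as.setSuccess(...)} and control is always passed to the next step.
 *
 * @param request  the servlet request; the chain is read from the
 *                 {@code javax.servlet.request.X509Certificate} attribute
 * @param response the servlet response, handed on to the auth manager
 * @param as       the auth step whose success flag this method sets
 * @throws ServletException if the certificate cannot be parsed, the keystore cannot be read,
 *                          the uidAttr filter template is malformed, or the directory search
 *                          fails with anything other than LDAP result code 32 (noSuchObject)
 * @throws IOException      propagated from the auth manager
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    // Trusted issuer DNs come from the mechanism's "issuer" parameter.
    HashSet<X500Principal> issuers = new HashSet<X500Principal>();
    for (String issuerDn : authParams.get("issuer").getValues()) {
        issuers.add(new X500Principal(issuerDn));
    }

    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());

    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    // An absent or empty chain means no client certificate was presented. The empty case
    // previously fell through to certs[0] and threw ArrayIndexOutOfBoundsException.
    if (certs == null || certs.length == 0) {
        if (amt.getRequired().equals("required")) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    HashMap<String, String> subject = collectSubject(certs);

    // Issuer trust is satisfied by any certificate in the chain; a single certificate that a
    // CRLManager reports as invalid fails the whole step.
    boolean issuerTrusted = false;
    boolean notRevoked = true;
    for (int idx = 0; idx < certs.length && notRevoked; idx++) {
        X509Certificate certx = certs[idx];
        if (issuers.contains(certx.getIssuerX500Principal())) {
            issuerTrusted = true;
        }
        if (this.crls.isEmpty()) {
            continue;
        }
        // Each certificate is checked against its own issuer (the previous code never
        // advanced the index, so every certificate after the leaf used the wrong issuer).
        X509Certificate issuer = findIssuer(certs, idx);
        if (issuer == null) {
            logger.warn("No issuer!  not performing CRL check");
            continue;
        }
        for (CRLManager crlM : this.crls) {
            if (!crlM.isValid(certx, issuer)) {
                notRevoked = false;
                break;
            }
        }
    }

    if (!issuerTrusted || !notRevoked) {
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    String filter = buildUserFilter(authParams, subject);

    ArrayList<String> rdnAttrs = new ArrayList<String>();
    StringTokenizer toker = new StringTokenizer(authParams.get("rdnAttribute").getValues().get(0), ",", false);
    while (toker.hasMoreTokens()) {
        rdnAttrs.add(toker.nextToken());
    }
    String defaultOC = authParams.get("defaultOC").getValues().get(0);
    String dnLabel = authParams.get("dnLabel").getValues().get(0);

    as.setSuccess(true);
    MyVDConnection myvd = cfgMgr.getMyVD();
    try {
        // scope 2 is LDAPConnection.SCOPE_SUB; no attributes are requested
        LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, filter, new ArrayList<String>());
        if (res.hasMore()) {
            createUserFromDir(session, act, res);
        } else {
            createUnlinkedUser(session, act, rdnAttrs, dnLabel, defaultOC, subject);
        }
    } catch (LDAPException e) {
        // Result code 32 (noSuchObject) means the search base does not exist; treat it like
        // an empty result instead of an error.
        if (e.getResultCode() == 32) {
            createUnlinkedUser(session, act, rdnAttrs, dnLabel, defaultOC, subject);
        } else {
            throw new ServletException("Could not search for user", e);
        }
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Flattens the end-entity certificate's subject RDNs and subject alternative names into one
 * attribute map and lets every configured extractor add its own entries.
 *
 * <p>A later SAN of the same type overwrites an earlier one, as in the original code.
 *
 * @param certs the presented chain, leaf first (must be non-empty)
 * @return subject attribute name to value
 * @throws ServletException if the SAN extension cannot be parsed
 */
private HashMap<String, String> collectSubject(X509Certificate[] certs) throws ServletException {
    X509Certificate cert = certs[0];
    HashMap<String, String> subject = new HashMap<String, String>();
    DN dn = new DN(cert.getSubjectX500Principal().getName());
    for (RDN rdn : dn.getRDNs()) {
        subject.put(rdn.getType(), rdn.getValue());
    }
    try {
        Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
        if (altNames != null) {
            for (List<?> item : altNames) {
                // item = [GeneralName type tag, value]; SAN_NAMES maps the tag to a name
                int type = ((Integer) item.get(0)).intValue();
                subject.put(SAN_NAMES[type], item.get(1).toString());
            }
        }
    } catch (CertificateParsingException e) {
        throw new ServletException("Could not parse certificate", e);
    }
    for (CertificateExtractSubjectAttribute cesa : this.extracts) {
        cesa.addSubjects(subject, certs);
    }
    return subject;
}

/**
 * Locates the certificate that issued {@code certs[idx]}: the next certificate up the presented
 * chain, or, for the last certificate, a keystore entry whose subject equals the issuer DN and
 * whose public key verifies the certificate's signature.
 *
 * @param certs the presented chain, leaf first
 * @param idx   index of the certificate whose issuer is wanted
 * @return the issuer certificate, or {@code null} if none could be established
 * @throws ServletException if the keystore cannot be read
 */
private X509Certificate findIssuer(X509Certificate[] certs, int idx) throws ServletException {
    if (idx + 1 < certs.length) {
        return certs[idx + 1];
    }
    X509Certificate target = certs[idx];
    try {
        Enumeration<String> aliases = cfgMgr.getKeyStore().aliases();
        while (aliases.hasMoreElements()) {
            java.security.cert.Certificate stored = cfgMgr.getKeyStore().getCertificate(aliases.nextElement());
            if (!(stored instanceof X509Certificate)) {
                continue;
            }
            X509Certificate candidate = (X509Certificate) stored;
            if (!candidate.getSubjectX500Principal().equals(target.getIssuerX500Principal())) {
                continue;
            }
            try {
                // A subject-name match alone is not enough: the candidate's key must actually
                // have signed this certificate.
                target.verify(candidate.getPublicKey());
                return candidate;
            } catch (java.security.GeneralSecurityException e) {
                logger.warn("Issuer with wrong public key", e);
            }
        }
    } catch (KeyStoreException e) {
        throw new ServletException("Could not process CRLs", e);
    }
    return null;
}

/**
 * Builds the LDAP search filter that maps the certificate subject to a directory entry.
 *
 * <p>With {@code uidIsFilter} unset or false, {@code uidAttr} (default {@code uid}) names a
 * subject attribute and the filter is {@code (uidAttr=value)}. With {@code uidIsFilter=true},
 * {@code uidAttr} is a filter template in which each {@code ${name}} is replaced by the subject
 * attribute of that name. Substituted values are escaped per RFC 4515 so that certificate
 * contents (CN, SANs) cannot alter the filter's structure. A referenced attribute that the
 * certificate lacks yields a filter that matches nothing, consistent with the non-template case.
 *
 * @throws ServletException if a {@code ${} placeholder in the template is not closed
 */
private String buildUserFilter(HashMap<String, Attribute> authParams, HashMap<String, String> subject) throws ServletException {
    String uidAttr = "uid";
    if (authParams.get("uidAttr") != null) {
        uidAttr = authParams.get("uidAttr").getValues().get(0);
    }
    boolean uidIsFilter = authParams.get("uidIsFilter") != null
            && authParams.get("uidIsFilter").getValues().get(0).equalsIgnoreCase("true");

    if (!uidIsFilter) {
        String value = subject.get(uidAttr);
        return value == null ? "(!(objectClass=*))" : equal(uidAttr, value).toString();
    }

    StringBuilder filter = new StringBuilder();
    int last = 0;
    int start = uidAttr.indexOf("${");
    while (start >= 0) {
        int end = uidAttr.indexOf('}', start);
        if (end < 0) {
            // The previous code computed a negative substring bound here.
            throw new ServletException("Unterminated ${ placeholder in uidAttr filter template");
        }
        filter.append(uidAttr, last, start);
        String value = subject.get(uidAttr.substring(start + 2, end));
        if (value == null) {
            return "(!(objectClass=*))";
        }
        filter.append(escapeFilterValue(value));
        last = end + 1;
        start = uidAttr.indexOf("${", last);
    }
    filter.append(uidAttr.substring(last));
    return filter.toString();
}

/**
 * Escapes an assertion value for use inside an LDAP search filter (RFC 4515 section 3).
 *
 * @param value raw value taken from the certificate subject
 * @return the value with {@code * ( ) \} and NUL replaced by their {@code \xx} escapes
 */
private static String escapeFilterValue(String value) {
    StringBuilder out = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '*':
                out.append("\\2a");
                break;
            case '(':
                out.append("\\28");
                break;
            case ')':
                out.append("\\29");
                break;
            case '\\':
                out.append("\\5c");
                break;
            case '\0':
                out.append("\\00");
                break;
            default:
                out.append(c);
        }
    }
    return out.toString();
}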

Example 2 with CRLManager

use of com.tremolosecurity.proxy.auth.ssl.CRLManager in project OpenUnison by TremoloSecurity.

the class CrlChecker method init.

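/**
 * Loads the mechanism's configuration.
 *
 * <p>Instantiates the {@link CRLManager} implementations listed in {@code crl.names} (each
 * with its class name in {@code crl.<name>.type}) and the subject extractors listed in
 * {@code extracts}. Class names come from the OpenUnison configuration, i.e. from the
 * administrator, so only trusted values reach {@code Class.forName} here. When CRL managers
 * are configured, a {@code CrlChecker} thread over them is started and registered with the
 * config manager so it can be stopped with the server.
 *
 * @param ctx  the servlet context holding the {@link ConfigManager}
 * @param init the mechanism's init parameters
 */
@Override
public void init(ServletContext ctx, HashMap<String, Attribute> init) {
    this.cfgMgr = (ConfigManager) ctx.getAttribute(ProxyConstants.TREMOLO_CONFIG);
    this.crls = new ArrayList<CRLManager>();
    Attribute crlNames = init.get("crl.names");
    if (crlNames != null) {
        for (String crlName : crlNames.getValues()) {
            if (crlName.isEmpty()) {
                // an empty name terminates the list
                break;
            }
            Attribute typeAttr = init.get("crl." + crlName + ".type");
            if (typeAttr == null || typeAttr.getValues().isEmpty()) {
                // previously dereferenced unconditionally and failed with NullPointerException
                logger.error("no type configured for crl : " + crlName);
                continue;
            }
            String type = typeAttr.getValues().get(0);
            try {
                // asSubclass rejects a class that is not a CRLManager before it is instantiated
                CRLManager crl = Class.forName(type).asSubclass(CRLManager.class).getDeclaredConstructor().newInstance();
                crl.init(crlName, init, cfgMgr);
                this.crls.add(crl);
            } catch (Exception e) {
                logger.error("could not initialize crl : " + type, e);
            }
        }
        StopableThread crlChecker = new CrlChecker(this.crls);
        this.cfgMgr.addThread(crlChecker);
        new Thread(crlChecker).start();
    }

    this.extracts = new ArrayList<CertificateExtractSubjectAttribute>();
    Attribute extractNames = init.get("extracts");
    if (extractNames != null) {
        for (String className : extractNames.getValues()) {
            try {
                this.extracts.add(Class.forName(className).asSubclass(CertificateExtractSubjectAttribute.class).getDeclaredConstructor().newInstance());
            } catch (ReflectiveOperationException | ClassCastException e) {
                // ReflectiveOperationException covers the class-not-found, no-constructor,
                // access and instantiation failures; ClassCastException comes from asSubclass
                logger.warn("Could not load : '" + className + "'", e);
            }
        }
    }
}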
