
Example 1 with X509CertificateCredential

use of org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential in project cas by apereo.

the class X509CredentialsAuthenticationHandlerTests method getTestParameters.

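/**
 * Gets the unit test parameters.
 * <p>
 * Each entry is {@code { handler, credential, flag, expected }}: the handler under
 * test, the credential to authenticate, a boolean that is {@code false} only for the
 * unsupported credential type (presumably the expected {@code supports} outcome), and
 * the expected result — a {@link DefaultHandlerResult} on success, the exception the
 * handler is expected to raise on failure, or {@code null} for the unsupported case.
 *
 * @return Test parameter data.
 * @throws Exception On test data setup errors.
 */
@Parameters
public static Collection<Object[]> getTestParameters() throws Exception {
    final Collection<Object[]> params = new ArrayList<>();
    X509CredentialsAuthenticationHandler handler;
    X509CertificateCredential credential;

    // Test case #1: Unsupported credential type
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(new Object[] { handler, new UsernamePasswordCredential(), false, null });

    // Test case #2: Valid certificate
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, credential, true, successResult(handler, credential) });

    // Test case #3: Expired certificate
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, new CertificateExpiredException() });

    // Test case #4: Untrusted issuer
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"), true, false, false);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });

    // Test case #5: Disallowed subject
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), true, RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });

    // Test case #6: Check key usage on a cert without keyUsage extension
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, false);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, credential, true, successResult(handler, credential) });

    // Test case #7: Require key usage on a cert without keyUsage extension
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new FailedLoginException() });

    // Test case #8: Require key usage on a cert with acceptable keyUsage extension values
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
    params.add(new Object[] { handler, credential, true, successResult(handler, credential) });

    // Test case #9: Require key usage on a cert with unacceptable keyUsage extension values
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, new FailedLoginException() });

    //===================================
    // Revocation tests
    //===================================
    ResourceCRLRevocationChecker checker;

    // Test case #10: Valid certificate with CRL checking
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    // The credential passed to the handler is the same instance the expected result refers to,
    // consistent with the other success cases.
    params.add(new Object[] { handler, credential, true, successResult(handler, credential) });

    // Test case #11: Revoked end user certificate
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null) });

    // Test case #12: Valid certificate on expired CRL data
    final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC)) });

    return params;
}

/**
 * Builds the handler result expected when {@code handler} successfully authenticates
 * {@code credential}: the principal id is the credential id.
 *
 * @param handler the handler under test.
 * @param credential the credential being authenticated.
 * @return the expected successful handler result.
 */
private static DefaultHandlerResult successResult(final X509CredentialsAuthenticationHandler handler,
                                                  final X509CertificateCredential credential) {
    return new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId()));
}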
Also used : RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException) CertificateExpiredException(java.security.cert.CertificateExpiredException) ArrayList(java.util.ArrayList) DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory) ClassPathResource(org.springframework.core.io.ClassPathResource) ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy) ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException) FailedLoginException(javax.security.auth.login.FailedLoginException) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker) DefaultHandlerResult(org.apereo.cas.authentication.DefaultHandlerResult) UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential) Parameters(org.junit.runners.Parameterized.Parameters)

Example 2 with X509CertificateCredential

use of org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential in project cas by apereo.

the class X509CredentialFactoryTests method createX509Credential.

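/**
 * Verifies that a request body carrying the PEM contents of {@code ldap-crl.crt} under
 * the {@code cert} key yields an {@link X509CertificateCredential}.
 *
 * @throws IOException if the classpath certificate resource cannot be read.
 */
@Test
public void createX509Credential() throws IOException {
    final MultiValueMap<String, String> requestBody = new LinkedMultiValueMap<>();
    // Read the whole file as a single token. try-with-resources closes the scanner even
    // when reading fails, and the explicit charset avoids platform-default decoding.
    final String certStr;
    try (Scanner scan = new Scanner(new ClassPathResource("ldap-crl.crt").getFile(),
                                    java.nio.charset.StandardCharsets.UTF_8.name())) {
        certStr = scan.useDelimiter("\\Z").next();
    }
    requestBody.add("cert", certStr);
    final Credential cred = factory.fromRequestBody(requestBody);
    assertTrue(cred instanceof X509CertificateCredential);
}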
Also used : Scanner(java.util.Scanner) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential) Credential(org.apereo.cas.authentication.Credential) LinkedMultiValueMap(org.springframework.util.LinkedMultiValueMap) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) ClassPathResource(org.springframework.core.io.ClassPathResource) Test(org.junit.Test)

Example 3 with X509CertificateCredential

use of org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential in project cas by apereo.

the class X509CredentialFactory method fromRequestBody.

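/**
 * Builds a credential from the request body.
 * <p>
 * When the body carries a {@code CERTIFICATE} entry, its value is parsed as an X.509
 * certificate and wrapped in an {@link X509CertificateCredential}; otherwise the
 * request is delegated to the parent factory (username/password fallback).
 *
 * @param requestBody the request parameters; the certificate value is client-supplied
 *                    and must be treated as untrusted until the handler validates it.
 * @return the X.509 credential, or whatever the parent factory produces when no
 *         certificate entry is present.
 */
@Override
public Credential fromRequestBody(final MultiValueMap<String, String> requestBody) {
    final String cert = requestBody.getFirst(CERTIFICATE);
    LOGGER.trace("cert: {}", cert);
    if (cert == null) {
        LOGGER.debug("cert is null fallback to username/passwd");
        return super.fromRequestBody(requestBody);
    }
    // Fixed charset: the parse result must not depend on the platform default.
    final InputStream is = new ByteArrayInputStream(cert.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    final InputStreamSource iso = new InputStreamResource(is);
    // NOTE(review): CertUtils.readCertificate presumably throws on malformed input; nothing here catches it.
    final X509Certificate certificate = CertUtils.readCertificate(iso);
    final X509CertificateCredential credential = new X509CertificateCredential(new X509Certificate[] { certificate });
    credential.setCertificate(certificate);
    return credential;
}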
Also used : InputStreamSource(org.springframework.core.io.InputStreamSource) ByteArrayInputStream(java.io.ByteArrayInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) X509Certificate(java.security.cert.X509Certificate) InputStreamResource(org.springframework.core.io.InputStreamResource)

Example 4 with X509CertificateCredential

use of org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential in project cas by apereo.

the class X509CredentialsAuthenticationHandler method doAuthentication.

/**
 * Authenticates an X.509 certificate credential.
 * <p>
 * Walks the presented certificate array from last to first, running {@link #validate}
 * on every certificate. Any certificate matching the trusted issuer pattern sets the
 * trusted-issuer flag, and every certificate without CA basic constraints is recorded
 * as the client certificate (so, in this reverse walk, the lowest-index non-CA
 * certificate wins). Authentication succeeds only when both a trusted issuer and a
 * client certificate were found.
 *
 * @param credential the credential; expected to be an {@link X509CertificateCredential}
 *                   (the cast is unchecked here, so {@code supports} must have filtered it).
 * @return a handler result whose principal is created from the credential id.
 * @throws GeneralSecurityException if certificate validation fails (presumably propagated
 *                                  from {@link #validate}), or as {@link FailedLoginException}
 *                                  when no trusted issuer / client certificate is found.
 * @throws PreventedException if propagated from {@link #validate}; not thrown directly here.
 */
@Override
protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final X509CertificateCredential x509Credential = (X509CertificateCredential) credential;
    final X509Certificate[] certificates = x509Credential.getCertificates();
    X509Certificate clientCert = null;
    boolean hasTrustedIssuer = false;
    // Reverse order: the last array element is evaluated first.
    for (int i = certificates.length - 1; i >= 0; i--) {
        final X509Certificate certificate = certificates[i];
        LOGGER.debug("Evaluating [{}]", CertUtils.toString(certificate));
        // Validation runs before the issuer/CA classification, so an invalid
        // certificate anywhere in the array aborts the whole authentication.
        validate(certificate);
        // NOTE(review): the flag is set by whichever certificate in the array matches the
        // trusted issuer, not necessarily the one that issued clientCert — confirm that
        // validate() performs the chain check that ties the two together.
        if (!hasTrustedIssuer) {
            hasTrustedIssuer = isCertificateFromTrustedIssuer(certificate);
        }
        // getBasicConstraints returns pathLenConstraints which is generally
        // >=0 when this is a CA cert and -1 when it's not
        final int pathLength = certificate.getBasicConstraints();
        if (pathLength < 0) {
            // Not a CA certificate: treat it as the end-entity (client) certificate.
            // A later iteration (lower index) with the same property overwrites this.
            LOGGER.debug("Found valid client certificate");
            clientCert = certificate;
        } else {
            LOGGER.debug("Found valid CA certificate");
        }
    }
    if (hasTrustedIssuer && clientCert != null) {
        x509Credential.setCertificate(clientCert);
        return new DefaultHandlerResult(this, x509Credential, this.principalFactory.createPrincipal(x509Credential.getId()));
    }
    LOGGER.warn("Either client certificate could not be determined, or a trusted issuer could not be located");
    throw new FailedLoginException();
}
Also used : FailedLoginException(javax.security.auth.login.FailedLoginException) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) DefaultHandlerResult(org.apereo.cas.authentication.DefaultHandlerResult) X509Certificate(java.security.cert.X509Certificate)

Example 5 with X509CertificateCredential

use of org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential in project cas by apereo.

the class X509CertificateCredentialJsonDeserializer method deserialize.

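/**
 * Deserializes an {@link X509CertificateCredential} from JSON.
 * <p>
 * Every node named {@code certificates} in the tree contributes one certificate: its
 * first element is read as a Base64 string and parsed as an X.509 certificate.
 *
 * @param jp the parser positioned at the credential object.
 * @param deserializationContext the Jackson context (unused).
 * @return the credential holding the parsed certificates, in document order.
 * @throws IOException if the tree cannot be read, or a {@code certificates} node has no
 *                     textual first element.
 */
@Override
public X509CertificateCredential deserialize(final JsonParser jp, final DeserializationContext deserializationContext) throws IOException {
    final ObjectCodec oc = jp.getCodec();
    final JsonNode node = oc.readTree(jp);
    final List<X509Certificate> certs = new ArrayList<>();
    // A plain loop rather than forEach, so malformed (untrusted) input surfaces as an
    // IOException instead of a NullPointerException thrown from inside a lambda.
    for (final JsonNode n : node.findValues("certificates")) {
        final JsonNode first = n.get(0);
        final String cert = first == null ? null : first.textValue();
        if (cert == null) {
            throw new IOException("Expected a Base64-encoded certificate as the first element of 'certificates'");
        }
        final byte[] data = EncodingUtils.decodeBase64(cert);
        certs.add(CertUtils.readCertificate(new InputStreamResource(new ByteArrayInputStream(data))));
    }
    return new X509CertificateCredential(certs.toArray(new X509Certificate[0]));
}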
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) ArrayList(java.util.ArrayList) JsonNode(com.fasterxml.jackson.databind.JsonNode) ObjectCodec(com.fasterxml.jackson.core.ObjectCodec) X509Certificate(java.security.cert.X509Certificate) InputStreamResource(org.springframework.core.io.InputStreamResource)
