
Example 96 with X500Name

use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.

the class Counter method createIdCred.

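/**
 * Creates an identity from a CSIv2 identity token and stores it as a public credential in the
 * JAAS subject of the given security context.
 *
 * <p>Also sets the {@code identcls} field of the security context to the class of the credential
 * that was added ({@code null} for an absent token). Token payloads may arrive CDR-encoded
 * (Issue 5766) and are unwrapped with the codec before they are parsed.
 *
 * @param securityContext context whose subject receives the credential and whose
 *        {@code identcls} field is updated
 * @param identityToken the identity token; its discriminator selects the credential type
 * @throws SecurityException if the token type is unknown, a GSS exported name does not carry the
 *         GSSUP mechanism OID, or a certificate-chain token contains no certificates
 * @throws Exception if CDR or DER decoding of the token payload fails
 */
private void createIdCred(SecurityContext securityContext, IdentityToken identityToken) throws Exception {
    // used to hold DER encodings
    byte[] derEncoding;
    // Any object returned from codec.decode_value()
    Any any;
    switch (identityToken.discriminator()) {
        case ITTAbsent.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Absent");
            }
            securityContext.identcls = null;
            break;
        case ITTAnonymous.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Anonymous");
                logger.log(FINE, "Adding AnonyCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(new AnonCredential());
            securityContext.identcls = AnonCredential.class;
            break;
        case ITTDistinguishedName.value:
            // Construct a X500Name
            derEncoding = identityToken.dn();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(derEncoding)) {
                any = codec.decode_value(derEncoding, X501DistinguishedNameHelper.type());
                // Extract DER encoding
                derEncoding = X501DistinguishedNameHelper.extract(any);
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Create an X500Name object from identity token");
            }
            X500Name xname = new X500Name(derEncoding);
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity to be asserted is " + xname.toString());
                logger.log(FINE, "Adding X500Name to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(xname);
            securityContext.identcls = X500Name.class;
            break;
        case ITTX509CertChain.value:
            // Construct a X509CertificateChain
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is a X509 Certificate Chain");
            }
            derEncoding = identityToken.certificate_chain();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(derEncoding)) {
                // Decode CDR encoding
                any = codec.decode_value(derEncoding, X509CertificateChainHelper.type());
                // Extract DER encoding
                derEncoding = X509CertificateChainHelper.extract(any);
            }
            DerInputStream din = new DerInputStream(derEncoding);
            // The length passed to getSequence() is only a capacity hint for the parser.
            DerValue[] derval = din.getSequence(1);
            if (derval.length == 0) {
                // Reject a malformed token explicitly; certchain[0] below would otherwise fail
                // with an ArrayIndexOutOfBoundsException instead of a SecurityException.
                throw new SecurityException("X.509 certificate chain in identity token is empty");
            }
            /*
             * X509Certificate has no constructor that builds an instance from a DER encoding, so
             * X509CertImpl (which extends X509Certificate and implements DerEncoder) is used.
             */
            X509Certificate[] certchain = new X509CertImpl[derval.length];
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Contents of X509 Certificate chain:");
            }
            for (int i = 0; i < certchain.length; i++) {
                certchain[i] = new X509CertImpl(derval[i]);
                if (logger.isLoggable(FINE)) {
                    logger.log(FINE, "    " + certchain[i].getSubjectDN().getName());
                }
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Creating a X509CertificateCredential object from certchain");
            }
            /*
             * The alias field of X509CertificateCredential is currently ignored by the RI, so a
             * fixed placeholder ("default") is passed.
             */
            X509CertificateCredential cred = new X509CertificateCredential(certchain, certchain[0].getSubjectDN().getName(), "default");
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(cred);
            securityContext.identcls = X509CertificateCredential.class;
            break;
        case ITTPrincipalName.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is GSS Exported Name");
            }
            byte[] expname = identityToken.principal_name();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(expname)) {
                // Decode CDR encoding
                any = codec.decode_value(expname, GSS_NT_ExportedNameHelper.type());
                expname = GSS_NT_ExportedNameHelper.extract(any);
            }
            // Only the GSSUP mechanism is accepted for exported names.
            if (!verifyMechOID(GSSUP_MECH_OID, expname)) {
                throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
            }
            GSSUPName gssname = new GSSUPName(expname);
            securityContext.subject.getPublicCredentials().add(gssname);
            securityContext.identcls = GSSUPName.class;
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding GSSUPName credential to subject");
            }
            break;
        default:
            logger.log(SEVERE, "iiop.unknown_identity");
            throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
    }
}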

Example 97 with X500Name

use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.

the class SecurityMechanismSelector method evaluateTrust.

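/**
 * Called by the target to interpret client credentials after validation.
 *
 * <p>Determines whether the request arrived over SSL and, when the client authenticated at the
 * transport level, captures its certificate chain. The request is then checked against the
 * configured security policies and a security context describing the asserted identity is
 * returned.
 *
 * @param ctx the security context carried by the request, or {@code null} when the request
 *        carried no security attributes
 * @param object_id the target object id handed to the conformance check
 * @param socket the transport socket; an {@link SSLSocket} means SSL was used
 * @return {@code null} for a local invocation or when no security context is needed; the
 *         supplied {@code ctx} (with {@code authcls}/{@code identcls} normalised) when one was
 *         given; otherwise a new context carrying the transport principal as an
 *         {@code X500Name} public credential
 * @throws SecurityMechanismException if the client does not conform to the configured security
 *         policies
 */
public SecurityContext evaluateTrust(SecurityContext ctx, byte[] object_id, Socket socket) throws SecurityMechanismException {
    // ssl_used is true if SSL was used.
    boolean ssl_used = false;
    // Non-null only if the client authenticated at the SSL level.
    X509Certificate[] certChain = null;
    // instanceof is false for null, so no separate null check is needed.
    if (socket instanceof SSLSocket) {
        ssl_used = true;
        // check if there is a transport principal
        SSLSession sslSession = ((SSLSocket) socket).getSession();
        try {
            certChain = (X509Certificate[]) sslSession.getPeerCertificates();
        } catch (Exception e) {
            // Best effort: an unverified peer simply yields no transport principal; the
            // conformance check below decides whether that is acceptable.
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "iiop.cannot_get_peercert", e);
            }
        }
    }
    // For a local invocation - we don't need to check the security
    // policies. The following condition guarantees the call is local
    // and thus bypassing policy checks.
    // XXX: Workaround for non-null connection object ri for local invocation.
    // if (socket == null && ctx == null)
    Long clientId = ConnectionExecutionContext.readClientThreadID();
    if (clientId != null && clientId.longValue() == Thread.currentThread().getId() && ctx == null) {
        return null;
    }
    if (!evaluate_client_conformance(ctx, object_id, ssl_used, certChain)) {
        throw new SecurityMechanismException(
                "Trust evaluation failed because client does not conform to configured security policies");
    }
    if (ctx == null) {
        // An empty chain carries no transport principal either, so it is treated like a
        // missing one instead of failing on certChain[0] below.
        if (socket == null || !ssl_used || certChain == null || certChain.length == 0) {
            // no security ctx is needed.
            return null;
        }
        // Set the transport principal in subject and return the X500Name class
        SecurityContext ssc = new SecurityContext();
        X500Name x500Name = (X500Name) certChain[0].getSubjectDN();
        ssc.subject = new Subject();
        ssc.subject.getPublicCredentials().add(x500Name);
        ssc.identcls = X500Name.class;
        ssc.authcls = null;
        return ssc;
    }
    // A supplied context is returned with exactly one of identcls/authcls set: an asserted
    // identity wins over an authenticated one, and anonymous is the fallback.
    SecurityContext ssc = ctx;
    Class<?> authCls = ctx.authcls;
    Class<?> identCls = ctx.identcls;
    ssc.authcls = null;
    ssc.identcls = null;
    if (identCls != null) {
        ssc.identcls = identCls;
    } else if (authCls != null) {
        ssc.authcls = authCls;
    } else {
        ssc.identcls = AnonCredential.class;
    }
    return ssc;
}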

Example 98 with X500Name

use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.

the class LoginContextDriver method doX500Login.

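/**
 * A special case login for X500Name credentials.
 * This is invoked for certificate login because the containers
 * extract the X.500 name from the X.509 certificate before calling
 * into this class.
 *
 * <p>The subject must already carry an {@code X500Name} public credential. The certificate
 * realm (and its JAAS context, when one is configured) is given the opportunity to adjust the
 * resulting security context. Success and failure are both reported to the audit manager when
 * auditing is on.
 *
 * @param s the subject carrying the X500Name public credential
 * @param appModuleID the application module id passed to the JAAS callback handler
 * @throws LoginException if no X500Name credential is present or the realm login fails; any
 *         other failure is wrapped in a LoginException with its cause preserved
 */
public static void doX500Login(Subject s, String appModuleID) throws LoginException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.fine("Processing X.500 name login.");
    }
    String user = null;
    String realmName = null;
    try {
        X500Name x500name = (X500Name) getPublicCredentials(s, X500Name.class);
        if (x500name == null) {
            // Fail with a clear message rather than an NPE wrapped in a LoginException.
            throw new LoginException("No X500Name public credential found in subject");
        }
        user = x500name.getName();
        // In the RI-inherited implementation this directly creates
        // some credentials and sets the security context. This means
        // that the certificate realm does not get an opportunity to
        // process the request. While the realm will not do any
        // authentication (already done by this point) it can choose
        // to adjust the groups or principal name or other variables
        // of the security context. Of course, bug 4646134 needs to be
        // kept in mind at all times.
        Realm realm = Realm.getInstance(CertificateRealm.AUTH_TYPE);
        if (realm instanceof CertificateRealm) {
            // should always be true
            CertificateRealm certRealm = (CertificateRealm) realm;
            String jaasCtx = certRealm.getJAASContext();
            if (jaasCtx != null) {
                // The subject has the Certificate Credential.
                LoginContext lg = new LoginContext(jaasCtx, s, new ServerLoginCallbackHandler(user, null, appModuleID));
                lg.login();
            }
            certRealm.authenticate(s, x500name);
            realmName = CertificateRealm.AUTH_TYPE;
            if (getAuditManager().isAuditOn()) {
                getAuditManager().authentication(user, realmName, true);
            }
        } else {
            _logger.warning(SecurityLoggerInfo.certLoginBadRealmError);
            realmName = realm.getName();
            setSecurityContext(user, s, realmName);
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("X.500 name login succeeded for : " + user);
        }
    } catch (LoginException le) {
        auditX500LoginFailure(user, realmName);
        throw le;
    } catch (Exception ex) {
        // NOTE(review): LoginContext.login() appears to throw javax.security.auth.login.LoginException,
        // which is not the LoginException type caught above, so a failed JAAS login lands here.
        // Record the failed attempt before wrapping so it is not missing from the audit trail.
        auditX500LoginFailure(user, realmName);
        throw (LoginException) new LoginException(ex.toString()).initCause(ex);
    }
}

/**
 * Reports a failed X.500 login to the audit manager when auditing is enabled.
 *
 * @param user the asserted user name, or {@code null} if it could not be determined
 * @param realmName the realm that handled the login, or {@code null} if none was reached
 */
private static void auditX500LoginFailure(String user, String realmName) {
    if (getAuditManager().isAuditOn()) {
        getAuditManager().authentication(user, realmName, false);
    }
}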

Example 99 with X500Name

use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.

the class LDAPRealm method getGroups.

/**
 * Looks up the static and dynamic LDAP groups of a user.
 *
 * <p>No authentication happens here; the directory is queried with the realm's bind properties.
 * The subject name substituted into the group filters is the CN of {@code userDN} when it parses
 * as an X.500 name, the value of a leading {@code uid=} attribute when the CN is absent, or the
 * raw value otherwise (simple group names are accepted as userDN, GLASSFISH-19595).
 *
 * @param userDN the user's distinguished name (or simple name) as known to the realm
 * @return the group names found by both searches, or {@code null} if the lookup failed
 */
private List<String> getGroups(String userDN) {
    // no authentication has happened through the realm.
    DirContext dirContext = null;
    String dynamicMemberAttribute = getProperty(PARAM_DYNAMIC_GRP_TARGET);
    try {
        dirContext = new InitialDirContext(getLdapBindProps());
        String subjectName = userDN;
        try {
            subjectName = new X500Name(userDN).getCommonName();
        } catch (IOException ignored) {
            // Not a parsable DN: keep userDN unchanged so simple group names still work
            // (Issue GLASSFISH-19595).
        }
        if (subjectName == null && userDN != null && userDN.startsWith("uid")) {
            // handle uid=XXX here where cn is not present
            subjectName = uidAttributeValue(userDN);
        }
        // NOTE(review): subjectName and userDN are spliced into the search filters by
        // substitute(); confirm that helper escapes LDAP filter metacharacters (RFC 4515),
        // otherwise a name containing them changes the meaning of the filter.
        StringBuffer staticFilter = new StringBuffer(getProperty(PARAM_GRP_SEARCH_FILTER));
        StringBuffer dynamicFilter = new StringBuffer(getProperty(PARAM_DYNAMIC_GRP_FILTER));
        for (StringBuffer filter : new StringBuffer[] { staticFilter, dynamicFilter }) {
            substitute(filter, SUBST_SUBJECT_NAME, subjectName);
            substitute(filter, SUBST_SUBJECT_DN, userDN);
        }
        String groupBaseDn = getProperty(PARAM_GRPDN);
        String groupTarget = getProperty(PARAM_GRP_TARGET);
        List<String> groups = new ArrayList<String>();
        groups.addAll(groupSearch(dirContext, groupBaseDn, staticFilter.toString(), groupTarget));
        // the dynamic search filter is constructed internally as a groupOfURLs
        groups.addAll(dynamicGroupSearch(dirContext, groupBaseDn, dynamicMemberAttribute, dynamicFilter.toString(), groupTarget));
        return groups;
    } catch (Exception e) {
        _logger.log(Level.WARNING, "ldaprealm.groupsearcherror", e);
    } finally {
        closeDirContextQuietly(dirContext);
    }
    return null;
}

/**
 * Extracts the value of the leading {@code uid=} attribute of a DN.
 *
 * @param userDN a DN starting with {@code uid}
 * @return the text between {@code uid=} and the first comma, or {@code null} if either marker is
 *         missing
 */
private static String uidAttributeValue(String userDN) {
    // TODO: maybe there is a better way to handle this??
    int start = userDN.indexOf("uid=");
    int end = userDN.indexOf(",");
    if (start == -1 || end == -1) {
        return null;
    }
    return userDN.substring(start + 4, end);
}

/**
 * Closes the directory context, logging (not propagating) a failure to close.
 *
 * @param dirContext the context to close; {@code null} is ignored
 */
private void closeDirContextQuietly(DirContext dirContext) {
    if (dirContext == null) {
        return;
    }
    try {
        dirContext.close();
    } catch (NamingException e) {
        _logger.log(Level.WARNING, "ldaprealm.exception", e);
    }
}
