Example 1 with CertificateInfo

Use of org.platformlayer.auth.model.CertificateInfo in project platformlayer by platformlayer.

Class RootResource, method requireSystemAccess. The caller's TLS client-certificate chain is flattened into a CertificateChainInfo (subject DN plus hex-encoded DER public key per certificate) and handed to the system authenticator; the request is rejected with an unauthorized response when no chain is presented or the authenticator returns no account.

protected void requireSystemAccess() throws AuthenticatorException {
    // Chain the client presented on the TLS connection (leaf first if it follows the
    // javax.net.ssl getPeerCertificates() ordering).
    X509Certificate[] certChain = getCertificateChain();
    if (certChain != null && certChain.length != 0) {
        // Only two fields per certificate reach the authenticator: the subject DN and the
        // DER-encoded SubjectPublicKeyInfo (PublicKey.getEncoded()). Signatures, validity
        // dates and extensions are not forwarded, so any chain validation has to happen
        // before this point, at the TLS layer.
        CertificateChainInfo chain = new CertificateChainInfo();
        for (X509Certificate cert : certChain) {
            CertificateInfo info = new CertificateInfo();
            info.publicKey = Hex.toHex(cert.getPublicKey().getEncoded());
            info.subjectDN = Certificates.getSubject(cert);
            // Md5Hash hash = OpenSshUtils.getSignature(cert.getPublicKey());
            // certificateInfo.setPublicKeyHash(hash.toHex());
            chain.certificates.add(info);
        }
        // A non-null ServiceAccount means the (subject, public key) pair is registered.
        ServiceAccount auth = systemAuthenticator.authenticate(chain);
        if (auth != null) {
            log.debug("Certificate authentication SUCCESS for " + chain);
            return;
        }
        log.debug("Certificate authentication FAIL for " + chain);
    } else {
        log.debug("Certificate authentication FAIL (no certificate presented)");
    }
    // Every failure path ends here: the caller gets an unauthorized response.
    throwUnauthorized();
    // return myTokenInfo;
}
Also used: ServiceAccount (org.platformlayer.auth.ServiceAccount), CertificateChainInfo (org.platformlayer.auth.model.CertificateChainInfo), CertificateInfo (org.platformlayer.auth.model.CertificateInfo), X509Certificate (java.security.cert.X509Certificate)

Example 2 with CertificateInfo

Use of org.platformlayer.auth.model.CertificateInfo in project platformlayer by platformlayer.

Class ClientCertificateSystemAuthenticator, method authenticate. One certificate of the chain is selected by position, and its subject DN and public key are looked up in the service-account repository; a miss returns null rather than throwing.

@Override
public ServiceAccountEntity authenticate(CertificateChainInfo certChainInfo) throws AuthenticatorException {
    if (certChainInfo.certificates.size() == 0) {
        log.debug("Chain empty; can't authenticate");
        return null;
    }
    // If it's a single cert; we check the cert.
    // Otherwise, we assume a CA signed the tail cert, so we check the penultimate cert
    // Note: with a leaf-first chain, element 1 is the leaf's issuer, so a multi-cert chain
    // is matched on the issuing CA's subject and key rather than on the leaf's. Confirm the
    // ordering getCertificateChain() returns before relying on this rule.
    CertificateInfo inspect;
    if (certChainInfo.certificates.size() == 1) {
        inspect = certChainInfo.certificates.get(0);
    } else {
        inspect = certChainInfo.certificates.get(1);
    }
    String subject = inspect.subjectDN;
    // A certificate without a public key is a malformed request, not an authentication failure.
    if (Strings.isNullOrEmpty(inspect.publicKey)) {
        throw new IllegalArgumentException();
    }
    byte[] publicKey = Hex.fromHex(inspect.publicKey);
    ServiceAccountEntity auth;
    try {
        // Lookup is on the exact (subject DN, DER public key) pair; no chain or signature check here.
        auth = repository.findServiceAccount(subject, publicKey);
    } catch (RepositoryException e) {
        throw new AuthenticatorException("Error while authenticating user", e);
    }
    if (auth == null) {
        log.debug("Certificate validation failed (though the caller was authenticated)");
        log.debug("Certificate validation failed - public key not recognized: " + Hex.toHex(publicKey));
        log.debug("Certificate validation failed - chain: " + certChainInfo);
    }
    return auth;
}
Also used: CertificateInfo (org.platformlayer.auth.model.CertificateInfo), AuthenticatorException (org.platformlayer.auth.AuthenticatorException), ServiceAccountEntity (org.platformlayer.auth.ServiceAccountEntity), RepositoryException (org.platformlayer.RepositoryException)
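
The position rule and the (subject, public key) lookup above, as an added stand-alone example; this is not code from the platformlayer project. CertInfo, Repo and ChainAuthDemo are assumed stand-ins for the project's CertificateInfo, repository and authenticator, the sample "certificates" are constructed from freshly generated RSA keys and carry only the two fields the authenticator consumes, and the SHA-256 fingerprint plus MessageDigest.isEqual comparison are additions the project does not show (it compares raw DER bytes through its repository).

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Assumed stand-in for CertificateInfo: subject DN plus DER SubjectPublicKeyInfo bytes. */
final class CertInfo {
    final String subjectDN;
    final byte[] spki;

    CertInfo(String subjectDN, byte[] spki) {
        this.subjectDN = subjectDN;
        this.spki = spki;
    }
}

public final class ChainAuthDemo {

    /** Position rule from ClientCertificateSystemAuthenticator: element 0 of a single-cert chain, else element 1. */
    static CertInfo selectInspected(List<CertInfo> chain) {
        if (chain.isEmpty()) {
            return null;
        }
        return chain.size() == 1 ? chain.get(0) : chain.get(1);
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Hypothetical in-memory stand-in for repository.findServiceAccount(subject, publicKey). */
    static final class Repo {
        private final Map<String, CertInfo> byAccount = new HashMap<>();

        void register(String account, String subjectDN, byte[] spki) {
            // Store a fixed-length SPKI fingerprint instead of the full DER key.
            byAccount.put(account, new CertInfo(subjectDN, sha256(spki)));
        }

        String find(String subjectDN, byte[] spki) {
            byte[] fingerprint = sha256(spki);
            for (Map.Entry<String, CertInfo> e : byAccount.entrySet()) {
                CertInfo stored = e.getValue();
                // Subject narrows the candidates; the key fingerprint is compared in constant time.
                if (stored.subjectDN.equals(subjectDN) && MessageDigest.isEqual(stored.spki, fingerprint)) {
                    return e.getKey();
                }
            }
            return null;
        }
    }

    /** Mirrors authenticate(): select the inspected cert, then look it up by (subject, public key). */
    static String authenticate(Repo repo, List<CertInfo> chain) {
        CertInfo inspect = selectInspected(chain);
        if (inspect == null || inspect.spki == null || inspect.spki.length == 0) {
            return null;
        }
        return repo.find(inspect.subjectDN, inspect.spki);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair workerKey = kpg.generateKeyPair();
        KeyPair otherWorkerKey = kpg.generateKeyPair();
        KeyPair caKey = kpg.generateKeyPair();

        // Constructed sample certificates: only the two fields the authenticator consumes.
        CertInfo worker = new CertInfo("CN=worker-1,O=example", workerKey.getPublic().getEncoded());
        CertInfo otherWorker = new CertInfo("CN=worker-2,O=example", otherWorkerKey.getPublic().getEncoded());
        CertInfo ca = new CertInfo("CN=example-ca,O=example", caKey.getPublic().getEncoded());
        // Same subject as worker-1 but a different key: the subject alone must not match.
        CertInfo impostor = new CertInfo("CN=worker-1,O=example", otherWorkerKey.getPublic().getEncoded());

        Repo repo = new Repo();
        repo.register("svc-worker-1", worker.subjectDN, worker.spki);
        repo.register("svc-ca", ca.subjectDN, ca.spki);

        System.out.println("[worker-1]     -> " + authenticate(repo, List.of(worker)));
        System.out.println("[impostor]     -> " + authenticate(repo, List.of(impostor)));
        System.out.println("[worker-1, ca] -> " + authenticate(repo, List.of(worker, ca)));
        System.out.println("[worker-2, ca] -> " + authenticate(repo, List.of(otherWorker, ca)));
        System.out.println("[]             -> " + authenticate(repo, List.of()));
    }
}
```

Run it with java ChainAuthDemo.java (Java 11+ single-file mode). The single-cert chain resolves to svc-worker-1 and the impostor, sharing the subject but not the key, to null. Both two-element chains resolve to svc-ca, because element 1 is the one inspected: under leaf-first ordering, worker-2, which is registered nowhere, is accepted under the CA's account. That is the behaviour the position rule produces, and the reason to check which ordering getCertificateChain() actually returns before trusting multi-cert chains to this authenticator.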

Aggregations

CertificateInfo (org.platformlayer.auth.model.CertificateInfo): 2
X509Certificate (java.security.cert.X509Certificate): 1
RepositoryException (org.platformlayer.RepositoryException): 1
AuthenticatorException (org.platformlayer.auth.AuthenticatorException): 1
ServiceAccount (org.platformlayer.auth.ServiceAccount): 1
ServiceAccountEntity (org.platformlayer.auth.ServiceAccountEntity): 1
CertificateChainInfo (org.platformlayer.auth.model.CertificateChainInfo): 1