Add an utility class for gateway certificate management

Add an utility class for gateway certificate management Add new configuration enable_certificate_chain_validation to api-manager.xml.j2
wso2 · Mar 20, 2024 · 60f0dab · 60f0dab
1 parent 0bea973
commit 60f0dab
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 47 deletions.
diff --git a/...o2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/Utils.java b/...o2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/Utils.java
@@ -60,6 +60,7 @@
 import org.wso2.carbon.apimgt.impl.caching.CacheProvider;
 import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
 import org.wso2.carbon.apimgt.impl.utils.APIUtil;
+import org.wso2.carbon.apimgt.impl.utils.GatewayCertificateMgtUtil;
 import org.wso2.carbon.apimgt.keymgt.SubscriptionDataHolder;
 import org.wso2.carbon.apimgt.keymgt.model.SubscriptionDataStore;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
@@ -564,10 +565,10 @@ private static boolean isClientCertificateEncoded() {
     public static X509Certificate getCertificateFromListenerTrustStore(String certSubjectDN)
             throws APIManagementException {
 
-        Enumeration<String> aliases = APIUtil.getAliasesFromListenerTrustStore();
+        Enumeration<String> aliases = GatewayCertificateMgtUtil.getAliasesFromListenerTrustStore();
         while (aliases.hasMoreElements()) {
             String alias = aliases.nextElement();
-            Certificate certificate = APIUtil.getCertificateFromListenerTrustStore(alias);
+            Certificate certificate = GatewayCertificateMgtUtil.getCertificateFromListenerTrustStore(alias);
             if (certificate instanceof X509Certificate) {
                 X509Certificate x509Certificate = (X509Certificate) certificate;
                 if (StringUtils.equals(x509Certificate.getSubjectDN().getName(), certSubjectDN)) {

diff --git a/...rg/wso2/carbon/apimgt/gateway/handlers/security/authenticator/MutualSSLAuthenticator.java b/...rg/wso2/carbon/apimgt/gateway/handlers/security/authenticator/MutualSSLAuthenticator.java
@@ -207,7 +207,7 @@ private void setAuthContext(MessageContext messageContext, Certificate[] certifi
             subjectDNIdentifiers.add(subjectDNIdentifier);
             for (Map.Entry<String, String> entry : certificates.entrySet()) {
                 String key = entry.getKey();
-                if (key.contains(subjectDNIdentifier)) {
+                if (StringUtils.equals(subjectDNIdentifier, key)) {
                     uniqueIdentifier = key;
                     tier = entry.getValue();
                     break;

diff --git a/.../org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java b/.../org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java
@@ -8330,30 +8330,6 @@ public static Certificate getCertificateFromParentTrustStore(String certAlias) t
         return publicCert;
     }
 
-    /**
-     * Fetches certificate for given certificate alias from listener trust store.
-     * @param certAlias                 Certificate alias
-     * @return                          Certificate
-     * @throws APIManagementException
-     */
-    public static Certificate getCertificateFromListenerTrustStore(String certAlias) throws APIManagementException {
-
-        Certificate publicCert = null;
-        try {
-            KeyStore trustStore = ServiceReferenceHolder.getInstance().getListenerTrustStore();
-            if (trustStore != null) {
-                // Read public certificate from trust store
-                publicCert = trustStore.getCertificate(certAlias);
-            }
-        } catch (KeyStoreException e) {
-            String msg = "Error while retrieving public certificate with alias : "
-                    + certAlias;
-            log.error(msg, e);
-            throw new APIManagementException(msg, e);
-        }
-        return publicCert;
-    }
-
     /**
      * Verify the JWT token signature.
      * <p>
@@ -8785,26 +8761,6 @@ public static boolean isCertificateExistsInListenerTrustStore(Certificate certif
         return false;
     }
 
-    /**
-     * Fetches all the trusted certificate aliases from listener trust store.
-     * @return                          Trusted certificate aliases
-     * @throws APIManagementException
-     */
-    public static Enumeration<String> getAliasesFromListenerTrustStore() throws APIManagementException {
-
-        try {
-            KeyStore trustStore = ServiceReferenceHolder.getInstance().getListenerTrustStore();
-            if (trustStore != null) {
-                return trustStore.aliases();
-            }
-        } catch (KeyStoreException e) {
-            String msg = "Error getting certificate aliases from trust store";
-            log.error(msg, e);
-            throw new APIManagementException(msg, e);
-        }
-        return null;
-    }
-
     public static boolean isDevPortalAnonymous() {
 
         APIManagerConfiguration config = ServiceReferenceHolder.getInstance().

diff --git a/...pimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/GatewayCertificateMgtUtil.java b/...pimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/GatewayCertificateMgtUtil.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com) All Rights Reserved.
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.impl.utils;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.apimgt.api.APIManagementException;
+import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.Certificate;
+import java.util.Enumeration;
+
+public class GatewayCertificateMgtUtil {
+
+    private static final Log log = LogFactory.getLog(GatewayCertificateMgtUtil.class);
+
+    /**
+     * Fetches all the trusted certificate aliases from listener trust store.
+     *
+     * @return Trusted certificate aliases
+     * @throws APIManagementException
+     */
+    public static Enumeration<String> getAliasesFromListenerTrustStore() throws APIManagementException {
+
+        try {
+            KeyStore trustStore = ServiceReferenceHolder.getInstance().getListenerTrustStore();
+            if (trustStore != null) {
+                return trustStore.aliases();
+            }
+        } catch (KeyStoreException e) {
+            String msg = "Error getting certificate aliases from trust store";
+            log.error(msg, e);
+            throw new APIManagementException(msg, e);
+        }
+        return null;
+    }
+
+    /**
+     * Fetches certificate for given certificate alias from listener trust store.
+     *
+     * @param certAlias Certificate alias
+     * @return Certificate
+     * @throws APIManagementException
+     */
+    public static Certificate getCertificateFromListenerTrustStore(String certAlias) throws APIManagementException {
+
+        Certificate publicCert = null;
+        try {
+            KeyStore trustStore = ServiceReferenceHolder.getInstance().getListenerTrustStore();
+            if (trustStore != null) {
+                // Read public certificate from trust store
+                publicCert = trustStore.getCertificate(certAlias);
+            }
+        } catch (KeyStoreException e) {
+            String msg = "Error while retrieving public certificate with alias : " + certAlias;
+            log.error(msg, e);
+            throw new APIManagementException(msg, e);
+        }
+        return publicCert;
+    }
+}
diff --git a/...re.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 b/...re.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2
@@ -1357,6 +1357,9 @@
      <MutualSSL>
         <ClientCertificateHeader>{{apimgt.mutual_ssl.certificate_header}}</ClientCertificateHeader>
         <EnableClientCertificateValidation>{{apimgt.mutual_ssl.enable_client_validation}}</EnableClientCertificateValidation>
+        {% if apimgt.mutual_ssl.enable_certificate_chain_validation is defined %}
+        <EnableCertificateChainValidation>{{apimgt.mutual_ssl.enable_certificate_chain_validation}}</EnableCertificateChainValidation>
+        {% endif %}
         {% if apimgt.mutual_ssl.client_certificate_encode is defined %}
         <ClientCertificateEncode>{{apimgt.mutual_ssl.client_certificate_encode}}</ClientCertificateEncode>
         {% endif %}