diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/web/integration/WebPrincipal.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/web/integration/WebPrincipal.java
index 5ea85e8d523..be67f6055f6 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/web/integration/WebPrincipal.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/web/integration/WebPrincipal.java
@@ -44,11 +44,14 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.security.common.PrincipalImpl;
 import com.sun.enterprise.security.SecurityContext;
 import com.sun.enterprise.security.SecurityContextProxy;
+import javax.security.auth.x500.X500Principal;
+
 public class WebPrincipal extends PrincipalImpl implements SecurityContextProxy {
     private static final long serialVersionUID = 1L;
@@ -173,7 +176,7 @@ private static String getPrincipalName(X509Certificate[] certificates, SecurityC
         // Use the full DN name from the certificates. This should normally be the same as
         // context.getCallerPrincipal(), but a realm could have decided to map the name in which
         // case they will be different.
-        return certificates[0].getSubjectX500Principal().getName();
+        return certificates[0].getSubjectX500Principal().getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
     }
 }
diff --git a/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecServerRequestInterceptor.java b/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecServerRequestInterceptor.java
index 0c484cd1cd9..ce13f54fe94 100644
--- a/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecServerRequestInterceptor.java
+++ b/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecServerRequestInterceptor.java
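Review bot: The string returned on the added line is the name `WebPrincipal` exposes to applications and role mappings, and for subjects whose DN carries attributes outside the RFC 2253 keyword set (EMAILADDRESS, SERIALNUMBER, T, GIVENNAME, ...) it changes from the JDK's dotted-OID/hex spelling to the keyword spelling; any existing security-role or group mapping keyed on the old spelling will silently stop matching, which deserves a release note. Since `CertificateRealm.authenticate()` elsewhere in this diff derives its caller name with the identical `getName(RFC2253, OID_MAP)` call, the two must never drift apart, and a comment pinning that here would help: `// Must use exactly the format CertificateRealm.authenticate() uses, or the principal name and the realm's caller name diverge.` getPrincipalName's signature and the start of its body lie outside the hunk.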
@@ -57,6 +57,7 @@
 import javax.security.auth.Subject;
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.enterprise.iiop.api.GlassFishORBHelper;
 import org.omg.CORBA.Any;
 import org.omg.CORBA.BAD_PARAM;
@@ -342,7 +343,8 @@ private void createIdCred(SecurityContext securityContext, IdentityToken identit
             for (int i = 0; i < certchain.length; i++) {
                 certchain[i] = new X509CertImpl(derval[i]);
                 if (logger.isLoggable(FINE)) {
-                    logger.log(FINE, " " + certchain[i].getSubjectDN().getName());
+                    logger.log(FINE, " " + certchain[i].getSubjectX500Principal()
+                            .getName(X500Principal.RFC2253, CertificateRealm.OID_MAP));
                 }
             }
             if (logger.isLoggable(FINE)) {
@@ -353,7 +355,8 @@ private void createIdCred(SecurityContext securityContext, IdentityToken identit
              * "dummy".
              *
              */
-            X509CertificateCredential cred = new X509CertificateCredential(certchain, certchain[0].getSubjectDN().getName(),
+            X509CertificateCredential cred = new X509CertificateCredential(certchain,
+                    certchain[0].getSubjectX500Principal().getName(X500Principal.RFC2253, CertificateRealm.OID_MAP),
                     "default");
             if (logger.isLoggable(FINE)) {
                 logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
diff --git a/appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java b/appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java
index 247972d05e7..d1e1f13c2bd 100644
--- a/appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java
+++ b/appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java
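Review bot: The chain whose subject is formatted on the added lines is still built in the preceding hunk with `new X509CertImpl(derval[i])`, an internal `sun.security.x509` class, while the rest of this diff appears aimed at getting off that package (the removed `sun.security.x509.X500Name` import in JaspicToJaasBridge and the new JarSigner comment); `CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bytes))` returns a provider-neutral `X509Certificate` whose `getSubjectX500Principal()` is what the new code needs. Separately, the added lines reference `X500Principal.RFC2253`, but this file's import hunk only adds `CertificateRealm`; if `javax.security.auth.x500.X500Principal` is not already imported further up the file this will not compile. createIdCred starts and ends outside the hunk.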
@@ -1372,7 +1372,7 @@ public void setCurrentSecurityContext(Principal principal) {
     private Subject createSubjectWithCerts(X509Certificate[] certificates) {
         Subject subject = new Subject();
-
+        // Specifically not using getName() as we aren't interested with the name here, we're interested in the X500Principal itself
         subject.getPublicCredentials().add(certificates[0].getSubjectX500Principal());
         subject.getPublicCredentials().add(asList(certificates));
diff --git a/nucleus/common/amx-core/src/main/java/org/glassfish/admin/amx/util/stringifier/X509CertificateStringifier.java b/nucleus/common/amx-core/src/main/java/org/glassfish/admin/amx/util/stringifier/X509CertificateStringifier.java
index 7b0840c4233..6c7dd1fc7ae 100644
--- a/nucleus/common/amx-core/src/main/java/org/glassfish/admin/amx/util/stringifier/X509CertificateStringifier.java
+++ b/nucleus/common/amx-core/src/main/java/org/glassfish/admin/amx/util/stringifier/X509CertificateStringifier.java
@@ -41,8 +41,10 @@
 package org.glassfish.admin.amx.util.stringifier;
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.admin.amx.util.StringUtil;
+import javax.security.auth.x500.X500Principal;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
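Review bot: `org.glassfish.admin.amx.util.stringifier` in nucleus/common now imports `CertificateRealm` from nucleus/security/core purely to read a constant map, which ties an admin display helper to the realm implementation and, unless the Maven modules already depend in that direction (not verifiable from the diff), introduces a new cross-module dependency. The OID-to-keyword map has no realm-specific content, so keeping it beside the new `OIDs` class or in a small utility under a module both sides already use would let AMX stay decoupled from the security core. For a display-only path `cert.getIssuerX500Principal().toString()` would also serve without any new dependency.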
@@ -91,8 +93,10 @@ public final class X509CertificateStringifier implements Stringifier
         final StringBuilder buf = new StringBuilder();
         final String NL = "\n";
-        buf.append("Issuer: ").append(cert.getIssuerDN().getName()).append(NL);
-        buf.append("Issued to: ").append(cert.getSubjectDN().getName()).append(NL);
+        buf.append("Issuer: ").append(cert.getIssuerX500Principal()
+                .getName(X500Principal.RFC2253, CertificateRealm.OID_MAP)).append(NL);
+        buf.append("Issued to: ").append(cert.getSubjectX500Principal()
+                .getName(X500Principal.RFC2253, CertificateRealm.OID_MAP)).append(NL);
         buf.append("Version: ").append(cert.getVersion()).append(NL);
         buf.append("Not valid before: ").append(cert.getNotBefore()).append(NL);
         buf.append("Not valid after: ").append(cert.getNotAfter()).append(NL);
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/JaspicToJaasBridge.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/JaspicToJaasBridge.java
index 94c4462855c..1761bcd1cd4 100644
--- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/JaspicToJaasBridge.java
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/JaspicToJaasBridge.java
@@ -69,8 +69,6 @@
 import com.sun.enterprise.security.auth.realm.Realm;
 import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
-import sun.security.x509.X500Name;
-
 /**
  * This class contains a collection of methods used by the JASPIC implementation to interact
  * with the Payara JAAS/Realm system.
@@ -138,7 +136,7 @@ public static Subject jaasX500Login(Subject subject, X500Principal x500Principal
         String callerPrincipalName = "";
         try {
-            callerPrincipalName = x500Principal.getName(X500Principal.RFC1779);
+            callerPrincipalName = x500Principal.getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
             privileged(() -> validSubject.getPublicCredentials().add(x500Principal));
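Review bot: The changed line switches the caller principal name from RFC 1779 to RFC 2253 with the OID map, so a subject that used to be rendered `CN=Duke, OU=Eng, O=Acme` is now `CN=Duke,OU=Eng,O=Acme` (no separator spaces, different escaping rules), and anything that matched the old spelling — file-realm users, group assignments, custom realms comparing on this string — stops matching after an upgrade. Aligning with `CertificateRealm` is the right direction, but it is a visible behaviour change that belongs in the release notes and should be pinned in code: `// RFC 2253 + OID_MAP is the one DN format Payara uses for certificate principals; it intentionally differs from the RFC 1779 form produced before.` jaasX500Login's body continues beyond the hunk, so what happens to callerPrincipalName afterwards is not visible here.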
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/WebAndEjbToJaasBridge.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/WebAndEjbToJaasBridge.java
index 5b2bc5f3357..9f856762019 100644
--- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/WebAndEjbToJaasBridge.java
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/WebAndEjbToJaasBridge.java
@@ -218,8 +218,8 @@ public static void doX500Login(Subject subject, String appModuleID) {
             // Should never happen
             return;
         }
-
-        user = x500principal.getName();
+
+        user = x500principal.getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
         // In the RI-inherited implementation this directly creates
         // some credentials and sets the security context.
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/login/ClientCertificateLoginModule.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/login/ClientCertificateLoginModule.java
index 1f65c74fc60..071b6bf787a 100644
--- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/login/ClientCertificateLoginModule.java
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/login/ClientCertificateLoginModule.java
@@ -57,7 +57,9 @@
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
+
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.internal.api.Globals;
 import org.glassfish.security.common.PrincipalImpl;
@@ -160,7 +162,8 @@ public boolean login() throws LoginException {
             Enumeration aliases = keyStore.aliases();
             for (int i = 0; i < keyStore.size(); i++) {
                 aliasNames[i] = aliases.nextElement();
-                certificateNames[i] = ((X509Certificate) keyStore.getCertificate(aliasNames[i])).getSubjectDN().getName();
+                certificateNames[i] = ((X509Certificate) keyStore.getCertificate(aliasNames[i]))
+                        .getSubjectX500Principal().getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
             }
             Callback[] callbacks = new Callback[] {createChoiceCallback(certificateNames)};
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java
index 8dcfb9379cb..193c99c0f89 100644
--- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java
@@ -46,8 +46,10 @@
 import java.security.Principal;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
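Review bot: The rewritten line casts `keyStore.getCertificate(aliasNames[i])` straight to `X509Certificate` and dereferences it, but `KeyStore.getCertificate` returns null for aliases that hold no certificate (secret-key entries) and the cast fails for non-X.509 certificates, so a client keystore containing such an entry aborts login with a NullPointerException or ClassCastException instead of a diagnosable failure. The problem predates this commit, but since the line is being rewritten a guard is cheap: `Certificate candidate = keyStore.getCertificate(aliasNames[i]); if (!(candidate instanceof X509Certificate)) { throw new LoginException("Keystore entry '" + aliasNames[i] + "' has no X.509 certificate"); }` and then format `candidate` (`java.security.cert.Certificate`). Skipping such entries rather than failing would require the two parallel arrays, declared outside the hunk, to become lists. login() starts and ends outside the hunk.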
@@ -101,7 +103,30 @@ public final class CertificateRealm extends BaseRealm {
     // Descriptive string of the authentication type of this realm.
     public static final String AUTH_TYPE = "certificate";
-
+    public static final Map OID_MAP;
+    static {
+        Map oidMapInitialiser = new HashMap<>();
+        oidMapInitialiser.put(OIDs.UID, "UID");
+        oidMapInitialiser.put(OIDs.DC, "DC");
+        oidMapInitialiser.put(OIDs.EMAILADDRESS, "EMAILADDRESS");
+        oidMapInitialiser.put(OIDs.IP, "IP");
+        oidMapInitialiser.put(OIDs.CN, "CN");
+        oidMapInitialiser.put(OIDs.SURNAME, "SURNAME");
+        oidMapInitialiser.put(OIDs.SERIALNUMBER, "SERIALNUMBER");
+        oidMapInitialiser.put(OIDs.C, "C");
+        oidMapInitialiser.put(OIDs.L, "L");
+        oidMapInitialiser.put(OIDs.ST, "ST");
+        oidMapInitialiser.put(OIDs.STREET, "STREET");
+        oidMapInitialiser.put(OIDs.O, "O");
+        oidMapInitialiser.put(OIDs.OU, "OU");
+        oidMapInitialiser.put(OIDs.T, "T");
+        oidMapInitialiser.put(OIDs.GIVENNAME, "GIVENNAME");
+        oidMapInitialiser.put(OIDs.INITIALS, "INITIALS");
+        oidMapInitialiser.put(OIDs.GENERATION, "GENERATION");
+        oidMapInitialiser.put(OIDs.DNQUALIFIER, "DNQUALIFIER");
+        OID_MAP = Collections.unmodifiableMap(oidMapInitialiser);
+    }
+
     private List defaultGroups = new LinkedList<>();
     /**
@@ -175,8 +200,8 @@ public Enumeration getGroupNames(String username) throws NoSuchUserExcep
     public String authenticate(Subject subject, X500Principal callerPrincipal) {
         // It is important to use X500Principal.getName() as that will
         // return the LDAP name in RFC2253
-        String callerPrincipalName = callerPrincipal.getName();
-
+        String callerPrincipalName = callerPrincipal.getName(X500Principal.RFC2253, OID_MAP);
+
         // Checks if the property for using common name is set
         if (Boolean.valueOf(getProperty("useCommonName"))) {
             callerPrincipalName = extractCN(callerPrincipalName);
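Review bot: `OID_MAP` is now the single definition of the certificate principal-name format, yet the call `getName(X500Principal.RFC2253, CertificateRealm.OID_MAP)` is repeated verbatim across seven files of this diff; the first place someone writes plain `getName()` (which omits the map and prints EMAILADDRESS and friends as dotted OIDs with hex values) will yield a principal name that no longer equals what `authenticate()` below compares, and nothing will flag it. A single helper next to the map removes that drift, and its Javadoc is the place to record that the map only affects attributes the JDK would otherwise emit as `<oid>=#hex` — CN, C, L, ST, O, OU, STREET, DC and UID already print as keywords under RFC 2253, so those entries are redundant but harmless — and that `getName(String, Map)` throws `IllegalArgumentException` if a key is not a dotted OID or a value is not a valid keyword, so the `OIDs` values must stay in that form. The class declaration is outside the hunk.

```java
    public static final Map OID_MAP;
    // … unchanged: static initialiser populating OID_MAP …

    /**
     * Formats a distinguished name the one way Payara identifies certificate principals:
     * RFC 2253, with readable keywords for the attribute types the JDK would otherwise print
     * as a dotted OID with a hex-encoded value (EMAILADDRESS, SERIALNUMBER, T, ...).
     * All code that derives a principal name from a certificate must go through this method
     * so that the name compared by authenticate() and the name stored on the principal agree.
     */
    public static String getDistinguishedName(X500Principal principal) {
        return principal.getName(X500Principal.RFC2253, OID_MAP);
    }
```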
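Review bot: The comment kept above the changed line, `// It is important to use X500Principal.getName() as that will return the LDAP name in RFC2253`, is now stale: the call passes the format and `OID_MAP` explicitly, and the property that matters is no longer "RFC 2253" but "the same string every other certificate path in the server produces". Suggest `// Must match the format used when the certificate principal was created (RFC 2253 + OID_MAP); otherwise the name compared here and the caller principal name diverge.` Note also that `extractCN` (defined outside the hunk) now receives the OID_MAP spelling; if it isolates only the `CN=` attribute that is unaffected, but if it splits on a separator it should be re-checked against RFC 2253 escaping (`\,`, `\+`, `\"`), since a crafted CN containing those characters is attacker-controlled input. authenticate continues beyond the hunk.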
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/OIDs.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/OIDs.java
new file mode 100644
index 00000000000..09858b96d37
--- /dev/null
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/OIDs.java
@@ -0,0 +1,67 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License"). You
+ * may not use this file except in compliance with the License. You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license." If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.
However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package com.sun.enterprise.security.auth.realm.certificate;
+
+/**
+ * Class that contains the OID constants of various DN attributes
+ */
+public class OIDs {
+
+    public static final String UID = "0.9.2342.19200300.100.1.1"; // User ID
+    public static final String DC = "0.9.2342.19200300.100.1.25"; // Domain Component
+    public static final String EMAILADDRESS = "1.2.840.113549.1.9.1";
+    public static final String IP = "1.3.6.1.4.1.42.2.11.2.1"; // IP Address
+    public static final String CN = "2.5.4.3"; // Common Name
+    public static final String SURNAME = "2.5.4.4";
+    public static final String SERIALNUMBER = "2.5.4.5";
+    public static final String C = "2.5.4.6"; // Country
+    public static final String L = "2.5.4.7"; // Locality
+    public static final String ST = "2.5.4.8"; // State
+    public static final String STREET = "2.5.4.9";
+    public static final String O = "2.5.4.10"; // Organisation
+    public static final String OU = "2.5.4.11"; // Organisation Unit
+    public static final String T = "2.5.4.12"; // Title
+    public static final String GIVENNAME = "2.5.4.42";
+    public static final String INITIALS = "2.5.4.43";
+    public static final String GENERATION = "2.5.4.44";
+    public static final String DNQUALIFIER = "2.5.4.46";
+
+}
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/ssl/JarSigner.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/ssl/JarSigner.java
index 75477eb4ffe..6ce6c12cd62 100644
--- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/ssl/JarSigner.java
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/ssl/JarSigner.java
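Review bot: `OIDs` is a constants holder but is declared as an ordinary public class, so it can be instantiated and subclassed for no purpose; `public final class OIDs {` with `private OIDs() { }` is the usual shape. The class Javadoc should also say where the values come from and what they are consumed by, because `X500Principal.getName(String, Map)` rejects any map key that is not a dotted-decimal OID: the `2.5.4.*` arc is the X.520 attribute types catalogued in RFC 4519, `UID` and `DC` are the pilot attributes from RFC 4519 as well, `EMAILADDRESS` is the PKCS#9 emailAddress attribute, and `IP` sits under the Sun enterprise arc (1.3.6.1.4.1.42) and appears to be JDK-specific — none of which a reader can tell from the present one-line comment. The entries with no trailing comment (SURNAME, SERIALNUMBER, STREET, GIVENNAME, INITIALS, GENERATION, DNQUALIFIER) would benefit from the same `// …` annotation the others carry.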
@@ -245,6 +245,7 @@ public void signJar(File input, ZipOutputStream zout, String alias, final Attrib
         sig.update(sigFileContent);
         // Create PKCS7 block
+        // Can't use X500Principal here as SignerInfo requires X500Name
         PKCS7 pkcs7 = new PKCS7(new AlgorithmId[] { AlgorithmId.get(digestAlgorithm) }, new ContentInfo(sigFileContent), certChain, new SignerInfo[] { new SignerInfo((X500Name) certChain[0].getIssuerDN(), certChain[0].getSerialNumber(), AlgorithmId.get(digestAlgorithm), AlgorithmId.get(keyAlgorithm), sig.sign()) });
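Review bot: The added comment says X500Principal cannot be used because `SignerInfo` needs an `X500Name`, but the actual hazard on the following line is the cast `(X500Name) certChain[0].getIssuerDN()`: it only succeeds when the certificate is the JDK's own `X509CertImpl` and throws `ClassCastException` for a chain loaded through another provider, and `getIssuerDN()` is deprecated in current JDKs. `sun.security.x509.X500Name` has a DER constructor, so `new X500Name(certChain[0].getIssuerX500Principal().getEncoded())` builds the identical issuer name from the certificate's own encoding without depending on the implementation class (it declares `IOException`, which signJar would have to propagate — its signature is outside the hunk). The comment would then read `// SignerInfo requires the internal X500Name; build it from the issuer's DER encoding rather than casting getIssuerDN()`.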