PAYARA-3789 Unify DN Representation

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/web/integration/WebPrincipal.java

@@ -44,11 +44,14 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.security.common.PrincipalImpl;
 
 import com.sun.enterprise.security.SecurityContext;
 import com.sun.enterprise.security.SecurityContextProxy;
 
+import javax.security.auth.x500.X500Principal;
+
 public class WebPrincipal extends PrincipalImpl implements SecurityContextProxy {
 
     private static final long serialVersionUID = 1L;
@@ -173,7 +176,7 @@ private static String getPrincipalName(X509Certificate[] certificates, SecurityC
         // Use the full DN name from the certificates. This should normally be the same as 
         // context.getCallerPrincipal(), but a realm could have decided to map the name in which
         // case they will be different.
-        return certificates[0].getSubjectX500Principal().getName();
+        return certificates[0].getSubjectX500Principal().getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
     }
 
 }

appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecServerRequestInterceptor.java

@@ -57,6 +57,7 @@
 
 import javax.security.auth.Subject;
 
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.enterprise.iiop.api.GlassFishORBHelper;
 import org.omg.CORBA.Any;
 import org.omg.CORBA.BAD_PARAM;
@@ -342,7 +343,8 @@ private void createIdCred(SecurityContext securityContext, IdentityToken identit
             for (int i = 0; i < certchain.length; i++) {
                 certchain[i] = new X509CertImpl(derval[i]);
                 if (logger.isLoggable(FINE)) {
-                    logger.log(FINE, "    " + certchain[i].getSubjectDN().getName());
+                    logger.log(FINE, "    " + certchain[i].getSubjectX500Principal()
+                            .getName(X500Principal.RFC2253, CertificateRealm.OID_MAP));
                 }
             }
             if (logger.isLoggable(FINE)) {
@@ -353,7 +355,8 @@ private void createIdCred(SecurityContext securityContext, IdentityToken identit
              * "dummy".
              * 
              */
-            X509CertificateCredential cred = new X509CertificateCredential(certchain, certchain[0].getSubjectDN().getName(),
+            X509CertificateCredential cred = new X509CertificateCredential(certchain,
+                    certchain[0].getSubjectX500Principal().getName(X500Principal.RFC2253, CertificateRealm.OID_MAP),
                     "default");
             if (logger.isLoggable(FINE)) {
                 logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");

appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java

@@ -1372,7 +1372,7 @@ public void setCurrentSecurityContext(Principal principal) {
 
     private Subject createSubjectWithCerts(X509Certificate[] certificates) {
         Subject subject = new Subject();
-
+        // Specifically not using getName() as we aren't interested with the name here, we're interested in the X500Principal itself
         subject.getPublicCredentials().add(certificates[0].getSubjectX500Principal());
         subject.getPublicCredentials().add(asList(certificates));
 

nucleus/common/amx-core/src/main/java/org/glassfish/admin/amx/util/stringifier/X509CertificateStringifier.java

@@ -41,8 +41,10 @@
 
 package org.glassfish.admin.amx.util.stringifier;
 
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.admin.amx.util.StringUtil;
 
+import javax.security.auth.x500.X500Principal;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
@@ -91,8 +93,10 @@ public final class X509CertificateStringifier implements Stringifier
 		final StringBuilder	buf	= new StringBuilder();
 		final String		NL	= "\n";
 
-		buf.append("Issuer: ").append(cert.getIssuerDN().getName()).append(NL);
-		buf.append("Issued to: ").append(cert.getSubjectDN().getName()).append(NL);
+		buf.append("Issuer: ").append(cert.getIssuerX500Principal()
+				.getName(X500Principal.RFC2253, CertificateRealm.OID_MAP)).append(NL);
+		buf.append("Issued to: ").append(cert.getSubjectX500Principal()
+				.getName(X500Principal.RFC2253, CertificateRealm.OID_MAP)).append(NL);
 		buf.append("Version: ").append(cert.getVersion()).append(NL);
 		buf.append("Not valid before: ").append(cert.getNotBefore()).append(NL);
 		buf.append("Not valid after: ").append(cert.getNotAfter()).append(NL);

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/JaspicToJaasBridge.java

@@ -69,8 +69,6 @@
 import com.sun.enterprise.security.auth.realm.Realm;
 import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 
-import sun.security.x509.X500Name;
-
 /**
  * This class contains a collection of methods used by the JASPIC implementation to interact
  * with the Payara JAAS/Realm system.
@@ -138,7 +136,7 @@ public static Subject jaasX500Login(Subject subject, X500Principal x500Principal
 
         String callerPrincipalName = "";
         try {
-            callerPrincipalName = x500Principal.getName(X500Principal.RFC1779);
+            callerPrincipalName = x500Principal.getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
 
             privileged(() -> validSubject.getPublicCredentials().add(x500Principal));
 

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/WebAndEjbToJaasBridge.java

@@ -218,8 +218,8 @@ public static void doX500Login(Subject subject, String appModuleID) {
                 // Should never happen
                 return;
             }
-            
-            user = x500principal.getName();
+
+            user = x500principal.getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
 
             // In the RI-inherited implementation this directly creates
             // some credentials and sets the security context. 

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/login/ClientCertificateLoginModule.java

@@ -57,7 +57,9 @@
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
 
+import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
 import org.glassfish.internal.api.Globals;
 import org.glassfish.security.common.PrincipalImpl;
 
@@ -160,7 +162,8 @@ public boolean login() throws LoginException {
             Enumeration<String> aliases = keyStore.aliases();
             for (int i = 0; i < keyStore.size(); i++) {
                 aliasNames[i] = aliases.nextElement();
-                certificateNames[i] = ((X509Certificate) keyStore.getCertificate(aliasNames[i])).getSubjectDN().getName();
+                certificateNames[i] = ((X509Certificate) keyStore.getCertificate(aliasNames[i]))
+                        .getSubjectX500Principal().getName(X500Principal.RFC2253, CertificateRealm.OID_MAP);
             }
 
             Callback[] callbacks = new Callback[] {createChoiceCallback(certificateNames)};

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java

@@ -46,8 +46,10 @@
 import java.security.Principal;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 
@@ -101,7 +103,30 @@ public final class CertificateRealm extends BaseRealm {
 
     // Descriptive string of the authentication type of this realm.
     public static final String AUTH_TYPE = "certificate";
-
+    public static final Map<String, String> OID_MAP;
+    static {
+        Map<String, String> oidMapInitialiser = new HashMap<>();
+        oidMapInitialiser.put(OIDs.UID, "UID");
+        oidMapInitialiser.put(OIDs.DC, "DC");
+        oidMapInitialiser.put(OIDs.EMAILADDRESS, "EMAILADDRESS");
+        oidMapInitialiser.put(OIDs.IP, "IP");
+        oidMapInitialiser.put(OIDs.CN, "CN");
+        oidMapInitialiser.put(OIDs.SURNAME, "SURNAME");
+        oidMapInitialiser.put(OIDs.SERIALNUMBER, "SERIALNUMBER");
+        oidMapInitialiser.put(OIDs.C, "C");
+        oidMapInitialiser.put(OIDs.L, "L");
+        oidMapInitialiser.put(OIDs.ST, "ST");
+        oidMapInitialiser.put(OIDs.STREET, "STREET");
+        oidMapInitialiser.put(OIDs.O, "O");
+        oidMapInitialiser.put(OIDs.OU, "OU");
+        oidMapInitialiser.put(OIDs.T, "T");
+        oidMapInitialiser.put(OIDs.GIVENNAME, "GIVENNAME");
+        oidMapInitialiser.put(OIDs.INITIALS, "INITIALS");
+        oidMapInitialiser.put(OIDs.GENERATION, "GENERATION");
+        oidMapInitialiser.put(OIDs.DNQUALIFIER, "DNQUALIFIER");
+        OID_MAP = Collections.unmodifiableMap(oidMapInitialiser);
+    }
+
     private List<String> defaultGroups = new LinkedList<>();
 
     /**
@@ -175,8 +200,8 @@ public Enumeration<String> getGroupNames(String username) throws NoSuchUserExcep
     public String authenticate(Subject subject, X500Principal callerPrincipal) {
         // It is important to use X500Principal.getName() as that will
         // return the LDAP name in RFC2253
-        String callerPrincipalName = callerPrincipal.getName();
-        
+        String callerPrincipalName = callerPrincipal.getName(X500Principal.RFC2253, OID_MAP);
+
         // Checks if the property for using common name is set
         if (Boolean.valueOf(getProperty("useCommonName"))) {
             callerPrincipalName = extractCN(callerPrincipalName);

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/OIDs.java

@@ -0,0 +1,67 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package com.sun.enterprise.security.auth.realm.certificate;
+
+/**
+ * Class that contains the OID constants of various DN attributes
+ */
+public class OIDs {
+
+    public static final String UID = "0.9.2342.19200300.100.1.1";   // User ID
+    public static final String DC = "0.9.2342.19200300.100.1.25";   // Domain Component
+    public static final String EMAILADDRESS = "1.2.840.113549.1.9.1";
+    public static final String IP = "1.3.6.1.4.1.42.2.11.2.1";  // IP Address
+    public static final String CN = "2.5.4.3";  // Common Name
+    public static final String SURNAME = "2.5.4.4";
+    public static final String SERIALNUMBER = "2.5.4.5";
+    public static final String C = "2.5.4.6";   // Country
+    public static final String L = "2.5.4.7";   // Locality
+    public static final String ST = "2.5.4.8";   // State
+    public static final String STREET = "2.5.4.9";
+    public static final String O = "2.5.4.10";  // Organisation
+    public static final String OU = "2.5.4.11"; // Organisation Unit
+    public static final String T = "2.5.4.12";  // Title
+    public static final String GIVENNAME = "2.5.4.42";
+    public static final String INITIALS = "2.5.4.43";
+    public static final String GENERATION = "2.5.4.44";
+    public static final String DNQUALIFIER = "2.5.4.46";
+
+}

nucleus/security/core/src/main/java/com/sun/enterprise/security/ssl/JarSigner.java

@@ -245,6 +245,7 @@ public void signJar(File input, ZipOutputStream zout, String alias, final Attrib
             sig.update(sigFileContent);
 
             // Create PKCS7 block
+            // Can't use X500Principal here as SignerInfo requires X500Name
             PKCS7 pkcs7 = new PKCS7(new AlgorithmId[] { AlgorithmId.get(digestAlgorithm) }, new ContentInfo(sigFileContent), certChain,
                     new SignerInfo[] { new SignerInfo((X500Name) certChain[0].getIssuerDN(), certChain[0].getSerialNumber(),
                             AlgorithmId.get(digestAlgorithm), AlgorithmId.get(keyAlgorithm), sig.sign()) });