Use cached keystore
hwupathum committed Aug 1, 2024
1 parent bd40a69 commit 391bdaa
Showing 10 changed files with 40 additions and 27 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.X509Credential;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
Expand Down Expand Up @@ -134,7 +135,7 @@ private void initializeKeyDataForTenant(int tenantID, String tenantDomain) throw
String keyStoreName = SAMLSSOUtil.generateKSNameFromDomainName(tenantDomain);
String keyAlias = tenantDomain;
KeyStoreManager keyMan = KeyStoreManager.getInstance(tenantID);
KeyStore keyStore = keyMan.getKeyStore(keyStoreName);
CachedKeyStore keyStore = keyMan.getCachedKeyStore(keyStoreName);
issuerPrivateKey = (PrivateKey) keyMan.getPrivateKey(keyStoreName, tenantDomain);

Certificate[] certificates = keyStore.getCertificateChain(keyAlias);
Expand Down Expand Up @@ -170,7 +171,7 @@ private void initializeKeyDataForSuperTenantFromSystemKeyStore() throws Exceptio
KeyStoreManager keyMan = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
issuerPrivateKey = (PrivateKey) keyAdmin.getPrivateKey(keyAlias, true);

Certificate[] certificates = keyMan.getPrimaryKeyStore().getCertificateChain(keyAlias);
Certificate[] certificates = keyMan.getCachedPrimaryKeyStore().getCertificateChain(keyAlias);
issuerCerts = Arrays.copyOf(certificates, certificates.length, X509Certificate[].class);

publicKey = issuerCerts[0].getPublicKey();
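Review bot: The certificate chain at L31 is now read from a cached keystore (L28) while the private key at L29 still comes from `keyMan.getPrivateKey(keyStoreName, tenantDomain)`, so after a key rotation in the tenant keystore the two can come from different snapshots until the cache is refreshed, and assertions would be signed with a key that does not match the cached certificate; whether `getPrivateKey` itself reads uncached is not visible in this commit. The call site should say what the cache implies, e.g. `// Cached instance: a rotated tenant certificate is only visible after the KeyStoreManager cache is refreshed.` The same pair of lines appears in the identical method in the fifth file section (L117 and L120). `initializeKeyDataForTenant` starts and ends outside the hunk.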
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.Signer;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
Expand Down Expand Up @@ -308,14 +309,14 @@ public static X509CredentialImpl getX509CredentialImplForTenant(String tenantDom
// get an instance of the corresponding Key Store Manager instance
keyStoreManager = KeyStoreManager.getInstance(tenantId);
X509CredentialImpl credentialImpl = null;
KeyStore keyStore;
CachedKeyStore keyStore;
try {
if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {// for tenants, load private key from their generated key store
keyStore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain));
keyStore = keyStoreManager.getCachedKeyStore(generateKSNameFromDomainName(tenantDomain));
} else {
// for super tenant, load the default pub. cert using the
// config. in carbon.xml
keyStore = keyStoreManager.getPrimaryKeyStore();
keyStore = keyStoreManager.getCachedPrimaryKeyStore();
}
java.security.cert.X509Certificate cert =
(java.security.cert.X509Certificate) keyStore.getCertificate(alias);
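Review bot: `getCachedKeyStore` at L60 can return null (the last file section stubs it to null at L297–L298) and L68 then dereferences it inside the try, so a missing tenant keystore surfaces as a NullPointerException instead of an error naming the tenant; a guard before L67 such as `if (keyStore == null) { throw new IllegalStateException("No key store found for tenant " + tenantDomain); }` would make the failure actionable. The catch clause that wraps it and the rest of `getX509CredentialImplForTenant` are outside the hunk, so I cannot tell whether the NPE is re-wrapped with useful context. The same shape recurs in the seventh section (L163 and L173).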
Original file line number Diff line number Diff line change
Expand Up @@ -324,9 +324,7 @@ private X509Certificate getCertificateFromKeyStore(String alias) {

try {
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
KeyStore keyStore = keyStoreManager.getPrimaryKeyStore();
X509Certificate certificate = (X509Certificate)keyStore.getCertificate(alias);
return certificate;
return (X509Certificate) keyStoreManager.getCachedPrimaryKeyStore().getCertificate(alias);
} catch (Exception e) {
String errorMsg = String.format("Error occurred while retrieving the certificate for " +
"the alias '%s'." + alias);
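Review bot: The error message at L80–L81, directly below the new line, concatenates `alias` onto the format string instead of passing it as an argument, so `%s` is never substituted and an alias containing `%` would make `String.format` throw from inside the catch block; it should read `String.format("Error occurred while retrieving the certificate for the alias '%s'.", alias)`. Those lines are unchanged context, but the commit already rewrites this method and the fix is one line. The remainder of `getCertificateFromKeyStore` is outside the hunk.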
Original file line number Diff line number Diff line change
Expand Up @@ -307,7 +307,7 @@ private void saveCertificateToKeyStore(SAMLSSOServiceProviderDO serviceProviderD

if (MultitenantConstants.SUPER_TENANT_ID == tenantId) {

KeyStore keyStore = manager.getPrimaryKeyStore();
KeyStore keyStore = manager.getCachedPrimaryKeyStore().getKeyStore();

// Admin should manually add the service provider signing certificate to the keystore file.
// If the certificate is available we will set the alias of that certificate.
Expand All @@ -320,7 +320,7 @@ private void saveCertificateToKeyStore(SAMLSSOServiceProviderDO serviceProviderD
} else {

String keyStoreName = getKeyStoreName(tenantId);
KeyStore keyStore = manager.getKeyStore(keyStoreName);
KeyStore keyStore = manager.getCachedKeyStore(keyStoreName).getKeyStore();

// Add new certificate
keyStore.setCertificateEntry(serviceProviderDO.getIssuer(), serviceProviderDO.getX509Certificate());
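Review bot: L89 and L98 unwrap the `KeyStore` held by the cache and the method then mutates it in place (`setCertificateEntry` at L101), so request-handling code now modifies the instance that every other caller in this commit reads through `CachedKeyStore`; if the wrapper memoizes certificate lookups, those readers may not see the new entry until the cache is refreshed, and concurrent saves now mutate one shared object rather than a freshly loaded store. Worth confirming against `KeyStoreManager` whether the write path is meant to go through the manager (which can refresh its cache) rather than the raw store, and recording that in a comment such as `// Mutates the cached KeyStore instance; persist and refresh via KeyStoreManager so cached readers observe the new entry.` How the store is persisted after the mutation is outside the hunk.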
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import org.opensaml.security.x509.X509Credential;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
Expand Down Expand Up @@ -150,7 +151,7 @@ private void initializeKeyDataForTenant(int tenantID, String tenantDomain) throw
String keyStoreName = SAMLSSOUtil.generateKSNameFromDomainName(tenantDomain);
String keyAlias = tenantDomain;
KeyStoreManager keyMan = KeyStoreManager.getInstance(tenantID);
KeyStore keyStore = keyMan.getKeyStore(keyStoreName);
CachedKeyStore keyStore = keyMan.getCachedKeyStore(keyStoreName);
issuerPrivateKey = (PrivateKey) keyMan.getPrivateKey(keyStoreName, tenantDomain);

Certificate[] certificates = keyStore.getCertificateChain(keyAlias);
Expand Down Expand Up @@ -184,7 +185,7 @@ private void initializeKeyDataForSuperTenantFromSystemKeyStore() throws Exceptio
KeyStoreManager keyMan = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
issuerPrivateKey = (PrivateKey) keyAdmin.getPrivateKey(keyAlias, true);

Certificate[] certificates = keyMan.getPrimaryKeyStore().getCertificateChain(keyAlias);
Certificate[] certificates = keyMan.getCachedPrimaryKeyStore().getCertificateChain(keyAlias);
issuerCerts = Arrays.copyOf(certificates, certificates.length, X509Certificate[].class);

signatureAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA;
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,7 @@ private void initCredentialForTenant(String tenantDomain, KeyStoreManager keySto
// Derive key store name.
String jksName = KeystoreUtils.getKeyStoreFileLocation(tenantDomain);
privateKey = (PrivateKey) keyStoreManager.getPrivateKey(jksName, tenantDomain);
signingCert = (X509Certificate) keyStoreManager.getKeyStore(jksName).getCertificate(tenantDomain);
signingCert = (X509Certificate) keyStoreManager.getCachedKeyStore(jksName).getCertificate(tenantDomain);
// This Exception is thrown from the KeyStoreManager.
} catch (Exception e) {
throw new IdentityException("Error retrieving private key and the certificate for tenant " +
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
Expand Down Expand Up @@ -958,19 +959,19 @@ public static X509CredentialImpl getX509CredentialImplForTenant(String tenantDom
keyStoreManager = KeyStoreManager.getInstance(tenantId);

X509CredentialImpl credentialImpl = null;
KeyStore keyStore;
CachedKeyStore keyStore;

try {
if (tenantId != -1234) {// for tenants, load private key from their generated key store
try {
FrameworkUtils.startTenantFlow(tenantDomain);
keyStore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain));
keyStore = keyStoreManager.getCachedKeyStore(generateKSNameFromDomainName(tenantDomain));
} finally {
FrameworkUtils.endTenantFlow();
}
} else { // for super tenant, load the default pub. cert using the
// config. in carbon.xml
keyStore = keyStoreManager.getPrimaryKeyStore();
keyStore = keyStoreManager.getCachedPrimaryKeyStore();
}
java.security.cert.X509Certificate cert =
(java.security.cert.X509Certificate) keyStore.getCertificate(alias);
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import org.testng.annotations.BeforeTest;
import org.testng.annotations.Test;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.core.util.KeyStoreUtil;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
Expand All @@ -50,6 +51,7 @@
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.util.HashMap;
import javax.net.ssl.KeyManager;
Expand Down Expand Up @@ -178,6 +180,7 @@ private void createMocks() throws Exception {

KeyStore keyStore = TestUtils.
loadKeyStoreFromFileSystem(TestUtils.getFilePath("wso2carbon.jks"), "wso2carbon", "JKS");
CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore);

SAMLSSOUtil.setRegistryService(registryService);
when(registryService.getGovernanceSystemRegistry()).thenReturn(registry);
Expand All @@ -187,7 +190,7 @@ private void createMocks() throws Exception {

mockStatic(KeyStoreManager.class);
when(KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID)).thenReturn(keyStoreManager);
when(keyStoreManager.getPrimaryKeyStore()).thenReturn(keyStore);
when(keyStoreManager.getCachedPrimaryKeyStore()).thenReturn(cachedKeyStore);
}

@Test
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.testng.PowerMockTestCase;
import org.testng.annotations.Test;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent;
import org.wso2.carbon.identity.core.util.IdentityUtil;
Expand Down Expand Up @@ -127,14 +128,16 @@ private void assertEncryptedSAMLAssertion(Assertion assertion, EncryptedAssertio

private void prepareForAssertionEncryption() throws Exception {

KeyStore keyStore = TestUtils.loadKeyStoreFromFileSystem(
TestUtils.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS");
CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore);

when(realmService.getTenantManager()).thenReturn(tenantManager);
when(tenantManager.getTenantId(anyString())).thenReturn(4567);
mockStatic(KeyStoreManager.class);
when(KeyStoreManager.getInstance(anyInt())).thenReturn(keyStoreManager);
when(keyStoreManager.getKeyStore(anyString())).thenReturn(TestUtils.loadKeyStoreFromFileSystem(
TestUtils.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS"));
when(keyStoreManager.getPrimaryKeyStore()).thenReturn(TestUtils.loadKeyStoreFromFileSystem(
TestUtils.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS"));
when(keyStoreManager.getCachedKeyStore(anyString())).thenReturn(cachedKeyStore);
when(keyStoreManager.getCachedPrimaryKeyStore()).thenReturn(cachedKeyStore);
SAMLSSOUtil.setRealmService(realmService);

mockStatic(IdentityUtil.class);
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import org.testng.annotations.DataProvider;
import org.testng.annotations.ObjectFactory;
import org.testng.annotations.Test;
import org.wso2.carbon.core.util.CachedKeyStore;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
Expand Down Expand Up @@ -64,6 +65,7 @@
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
import org.wso2.carbon.utils.security.KeystoreUtils;

import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

Expand Down Expand Up @@ -403,15 +405,18 @@ public void testGetDestinationException() throws Exception {
@Test
public void testGetX509CredentialImplForSuperTenant() throws Exception {

KeyStore keyStore = TestUtils.loadKeyStoreFromFileSystem(TestUtils
.getFilePath("wso2carbon.jks"), "wso2carbon", "JKS");
CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore);
prepareForGetIssuer();
mockStatic(FrameworkServiceComponent.class);
when(FrameworkServiceComponent.getRealmService()).thenReturn(realmService);
when(realmService.getTenantManager()).thenReturn(tenantManager);
when(tenantManager.getTenantId(anyString())).thenReturn(-1234);
mockStatic(KeyStoreManager.class);
when(KeyStoreManager.getInstance(eq(-1234))).thenReturn(keyStoreManager);
when(keyStoreManager.getPrimaryKeyStore()).thenReturn(TestUtils.loadKeyStoreFromFileSystem(TestUtils
.getFilePath("wso2carbon.jks"), "wso2carbon", "JKS"));
when(keyStoreManager.getCachedPrimaryKeyStore()).thenReturn(cachedKeyStore);
when(keyStoreManager.getCachedKeyStore(anyString())).thenReturn(cachedKeyStore);
X509CredentialImpl x509Credential = SAMLSSOUtil.getX509CredentialImplForTenant("carbon.super", "wso2carbon");
assertNotNull(x509Credential.getPublicKey(), "public key is missing");
}
Expand All @@ -427,9 +432,9 @@ public void testGetX509CredentialImplForTenant() throws Exception {
when(tenantManager.getTenantId(anyString())).thenReturn(1);
mockStatic(KeyStoreManager.class);
when(KeyStoreManager.getInstance(eq(1))).thenReturn(keyStoreManager);
when(keyStoreManager.getKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn
(TestUtils.loadKeyStoreFromFileSystem(TestUtils
.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS"));
when(keyStoreManager.getCachedKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn
(new CachedKeyStore(TestUtils.loadKeyStoreFromFileSystem(TestUtils
.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS")));
X509CredentialImpl x509Credential = SAMLSSOUtil.getX509CredentialImplForTenant(TestConstants
.WSO2_TENANT_DOMAIN, TestConstants.WSO2_CARBON);
assertNotNull(x509Credential.getPublicKey(), "public key is missing for tenant");
Expand All @@ -443,7 +448,7 @@ public void testGetX509CredentialImplException() throws Exception {
when(tenantManager.getTenantId(anyString())).thenReturn(1);
mockStatic(KeyStoreManager.class);
when(KeyStoreManager.getInstance(eq(1))).thenReturn(keyStoreManager);
when(keyStoreManager.getKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn
when(keyStoreManager.getCachedKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn
(null);
X509CredentialImpl x509Credential = SAMLSSOUtil.getX509CredentialImplForTenant(TestConstants
.WSO2_TENANT_DOMAIN, TestConstants.WSO2_CARBON);
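Review bot: In `testGetX509CredentialImplForSuperTenant`, L275 stubs `getCachedKeyStore(anyString())` alongside `getCachedPrimaryKeyStore()` at L274, but the super-tenant branch under test should only touch the primary store; with both stubs returning the same `cachedKeyStore`, the test still passes if the code wrongly takes the tenant path, so the extra stub weakens what the test checks. Dropping L275, or adding `verify(keyStoreManager, never()).getCachedKeyStore(anyString());` after the assertion, keeps the test discriminating between the two branches.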
