From 391bdaad0c7eec95f4b58e2abdcc33e69d9f380b Mon Sep 17 00:00:00 2001 From: Udara Pathum <46132469+hwupathum@users.noreply.github.com> Date: Thu, 1 Aug 2024 14:22:45 +0530 Subject: [PATCH] Use cached keystore --- .../identity/query/saml/SignKeyDataHolder.java | 5 +++-- .../identity/query/saml/util/OpenSAML3Util.java | 7 ++++--- .../sso/saml/admin/FileBasedConfigManager.java | 4 +--- .../sso/saml/admin/SAMLSSOConfigAdmin.java | 4 ++-- .../sso/saml/builders/SignKeyDataHolder.java | 5 +++-- .../sso/saml/builders/X509CredentialImpl.java | 2 +- .../identity/sso/saml/util/SAMLSSOUtil.java | 7 ++++--- .../sso/saml/SAMLLogoutHandlerTest.java | 5 ++++- .../identity/sso/saml/util/EncryptionTests.java | 11 +++++++---- .../identity/sso/saml/util/SAMLSSOUtilTest.java | 17 +++++++++++------ 10 files changed, 40 insertions(+), 27 deletions(-) diff --git a/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/SignKeyDataHolder.java b/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/SignKeyDataHolder.java index fdd6701c8..19dede533 100644 --- a/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/SignKeyDataHolder.java +++ b/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/SignKeyDataHolder.java @@ -27,6 +27,7 @@ import org.opensaml.security.credential.UsageType; import org.opensaml.security.x509.X509Credential; import org.wso2.carbon.base.ServerConfiguration; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.identity.base.IdentityException; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; 
@@ -134,7 +135,7 @@ private void initializeKeyDataForTenant(int tenantID, String tenantDomain) throw String keyStoreName = SAMLSSOUtil.generateKSNameFromDomainName(tenantDomain); String keyAlias = tenantDomain; KeyStoreManager keyMan = KeyStoreManager.getInstance(tenantID); - KeyStore keyStore = keyMan.getKeyStore(keyStoreName); + CachedKeyStore keyStore = keyMan.getCachedKeyStore(keyStoreName); issuerPrivateKey = (PrivateKey) keyMan.getPrivateKey(keyStoreName, tenantDomain); Certificate[] certificates = keyStore.getCertificateChain(keyAlias); @@ -170,7 +171,7 @@ private void initializeKeyDataForSuperTenantFromSystemKeyStore() throws Exceptio KeyStoreManager keyMan = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID); issuerPrivateKey = (PrivateKey) keyAdmin.getPrivateKey(keyAlias, true); - Certificate[] certificates = keyMan.getPrimaryKeyStore().getCertificateChain(keyAlias); + Certificate[] certificates = keyMan.getCachedPrimaryKeyStore().getCertificateChain(keyAlias); issuerCerts = Arrays.copyOf(certificates, certificates.length, X509Certificate[].class); publicKey = issuerCerts[0].getPublicKey(); diff --git a/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/util/OpenSAML3Util.java b/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/util/OpenSAML3Util.java index af9d8e80b..3e5e768fc 100644 --- a/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/util/OpenSAML3Util.java +++ b/components/org.wso2.carbon.identity.query.saml/src/main/java/org/wso2/carbon/identity/query/saml/util/OpenSAML3Util.java 
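Review bot: In the `@@ -170` hunk, `keyMan.getCachedPrimaryKeyStore().getCertificateChain(keyAlias)` feeds directly into `Arrays.copyOf(certificates, certificates.length, X509Certificate[].class)`, so an absent or non-key alias surfaces as a NullPointerException instead of a meaningful error, and whether `CachedKeyStore` preserves `java.security.KeyStore`'s return-null contract is not visible in this diff. Because this resolves the super-tenant signing key, I would guard before the copy: `if (certificates == null || certificates.length == 0) { throw new IdentityException("No certificate chain found for key alias " + keyAlias); }` (or whatever exception type the method declares). The same gap exists in the tenant hunk just above (`keyStore.getCertificateChain(keyAlias)`) and in the sso.saml copy of SignKeyDataHolder later in this patch. Both initializeKeyData methods begin and end outside these hunks.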
@@ -42,6 +42,7 @@ import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureValidator; import org.opensaml.xmlsec.signature.support.Signer; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig; import org.wso2.carbon.identity.application.common.model.IdentityProvider; @@ -308,14 +309,14 @@ public static X509CredentialImpl getX509CredentialImplForTenant(String tenantDom // get an instance of the corresponding Key Store Manager instance keyStoreManager = KeyStoreManager.getInstance(tenantId); X509CredentialImpl credentialImpl = null; - KeyStore keyStore; + CachedKeyStore keyStore; try { if (tenantId != MultitenantConstants.SUPER_TENANT_ID) {// for tenants, load private key from their generated key store - keyStore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain)); + keyStore = keyStoreManager.getCachedKeyStore(generateKSNameFromDomainName(tenantDomain)); } else { // for super tenant, load the default pub. cert using the // config. in carbon.xml - keyStore = keyStoreManager.getPrimaryKeyStore(); + keyStore = keyStoreManager.getCachedPrimaryKeyStore(); } java.security.cert.X509Certificate cert = (java.security.cert.X509Certificate) keyStore.getCertificate(alias); diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/FileBasedConfigManager.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/FileBasedConfigManager.java index 0a457e2a6..4c13c401b 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/FileBasedConfigManager.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/FileBasedConfigManager.java 
@@ -324,9 +324,7 @@ private X509Certificate getCertificateFromKeyStore(String alias) { try { KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID); - KeyStore keyStore = keyStoreManager.getPrimaryKeyStore(); - X509Certificate certificate = (X509Certificate)keyStore.getCertificate(alias); - return certificate; + return (X509Certificate) keyStoreManager.getCachedPrimaryKeyStore().getCertificate(alias); } catch (Exception e) { String errorMsg = String.format("Error occurred while retrieving the certificate for " + "the alias '%s'." + alias); diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/SAMLSSOConfigAdmin.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/SAMLSSOConfigAdmin.java index 0c98ed85f..2228aa4ad 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/SAMLSSOConfigAdmin.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/SAMLSSOConfigAdmin.java @@ -307,7 +307,7 @@ private void saveCertificateToKeyStore(SAMLSSOServiceProviderDO serviceProviderD if (MultitenantConstants.SUPER_TENANT_ID == tenantId) { - KeyStore keyStore = manager.getPrimaryKeyStore(); + KeyStore keyStore = manager.getCachedPrimaryKeyStore().getKeyStore(); // Admin should manually add the service provider signing certificate to the keystore file. // If the certificate is available we will set the alias of that certificate. 
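Review bot: The catch block right below the new `return (X509Certificate) keyStoreManager.getCachedPrimaryKeyStore().getCertificate(alias);` still builds its message as `String.format("... the alias '%s'." + alias)`, which concatenates the alias into the pattern instead of passing it as an argument: the `%s` is never substituted, and an alias containing `%` makes `String.format` throw from inside the catch, masking the original keystore exception. Since this method is being touched, change it to `String.format("Error occurred while retrieving the certificate for the alias '%s'.", alias)`. The rest of getCertificateFromKeyStore (the log/return after the message) is outside the hunk.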
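Review bot: In the SAMLSSOConfigAdmin `@@ -307` hunk, `KeyStore keyStore = manager.getCachedPrimaryKeyStore().getKeyStore();` unwraps the raw keystore in the super-tenant branch, which per the following comments only checks that an admin-added certificate exists; every other reader in this patch (FileBasedConfigManager, OpenSAML3Util, SAMLSSOUtil) goes through the wrapper's `getCertificate`. Reading here via `manager.getCachedPrimaryKeyStore().getCertificate(serviceProviderDO.getIssuer())` (or whichever alias the branch looks up — the lookup itself is outside the hunk) would keep this on the cached path and avoid handing out the mutable KeyStore where no mutation is intended. saveCertificateToKeyStore starts and continues beyond this hunk.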
@@ -320,7 +320,7 @@ private void saveCertificateToKeyStore(SAMLSSOServiceProviderDO serviceProviderD } else { String keyStoreName = getKeyStoreName(tenantId); - KeyStore keyStore = manager.getKeyStore(keyStoreName); + KeyStore keyStore = manager.getCachedKeyStore(keyStoreName).getKeyStore(); // Add new certificate keyStore.setCertificateEntry(serviceProviderDO.getIssuer(), serviceProviderDO.getX509Certificate()); diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/SignKeyDataHolder.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/SignKeyDataHolder.java index 474327a79..094ff99eb 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/SignKeyDataHolder.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/SignKeyDataHolder.java @@ -27,6 +27,7 @@ import org.opensaml.security.x509.X509Credential; import org.wso2.carbon.base.ServerConfiguration; import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.identity.base.IdentityException; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; @@ -150,7 +151,7 @@ private void initializeKeyDataForTenant(int tenantID, String tenantDomain) throw String keyStoreName = SAMLSSOUtil.generateKSNameFromDomainName(tenantDomain); String keyAlias = tenantDomain; KeyStoreManager keyMan = KeyStoreManager.getInstance(tenantID); - KeyStore keyStore = keyMan.getKeyStore(keyStoreName); + CachedKeyStore keyStore = keyMan.getCachedKeyStore(keyStoreName); issuerPrivateKey = (PrivateKey) keyMan.getPrivateKey(keyStoreName, tenantDomain); Certificate[] certificates = keyStore.getCertificateChain(keyAlias); 
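Review bot: `KeyStore keyStore = manager.getCachedKeyStore(keyStoreName).getKeyStore();` followed by `keyStore.setCertificateEntry(serviceProviderDO.getIssuer(), ...)` mutates the KeyStore that backs the shared cached wrapper, and nothing in this hunk refreshes or evicts that cache. If `CachedKeyStore` memoizes certificate lookups (its name suggests so, but its implementation is not in this diff), the signature-validation paths switched to `getCachedKeyStore(...).getCertificate(...)` in this same commit could keep returning the previous SP certificate after an admin replaces it, so a rotated or revoked SP signing key would remain trusted until the cache is dropped. Please confirm that the `updateKeyStore` call that presumably follows (outside the hunk) invalidates the cached entry, or evict it explicitly after the write, and add a comment such as `// Mutating the backing KeyStore; the cached wrapper must be refreshed or lookups will serve the old certificate.` The rest of saveCertificateToKeyStore is outside the hunk.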
@@ -184,7 +185,7 @@ private void initializeKeyDataForSuperTenantFromSystemKeyStore() throws Exceptio KeyStoreManager keyMan = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID); issuerPrivateKey = (PrivateKey) keyAdmin.getPrivateKey(keyAlias, true); - Certificate[] certificates = keyMan.getPrimaryKeyStore().getCertificateChain(keyAlias); + Certificate[] certificates = keyMan.getCachedPrimaryKeyStore().getCertificateChain(keyAlias); issuerCerts = Arrays.copyOf(certificates, certificates.length, X509Certificate[].class); signatureAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA; diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/X509CredentialImpl.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/X509CredentialImpl.java index 8a5d1f7c3..5ede996e8 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/X509CredentialImpl.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/X509CredentialImpl.java @@ -208,7 +208,7 @@ private void initCredentialForTenant(String tenantDomain, KeyStoreManager keySto // Derive key store name. String jksName = KeystoreUtils.getKeyStoreFileLocation(tenantDomain); privateKey = (PrivateKey) keyStoreManager.getPrivateKey(jksName, tenantDomain); - signingCert = (X509Certificate) keyStoreManager.getKeyStore(jksName).getCertificate(tenantDomain); + signingCert = (X509Certificate) keyStoreManager.getCachedKeyStore(jksName).getCertificate(tenantDomain); // This Exception is thrown from the KeyStoreManager. } catch (Exception e) { throw new IdentityException("Error retrieving private key and the certificate for tenant " + 
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java index 3e4ee5fb6..58b8aaf80 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java @@ -59,6 +59,7 @@ import org.w3c.dom.ls.LSOutput; import org.w3c.dom.ls.LSSerializer; import org.wso2.carbon.context.PrivilegedCarbonContext; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException; import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; @@ -958,19 +959,19 @@ public static X509CredentialImpl getX509CredentialImplForTenant(String tenantDom keyStoreManager = KeyStoreManager.getInstance(tenantId); X509CredentialImpl credentialImpl = null; - KeyStore keyStore; + CachedKeyStore keyStore; try { if (tenantId != -1234) {// for tenants, load private key from their generated key store try { FrameworkUtils.startTenantFlow(tenantDomain); - keyStore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain)); + keyStore = keyStoreManager.getCachedKeyStore(generateKSNameFromDomainName(tenantDomain)); } finally { FrameworkUtils.endTenantFlow(); } } else { // for super tenant, load the default pub. cert using the // config. in carbon.xml - keyStore = keyStoreManager.getPrimaryKeyStore(); + keyStore = keyStoreManager.getCachedPrimaryKeyStore(); } java.security.cert.X509Certificate cert = (java.security.cert.X509Certificate) keyStore.getCertificate(alias); 
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLLogoutHandlerTest.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLLogoutHandlerTest.java index 4fff4d4b9..fc1af9968 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLLogoutHandlerTest.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLLogoutHandlerTest.java @@ -28,6 +28,7 @@ import org.testng.annotations.BeforeTest; import org.testng.annotations.Test; import org.wso2.carbon.base.ServerConfiguration; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.core.util.KeyStoreUtil; import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext; @@ -50,6 +51,7 @@ import org.wso2.carbon.utils.multitenancy.MultitenantConstants; import java.security.KeyStore; +import java.security.PrivateKey; import java.security.SecureRandom; import java.util.HashMap; import javax.net.ssl.KeyManager; @@ -178,6 +180,7 @@ private void createMocks() throws Exception { KeyStore keyStore = TestUtils. loadKeyStoreFromFileSystem(TestUtils.getFilePath("wso2carbon.jks"), "wso2carbon", "JKS"); + CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore); SAMLSSOUtil.setRegistryService(registryService); when(registryService.getGovernanceSystemRegistry()).thenReturn(registry); @@ -187,7 +190,7 @@ private void createMocks() throws Exception { mockStatic(KeyStoreManager.class); when(KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID)).thenReturn(keyStoreManager); - when(keyStoreManager.getPrimaryKeyStore()).thenReturn(keyStore); + when(keyStoreManager.getCachedPrimaryKeyStore()).thenReturn(cachedKeyStore); } @Test 
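Review bot: The added `import java.security.PrivateKey;` is not used by any of the four lines this patch adds to SAMLLogoutHandlerTest (the diffstat shows 4 additions, all visible here), and the file compiled without it before, so it is an unused import; drop it. The `CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore);` wrapping itself looks correct for the new `getCachedPrimaryKeyStore()` stub.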
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/EncryptionTests.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/EncryptionTests.java index e0fedb3fb..e3f4f3f7d 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/EncryptionTests.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/EncryptionTests.java @@ -26,6 +26,7 @@ import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.testng.PowerMockTestCase; import org.testng.annotations.Test; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent; import org.wso2.carbon.identity.core.util.IdentityUtil; 
@@ -127,14 +128,16 @@ private void assertEncryptedSAMLAssertion(Assertion assertion, EncryptedAssertio private void prepareForAssertionEncryption() throws Exception { + KeyStore keyStore = TestUtils.loadKeyStoreFromFileSystem( + TestUtils.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS"); + CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore); + when(realmService.getTenantManager()).thenReturn(tenantManager); when(tenantManager.getTenantId(anyString())).thenReturn(4567); mockStatic(KeyStoreManager.class); when(KeyStoreManager.getInstance(anyInt())).thenReturn(keyStoreManager); - when(keyStoreManager.getKeyStore(anyString())).thenReturn(TestUtils.loadKeyStoreFromFileSystem( - TestUtils.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS")); - when(keyStoreManager.getPrimaryKeyStore()).thenReturn(TestUtils.loadKeyStoreFromFileSystem( - TestUtils.getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS")); + when(keyStoreManager.getCachedKeyStore(anyString())).thenReturn(cachedKeyStore); + when(keyStoreManager.getCachedPrimaryKeyStore()).thenReturn(cachedKeyStore); SAMLSSOUtil.setRealmService(realmService); mockStatic(IdentityUtil.class); diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtilTest.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtilTest.java index 6e2dd33ea..25f01da07 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtilTest.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtilTest.java 
@@ -30,6 +30,7 @@ import org.testng.annotations.DataProvider; import org.testng.annotations.ObjectFactory; import org.testng.annotations.Test; +import org.wso2.carbon.core.util.CachedKeyStore; import org.wso2.carbon.core.util.KeyStoreManager; import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent; import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig; @@ -64,6 +65,7 @@ import org.wso2.carbon.utils.multitenancy.MultitenantConstants; import org.wso2.carbon.utils.security.KeystoreUtils; +import java.security.KeyStore; import java.util.ArrayList; import java.util.List; @@ -403,6 +405,9 @@ public void testGetDestinationException() throws Exception { @Test public void testGetX509CredentialImplForSuperTenant() throws Exception { + KeyStore keyStore = TestUtils.loadKeyStoreFromFileSystem(TestUtils + .getFilePath("wso2carbon.jks"), "wso2carbon", "JKS"); + CachedKeyStore cachedKeyStore = new CachedKeyStore(keyStore); prepareForGetIssuer(); mockStatic(FrameworkServiceComponent.class); when(FrameworkServiceComponent.getRealmService()).thenReturn(realmService); @@ -410,8 +415,8 @@ public void testGetX509CredentialImplForSuperTenant() throws Exception { when(tenantManager.getTenantId(anyString())).thenReturn(-1234); mockStatic(KeyStoreManager.class); when(KeyStoreManager.getInstance(eq(-1234))).thenReturn(keyStoreManager); - when(keyStoreManager.getPrimaryKeyStore()).thenReturn(TestUtils.loadKeyStoreFromFileSystem(TestUtils - .getFilePath("wso2carbon.jks"), "wso2carbon", "JKS")); + when(keyStoreManager.getCachedPrimaryKeyStore()).thenReturn(cachedKeyStore); + when(keyStoreManager.getCachedKeyStore(anyString())).thenReturn(cachedKeyStore); X509CredentialImpl x509Credential = SAMLSSOUtil.getX509CredentialImplForTenant("carbon.super", "wso2carbon"); assertNotNull(x509Credential.getPublicKey(), "public key is missing"); } 
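Review bot: In testGetX509CredentialImplForSuperTenant, the extra `when(keyStoreManager.getCachedKeyStore(anyString())).thenReturn(cachedKeyStore);` stubs a call the super-tenant path should never make (the production code selects `getCachedPrimaryKeyStore()` for tenant id -1234), and because both stubs return the same keystore the test can no longer detect the branch being taken wrongly. Either remove that stub or assert the branch explicitly, e.g. `verify(keyStoreManager, never()).getCachedKeyStore(anyString());` after the call.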
@@ -427,9 +432,9 @@ public void testGetX509CredentialImplForTenant() throws Exception { when(tenantManager.getTenantId(anyString())).thenReturn(1); mockStatic(KeyStoreManager.class); when(KeyStoreManager.getInstance(eq(1))).thenReturn(keyStoreManager); - when(keyStoreManager.getKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn - (TestUtils.loadKeyStoreFromFileSystem(TestUtils - .getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS")); + when(keyStoreManager.getCachedKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn + (new CachedKeyStore(TestUtils.loadKeyStoreFromFileSystem(TestUtils + .getFilePath(TestConstants.KEY_STORE_NAME), TestConstants.WSO2_CARBON, "JKS"))); X509CredentialImpl x509Credential = SAMLSSOUtil.getX509CredentialImplForTenant(TestConstants .WSO2_TENANT_DOMAIN, TestConstants.WSO2_CARBON); assertNotNull(x509Credential.getPublicKey(), "public key is missing for tenant"); @@ -443,7 +448,7 @@ public void testGetX509CredentialImplException() throws Exception { when(tenantManager.getTenantId(anyString())).thenReturn(1); mockStatic(KeyStoreManager.class); when(KeyStoreManager.getInstance(eq(1))).thenReturn(keyStoreManager); - when(keyStoreManager.getKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn + when(keyStoreManager.getCachedKeyStore(eq(SAMLSSOUtil.generateKSNameFromDomainName(TestConstants.WSO2_TENANT_DOMAIN)))).thenReturn (null); X509CredentialImpl x509Credential = SAMLSSOUtil.getX509CredentialImplForTenant(TestConstants .WSO2_TENANT_DOMAIN, TestConstants.WSO2_CARBON);