/**
* Copyright (c) Codice Foundation
* <p/>
* This is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser
* General Public License as published by the Free Software Foundation, either version 3 of the
* License, or any later version.
* <p/>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details. A copy of the GNU Lesser General Public License
* is distributed along with this program and can be found at
* <http://www.gnu.org/licenses/lgpl.html>.
*/
package org.codice.ddf.security.handler.api;
import java.io.IOException;
import java.security.cert.X509Certificate;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.xml.security.Init;
import org.opensaml.xml.util.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ddf.security.PropertiesLoader;
public class PKIAuthenticationTokenFactory {
private static final Logger LOGGER = LoggerFactory
.getLogger(PKIAuthenticationTokenFactory.class);
private Merlin merlin;
private String signaturePropertiesPath;
/**
* Initializes Merlin crypto object.
*/
public void init() {
try {
merlin = new Merlin(PropertiesLoader.loadProperties(signaturePropertiesPath),
PKIAuthenticationTokenFactory.class.getClassLoader(), null);
} catch (WSSecurityException | IOException e) {
LOGGER.error("Unable to read merlin properties file.", e);
}
Init.init();
}
public PKIAuthenticationToken getTokenFromString(String certString, boolean isEncoded,
String realm) {
PKIAuthenticationToken token;
byte[] certBytes = isEncoded ? Base64.decode(certString) : certString.getBytes();
token = getTokenFromBytes(certBytes, realm);
return token;
}
public PKIAuthenticationToken getTokenFromBytes(byte[] certBytes, String realm) {
PKIAuthenticationToken token = null;
try {
X509Certificate[] certs = merlin.getCertificatesFromBytes(certBytes);
token = new PKIAuthenticationToken(certs[0].getSubjectDN(), certBytes, realm);
} catch (WSSecurityException e) {
LOGGER.error("Unable to extract certificates from bytes: {}", e.getMessage(), e);
}
return token;
}
public PKIAuthenticationToken getTokenFromCerts(X509Certificate[] certs, String realm) {
PKIAuthenticationToken token = null;
if (certs != null && certs.length > 0) {
byte[] certBytes = null;
try {
certBytes = getCertBytes(certs);
} catch (WSSecurityException e) {
LOGGER.error("Unable to convert PKI certs to byte array.", e);
}
if (certBytes != null) {
token = new PKIAuthenticationToken(certs[0].getSubjectDN(), certBytes, realm);
}
}
return token;
}
/**
* Returns a byte array representing a certificate chain.
*
* @param certs
* @return byte[]
* @throws WSSecurityException
*/
private byte[] getCertBytes(X509Certificate[] certs) throws WSSecurityException {
byte[] certBytes = null;
if (merlin != null) {
certBytes = merlin.getBytesFromCertificates(certs);
}
return certBytes;
}
public String getSignaturePropertiesPath() {
return signaturePropertiesPath;
}
public void setSignaturePropertiesPath(String path) {
this.signaturePropertiesPath = path;
}
}