Add x5c and x5t#S256 to jwks response

Author: msm1992

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/dto/CertificateInfo.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com) All Rights Reserved.
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.gateway.dto;
+
+import java.security.cert.Certificate;
+
+/**
+ * Contains Certificate information
+ */
+public class CertificateInfo {
+
+    private Certificate certificate;
+    private Certificate[] certificateChain;
+    private String certificateAlias;
+
+    public CertificateInfo(Certificate certificate, String certificateAlias) {
+
+        this.certificate = certificate;
+        this.certificateAlias = certificateAlias;
+    }
+
+    public Certificate getCertificate() {
+
+        return certificate;
+    }
+
+    public Certificate[] getCertificateChain() {
+
+        return certificateChain;
+    }
+
+    public void setCertificateChain(Certificate[] certificateChain) {
+
+        this.certificateChain = certificateChain;
+    }
+
+    public String getCertificateAlias() {
+
+        return certificateAlias;
+    }
+}

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/exception/OAuth2Exception.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com) All Rights Reserved.
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.gateway.exception;
+
+import org.wso2.carbon.apimgt.api.APIManagementException;
+
+/**
+ * OAuth 2 exception.
+ */
+public class OAuth2Exception extends APIManagementException {
+
+    public OAuth2Exception(String message) {
+        super(message);
+    }
+
+    public OAuth2Exception(String message, Throwable e) {
+        super(message, e);
+    }
+
+}

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/common/JwksHandler.java

@@ -21,6 +21,10 @@
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.KeyUse;
 import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.util.Base64;
+import com.nimbusds.jose.util.Base64URL;
+import net.minidev.json.JSONArray;
+import net.minidev.json.JSONObject;
 import org.apache.axis2.AxisFault;
 import org.apache.axis2.Constants;
 import org.apache.commons.logging.Log;
@@ -29,10 +33,10 @@
 import org.apache.synapse.commons.json.JsonUtil;
 import org.apache.synapse.core.axis2.Axis2MessageContext;
 import org.apache.synapse.rest.AbstractHandler;
-import org.json.JSONArray;
-import org.json.JSONObject;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.common.gateway.util.JWTUtil;
+import org.wso2.carbon.apimgt.gateway.dto.CertificateInfo;
+import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
 import org.wso2.carbon.apimgt.impl.APIConstants;
 import org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto;
 import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
@@ -44,6 +48,7 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
@@ -63,7 +68,7 @@ public class JwksHandler extends AbstractHandler {
     private static final Log log = LogFactory.getLog(JwksHandler.class);
     private static final String KEY_USE = "sig";
     private static final String KEYS = "keys";
-    private final Map<String, Set<Certificate>> certificateMap = new HashMap<>();
+    private final Map<String, Set<CertificateInfo>> certificateMap = new HashMap<>();
     ExtendedJWTConfigurationDto jwtConfigurationDto;
 
     public boolean handleRequest(MessageContext messageContext) {
@@ -77,7 +82,7 @@ public boolean handleRequest(MessageContext messageContext) {
             axis2MsgContext.setProperty(Constants.Configuration.MESSAGE_TYPE, APIConstants.APPLICATION_JSON_MEDIA_TYPE);
             axis2MsgContext.setProperty(Constants.Configuration.CONTENT_TYPE, APIConstants.APPLICATION_JSON_MEDIA_TYPE);
             axis2MsgContext.removeProperty(APIConstants.NO_ENTITY_BODY);
-        } catch (ParseException | AxisFault | APIManagementException e) {
+        } catch (ParseException | AxisFault | APIManagementException | CertificateEncodingException e) {
             log.error("Error while generating payload " + axis2MsgContext.getLogIDString(), e);
         }
         return true;
@@ -92,7 +97,7 @@ public boolean handleResponse(MessageContext messageContext) {
      *
      * @return JWKS response
      */
-    public String getJwksEndpointResponse() throws ParseException, APIManagementException {
+    public String getJwksEndpointResponse() throws ParseException, APIManagementException, CertificateEncodingException {
         this.jwtConfigurationDto = org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder.getInstance()
                 .getAPIManagerConfiguration().getJwtConfigurationDto();
         boolean isTenantBasedSigningEnabled = jwtConfigurationDto.isTenantBasedSigningEnabled();
@@ -103,7 +108,7 @@ public String getJwksEndpointResponse() throws ParseException, APIManagementExce
             certMapKey = APIConstants.SUPER_TENANT_DOMAIN;
         }
 
-        Set<Certificate> certificateSet = null;
+        Set<CertificateInfo> certificateSet = null;
         if (certificateMap.containsKey(certMapKey)) {
             certificateSet = certificateMap.get(certMapKey);
         } else {
@@ -126,24 +131,30 @@ public String getJwksEndpointResponse() throws ParseException, APIManagementExce
      * @param certificates Set of certificates
      * @return JWKS response as a JSON string
      */
-    private String buildResponse(Set<Certificate> certificates) throws ParseException, APIManagementException {
+    private String buildResponse(Set<CertificateInfo> certificates) throws ParseException, APIManagementException,
+            CertificateEncodingException {
 
         JSONArray jwksArray = new JSONArray();
         JSONObject jwksJson = new JSONObject();
         JWSAlgorithm accessTokenSignAlgorithm = mapSignatureAlgorithmForJWSAlgorithm(
                 ServiceReferenceHolder.getInstance().getOauthServerConfiguration().getSignatureAlgorithm());
         List<JWSAlgorithm> diffAlgorithms = findDifferentAlgorithms(accessTokenSignAlgorithm);
 
-        for (Certificate certificate : certificates) {
+        for (CertificateInfo certificateInfo : certificates) {
             for (JWSAlgorithm algorithm : diffAlgorithms) {
-                RSAPublicKey publicKey = (RSAPublicKey) certificate.getPublicKey();
+                String alias = certificateInfo.getCertificateAlias();
+                X509Certificate x509Certificate = (X509Certificate) certificateInfo.getCertificate();
+                RSAPublicKey publicKey = (RSAPublicKey) x509Certificate.getPublicKey();
                 RSAKey.Builder jwk = new RSAKey.Builder(publicKey);
 
-                X509Certificate x509Certificate = (X509Certificate) certificate;
+                Certificate[] certChain = certificateInfo.getCertificateChain();
+                List<Base64> encodedCertList = generateEncodedCertList(certChain, alias);
                 jwk.keyID(JWTUtil.getKID(x509Certificate));
                 jwk.algorithm(algorithm);
                 jwk.keyUse(KeyUse.parse(KEY_USE));
-                jwksArray.put(jwk.build().toJSONObject());
+                jwk.x509CertChain(encodedCertList);
+                jwk.x509CertSHA256Thumbprint(new Base64URL(GatewayUtils.getThumbPrint(x509Certificate, alias)));
+                jwksArray.add(jwk.build().toJSONObject());
             }
         }
 
@@ -192,8 +203,8 @@ private String generateKSNameFromDomainName(String tenantDomain) {
      * @param tenantDomain tenant domain which is used to get the relevant key store and extract certificates
      * @return set of certificates
      */
-    private Set<Certificate> getCertificates(String tenantDomain) {
-        Set<Certificate> certificates = new HashSet<>();
+    private Set<CertificateInfo> getCertificates(String tenantDomain) {
+        Set<CertificateInfo> certificates = new HashSet<>();
         KeyStore keyStore;
         try {
             if (!APIConstants.SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
@@ -232,13 +243,14 @@ private Set<Certificate> getCertificates(String tenantDomain) {
      * @param keyStore Key store
      * @return Set of certificates from the key store
      */
-    private Set<Certificate> getCertificatesFromKeyStore(KeyStore keyStore) throws KeyStoreException {
-        Set<Certificate> certs = new HashSet<>();
+    private Set<CertificateInfo> getCertificatesFromKeyStore(KeyStore keyStore) throws KeyStoreException {
+        Set<CertificateInfo> certs = new HashSet<>();
         Enumeration<String> enumeration = keyStore.aliases();
         while (enumeration.hasMoreElements()) {
             String alias = enumeration.nextElement();
             if (keyStore.isKeyEntry(alias)) {
-                Certificate publicCert = keyStore.getCertificate(alias);
+                CertificateInfo publicCert = new CertificateInfo(keyStore.getCertificate(alias), alias);
+                publicCert.setCertificateChain(keyStore.getCertificateChain(alias));
                 certs.add(publicCert);
             }
         }
@@ -277,4 +289,26 @@ private static JWSAlgorithm mapSignatureAlgorithmForJWSAlgorithm(String signatur
             return JWSAlgorithm.PS256;
         }
     }
+
+    /**
+     * This method generates the base64 encoded certificate list from a Certificate array
+     *
+     * @return base64 encoded certificate list
+     */
+    private List<Base64> generateEncodedCertList(Certificate[] certificates, String alias)
+            throws CertificateEncodingException {
+
+        List<Base64> certList = new ArrayList<>();
+        for (Certificate certificate : certificates) {
+            try {
+                certList.add(Base64.encode(certificate.getEncoded()));
+            } catch (CertificateEncodingException exception) {
+                String errorMessage = "Unable to encode the public certificate with alias: " + alias +
+                        " in the tenant domain: " + PrivilegedCarbonContext.getThreadLocalCarbonContext().
+                        getTenantDomain();
+                throw new CertificateEncodingException(errorMessage, exception);
+            }
+        }
+        return certList;
+    }
 }

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/utils/GatewayUtils.java

@@ -38,6 +38,8 @@
 import org.apache.axis2.clustering.ClusteringAgent;
 import org.apache.axis2.context.MessageContext;
 import org.apache.axis2.description.AxisService;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.io.Charsets;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -58,6 +60,7 @@
 import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
 import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
 import org.wso2.carbon.apimgt.gateway.dto.IPRange;
+import org.wso2.carbon.apimgt.gateway.exception.OAuth2Exception;
 import org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator;
 import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
 import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
@@ -99,7 +102,10 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
 import java.util.ArrayList;
@@ -1783,4 +1789,49 @@ public static List<String> getTenantsToBeDeployed() throws APIManagementExceptio
         }
         return tenantsToBeDeployed;
     }
+
+    /**
+     * Helper method to add public certificate to JWT_HEADER to signature verification.
+     * This creates thumbPrints directly from given certificates
+     *
+     * @param certificate
+     * @param alias
+     * @return
+     * @throws OAuth2Exception
+     */
+    public static String getThumbPrint(Certificate certificate, String alias) throws OAuth2Exception {
+        return getThumbPrint(certificate);
+    }
+
+    /**
+     * Method to obtain certificate thumbprint.
+     *
+     * @param certificate java.security.cert type certificate.
+     * @return Certificate thumbprint as a String.
+     * @throws OAuth2Exception When failed to obtain the thumbprint.
+     */
+    public static String getThumbPrint(Certificate certificate) throws OAuth2Exception {
+
+        try {
+            MessageDigest digestValue = MessageDigest.getInstance("SHA-256");
+            byte[] der = certificate.getEncoded();
+            digestValue.update(der);
+            byte[] digestInBytes = digestValue.digest();
+
+            String publicCertThumbprint = APIUtil.hexify(digestInBytes);
+            String thumbprint = new String(new Base64(0, null, true).
+                    encode(publicCertThumbprint.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
+            if (log.isDebugEnabled()) {
+                log.debug(String.format("Thumbprint value: %s calculated for Certificate: %s using algorithm: %s",
+                        thumbprint, certificate, digestValue.getAlgorithm()));
+            }
+            return thumbprint;
+        } catch (CertificateEncodingException e) {
+            String error = "Error occurred while encoding thumbPrint from certificate.";
+            throw new OAuth2Exception(error, e);
+        } catch (NoSuchAlgorithmException e) {
+            String error = "Error in obtaining SHA-256 thumbprint from certificate.";
+            throw new OAuth2Exception(error, e);
+        }
+    }
 }