diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml b/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
index d2450139..197a1bf5 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/pom.xml
@@ -111,6 +111,10 @@
org.wso2.carbon.identity.framework
org.wso2.carbon.identity.central.log.mgt
+
+ org.wso2.carbon.identity.framework
+ org.wso2.carbon.security.mgt
+
org.wso2.carbon.crypto
org.wso2.carbon.crypto.impl
@@ -183,6 +187,8 @@
version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.application.authentication.framework.config.model.graph;
version="${carbon.identity.package.import.version.range}",
+ org.wso2.carbon.security.keystore.service.*;
+ version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.core.util; version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.central.log.mgt.*; version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.user.core; version="${carbon.kernel.package.import.version.range}",
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
index 45cfc5b1..ae07cf27 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/CookieFunctionImpl.java
@@ -34,6 +34,7 @@
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletRequest;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
+import org.wso2.carbon.identity.conditional.auth.functions.http.internal.HTTPFunctionsServiceHolder;
import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
import org.wso2.carbon.identity.core.util.IdentityUtil;
@@ -43,6 +44,8 @@
import java.util.Optional;
import javax.servlet.http.Cookie;
+import static org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants.KEY_STORE_CONTEXT;
+
/**
* Implementation of the setCookie and getCookieValue functions.
*/
@@ -74,7 +77,11 @@ public void setCookie(JsServletResponse response, String name, Object... params)
if (sign) {
try {
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
- signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain));
+ // getCookie, setCookie functionalities uses a functionality specific keystore.
+ // The below code will create the keystore for this context on-demand if it does not exist.
+ HTTPFunctionsServiceHolder.getInstance().getIdentityKeyStoreGenerator()
+ .generateKeyStore(tenantDomain, KEY_STORE_CONTEXT);
+ signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain, KEY_STORE_CONTEXT));
} catch (Exception e) {
log.error("Error occurred when signing the cookie value.", e);
return;
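Review bot: `HTTPFunctionsServiceHolder.getInstance().getIdentityKeyStoreGenerator()` on the new lines can return null — the service is bound with `ReferencePolicy.DYNAMIC` and its unbind stores null in the holder — so a signing call that races a rebind dereferences null and is swallowed by the broad `catch (Exception e)` below as a generic "Error occurred when signing the cookie value." Fetch the generator into a local and fail with a specific message, e.g. `IdentityKeyStoreGenerator generator = HTTPFunctionsServiceHolder.getInstance().getIdentityKeyStoreGenerator(); if (generator == null) { log.error("IdentityKeyStoreGenerator service is not available; cannot sign the cookie."); return; }` (with the matching import), so an operator sees the real cause. The identical block in the SetCookieFunctionImpl.java hunk needs the same treatment. Whether `generateKeyStore` is cheap when the store already exists is not visible here; since it now runs on every signed setCookie call, confirm it does not reach the keystore backend each time, and fix the comment grammar to `functionalities use`. setCookie's body continues outside the hunk.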
@@ -186,11 +193,7 @@ public String getCookieValue(JsServletRequest request, Object... params) {
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext()
.getTenantDomain();
boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature,
- tenantDomain);
- // Fallback mechanism for already signed cookies.
- if (!isValid) {
- isValid = SignatureUtil.validateSignature(valueString, signature);
- }
+ tenantDomain, KEY_STORE_CONTEXT);
if (!isValid) {
log.error("Cookie signature didn't matched with the cookie value.");
return null;
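Review bot: Dropping the `SignatureUtil.validateSignature` fallback at the same time as verification moves to the `KEY_STORE_CONTEXT` keystore means every cookie signed before this change — with the plain tenant key or the older scheme the fallback covered — now fails validation, and getCookieValue returns null with only the generic "didn't matched" error. If forcing all signed cookies to be re-issued at upgrade is intended, the commit message and the adaptive-script documentation should say so; otherwise keep the previous verification paths for a deprecation window so cookies in flight during a rolling upgrade still validate. The same removal is in the GetCookieFunctionImpl.java hunk. getCookieValue's body starts and ends outside this hunk.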
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
index e70535a6..e5cdca4e 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/GetCookieFunctionImpl.java
@@ -31,6 +31,7 @@
import org.wso2.carbon.core.util.CryptoUtil;
import org.wso2.carbon.core.util.SignatureUtil;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletRequest;
+import org.wso2.carbon.identity.conditional.auth.functions.http.internal.HTTPFunctionsServiceHolder;
import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
import org.wso2.carbon.identity.core.util.IdentityUtil;
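Review bot: `import org.wso2.carbon.core.util.SignatureUtil;` is kept in this hunk while the only call to it shown in this file, the fallback in getCookieValue, is removed in the later hunk; unless another use remains outside the shown hunks, the import is now unused and should be dropped. The same check applies to CookieFunctionImpl.java, whose import list is not shown here.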
@@ -40,6 +41,8 @@
import javax.servlet.http.Cookie;
+import static org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants.KEY_STORE_CONTEXT;
+
/**
* Implementation of GetCookieFunction.
*/
@@ -103,11 +106,8 @@ public String getCookieValue(JsServletRequest request, Object... params) {
try {
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext()
.getTenantDomain();
- boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature, tenantDomain);
- // Fallback mechanism for already signed cookies.
- if (!isValid) {
- isValid = SignatureUtil.validateSignature(valueString, signature);
- }
+ boolean isValid = IdentityUtil.validateSignatureFromTenant(valueString, signature,
+ tenantDomain, KEY_STORE_CONTEXT);
if (!isValid) {
log.error("Cookie signature didn't matched with the cookie value.");
return null;
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
index 8eb4979a..0b2bb52c 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/SetCookieFunctionImpl.java
@@ -31,6 +31,7 @@
import org.wso2.carbon.core.util.CryptoUtil;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
+import org.wso2.carbon.identity.conditional.auth.functions.http.internal.HTTPFunctionsServiceHolder;
import org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants;
import org.wso2.carbon.identity.core.util.IdentityUtil;
@@ -38,6 +39,8 @@
import java.util.Map;
import java.util.Optional;
+import static org.wso2.carbon.identity.conditional.auth.functions.http.util.HTTPConstants.KEY_STORE_CONTEXT;
+
/**
* Implementation of SetCookieFunction.
*/
@@ -68,7 +71,11 @@ public void setCookie(JsServletResponse response, String name, Object... params)
if (sign) {
try {
String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
- signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain));
+ // getCookie, setCookie functionalities uses a functionality specific keystore.
+ // The below code will create the keystore for this context on-demand if it does not exist.
+ HTTPFunctionsServiceHolder.getInstance().getIdentityKeyStoreGenerator()
+ .generateKeyStore(tenantDomain, KEY_STORE_CONTEXT);
+ signature = Base64.encode(IdentityUtil.signWithTenantKey(value, tenantDomain, KEY_STORE_CONTEXT));
} catch (Exception e) {
log.error("Error occurred when signing the cookie value.", e);
return;
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceComponent.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceComponent.java
index 670a074e..3040555e 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceComponent.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceComponent.java
@@ -35,6 +35,7 @@
import org.wso2.carbon.identity.conditional.auth.functions.http.HTTPPostFunctionImpl;
import org.wso2.carbon.identity.conditional.auth.functions.http.SetCookieFunctionImpl;
import org.wso2.carbon.identity.core.util.IdentityCoreInitializedEvent;
+import org.wso2.carbon.security.keystore.service.IdentityKeyStoreGenerator;
/**
* OSGi declarative services component which handle cookie related conditional auth functions.
@@ -112,4 +113,20 @@ protected void unsetIdentityCoreInitializedEventService(IdentityCoreInitializedE
/* reference IdentityCoreInitializedEvent service to guarantee that this component will wait until identity core
is started */
}
+
+ @Reference(
+ service = IdentityKeyStoreGenerator.class,
+ cardinality = ReferenceCardinality.MANDATORY,
+ policy = ReferencePolicy.DYNAMIC,
+ unbind = "unsetIdentityKeyStoreGenerator"
+ )
+ public void setIdentityKeyStoreGenerator(IdentityKeyStoreGenerator identityKeyStoreGenerator) {
+
+ HTTPFunctionsServiceHolder.getInstance().setIdentityKeyStoreGenerator(identityKeyStoreGenerator);
+ }
+
+ public void unsetIdentityKeyStoreGenerator(IdentityKeyStoreGenerator identityKeyStoreGenerator) {
+
+ HTTPFunctionsServiceHolder.getInstance().setIdentityKeyStoreGenerator(null);
+ }
}
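Review bot: The new bind/unbind pair is `public` while the component's existing unbind method (`unsetIdentityCoreInitializedEventService`, visible in the hunk header) is `protected`; DS does not need wider visibility, so `protected void setIdentityKeyStoreGenerator(...)` and `protected void unsetIdentityKeyStoreGenerator(...)` keep the convention and the exported surface minimal. The pair also has no Javadoc; a one-liner on the setter such as `/** Binds the IdentityKeyStoreGenerator used to provision the per-tenant keystore for the cookie functions. */` is enough. Because the policy is `ReferencePolicy.DYNAMIC` and the unbind stores null, callers that read the holder on request threads must tolerate a null between unbind and rebind.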
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceHolder.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceHolder.java
index d0d2f7c2..0fd2a383 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceHolder.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/internal/HTTPFunctionsServiceHolder.java
@@ -19,12 +19,14 @@
package org.wso2.carbon.identity.conditional.auth.functions.http.internal;
import org.wso2.carbon.identity.application.authentication.framework.JsFunctionRegistry;
+import org.wso2.carbon.security.keystore.service.IdentityKeyStoreGenerator;
public class HTTPFunctionsServiceHolder {
private static HTTPFunctionsServiceHolder instance = new HTTPFunctionsServiceHolder();
private JsFunctionRegistry jsFunctionRegistry;
+ private IdentityKeyStoreGenerator identityKeyStoreGenerator;
public static HTTPFunctionsServiceHolder getInstance() {
@@ -44,4 +46,14 @@ public void setJsFunctionRegistry(JsFunctionRegistry jsFunctionRegistry) {
this.jsFunctionRegistry = jsFunctionRegistry;
}
+
+ public IdentityKeyStoreGenerator getIdentityKeyStoreGenerator() {
+
+ return identityKeyStoreGenerator;
+ }
+
+ public void setIdentityKeyStoreGenerator(IdentityKeyStoreGenerator identityKeyStoreGenerator) {
+
+ this.identityKeyStoreGenerator = identityKeyStoreGenerator;
+ }
}
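Review bot: `identityKeyStoreGenerator` is written from the DS bind/unbind path and read on request threads by the cookie functions with no synchronization, so a stale or null read after a rebind is possible; `private volatile IdentityKeyStoreGenerator identityKeyStoreGenerator;` gives the visibility guarantee cheaply, though the existing jsFunctionRegistry field follows the same unguarded pattern, so this may be an accepted convention in this component. The getter should also state its null contract: `/** Returns the bound IdentityKeyStoreGenerator, or null while no service is bound. */`.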
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/util/HTTPConstants.java b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/util/HTTPConstants.java
index 53d23445..4cbbc6fe 100644
--- a/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/util/HTTPConstants.java
+++ b/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/util/HTTPConstants.java
@@ -30,4 +30,5 @@ public class HTTPConstants {
public static final String DECRYPT = "decrypt";
public static final String VALUE = "value";
public static final String SIGNATURE = "signature";
+ public static final String KEY_STORE_CONTEXT = "cookie";
}
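Review bot: `KEY_STORE_CONTEXT` is the name under which the cookie functions now generate the tenant keystore and verify signatures, but it carries no documentation; a one-line Javadoc such as `/** Keystore context for the tenant key that signs and verifies cookies set by the adaptive-auth cookie functions. */` would tell readers what the value selects. Since the value is presumably used to locate a persisted keystore, the comment should also warn that renaming it is not a cosmetic change.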
diff --git a/pom.xml b/pom.xml
index eea7dd6e..0c92618d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -293,6 +293,11 @@
org.wso2.carbon.identity.core
${carbon.identity.framework.version}
+
+ org.wso2.carbon.identity.framework
+ org.wso2.carbon.security.mgt
+ ${carbon.identity.framework.version}
+
org.openjdk.nashorn
nashorn-core
@@ -523,7 +528,7 @@
4.10.22
[4.6.0, 5.0.0)
[1.0.1, 2.0.0)
- 7.7.22
+ 7.7.34
1.0.89
5.20.447
[5.14.0, 8.0.0)