saml2: Fixes #2548 SAML2 cert encoding and decoding

This fixes SAML2 certificate encoding/decoding issue due to refactoring
regression introduced in 7ce54bf that
did not account for base64 based encoding/decoding. The changes
effectively restore the same logic as used in previous versions.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

Author: yadvr

plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java

@@ -32,7 +32,6 @@
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -147,11 +146,11 @@ protected boolean initSP() {
             try {
                 KeyPair keyPair = CertUtils.generateRandomKeyPair(4096);
                 _ksDao.save(SAMLPluginConstants.SAMLSP_KEYPAIR,
-                        CertUtils.privateKeyToPem(keyPair.getPrivate()),
-                        CertUtils.publicKeyToPem(keyPair.getPublic()), "samlsp-keypair");
+                        SAMLUtils.encodePrivateKey(keyPair.getPrivate()),
+                        SAMLUtils.encodePublicKey(keyPair.getPublic()), "samlsp-keypair");
                 keyStoreVO = _ksDao.findByName(SAMLPluginConstants.SAMLSP_KEYPAIR);
                 s_logger.info("No SAML keystore found, created and saved a new Service Provider keypair");
-            } catch (final NoSuchProviderException | NoSuchAlgorithmException | IOException e) {
+            } catch (final NoSuchProviderException | NoSuchAlgorithmException e) {
                 s_logger.error("Unable to create and save SAML keypair, due to: ", e);
             }
         }
@@ -166,19 +165,8 @@ protected boolean initSP() {
         KeyPair spKeyPair = null;
         X509Certificate spX509Key = null;
         if (keyStoreVO != null) {
-
-            PrivateKey privateKey = null;
-            try {
-                privateKey = CertUtils.pemToPrivateKey(keyStoreVO.getCertificate());
-            } catch (final InvalidKeySpecException | IOException e) {
-                s_logger.error("Failed to read private key, due to error: ", e);
-            }
-            PublicKey publicKey = null;
-            try {
-                publicKey = CertUtils.pemToPublicKey(keyStoreVO.getKey());
-            } catch (final InvalidKeySpecException | IOException e) {
-                s_logger.error("Failed to read public key, due to error: ", e);
-            }
+            final PrivateKey privateKey = SAMLUtils.decodePrivateKey(keyStoreVO.getCertificate());
+            final PublicKey publicKey = SAMLUtils.decodePublicKey(keyStoreVO.getKey());
             if (privateKey != null && publicKey != null) {
                 spKeyPair = new KeyPair(publicKey, privateKey);
                 KeystoreVO x509VO = _ksDao.findByName(SAMLPluginConstants.SAMLSP_X509CERT);

plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java

@@ -28,15 +28,20 @@
 import java.net.URLEncoder;
 import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
+import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
 import java.util.List;
 import java.util.zip.Deflater;
 import java.util.zip.DeflaterOutputStream;
@@ -264,12 +269,6 @@ public static String generateSAMLRequestSignature(final String urlEncodedString,
         return url;
     }
 
-    public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, InvalidKeyException, OperatorCreationException {
-        return CertUtils.generateV1Certificate(keyPair,
-                "CN=ApacheCloudStack", "CN=ApacheCloudStack",
-                3, "SHA256WithRSA");
-    }
-
     public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, final HttpServletResponse resp) throws IOException {
         resp.addCookie(new Cookie("userid", URLEncoder.encode(loginResponse.getUserId(), HttpUtils.UTF_8)));
         resp.addCookie(new Cookie("domainid", URLEncoder.encode(loginResponse.getDomainId(), HttpUtils.UTF_8)));
@@ -284,4 +283,82 @@ public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, fi
         resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
     }
 
+    /**
+     * Returns base64 encoded PublicKey
+     * @param key PublicKey
+     * @return public key encoded string
+     */
+    public static String encodePublicKey(PublicKey key) {
+        try {
+            KeyFactory keyFactory = CertUtils.getKeyFactory();
+            if (keyFactory == null) return null;
+            X509EncodedKeySpec spec = keyFactory.getKeySpec(key, X509EncodedKeySpec.class);
+            return new String(org.bouncycastle.util.encoders.Base64.encode(spec.getEncoded()), Charset.forName("UTF-8"));
+        } catch (InvalidKeySpecException e) {
+            s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+        }
+        return null;
+    }
+
+    /**
+     * Returns base64 encoded PrivateKey
+     * @param key PrivateKey
+     * @return privatekey encoded string
+     */
+    public static String encodePrivateKey(PrivateKey key) {
+        try {
+            KeyFactory keyFactory = CertUtils.getKeyFactory();
+            if (keyFactory == null) return null;
+            PKCS8EncodedKeySpec spec = keyFactory.getKeySpec(key,
+                    PKCS8EncodedKeySpec.class);
+            return new String(org.bouncycastle.util.encoders.Base64.encode(spec.getEncoded()), Charset.forName("UTF-8"));
+        } catch (InvalidKeySpecException e) {
+            s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+        }
+        return null;
+    }
+
+    /**
+     * Decodes base64 encoded public key to PublicKey
+     * @param publicKey encoded public key string
+     * @return returns PublicKey
+     */
+    public static PublicKey decodePublicKey(String publicKey) {
+        byte[] sigBytes = org.bouncycastle.util.encoders.Base64.decode(publicKey);
+        X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(sigBytes);
+        KeyFactory keyFactory = CertUtils.getKeyFactory();
+        if (keyFactory == null)
+            return null;
+        try {
+            return keyFactory.generatePublic(x509KeySpec);
+        } catch (InvalidKeySpecException e) {
+            s_logger.error("Unable to create PrivateKey from privateKey string:" + e.getMessage());
+        }
+        return null;
+    }
+
+    /**
+     * Decodes base64 encoded private key to PrivateKey
+     * @param privateKey encoded private key string
+     * @return returns PrivateKey
+     */
+    public static PrivateKey decodePrivateKey(String privateKey) {
+        byte[] sigBytes = org.bouncycastle.util.encoders.Base64.decode(privateKey);
+        PKCS8EncodedKeySpec pkscs8KeySpec = new PKCS8EncodedKeySpec(sigBytes);
+        KeyFactory keyFactory = CertUtils.getKeyFactory();
+        if (keyFactory == null)
+            return null;
+        try {
+            return keyFactory.generatePrivate(pkscs8KeySpec);
+        } catch (InvalidKeySpecException e) {
+            s_logger.error("Unable to create PrivateKey from privateKey string:" + e.getMessage());
+        }
+        return null;
+    }
+
+    public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, InvalidKeyException, OperatorCreationException {
+        return CertUtils.generateV1Certificate(keyPair,
+                "CN=ApacheCloudStack", "CN=ApacheCloudStack",
+                3, "SHA256WithRSA");
+    }
 }

plugins/user-authenticators/saml2/test/org/apache/cloudstack/SAMLUtilsTest.java

@@ -64,12 +64,14 @@ public void testBuildLogoutRequest() throws Exception {
     public void testX509Helpers() throws Exception {
         KeyPair keyPair = CertUtils.generateRandomKeyPair(4096);
 
-        String privateKeyString = CertUtils.privateKeyToPem(keyPair.getPrivate());
-        String publicKeyString = CertUtils.publicKeyToPem(keyPair.getPublic());
+        String privateKeyString = SAMLUtils.encodePrivateKey(keyPair.getPrivate());
+        String publicKeyString = SAMLUtils.encodePublicKey(keyPair.getPublic());
 
-        PrivateKey privateKey = CertUtils.pemToPrivateKey(privateKeyString);
-        PublicKey publicKey = CertUtils.pemToPublicKey(publicKeyString);
+        PrivateKey privateKey = SAMLUtils.decodePrivateKey(privateKeyString);
+        PublicKey publicKey = SAMLUtils.decodePublicKey(publicKeyString);
 
+        assertNotNull(privateKey);
+        assertNotNull(publicKey);
         assertTrue(privateKey.equals(keyPair.getPrivate()));
         assertTrue(publicKey.equals(keyPair.getPublic()));
     }

ui/index.html

@@ -1881,7 +1881,6 @@ <h3><translate key="label.set.up.zone.type"/></h3>
         <script type="text/javascript" src="scripts/network.js"></script>
         <script type="text/javascript" src="scripts/domains.js"></script>
         <script type="text/javascript" src="scripts/docs.js"></script>
-        <script type="text/javascript" src="scripts/vm_snapshots.js"></script>
         <script type="text/javascript" src="scripts/ui-custom/projectSelect.js"></script>
         <script type="text/javascript" src="scripts/ui-custom/saml.js"></script>
         <script type="text/javascript" src="scripts/ui-custom/ca.js"></script>