Merge pull request #162 from sumadhav/future

Modification: P12 certificate's CN name verification

Author: mahendya1002

README.md

@@ -252,6 +252,12 @@ Retry Pattern allows to retry sending a failed request and it will only work wit
 
 ## Changes
 _______________________________
+Version Cybersource-sdk-java 6.2.13 (AUGUST,2022)
+_______________________________
+    1)Modified the CYBS P12 certificate's CN name verification to case insensitive.
+_______________________________
+
+_______________________________    
 Version Cybersource-sdk-java 6.2.12 (JULY,2022)
 _______________________________
     1) Mitigation of Apache WSS4j Security Vulnerability (CVE-2016-1000343, CVE-2018-1000180).

java/src/main/java/com/cybersource/ws/client/Identity.java

@@ -39,8 +39,6 @@ public class Identity {
 
 	private long lastModifiedDate;
 
-    private static final String SERVER_ALIAS = "CyberSource_SJC_US";
-
     private char[] pswd;
 
     /**
@@ -51,7 +49,7 @@ public class Identity {
      * @param x509Certificate
      * @throws SignException
      */
-    public Identity(MerchantConfig merchantConfig,X509Certificate x509Certificate,Logger logger) throws SignException {
+    public Identity(MerchantConfig merchantConfig, X509Certificate x509Certificate) throws SignException {
         this.merchantConfig = merchantConfig;
         this.x509Cert=x509Certificate;
         if(merchantConfig.isJdkCertEnabled() || merchantConfig.isCacertEnabled()){
@@ -66,13 +64,13 @@ private void setupJdkServerCerts() throws SignException {
         if (x509Cert != null) {
             String subjectDN = x509Cert.getSubjectDN().getName();
             if (subjectDN != null) {
-                String subjectDNrray[] = subjectDN.split("SERIALNUMBER=");
-                if (subjectDNrray.length == 1 && subjectDNrray[0].contains("CyberSourceCertAuth")){
-                    name = keyAlias = "CyberSourceCertAuth";
+                String[] subjectDNArray = subjectDN.split("SERIALNUMBER=");
+                if (subjectDNArray.length == 1 && subjectDNArray[0].toLowerCase().contains(Utility.CYBS_CERT_AUTH.toLowerCase())){
+                    name = keyAlias = subjectDNArray[0].split("=")[1];
                 }
-                else if (subjectDNrray.length == 2 && subjectDNrray[1].contains(SERVER_ALIAS)) {
-                    name = SERVER_ALIAS;
-                    serialNumber = subjectDNrray[1].split(",")[0];
+                else if (subjectDNArray.length == 2 && subjectDNArray[1].toLowerCase().contains(Utility.SERVER_ALIAS.toLowerCase())) {
+                    name = subjectDNArray[1].split("=")[1];
+                    serialNumber = subjectDNArray[1].split(",")[0];
                     keyAlias = "serialNumber=" + serialNumber + ",CN=" + name;
                 }else{
                     throw new SignException("Exception while obtaining private key from KeyStore with alias, '" + merchantConfig.getKeyAlias() + "'");
@@ -147,13 +145,14 @@ private void setUpServer() throws SignException {
         if (serialNumber == null && x509Cert != null) {
             String subjectDN = x509Cert.getSubjectDN().getName();
             if (subjectDN != null) {
-                String[] subjectDNrray = subjectDN.split("SERIALNUMBER=");
-                if (subjectDNrray.length == 1 && subjectDNrray[0].contains("CyberSourceCertAuth")){
-                    name = keyAlias = "CyberSourceCertAuth";
+                String[] subjectDNArray = subjectDN.split("SERIALNUMBER=");
+                if (subjectDNArray.length == 1 && subjectDNArray[0].toLowerCase().contains(Utility.CYBS_CERT_AUTH.toLowerCase())){
+                    name = keyAlias = subjectDNArray[0].split("=")[1];
                 }
-                else if (subjectDNrray.length == 2 && subjectDNrray[0].contains(SERVER_ALIAS)) {
-                    name = SERVER_ALIAS;
-                    serialNumber = subjectDNrray[1];
+                else if (subjectDNArray.length == 2 && subjectDNArray[0].toLowerCase().contains(Utility.SERVER_ALIAS.toLowerCase())) {
+                    String subjectDName = subjectDNArray[0].split("=")[1];
+                    name = subjectDName.substring(0, subjectDName.length()-1);
+                    serialNumber = subjectDNArray[1];
                     keyAlias = "serialNumber=" + serialNumber + ",CN=" + name;
                 }else{
                     throw new SignException("Exception while obtaining private key from KeyStore with alias, '" + merchantConfig.getKeyAlias() + "'");

java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java

@@ -28,8 +28,9 @@ public MessageHandlerKeyStore() {
      * @throws SignEncryptException
      */
     public void addIdentityToKeyStore(Identity id, Logger logger) throws SignEncryptException {
-        if (id == null)
+        if (id == null) {
             return;
+        }
         X509Certificate certificate = id.getX509Cert();
         PrivateKey privateKey = id.getPrivateKey();
         try {

java/src/main/java/com/cybersource/ws/client/SecurityUtil.java

@@ -21,8 +21,8 @@
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.TimeUnit;
 
 /**
  * Utility class for security related functions like loading p12 key, create signed or encrypted doc,
@@ -32,7 +32,6 @@ public class SecurityUtil {
 
     private static final String KEY_FILE_TYPE = "PKCS12";
 
-    private static final String SERVER_ALIAS = "CyberSource_SJC_US";
     private static final String FAILED_TO_LOAD_KEY_STORE = "Exception while loading KeyStore";
     private static final String FAILED_TO_OBTAIN_PRIVATE_KEY = "Exception while obtaining private key from KeyStore with alias";
 
@@ -173,7 +172,7 @@ private static void readAndStoreCertificateAndPrivateKey(MerchantConfig merchant
                     identities.put(identity.getKeyAlias(), identity);
                     continue;
                 }
-                Identity identity = new Identity(merchantConfig, (X509Certificate) merchantKeyStore.getCertificate(merchantKeyAlias),logger);
+                Identity identity = new Identity(merchantConfig, (X509Certificate) merchantKeyStore.getCertificate(merchantKeyAlias));
                 localKeyStoreHandler.addIdentityToKeyStore(identity, logger);
                 identities.put(identity.getName(), identity);
             }
@@ -208,7 +207,8 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
         WSSecEncrypt encrBuilder = new WSSecEncrypt(secHeader);
         //Set the user name to get the encryption certificate.
         //The public key of this certificate is used, thus no password necessary. The user name is a keystore alias usually.
-        encrBuilder.setUserInfo(identities.get(SERVER_ALIAS).getKeyAlias());
+        String serverAlias = getServerAlias(identities);
+        encrBuilder.setUserInfo(identities.get(serverAlias).getKeyAlias());
 
         /*This is to reference a public key or certificate when signing or encrypting a SOAP message.
          *The following valid values for these configuration items are:
@@ -234,8 +234,8 @@ public static Document handleMessageCreation(Document signedDoc, String merchant
             KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_256);
             signedEncryptedDoc = encrBuilder.build(localKeyStoreHandler, keyGen.generateKey());
         } catch (WSSecurityException e) {
-            logger.log(Logger.LT_EXCEPTION, "Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS);
-            throw new SignEncryptException("Failed while encrypting signed requeest for , '" + merchantId + "'" + " with " + SERVER_ALIAS, e);
+            logger.log(Logger.LT_EXCEPTION, "Failed while encrypting signed request for , '" + merchantId + "'" + " with " + serverAlias);
+            throw new SignEncryptException("Failed while encrypting signed request for , '" + merchantId + "'" + " with " + serverAlias, e);
         }
         encrBuilder.prependToHeader();
         return signedEncryptedDoc;
@@ -343,7 +343,7 @@ public static void readJdkCert(MerchantConfig merchantConfig, Logger logger)
 					continue;
 				}
 				Identity identity = new Identity(merchantConfig,
-						(X509Certificate) keystore.getCertificate(merchantKeyAlias), logger);
+						(X509Certificate) keystore.getCertificate(merchantKeyAlias));
 				localKeyStoreHandler.addIdentityToKeyStore(identity, logger);
 				identities.put(identity.getName(), identity);
 			}
@@ -363,8 +363,6 @@ private static void loadJavaKeystore(MerchantConfig merchantConfig, Logger logge
 			KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
 			keystore.load(is, merchantConfig.getCacertPassword().toCharArray());
 
-			Identity identity;
-
 			java.security.cert.Certificate[] cert = keystore.getCertificateChain(merchantConfig.getKeyAlias());
 			if (cert == null) {
 				throw new SignException("Empty Keystore or Missing Certificate ");
@@ -378,23 +376,23 @@ private static void loadJavaKeystore(MerchantConfig merchantConfig, Logger logge
 						+ merchantConfig.getKeyAlias() + "'");
 				throw new SignException(e);
 			}
-
-            for (int i = 0; i < cert.length; i++) {
-                if (merchantConfig.getKeyAlias().equals(keystore.getCertificateAlias(cert[i]))) {
-                    identity = new Identity(merchantConfig, (X509Certificate) cert[i], key, logger);
+            Identity identity;
+            for (java.security.cert.Certificate certificate : cert) {
+                if (merchantConfig.getKeyAlias().equals(keystore.getCertificateAlias(certificate))) {
+                    identity = new Identity(merchantConfig, (X509Certificate) certificate, key, logger);
                     localKeyStoreHandler.addIdentityToKeyStore(identity, logger);
                     identities.put(identity.getKeyAlias(), identity);
                 } else {
-                    identity = new Identity(merchantConfig, (X509Certificate) cert[i], logger);
+                    identity = new Identity(merchantConfig, (X509Certificate) certificate);
                     localKeyStoreHandler.addIdentityToKeyStore(identity, logger);
                     identities.put(identity.getName(), identity);
                 }
             }
-			java.security.cert.Certificate serverCert = keystore.getCertificate(SERVER_ALIAS);
+			java.security.cert.Certificate serverCert = keystore.getCertificate(getServerAlias(identities));
 			if (serverCert == null) {
 				throw new SignException("Missing Server Certificate ");
 			}
-			identity = new Identity(merchantConfig, (X509Certificate) serverCert, logger);
+			identity = new Identity(merchantConfig, (X509Certificate) serverCert);
 			localKeyStoreHandler.addIdentityToKeyStore(identity, logger);
 			identities.put(identity.getName(), identity);
 
@@ -427,4 +425,23 @@ private static void loadJavaKeystore(MerchantConfig merchantConfig, Logger logge
 		}
 
 	}
+
+    protected static String getServerAlias(Map<String, Identity> identitiesMapper) {
+        String serverAlias = Utility.SERVER_ALIAS;
+        if(!identitiesMapper.containsKey(serverAlias)) {
+            if(identitiesMapper.containsKey(serverAlias.toLowerCase())) {
+                serverAlias = serverAlias.toLowerCase();
+            } else if(identitiesMapper.containsKey(serverAlias.toUpperCase())) {
+                serverAlias = serverAlias.toUpperCase();
+            } else {
+                for(String identityKey :identitiesMapper.keySet()) {
+                    if(identityKey.equalsIgnoreCase(serverAlias)) {
+                        serverAlias = identityKey;
+                        break;
+                    }
+                }
+            }
+        }
+        return serverAlias;
+    }
 }

java/src/main/java/com/cybersource/ws/client/Utility.java

@@ -45,6 +45,8 @@ private Utility() {
     /**
      * Version number of this release.
      */
+    public static final String SERVER_ALIAS = "CyberSource_SJC_US";
+    public static final String CYBS_CERT_AUTH = "CyberSourceCertAuth";
     public static final String VERSION = "6.2.13";
     public static final String ORIGIN_TIMESTAMP = "v-c-client-iat";
     public static final String SDK_ELAPSED_TIMESTAMP = "v-c-client-computetime";

java/src/test/java/com/cybersource/ws/client/IdentityTest.java

@@ -1,74 +1,82 @@
 package com.cybersource.ws.client;
 
-import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mockito;
 
 import static org.junit.Assert.*;
 
 import java.io.File;
+import java.io.IOException;
 import java.io.InputStream;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.*;
 
-public class IdentityTest{
+public class IdentityTest {
 
-    private MerchantConfig config;
-    
-    @Before
-    public void setUp() throws Exception {
-    	//Loading the properties file from src/test/resources
-        Properties merchantProperties = new Properties();
-        InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream("test_cybs.properties");
-		if (in == null) {
-			throw new RuntimeException("Unable to load test_cybs.properties file");
-		}
-		merchantProperties.load(in);
-	    config = new MerchantConfig(merchantProperties, merchantProperties.getProperty("merchantID"));
-    }
+	@Test
+	public void testSetUpMerchant() throws SignException, ConfigException{
+		File p12file = Mockito.mock(File.class);
+		MerchantConfig mc = Mockito.mock(MerchantConfig.class);
+
+		String keyAlias = "CN="+mc.getMerchantID()+",SERIALNUMBER=400000009910179089277";
+		X509Certificate x509Cert = Mockito.mock(X509Certificate.class);
+		Principal principal =  Mockito.mock(Principal.class);
+		PrivateKey pkey = Mockito.mock(PrivateKey.class);
+		Logger logger = Mockito.mock(Logger.class);
+		Mockito.when(x509Cert.getSubjectDN()).thenReturn(principal);
+		Mockito.when(principal.getName()).thenReturn(keyAlias);
 
-    @Test
-    public void testSetUpMerchant() throws SignException, ConfigException{
-    	File p12file = Mockito.mock(File.class);
-    	MerchantConfig mc = Mockito.mock(MerchantConfig.class);
-    	
-    	String keyAlias = "CN="+mc.getMerchantID()+",SERIALNUMBER=400000009910179089277";
-    	X509Certificate x509Cert = Mockito.mock(X509Certificate.class);
-    	Principal principal =  Mockito.mock(Principal.class);
-    	PrivateKey pkey = Mockito.mock(PrivateKey.class);
-    	Logger logger = Mockito.mock(Logger.class);
-    	Mockito.when(x509Cert.getSubjectDN()).thenReturn(principal);
-    	Mockito.when(principal.getName()).thenReturn(keyAlias);
-    	
-    	Mockito.when(mc.getKeyFile()).thenReturn(p12file);
+		Mockito.when(mc.getKeyFile()).thenReturn(p12file);
 		Mockito.when(mc.getKeyPassword()).thenReturn("testPwd");
-    	Identity identity = new Identity(mc,x509Cert,pkey,logger);
-    	assertEquals(identity.getName(), mc.getMerchantID());
-    	assertEquals(identity.getSerialNumber(), "400000009910179089277");
+		Identity identity = new Identity(mc,x509Cert,pkey,logger);
+		assertEquals(identity.getName(), mc.getMerchantID());
+		assertEquals(identity.getSerialNumber(), "400000009910179089277");
 		assertEquals(String.valueOf(identity.getPswd()), "testPwd");
-    	assertNotNull(identity.getPrivateKey());
-    }
-    
-    @Test
-    public void testsetUpServer() throws SignException {
-		String keyAlias;
-    	if(config.isJdkCertEnabled() || config.isCacertEnabled()) {
-			keyAlias = "SERIALNUMBER=400000009910179089277,CN=CyberSource_SJC_US";
-		} else {
-    		keyAlias = "CN=CyberSource_SJC_US,SERIALNUMBER=400000009910179089277";
-		}
+		assertNotNull(identity.getPrivateKey());
+	}
 
-    	X509Certificate x509Cert = Mockito.mock(X509Certificate.class);
-    	Principal principal =  Mockito.mock(Principal.class);
-    	Logger logger = Mockito.mock(Logger.class);
-    	Mockito.when(x509Cert.getSubjectDN()).thenReturn(principal);
-    	Mockito.when(principal.getName()).thenReturn(keyAlias);
-    	Identity identity = new Identity(config,x509Cert,logger);
-    	assertEquals(identity.getName(), "CyberSource_SJC_US");
-    	assertEquals(identity.getSerialNumber(), "400000009910179089277");
-    	assertNull(identity.getPrivateKey());
-    }
+	@Test
+	public void testSetUpServerForP12Certs() throws SignException, IOException, ConfigException {
+		Properties merchantProps = getConfigProps();
+		merchantProps.setProperty("enableCacert", "false");
+		MerchantConfig customConfig = new MerchantConfig(merchantProps, merchantProps.getProperty("merchantID"));
+		String keyAlias = "CN=CyberSource_SJC_US,SERIALNUMBER=400000009910179089277";
+		X509Certificate x509Cert = Mockito.mock(X509Certificate.class);
+		Principal principal =  Mockito.mock(Principal.class);
+		Mockito.when(x509Cert.getSubjectDN()).thenReturn(principal);
+		Mockito.when(principal.getName()).thenReturn(keyAlias);
+		Identity identity = new Identity(customConfig, x509Cert);
+		assertEquals(identity.getName(), Utility.SERVER_ALIAS);
+		assertEquals(identity.getSerialNumber(), "400000009910179089277");
+		assertNull(identity.getPrivateKey());
+	}
+
+	@Test
+	public void testSetUpServerForCaCerts() throws SignException, IOException, ConfigException {
+		Properties merchantProps = getConfigProps();
+		merchantProps.setProperty("enableCacert", "true");
+		MerchantConfig customConfig = new MerchantConfig(merchantProps, merchantProps.getProperty("merchantID"));
+		String keyAlias = "SERIALNUMBER=400000009910179089277,CN=CyberSource_SJC_US";
+		X509Certificate x509Cert = Mockito.mock(X509Certificate.class);
+		Principal principal =  Mockito.mock(Principal.class);
+		Mockito.when(x509Cert.getSubjectDN()).thenReturn(principal);
+		Mockito.when(principal.getName()).thenReturn(keyAlias);
+		Identity identity = new Identity(customConfig, x509Cert);
+		assertEquals(identity.getName(), Utility.SERVER_ALIAS);
+		assertEquals(identity.getSerialNumber(), "400000009910179089277");
+		assertNull(identity.getPrivateKey());
+	}
+
+	private Properties getConfigProps() throws IOException {
+		Properties merchantProperties = new Properties();
+		InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream("test_cybs.properties");
+		if (in == null) {
+			throw new RuntimeException("Unable to load test_cybs.properties file");
+		}
+		merchantProperties.load(in);
+		return merchantProperties;
+	}
 
-}
+}