feat(sl20): add basic certificate-validity check into JWS validation

The check can be disabled by using the configuration property: modules.sl20.security.truststore.need.valid.certificate

1 files changed, 8 insertions, 2 deletions

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 4e939d55..668ce09a 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -154,8 +154,8 @@ public class JsonSecurityUtils implements IJoseTools {
   public VerificationResult validateSignature(@Nonnull final String serializedContent,
       @Nonnull final List<X509Certificate> trustedCerts, @Nonnull final AlgorithmConstraints constraints)
       throws JoseException, IOException {
-
-    final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts, constraints);
+    final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts, constraints,
+        isValidCertificateNeeded());
     return new VerificationResult(
         JsonMapper.getMapper().readTree(result.getFullJoseHeader().getFullHeaderAsJsonString()),
         JsonMapper.getMapper().readTree(result.getPayLoad()),
@@ -413,4 +413,10 @@ public class JsonSecurityUtils implements IJoseTools {
 
   }
 
+  private boolean isValidCertificateNeeded() {
+    return authConfig.getBasicConfigurationBoolean(
+        Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NEED_VALID_CERTIFICATE, true);
+
+  }
+
 }