feat(sl20): add basic certificate-validity check into JWS validation

The check can be disabled by using the configuration property: modules.sl20.security.truststore.need.valid.certificate
author: Thomas <> 2023-08-21 16:49:20 +0200
committer: Thomas <> 2023-08-21 16:49:20 +0200
commit: f41a899539773146907eef25b459b4360719fd14 (patch)
tree: ca8cac40d2414415f904ef88b30febf483913ca0 /eaaf_modules
parent: 958770eff456f5724e29166123c7e5c32391e3f4 (diff)
download: EAAF-Components-f41a899539773146907eef25b459b4360719fd14.tar.gz
EAAF-Components-f41a899539773146907eef25b459b4360719fd14.tar.bz2
EAAF-Components-f41a899539773146907eef25b459b4360719fd14.zip
2 files changed, 10 insertions, 2 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/Constants.java
index 74d67d01..b454558a 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/Constants.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/Constants.java
@@ -36,6 +36,8 @@ public class Constants {
       CONFIG_PROP_PREFIX + ".security.truststore.path";
   public static final String CONFIG_PROP_SECURITY_TRUSTSTORE_PASSWORD =
       CONFIG_PROP_PREFIX + ".security.truststore.password";
+  public static final String CONFIG_PROP_SECURITY_TRUSTSTORE_NEED_VALID_CERTIFICATE =
+      CONFIG_PROP_PREFIX + ".security.truststore.need.valid.certificate";
 
   public static final String CONFIG_PROP_SECURITY_SIG_ALG_RSA =
       CONFIG_PROP_PREFIX + ".security.sigalg.rsa";
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 4e939d55..668ce09a 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -154,8 +154,8 @@ public class JsonSecurityUtils implements IJoseTools {
   public VerificationResult validateSignature(@Nonnull final String serializedContent,
       @Nonnull final List<X509Certificate> trustedCerts, @Nonnull final AlgorithmConstraints constraints)
       throws JoseException, IOException {
-
-    final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts, constraints);
+    final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts, constraints,
+        isValidCertificateNeeded());
     return new VerificationResult(
         JsonMapper.getMapper().readTree(result.getFullJoseHeader().getFullHeaderAsJsonString()),
         JsonMapper.getMapper().readTree(result.getPayLoad()),
@@ -413,4 +413,10 @@ public class JsonSecurityUtils implements IJoseTools {
 
   }
 
+  private boolean isValidCertificateNeeded() {
+    return authConfig.getBasicConfigurationBoolean(
+        Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NEED_VALID_CERTIFICATE, true);
+
+  }
+
 }
author	Thomas <>	2023-08-21 16:49:20 +0200
committer	Thomas <>	2023-08-21 16:49:20 +0200
commit	f41a899539773146907eef25b459b4360719fd14 (patch)
tree	ca8cac40d2414415f904ef88b30febf483913ca0 /eaaf_modules
parent	958770eff456f5724e29166123c7e5c32391e3f4 (diff)
download	EAAF-Components-f41a899539773146907eef25b459b4360719fd14.tar.gz EAAF-Components-f41a899539773146907eef25b459b4360719fd14.tar.bz2 EAAF-Components-f41a899539773146907eef25b459b4360719fd14.zip