.) OID check for identity link signer certificates (needed for certificates after february 19th 2007)

.) hard coded subjectDN check for identity link signer certificates (for certificates before february 19th 2007) to make configuration entries optional git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@788 d688527b-c9ab-4aba-bd8d-4036d912da1d
author: harald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2007-01-18 14:29:56 +0000
committer: harald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2007-01-18 14:29:56 +0000
commit: c51641d057e5db708ef90bee2da271532da6d939 (patch)
tree: af9ab7e97d38c90cc315642b7f18ddc47e89f145
parent: 64967f241e637a13f157f207f6b132efe1383f3d (diff)
download: moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.gz
moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.bz2
moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.zip
5 files changed, 71 insertions, 27 deletions
diff --git a/id.server/res/resources/properties/id_messages_de.properties b/id.server/res/resources/properties/id_messages_de.properties
index 4c03625ad..56bd53968 100644
--- a/id.server/res/resources/properties/id_messages_de.properties
+++ b/id.server/res/resources/properties/id_messages_de.properties
@@ -113,7 +113,8 @@ validator.15=Der Namespace des SAML-Attributs "OA" ist ungültig {0}
 validator.16=Die vorkonfigurierte URL der OnlineApplikation ist fehlerhaft {0}
 
 validator.17= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist ungültig {0}
-validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als gültiger SubjectDN-Name für eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
+#validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als gültiger SubjectDN-Name für eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
+validator.18= Das Zertifikat mit dem die Personenbindung signiert wurde, ist nicht zum Signieren der Personenbindung zulässig. Es konnte weder der SubjectDN ({0}) einem berechtigten Namen zugeordnet werden, noch enthält das Zertifikat die Erweiterung "Eigenschaft zur Ausstellung von Personenbindungen".
 
 validator.19=Das verwendete Zertifikat zum Signieren ist ungültig.<br>{0}
 
@@ -151,6 +152,7 @@ validator.46=Überprüfung der {0}-Infobox fehlgeschlagen: Der Wert des von der Pr
 validator.47=Überprüfung der {0}-Infobox fehlgeschlagen: Das von der Prüfapplikation zurückgegebene SAML-Attribut Nummer {1} kann nicht eindeutig zugeordnet werden.
 validator.48={0}-Infobox wurde nicht von der BKU übermittelt: Für die Anmeldung an dieser Online-Applikation ist die {0}-Infobox erforderlich. Bitte melden Sie sich erneut an, und selektieren Sie in Ihrer BKU die {0}-Infobox.
 
+validator.49=Beim Ermitteln der Personenbindungs-OID im Zertifikat, mit dem die Personenbindung signiert wurde, ist ein Fehler aufgetreten.
 
 
 ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 15d21b4b9..190b2cef9 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -1,5 +1,8 @@
 package at.gv.egovernment.moa.id.auth;
 
+import iaik.asn1.ObjectID;
+
+
 /**
  * Constants used throughout moa-id-auth component.
  * 
@@ -50,6 +53,24 @@ public interface MOAIDAuthConstants {
   public static final String HEADER_VALUE_CACHE_CONTROL = "no-store, no-cache, must-revalidate";
   /** Header Value for controlling the caching mechanism of the browser */
   public static final String HEADER_VALUE_CACHE_CONTROL_IE = "post-check=0, pre-check=0";
-  
+  /** 
+   * the identity link signer X509Subject names of those identity link signer certificates 
+   * not including the identity link signer OID. The authorisation for signing the identity
+   * link must be checked by using their issuer names. After february 19th 2007 the OID of
+   * the certificate will be used fo checking the authorisation for signing identity links.
+   */ 
+  public static final String[] IDENTITY_LINK_SIGNERS_WITHOUT_OID = 
+    new String[] {"T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitgieds der Datenschutzkommission",
+                  "CN=zmr,OU=BMI-IV-2,O=BMI,C=AT",
+                  "T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitglieds der Datenschutzkommission"};  
+  /**
+   * the number of the certifcate extension "Eigenschaft zur Ausstellung von Personenbindungen"
+   */
+  public static final String IDENTITY_LINK_SIGNER_OID_NUMBER = "1.2.40.0.10.1.7.1";
+  /** 
+   * the OID of the identity link signer certificate (Eigenschaft zur Ausstellung von Personenbindungen);
+   * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007
+   */
+  public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER);
 
 }
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
 package at.gv.egovernment.moa.id.auth.validator;
 
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
 import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
 import iaik.utils.RFC2253NameParserException;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
    * @throws ValidateException on any validation error
    */
   public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
-                       String[] identityLinkSignersSubjectDNNames, 
+                       List identityLinkSignersSubjectDNNames, 
                        String whatToCheck,
                        boolean ignoreManifestValidationResult)
     throws ValidateException {
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
       catch (RFC2253NameParserException e) {
         throw new ValidateException("validator.17", null);
       }
-      boolean found = false;
-      for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
-        if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
-          found = true;
+      // check the authorisation to sign the identity link
+      if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+        // subject DN check failed, try OID check:
+        try {
+          if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+            throw new ValidateException("validator.18", new Object[] { subjectDN });
+          } else {
+            Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                         "subjectDN check failed, but OID check successfully passed.");
+          }
+        } catch (X509ExtensionInitException e) {
+          throw new ValidateException("validator.49", null);
+        }
+      } else {
+        Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                     "subjectDN check successfully passed.");
       }
-      if (!found)
-        throw new ValidateException(
-          "validator.18",
-          new Object[] { subjectDN });
+      
     }
   }
 
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index 6a9aee0ca..ebb29c26d 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -22,6 +22,7 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.traversal.NodeIterator;
 
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.Schema;
 import at.gv.egovernment.moa.id.auth.data.SchemaImpl;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
@@ -383,13 +384,13 @@ public class ConfigurationBuilder {
 
 
   /**
-   * Return a string array containing all X509 Subject Names 
+   * Returns a list containing all X509 Subject Names 
    * of the Identity Link Signers
-   * @return String with a url-reference to the VerifyAuthBlock trust profile ID
+   * @return a list containing the configured identity-link signer X509 subject names
    */
-  public String[] getIdentityLink_X509SubjectNames() {
+  public List getIdentityLink_X509SubjectNames() {
 
-    List x509SubjectNameList = new ArrayList();
+    Vector x509SubjectNameList = new Vector();
     NodeIterator x509Iter =
       XPathUtils.selectNodeIterator(
         configElem_,
@@ -397,14 +398,20 @@ public class ConfigurationBuilder {
     Element x509Elem;
 
     while ((x509Elem = (Element) x509Iter.nextNode()) != null) {
-
       String vtInfoIDs = DOMUtils.getText(x509Elem);
       x509SubjectNameList.add(vtInfoIDs);
     }
-    String[] result = new String[x509SubjectNameList.size()];
-    x509SubjectNameList.toArray(result);
-
-    return result;
+    
+    // now add the default identity link signers
+    String[] identityLinkSignersWithoutOID = MOAIDAuthConstants.IDENTITY_LINK_SIGNERS_WITHOUT_OID;
+    for (int i=0; i<identityLinkSignersWithoutOID.length; i++) {
+      String identityLinkSigner = identityLinkSignersWithoutOID[i];
+      if (!x509SubjectNameList.contains(identityLinkSigner)) {
+        x509SubjectNameList.add(identityLinkSigner);
+      }
+    }
+   
+    return x509SubjectNameList;
   }
 
   /**
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index e45d7cba8..b4af6592c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -6,6 +6,8 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
+import java.util.List;
+
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
@@ -117,7 +119,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
   /**
    * X509 SubjectNames which will be trusted
    */
-  private String[] identityLinkX509SubjectNames;
+  private List identityLinkX509SubjectNames;
   /**
    * default parameters for verifying additional infoboxes.
    */
@@ -370,9 +372,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 
   /**
    * Returns the identityLinkX509SubjectNames.
-   * @return String[]
+   * @return List
    */
-  public String[] getIdentityLinkX509SubjectNames() {
+  public List getIdentityLinkX509SubjectNames() {
     return identityLinkX509SubjectNames;
   }
author	harald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2007-01-18 14:29:56 +0000
committer	harald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2007-01-18 14:29:56 +0000
commit	c51641d057e5db708ef90bee2da271532da6d939 (patch)
tree	af9ab7e97d38c90cc315642b7f18ddc47e89f145
parent	64967f241e637a13f157f207f6b132efe1383f3d (diff)
download	moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.gz moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.bz2 moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.zip