diff options
| author | (no author) <(no author)@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2007-08-02 14:35:31 +0000 |
|---|---|---|
| committer | (no author) <(no author)@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2007-08-02 14:35:31 +0000 |
| commit | 33e7890166717f636014aa2c883083d8fc1b4ee8 (patch) | |
| tree | aa2295bd6540a04ea24915958e0260e5c0bd9d65 /id.server/src/at/gv/egovernment/moa/id/auth/validator | |
| parent | 86c1bd9b1a07d8c875b5304e78a5c75e9edecde7 (diff) | |
| download | moa-id-spss-tags/Build-SPSS-1_4_0.tar.gz moa-id-spss-tags/Build-SPSS-1_4_0.tar.bz2 moa-id-spss-tags/Build-SPSS-1_4_0.zip | |
This commit was manufactured by cvs2svn to create tagtags/Build-SPSS-1_4_0
'Build-SPSS-1_4_0'.
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/tags/Build-SPSS-1_4_0@898 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth/validator')
5 files changed, 0 insertions, 677 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java deleted file mode 100644 index e6c9f4bee..000000000 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ /dev/null @@ -1,274 +0,0 @@ -package at.gv.egovernment.moa.id.auth.validator; - -import java.util.Iterator; -import java.util.List; - -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.StringUtils; -import at.gv.egovernment.moa.util.XPathUtils; - -/** - * - * This class is used to validate an {@link CreateXMLSignatureResponse} - * returned by the security layer. - * This class implements the Singleton pattern. - * @author Stefan Knirsch - * @version $Id$ - */ -public class CreateXMLSignatureResponseValidator { - - - /** Xpath expression to the dsig:Signature element */ - private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature"; - - - /** Singleton instance. <code>null</code>, if none has been created. */ - private static CreateXMLSignatureResponseValidator instance; - - /** - * Constructor for a singleton CreateXMLSignatureResponseValidator. - * @return an instance of CreateXMLSignatureResponseValidator - * @throws ValidateException if no instance can be created - */ - public static synchronized CreateXMLSignatureResponseValidator getInstance() - throws ValidateException { - if (instance == null) { - instance = new CreateXMLSignatureResponseValidator(); - } - return instance; - } - - - /** - * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse} - * @param createXMLSignatureResponse - * @param session - * @throws ValidateException - */ - public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session) - throws ValidateException { - - // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier - - String gbTarget = session.getTarget(); - String oaURL = session.getPublicOAURLPrefix(); - boolean businessService = session.getBusinessService(); - - IdentityLink identityLink = session.getIdentityLink(); - - Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); - String issuer = samlAssertion.getAttribute("Issuer"); - if (issuer == null) { - // should not happen, because parser would dedect this - throw new ValidateException("validator.32", null); - } - String issueInstant = samlAssertion.getAttribute("IssueInstant"); - if (!issueInstant.equals(session.getIssueInstant())) { - throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - } - - String name = identityLink.getName(); - if (!issuer.equals(name)) { - throw new ValidateException("validator.33", new Object[] {issuer, name}); - } - - SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); - - boolean foundOA = false; - boolean foundGB = false; - boolean foundWBPK = false; - int offset = 0; - - // check number of SAML aatributes - List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); - int extendedSAMLAttributesNum = 0; - if (extendedSAMLAttributes != null) { - extendedSAMLAttributesNum = extendedSAMLAttributes.size(); - } - int expectedSAMLAttributeNumber = - AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; - if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; - int actualSAMLAttributeNumber = samlAttributes.length; - if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { - Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + - expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); - throw new ValidateException( - "validator.36", - new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); - } - - SAMLAttribute samlAttribute; - if (session.getSAMLAttributeGebeORwbpk()) { - // check the first attribute ("Geschaeftsbereich" or "wbPK") - samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } - } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } - } - } else { - offset--; - } - - // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1 + offset]; - if (!samlAttribute.getName().equals("OA")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundOA = true; - if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); - } - } else { - throw new ValidateException("validator.15", null); - } - - // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2 + offset]; - if (!samlAttribute.getName().equals("Geburtsdatum")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlDateOfBirth = (String)samlAttribute.getValue(); - String dateOfBirth = identityLink.getDateOfBirth(); - if (!samlDateOfBirth.equals(dateOfBirth)) { - throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); - } - } else { - throw new ValidateException("validator.35", null); - } - - // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; - if (extendedSAMLAttributes != null) { - Iterator it = extendedSAMLAttributes.iterator(); - while (it.hasNext()) { - ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); - samlAttribute = samlAttributes[i]; - String actualName = samlAttribute.getName(); - String expectedName = extendedSAMLAttribute.getName(); - if (!actualName.equals(expectedName)) { - throw new ValidateException( - "validator.38", - new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); - } - String actualNamespace = samlAttribute.getNamespace(); - String expectedNamespace = extendedSAMLAttribute.getNameSpace(); - if (!actualNamespace.equals(expectedNamespace)) { - throw new ValidateException( - "validator.38", - new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); - } - Object expectedValue = extendedSAMLAttribute.getValue(); - Object actualValue = samlAttribute.getValue(); - try { - if (expectedValue instanceof String) { - // replace \r\n because text might be base64-encoded - String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); - expValue = StringUtils.replaceAll(expValue,"\n",""); - String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); - actValue = StringUtils.replaceAll(actValue,"\n",""); - if (!expValue.equals(actValue)) { - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); - } - } else if (expectedValue instanceof Element) { - // only check the name of the element - String actualElementName = ((Element)actualValue).getNodeName(); - String expectedElementName = ((Element)expectedValue).getNodeName(); - if (!(expectedElementName.equals(actualElementName))){ - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); - } - } else { - // should not happen - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); - } - } catch (ClassCastException e) { - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); - } - i++; - } - } - - - if (!foundOA) throw new ValidateException("validator.14", null); - if (businessService) { - if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); - } else { - if (!foundGB) throw new ValidateException("validator.11", null); - } - - //Check if dsig:Signature exists -// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); -// if (nl.getLength() != 1) { -// throw new ValidateException("validator.05", null); -// } - Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); - if (dsigSignature == null) { - throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; - } - } -} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java deleted file mode 100644 index 444f706e4..000000000 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java +++ /dev/null @@ -1,159 +0,0 @@ -package at.gv.egovernment.moa.id.auth.validator; - -import org.w3c.dom.Element; -import org.w3c.dom.NodeList; - -import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.XPathUtils; - -/** - * This class is used to validate an {@link IdentityLink} - * returned by the security layer - * - * @author Stefan Knirsch - * @version $Id$ - */ -public class IdentityLinkValidator implements Constants { - - // - // XPath namespace prefix shortcuts - // - /** Xpath prefix for reaching PersonData Namespaces */ - private static final String PDATA = PD_PREFIX + ":"; - /** Xpath prefix for reaching SAML Namespaces */ - private static final String SAML = SAML_PREFIX + ":"; - /** Xpath prefix for reaching XML-DSIG Namespaces */ - private static final String DSIG = DSIG_PREFIX + ":"; - /** Xpath prefix for reaching ECDSA Namespaces */ - private static final String ECDSA = ECDSA_PREFIX + ":"; - /** Xpath expression to the root element */ - private static final String ROOT = ""; - /** Xpath expression to the SAML:SubjectConfirmationData element */ - private static final String SAML_SUBJECT_CONFIRMATION_DATA_XPATH = - ROOT - + SAML - + "AttributeStatement/" - + SAML - + "Subject/" - + SAML - + "SubjectConfirmation/" - + SAML - + "SubjectConfirmationData"; -/** Xpath expression to the PersonData:Person element */ - private static final String PERSON_XPATH = - SAML_SUBJECT_CONFIRMATION_DATA_XPATH + "/" + PDATA + "Person"; - /** Xpath expression to the SAML:Attribute element */ - private static final String ATTRIBUTE_XPATH = - ROOT + SAML + "AttributeStatement/" + SAML + "Attribute"; - /** Xpath expression to the SAML:AttributeName attribute */ - private static final String ATTRIBUTE_NAME_XPATH = - ROOT + SAML + "AttributeStatement/" + SAML + "Attribute/@AttributeName"; - /** Xpath expression to the SAML:AttributeNamespace attribute */ - private static final String ATTRIBUTE_NAMESPACE_XPATH = - ROOT - + SAML - + "AttributeStatement/" - + SAML - + "Attribute/@AttributeNamespace"; - /** Xpath expression to the SAML:AttributeValue element */ - private static final String ATTRIBUTE_VALUE_XPATH = - ROOT - + SAML - + "AttributeStatement/" - + SAML - + "Attribute/" - + SAML - + "AttributeValue"; - - /** Singleton instance. <code>null</code>, if none has been created. */ - private static IdentityLinkValidator instance; - - /** - * Constructor for a singleton IdentityLinkValidator. - * @return a new IdentityLinkValidator instance - * @throws ValidateException if no instance can be created - */ - public static synchronized IdentityLinkValidator getInstance() - throws ValidateException { - if (instance == null) { - instance = new IdentityLinkValidator(); - } - return instance; - } - - /** - * Method validate. Validates the {@link IdentityLink} - * @param identityLink The identityLink to validate - * @throws ValidateException on any validation error - */ - public void validate(IdentityLink identityLink) throws ValidateException { - - Element samlAssertion = identityLink.getSamlAssertion(); - //Search the SAML:ASSERTION Object (A2.054) - if (samlAssertion == null) { - throw new ValidateException("validator.00", null); - } - - // Check how many saml:Assertion/saml:AttributeStatement/ - // saml:Subject/ saml:SubjectConfirmation/ - // saml:SubjectConfirmationData/pr:Person of type - // PhysicalPersonType exist (A2.056) - NodeList nl = XPathUtils.selectNodeList(samlAssertion, PERSON_XPATH); - // If we have just one Person-Element we don't need to check the attributes - int counterPhysicalPersonType = 0; - if (nl.getLength() > 1) - for (int i = 0; i < nl.getLength(); i++) { - String xsiType = - ((Element) nl.item(i)) - .getAttributeNodeNS( - "http://www.w3.org/2001/XMLSchema-instance", - "type") - .getNodeValue(); - // We have to check if xsiType contains "PhysicalPersonType" - // An equal-check will fail because of the Namespace-prefix of the attribute value - if (xsiType.indexOf("PhysicalPersonType") > -1) - counterPhysicalPersonType++; - } - if (counterPhysicalPersonType > 1) - throw new ValidateException("validator.01", null); - - //Check the SAML:ATTRIBUTES - nl = XPathUtils.selectNodeList(samlAssertion, ATTRIBUTE_XPATH); - for (int i = 0; i < nl.getLength(); i++) { - String attributeName = - XPathUtils.getAttributeValue( - (Element) nl.item(i), - "@AttributeName", - null); - String attributeNS = - XPathUtils.getAttributeValue( - (Element) nl.item(i), - "@AttributeNamespace", - null); - if (attributeName.equals("CitizenPublicKey")) { - - if (attributeNS.equals("http://www.buergerkarte.at/namespaces/personenbindung/20020506#") || - attributeNS.equals("urn:publicid:gv.at:namespaces:identitylink:1.2")) { - Element attributeValue = - (Element) XPathUtils.selectSingleNode((Element) nl.item(i),nSMap, SAML + "AttributeValue/" + DSIG + "RSAKeyValue"); - if (attributeValue==null) - attributeValue = - (Element) XPathUtils.selectSingleNode((Element)nl.item(i), nSMap, SAML + "AttributeValue/" + ECDSA + "ECDSAKeyValue"); - if (attributeValue == null) - throw new ValidateException("validator.02", null); - - } - else - throw new ValidateException("validator.03", new Object [] {attributeNS} ); - } - else - throw new ValidateException("validator.04", new Object [] {attributeName} ); - } - - //Check if dsig:Signature exists - Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion,ROOT + DSIG + "Signature"); - if (dsigSignature==null) throw new ValidateException("validator.05", new Object[] {"in der Personenbindung"}); - } - -} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java deleted file mode 100644 index c776418ab..000000000 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java +++ /dev/null @@ -1,32 +0,0 @@ -package at.gv.egovernment.moa.id.auth.validator; - -import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult; -import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; - -/** - * Validates an InfoboxReadResponse. - * An implementing class has to validate the content of the InfoboxReadResponse - * according to the type specific rules and guidelines of the underlying - * application. - */ -public interface InfoboxValidator { - - /** - * This method validates an InfoboxReadResponse. - * The method validates the content of the passed <code>infoboxReadResponse</code> - * according to the type specific rules and guidelines of the underlying - * application. - * - * @param params {@link at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams - * Parameters} needed by the validator. - * - * @return <code>True</code> if validation succeeds, - * otherwise <code>false</code>. - * - * @throws ValidateException If an error occurs on validating the - * InfoboxReadResponse. - */ - public InfoboxValidationResult validate (InfoboxValidatorParams params) - throws ValidateException; - -} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/ValidateException.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/ValidateException.java deleted file mode 100644 index a6685fca8..000000000 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/ValidateException.java +++ /dev/null @@ -1,35 +0,0 @@ -package at.gv.egovernment.moa.id.auth.validator; - -import at.gv.egovernment.moa.id.MOAIDException; - -/** - * Exception thrown while validating an incoming XML structure - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class ValidateException extends MOAIDException { - - /** - * Constructor for ValidateException. - * @param messageId - * @param parameters - */ - public ValidateException(String messageId, Object[] parameters) { - super(messageId, parameters); - } - - /** - * Constructor for ValidateException. - * @param messageId - * @param parameters - * @param wrapped - */ - public ValidateException( - String messageId, - Object[] parameters, - Throwable wrapped) { - super(messageId, parameters, wrapped); - } - -} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java deleted file mode 100644 index 1f2ebc37c..000000000 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ /dev/null @@ -1,177 +0,0 @@ -package at.gv.egovernment.moa.id.auth.validator; - -import iaik.asn1.structures.Name; -import iaik.security.ecc.ecdsa.ECPublicKey; -import iaik.utils.RFC2253NameParserException; -import iaik.x509.X509Certificate; -import iaik.x509.X509ExtensionInitException; - -import java.security.PublicKey; -import java.security.interfaces.RSAPublicKey; -import java.util.List; - -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; -import at.gv.egovernment.moa.logging.Logger; - -/** - * This class is used to validate an {@link VerifyXMLSignatureResponse} - * returned by MOA-SPSS - * - * @author Stefan Knirsch - * @version $Id$ - */ -public class VerifyXMLSignatureResponseValidator { - - /** Identification string for checking identity link */ - public static final String CHECK_IDENTITY_LINK = "IdentityLink"; - /** Identification string for checking authentication block */ - public static final String CHECK_AUTH_BLOCK = "AuthBlock"; - - /** Singleton instance. <code>null</code>, if none has been created. */ - private static VerifyXMLSignatureResponseValidator instance; - - /** - * Constructor for a singleton VerifyXMLSignatureResponseValidator. - */ - public static synchronized VerifyXMLSignatureResponseValidator getInstance() - throws ValidateException { - if (instance == null) { - instance = new VerifyXMLSignatureResponseValidator(); - } - return instance; - } - - /** - * Validates a {@link VerifyXMLSignatureResponse} returned by MOA-SPSS. - * - * @param verifyXMLSignatureResponse the <code><VerifyXMLSignatureResponse></code> - * @param identityLinkSignersSubjectDNNames subject names configured - * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated - * @param ignoreManifestValidationResult specifies whether the validation result of the - * manifest has to be ignored (identityLink validation if - * the OA is a business service) or not - * @throws ValidateException on any validation error - */ - public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse, - List identityLinkSignersSubjectDNNames, - String whatToCheck, - boolean ignoreManifestValidationResult) - throws ValidateException { - - if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) - throw new ValidateException("validator.06", null); - - if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { - String checkFailedReason =""; - if (verifyXMLSignatureResponse.getCertificateCheckCode() == 1) - checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.21", null); - if (verifyXMLSignatureResponse.getCertificateCheckCode() == 2) - checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.22", null); - if (verifyXMLSignatureResponse.getCertificateCheckCode() == 3) - checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.23", null); - if (verifyXMLSignatureResponse.getCertificateCheckCode() == 4) - checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.24", null); - if (verifyXMLSignatureResponse.getCertificateCheckCode() == 5) - checkFailedReason = MOAIDMessageProvider.getInstance().getMessage("validator.25", null); - - if (whatToCheck.equals(CHECK_IDENTITY_LINK)) - throw new ValidateException("validator.07", new Object[] { checkFailedReason } ); - else - throw new ValidateException("validator.19", new Object[] { checkFailedReason } ); - } - - if (ignoreManifestValidationResult) { - Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result"); - } else { - if (verifyXMLSignatureResponse.isXmlDSIGManigest()) - if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) - throw new ValidateException("validator.08", null); - } - - - // TODO See Bug #322 - // Check result of SignatureManifestCheck - - - //Check whether the returned X509 SubjectName is in the MOA-ID configuration or not - if (identityLinkSignersSubjectDNNames != null) { - String subjectDN = ""; - X509Certificate x509Cert = verifyXMLSignatureResponse.getX509certificate(); - try { - subjectDN = ((Name) x509Cert.getSubjectDN()).getRFC2253String(); - } - catch (RFC2253NameParserException e) { - throw new ValidateException("validator.17", null); - } - // check the authorisation to sign the identity link - if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) { - // subject DN check failed, try OID check: - try { - if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) { - throw new ValidateException("validator.18", new Object[] { subjectDN }); - } else { - Logger.debug("Identity link signer cert accepted for signing identity link: " + - "subjectDN check failed, but OID check successfully passed."); - } - } catch (X509ExtensionInitException e) { - throw new ValidateException("validator.49", null); - } - } else { - Logger.debug("Identity link signer cert accepted for signing identity link: " + - "subjectDN check successfully passed."); - } - - } - } - - /** - * Method validateCertificate. - * @param verifyXMLSignatureResponse The VerifyXMLSignatureResponse - * @param idl The Identitylink - * @throws ValidateException - */ - public void validateCertificate( - VerifyXMLSignatureResponse verifyXMLSignatureResponse, - IdentityLink idl) - throws ValidateException { - - X509Certificate x509Response = verifyXMLSignatureResponse.getX509certificate(); - PublicKey[] pubKeysIdentityLink = (PublicKey[]) idl.getPublicKey(); - - PublicKey pubKeySignature = x509Response.getPublicKey(); - - boolean found = false; - for (int i = 0; i < pubKeysIdentityLink.length; i++) { - - //compare RSAPublicKeys - if ((idl.getPublicKey()[i] instanceof java.security.interfaces.RSAPublicKey) && - (pubKeySignature instanceof java.security.interfaces.RSAPublicKey)) { - - RSAPublicKey rsaPubKeySignature = (RSAPublicKey) pubKeySignature; - RSAPublicKey rsakey = (RSAPublicKey) pubKeysIdentityLink[i]; - - if (rsakey.getModulus().equals(rsaPubKeySignature.getModulus()) - && rsakey.getPublicExponent().equals(rsaPubKeySignature.getPublicExponent())) - found = true; - } - - //compare ECDSAPublicKeys - if((idl.getPublicKey()[i] instanceof iaik.security.ecc.ecdsa.ECPublicKey) && - (pubKeySignature instanceof iaik.security.ecc.ecdsa.ECPublicKey)) { - - ECPublicKey ecdsaPubKeySignature = (ECPublicKey) pubKeySignature; - ECPublicKey ecdsakey = (ECPublicKey) pubKeysIdentityLink[i]; - - if(ecdsakey.equals(ecdsaPubKeySignature)) - found = true; - } - } - - if (!found) - throw new ValidateException("validator.09", null); - } - -} |