diff options
| author | harald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2007-01-18 14:29:56 +0000 |
|---|---|---|
| committer | harald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2007-01-18 14:29:56 +0000 |
| commit | c51641d057e5db708ef90bee2da271532da6d939 (patch) | |
| tree | af9ab7e97d38c90cc315642b7f18ddc47e89f145 /id.server/src/at/gv/egovernment/moa/id/auth/validator | |
| parent | 64967f241e637a13f157f207f6b132efe1383f3d (diff) | |
| download | moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.gz moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.bz2 moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.zip | |
.) OID check for identity link signer certificates (needed for certificates after february 19th 2007)
.) hard coded subjectDN check for identity link signer certificates (for certificates before february 19th 2007) to make configuration entries optional
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@788 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth/validator')
| -rw-r--r-- | id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 218e26233..3f08f103c 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -1,13 +1,16 @@ package at.gv.egovernment.moa.id.auth.validator; -import java.security.PublicKey; -import java.security.interfaces.RSAPublicKey; -import iaik.security.ecc.ecdsa.ECPublicKey; - import iaik.asn1.structures.Name; +import iaik.security.ecc.ecdsa.ECPublicKey; import iaik.utils.RFC2253NameParserException; import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; +import java.security.PublicKey; +import java.security.interfaces.RSAPublicKey; +import java.util.List; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator { * @throws ValidateException on any validation error */ public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse, - String[] identityLinkSignersSubjectDNNames, + List identityLinkSignersSubjectDNNames, String whatToCheck, boolean ignoreManifestValidationResult) throws ValidateException { @@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator { catch (RFC2253NameParserException e) { throw new ValidateException("validator.17", null); } - boolean found = false; - for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) { - if (identityLinkSignersSubjectDNNames[i].equals(subjectDN)) - found = true; + // check the authorisation to sign the identity link + if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) { + // subject DN check failed, try OID check: + try { + if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) { + throw new ValidateException("validator.18", new Object[] { subjectDN }); + } else { + Logger.debug("Identity link signer cert accepted for signing identity link: " + + "subjectDN check failed, but OID check successfully passed."); + } + } catch (X509ExtensionInitException e) { + throw new ValidateException("validator.49", null); + } + } else { + Logger.debug("Identity link signer cert accepted for signing identity link: " + + "subjectDN check successfully passed."); } - if (!found) - throw new ValidateException( - "validator.18", - new Object[] { subjectDN }); + } } |