aboutsummaryrefslogtreecommitdiff
path: root/id.server/src/at/gv/egovernment/moa/id/auth
diff options
context:
space:
mode:
authorharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2007-01-18 14:29:56 +0000
committerharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2007-01-18 14:29:56 +0000
commitc51641d057e5db708ef90bee2da271532da6d939 (patch)
treeaf9ab7e97d38c90cc315642b7f18ddc47e89f145 /id.server/src/at/gv/egovernment/moa/id/auth
parent64967f241e637a13f157f207f6b132efe1383f3d (diff)
downloadmoa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.gz
moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.tar.bz2
moa-id-spss-c51641d057e5db708ef90bee2da271532da6d939.zip
.) OID check for identity link signer certificates (needed for certificates after february 19th 2007)
.) hard coded subjectDN check for identity link signer certificates (for certificates before february 19th 2007) to make configuration entries optional git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@788 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java23
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java38
2 files changed, 47 insertions, 14 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 15d21b4b9..190b2cef9 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -1,5 +1,8 @@
package at.gv.egovernment.moa.id.auth;
+import iaik.asn1.ObjectID;
+
+
/**
* Constants used throughout moa-id-auth component.
*
@@ -50,6 +53,24 @@ public interface MOAIDAuthConstants {
public static final String HEADER_VALUE_CACHE_CONTROL = "no-store, no-cache, must-revalidate";
/** Header Value for controlling the caching mechanism of the browser */
public static final String HEADER_VALUE_CACHE_CONTROL_IE = "post-check=0, pre-check=0";
-
+ /**
+ * the identity link signer X509Subject names of those identity link signer certificates
+ * not including the identity link signer OID. The authorisation for signing the identity
+ * link must be checked by using their issuer names. After february 19th 2007 the OID of
+ * the certificate will be used fo checking the authorisation for signing identity links.
+ */
+ public static final String[] IDENTITY_LINK_SIGNERS_WITHOUT_OID =
+ new String[] {"T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitgieds der Datenschutzkommission",
+ "CN=zmr,OU=BMI-IV-2,O=BMI,C=AT",
+ "T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitglieds der Datenschutzkommission"};
+ /**
+ * the number of the certifcate extension "Eigenschaft zur Ausstellung von Personenbindungen"
+ */
+ public static final String IDENTITY_LINK_SIGNER_OID_NUMBER = "1.2.40.0.10.1.7.1";
+ /**
+ * the OID of the identity link signer certificate (Eigenschaft zur Ausstellung von Personenbindungen);
+ * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007
+ */
+ public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER);
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
package at.gv.egovernment.moa.id.auth.validator;
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
* @throws ValidateException on any validation error
*/
public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
- String[] identityLinkSignersSubjectDNNames,
+ List identityLinkSignersSubjectDNNames,
String whatToCheck,
boolean ignoreManifestValidationResult)
throws ValidateException {
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
catch (RFC2253NameParserException e) {
throw new ValidateException("validator.17", null);
}
- boolean found = false;
- for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
- if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
- found = true;
+ // check the authorisation to sign the identity link
+ if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+ // subject DN check failed, try OID check:
+ try {
+ if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+ throw new ValidateException("validator.18", new Object[] { subjectDN });
+ } else {
+ Logger.debug("Identity link signer cert accepted for signing identity link: " +
+ "subjectDN check failed, but OID check successfully passed.");
+ }
+ } catch (X509ExtensionInitException e) {
+ throw new ValidateException("validator.49", null);
+ }
+ } else {
+ Logger.debug("Identity link signer cert accepted for signing identity link: " +
+ "subjectDN check successfully passed.");
}
- if (!found)
- throw new ValidateException(
- "validator.18",
- new Object[] { subjectDN });
+
}
}