-rw-r--r--id.server/res/resources/properties/id_messages_de.properties4
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java23
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java38
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java25
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java8
5 files changed, 71 insertions, 27 deletions
diff --git a/id.server/res/resources/properties/id_messages_de.properties b/id.server/res/resources/properties/id_messages_de.properties
index 4c03625ad..56bd53968 100644
--- a/id.server/res/resources/properties/id_messages_de.properties
+++ b/id.server/res/resources/properties/id_messages_de.properties
@@ -113,7 +113,8 @@ validator.15=Der Namespace des SAML-Attributs "OA" ist ungültig {0}
validator.16=Die vorkonfigurierte URL der OnlineApplikation ist fehlerhaft {0}
validator.17= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist ungültig {0}
-validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als gültiger SubjectDN-Name für eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
+#validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als gültiger SubjectDN-Name für eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
+validator.18= Das Zertifikat mit dem die Personenbindung signiert wurde, ist nicht zum Signieren der Personenbindung zulässig. Es konnte weder der SubjectDN ({0}) einem berechtigten Namen zugeordnet werden, noch enthält das Zertifikat die Erweiterung "Eigenschaft zur Ausstellung von Personenbindungen".
validator.19=Das verwendete Zertifikat zum Signieren ist ungültig.<br>{0}
@@ -151,6 +152,7 @@ validator.46=Überprüfung der {0}-Infobox fehlgeschlagen: Der Wert des von der Pr
validator.47=Überprüfung der {0}-Infobox fehlgeschlagen: Das von der Prüfapplikation zurückgegebene SAML-Attribut Nummer {1} kann nicht eindeutig zugeordnet werden.
validator.48={0}-Infobox wurde nicht von der BKU übermittelt: Für die Anmeldung an dieser Online-Applikation ist die {0}-Infobox erforderlich. Bitte melden Sie sich erneut an, und selektieren Sie in Ihrer BKU die {0}-Infobox.
+validator.49=Beim Ermitteln der Personenbindungs-OID im Zertifikat, mit dem die Personenbindung signiert wurde, ist ein Fehler aufgetreten.
ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 15d21b4b9..190b2cef9 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -1,5 +1,8 @@
package at.gv.egovernment.moa.id.auth;
+import iaik.asn1.ObjectID;
+
+
/**
* Constants used throughout moa-id-auth component.
*
@@ -50,6 +53,24 @@ public interface MOAIDAuthConstants {
public static final String HEADER_VALUE_CACHE_CONTROL = "no-store, no-cache, must-revalidate";
/** Header Value for controlling the caching mechanism of the browser */
public static final String HEADER_VALUE_CACHE_CONTROL_IE = "post-check=0, pre-check=0";
-
+ /**
+ * the identity link signer X509Subject names of those identity link signer certificates
+ * not including the identity link signer OID. The authorisation for signing the identity
+ * link must be checked by using their issuer names. After february 19th 2007 the OID of
+ * the certificate will be used fo checking the authorisation for signing identity links.
+ */
+ public static final String[] IDENTITY_LINK_SIGNERS_WITHOUT_OID =
+ new String[] {"T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitgieds der Datenschutzkommission",
+ "CN=zmr,OU=BMI-IV-2,O=BMI,C=AT",
+ "T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitglieds der Datenschutzkommission"};
+ /**
+ * the number of the certifcate extension "Eigenschaft zur Ausstellung von Personenbindungen"
+ */
+ public static final String IDENTITY_LINK_SIGNER_OID_NUMBER = "1.2.40.0.10.1.7.1";
+ /**
+ * the OID of the identity link signer certificate (Eigenschaft zur Ausstellung von Personenbindungen);
+ * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007
+ */
+ public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER);
}
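Review bot: The Javadoc on IDENTITY_LINK_SIGNERS_WITHOUT_OID says the authorisation "must be checked by using their issuer names", but the three entries are subject DNs and VerifyXMLSignatureResponseValidator compares them against the signer certificate's subject DN, so the comment should read "subject names". The list also carries the same DN twice, once as "Mitgieds" and once as "Mitglieds"; if the misspelled variant is deliberate because an issued certificate really contains that typo, say so, e.g. `// both spellings are intentional: one issued signer certificate carries the "Mitgieds" typo`, otherwise it reads as a copy error. Because ConfigurationBuilder merges these DNs into the configured list unconditionally, a deployment cannot retire any of them through configuration, which is worth stating on the constant together with the date after which the DN fallback is meant to go away. Finally, `certifcate` in the IDENTITY_LINK_SIGNER_OID_NUMBER Javadoc should be `certificate`.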
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
package at.gv.egovernment.moa.id.auth.validator;
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
* @throws ValidateException on any validation error
*/
public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
- String[] identityLinkSignersSubjectDNNames,
+ List identityLinkSignersSubjectDNNames,
String whatToCheck,
boolean ignoreManifestValidationResult)
throws ValidateException {
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
catch (RFC2253NameParserException e) {
throw new ValidateException("validator.17", null);
}
- boolean found = false;
- for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
- if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
- found = true;
+ // check the authorisation to sign the identity link
+ if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+ // subject DN check failed, try OID check:
+ try {
+ if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+ throw new ValidateException("validator.18", new Object[] { subjectDN });
+ } else {
+ Logger.debug("Identity link signer cert accepted for signing identity link: " +
+ "subjectDN check failed, but OID check successfully passed.");
+ }
+ } catch (X509ExtensionInitException e) {
+ throw new ValidateException("validator.49", null);
+ }
+ } else {
+ Logger.debug("Identity link signer cert accepted for signing identity link: " +
+ "subjectDN check successfully passed.");
}
- if (!found)
- throw new ValidateException(
- "validator.18",
- new Object[] { subjectDN });
+
}
}
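Review bot: The `catch (X509ExtensionInitException e)` block discards the exception: `throw new ValidateException("validator.49", null)` neither logs `e` nor passes it on, so a malformed extension in the signer certificate leaves no diagnostic for the operator. Log it before rethrowing, e.g. `Logger.warn("Could not read identity link signer extension from certificate " + subjectDN, e);`, or pass `e` as the cause if ValidateException has a constructor that takes one. Note also that `getExtension(...) != null` only establishes that the extension is present; whether the issuing CA was entitled to mark a certificate with this OID must come from the trust profile under which MOA-SP verified the signature, which is not visible here, so a short comment on the OID branch stating that assumption would help the next reader. The enclosing `validate` method starts in an earlier hunk, outside this one.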
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index 6a9aee0ca..ebb29c26d 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -22,6 +22,7 @@ import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.Schema;
import at.gv.egovernment.moa.id.auth.data.SchemaImpl;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
@@ -383,13 +384,13 @@ public class ConfigurationBuilder {
/**
- * Return a string array containing all X509 Subject Names
+ * Returns a list containing all X509 Subject Names
* of the Identity Link Signers
- * @return String with a url-reference to the VerifyAuthBlock trust profile ID
+ * @return a list containing the configured identity-link signer X509 subject names
*/
- public String[] getIdentityLink_X509SubjectNames() {
+ public List getIdentityLink_X509SubjectNames() {
- List x509SubjectNameList = new ArrayList();
+ Vector x509SubjectNameList = new Vector();
NodeIterator x509Iter =
XPathUtils.selectNodeIterator(
configElem_,
@@ -397,14 +398,20 @@ public class ConfigurationBuilder {
Element x509Elem;
while ((x509Elem = (Element) x509Iter.nextNode()) != null) {
-
String vtInfoIDs = DOMUtils.getText(x509Elem);
x509SubjectNameList.add(vtInfoIDs);
}
- String[] result = new String[x509SubjectNameList.size()];
- x509SubjectNameList.toArray(result);
-
- return result;
+
+ // now add the default identity link signers
+ String[] identityLinkSignersWithoutOID = MOAIDAuthConstants.IDENTITY_LINK_SIGNERS_WITHOUT_OID;
+ for (int i=0; i<identityLinkSignersWithoutOID.length; i++) {
+ String identityLinkSigner = identityLinkSignersWithoutOID[i];
+ if (!x509SubjectNameList.contains(identityLinkSigner)) {
+ x509SubjectNameList.add(identityLinkSigner);
+ }
+ }
+
+ return x509SubjectNameList;
}
/**
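Review bot: The built-in DNs from IDENTITY_LINK_SIGNERS_WITHOUT_OID are appended to the configured list unconditionally, so an operator cannot drop one of them via the MOA-ID configuration, for instance once the OID-based check is authoritative or one of these signer keys is withdrawn; if that is intended, the method's Javadoc should say the returned list always contains these defaults in addition to the configured subject names. The loop variable `vtInfoIDs` on the context line is a leftover name for a subject DN and would read better as `subjectName`. The preceding hunk also switches the accumulator from `ArrayList` to `Vector`; unless synchronisation is required, `List x509SubjectNameList = new ArrayList();` is the idiomatic form and keeps the declared type consistent with the new `List` return type. The method's signature lies in the preceding hunk, outside this one.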
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index e45d7cba8..b4af6592c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -6,6 +6,8 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
+import java.util.List;
+
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -117,7 +119,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
/**
* X509 SubjectNames which will be trusted
*/
- private String[] identityLinkX509SubjectNames;
+ private List identityLinkX509SubjectNames;
/**
* default parameters for verifying additional infoboxes.
*/
@@ -370,9 +372,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
/**
* Returns the identityLinkX509SubjectNames.
- * @return String[]
+ * @return List
*/
- public String[] getIdentityLinkX509SubjectNames() {
+ public List getIdentityLinkX509SubjectNames() {
return identityLinkX509SubjectNames;
}