Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java')
-rw-r--r-- | id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
 package at.gv.egovernment.moa.id.auth.validator;
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
 import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
 import iaik.utils.RFC2253NameParserException;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
 * @throws ValidateException on any validation error
 */
 public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
-String[] identityLinkSignersSubjectDNNames,
+List identityLinkSignersSubjectDNNames,
 String whatToCheck,
 boolean ignoreManifestValidationResult)
 throws ValidateException {
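Review bot: The new parameter type `List identityLinkSignersSubjectDNNames` is a raw type, so the `contains(subjectDN)` call in the later hunk accepts any element type and the compiler cannot check that callers pass subject DN strings. If the project compiles at Java 5 or later (not visible here), `List<String> identityLinkSignersSubjectDNNames` would express the contract; either way the `@param` entry for this parameter in the Javadoc above the hunk should be updated to say the array became a list of subject DN strings. The body of validate continues outside this hunk.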
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
 catch (RFC2253NameParserException e) {
 throw new ValidateException("validator.17", null);
 }
-boolean found = false;
-for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
-if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
-found = true;
+// check the authorisation to sign the identity link
+if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+// subject DN check failed, try OID check:
+try {
+if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+throw new ValidateException("validator.18", new Object[] { subjectDN });
+} else {
+Logger.debug("Identity link signer cert accepted for signing identity link: " + "subjectDN check failed, but OID check successfully passed.");
+}
+} catch (X509ExtensionInitException e) {
+throw new ValidateException("validator.49", null);
+}
+} else {
+Logger.debug("Identity link signer cert accepted for signing identity link: " + "subjectDN check successfully passed.");
 }
-if (!found)
-throw new ValidateException(
-"validator.18",
-new Object[] { subjectDN });
+}
 }
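Review bot: The OID fallback in the new `if (!identityLinkSignersSubjectDNNames.contains(subjectDN))` branch grants identity-link signing authority to any certificate that carries `MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID`, so the decision no longer rests on the configured signer list alone. That is only sound if the certificate's chain to a trusted issuer has already been verified before this point, so that an arbitrary issuer cannot produce a certificate with that extension; that check is not visible in the hunk and validate begins outside it, so it should be confirmed and recorded with a comment above the `try`, such as `// OID-based acceptance assumes x509Cert's chain was verified against the trusted issuers earlier in validate`. For auditability the OID-path debug message should identify the certificate it accepted, e.g. `Logger.debug("Identity link signer cert accepted for signing identity link: subjectDN check failed, but OID check successfully passed: " + subjectDN);`. The `catch (X509ExtensionInitException e)` maps the failure to `validator.49` but discards `e`; a `Logger.debug("Extension lookup failed: " + e);` before the throw would keep the parse failure diagnosable without changing the exception contract.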