1 files changed, 25 insertions, 13 deletions

diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
 package at.gv.egovernment.moa.id.auth.validator;
 
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
 import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
 import iaik.utils.RFC2253NameParserException;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
    * @throws ValidateException on any validation error
    */
   public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
-                       String[] identityLinkSignersSubjectDNNames, 
+                       List identityLinkSignersSubjectDNNames, 
                        String whatToCheck,
                        boolean ignoreManifestValidationResult)
     throws ValidateException {
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
       catch (RFC2253NameParserException e) {
         throw new ValidateException("validator.17", null);
       }
-      boolean found = false;
-      for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
-        if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
-          found = true;
+      // check the authorisation to sign the identity link
+      if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+        // subject DN check failed, try OID check:
+        try {
+          if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+            throw new ValidateException("validator.18", new Object[] { subjectDN });
+          } else {
+            Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                         "subjectDN check failed, but OID check successfully passed.");
+          }
+        } catch (X509ExtensionInitException e) {
+          throw new ValidateException("validator.49", null);
+        }
+      } else {
+        Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                     "subjectDN check successfully passed.");
       }
-      if (!found)
-        throw new ValidateException(
-          "validator.18",
-          new Object[] { subjectDN });
+      
     }
   }