2 files changed, 47 insertions, 14 deletions

diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 15d21b4b9..190b2cef9 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -1,5 +1,8 @@
 package at.gv.egovernment.moa.id.auth;
 
+import iaik.asn1.ObjectID;
+
+
 /**
  * Constants used throughout moa-id-auth component.
  * 
@@ -50,6 +53,24 @@ public interface MOAIDAuthConstants {
   public static final String HEADER_VALUE_CACHE_CONTROL = "no-store, no-cache, must-revalidate";
   /** Header Value for controlling the caching mechanism of the browser */
   public static final String HEADER_VALUE_CACHE_CONTROL_IE = "post-check=0, pre-check=0";
-  
+  /** 
+   * the identity link signer X509Subject names of those identity link signer certificates 
+   * not including the identity link signer OID. The authorisation for signing the identity
+   * link must be checked by using their issuer names. After february 19th 2007 the OID of
+   * the certificate will be used fo checking the authorisation for signing identity links.
+   */ 
+  public static final String[] IDENTITY_LINK_SIGNERS_WITHOUT_OID = 
+    new String[] {"T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitgieds der Datenschutzkommission",
+                  "CN=zmr,OU=BMI-IV-2,O=BMI,C=AT",
+                  "T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitglieds der Datenschutzkommission"};  
+  /**
+   * the number of the certifcate extension "Eigenschaft zur Ausstellung von Personenbindungen"
+   */
+  public static final String IDENTITY_LINK_SIGNER_OID_NUMBER = "1.2.40.0.10.1.7.1";
+  /** 
+   * the OID of the identity link signer certificate (Eigenschaft zur Ausstellung von Personenbindungen);
+   * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007
+   */
+  public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER);
 
 }
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
 package at.gv.egovernment.moa.id.auth.validator;
 
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
 import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
 import iaik.utils.RFC2253NameParserException;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
    * @throws ValidateException on any validation error
    */
   public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
-                       String[] identityLinkSignersSubjectDNNames, 
+                       List identityLinkSignersSubjectDNNames, 
                        String whatToCheck,
                        boolean ignoreManifestValidationResult)
     throws ValidateException {
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
       catch (RFC2253NameParserException e) {
         throw new ValidateException("validator.17", null);
       }
-      boolean found = false;
-      for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
-        if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
-          found = true;
+      // check the authorisation to sign the identity link
+      if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+        // subject DN check failed, try OID check:
+        try {
+          if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+            throw new ValidateException("validator.18", new Object[] { subjectDN });
+          } else {
+            Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                         "subjectDN check failed, but OID check successfully passed.");
+          }
+        } catch (X509ExtensionInitException e) {
+          throw new ValidateException("validator.49", null);
+        }
+      } else {
+        Logger.debug("Identity link signer cert accepted for signing identity link: " +
+                     "subjectDN check successfully passed.");
       }
-      if (!found)
-        throw new ValidateException(
-          "validator.18",
-          new Object[] { subjectDN });
+      
     }
   }