path: root/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
Diffstat (limited to 'spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java')
-rw-r--r--spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java116
1 files changed, 99 insertions, 17 deletions
diff --git a/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index e192b66a2..e8b2a5e10 100644
--- a/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss.server/src/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -1,20 +1,9 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
import iaik.IAIKException;
import iaik.IAIKRuntimeException;
+import iaik.ixsil.exceptions.URIException;
+import iaik.ixsil.util.URI;
import iaik.server.modules.xml.DataObject;
import iaik.server.modules.xml.XMLDataObject;
import iaik.server.modules.xml.XMLSignature;
@@ -26,18 +15,33 @@ import iaik.server.modules.xmlverify.XMLSignatureVerificationModule;
import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory;
import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile;
import iaik.server.modules.xmlverify.XMLSignatureVerificationResult;
+import iaik.x509.X509Certificate;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import at.gv.egovernment.moa.logging.LogMsg;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.logging.LoggingContext;
import at.gv.egovernment.moa.logging.LoggingContextManager;
-import at.gv.egovernment.moa.util.CollectionUtils;
-import at.gv.egovernment.moa.util.Constants;
-
import at.gv.egovernment.moa.spss.MOAApplicationException;
import at.gv.egovernment.moa.spss.MOAException;
import at.gv.egovernment.moa.spss.MOASystemException;
import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.common.CheckResult;
import at.gv.egovernment.moa.spss.api.common.XMLDataObjectAssociation;
import at.gv.egovernment.moa.spss.api.xmlverify.ReferenceInfo;
import at.gv.egovernment.moa.spss.api.xmlverify.ReferencesCheckResult;
@@ -50,12 +54,15 @@ import at.gv.egovernment.moa.spss.api.xmlverify.VerifyTransformsInfoProfileExpli
import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.server.config.TrustProfile;
import at.gv.egovernment.moa.spss.server.iaik.xml.XMLSignatureImpl;
import at.gv.egovernment.moa.spss.server.logging.IaikLog;
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
import at.gv.egovernment.moa.spss.util.MessageProvider;
+import at.gv.egovernment.moa.util.CollectionUtils;
+import at.gv.egovernment.moa.util.Constants;
/**
* A class providing a DOM based interface to the
@@ -208,13 +215,88 @@ public class XMLSignatureVerificationInvoker {
signatureManifestCheck =
validateSignatureManifest(request, result, profile);
+ // Check if signer certificate is in trust profile's allowed signer certificates pool
+ TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());
+ CheckResult certificateCheck = validateSignerCertificate(result, trustProfile);
+
// build the response
- responseBuilder.setResult(result, profile, signatureManifestCheck);
+ responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck);
return responseBuilder.getResponse();
}
/**
+ * Checks if the signer certificate matches one of the allowed signer certificates specified
+ * in the provided <code>trustProfile</code>.
+ *
+ * @param result The result produced by the <code>XMLSignatureVerificationModule</code>.
+ *
+ * @param trustProfile The trust profile the signer certificate is validated against.
+ *
+ * @return The overal result of the certificate validation for the signer certificate.
+ *
+ * @throws MOAException if one of the signer certificates specified in the <code>trustProfile</code>
+ * cannot be read from the file system.
+ */
+ private CheckResult validateSignerCertificate(XMLSignatureVerificationResult result, TrustProfile trustProfile)
+ throws MOAException
+ {
+ int resultCode = result.getCertificateValidationResult().getValidationResultCode().intValue();
+ if (resultCode == 0 && trustProfile.getSignerCertsUri() != null)
+ {
+ X509Certificate signerCertificate = (X509Certificate) result.getCertificateValidationResult().getCertificateChain().get(0);
+
+ File signerCertsDir = null;
+ try
+ {
+ signerCertsDir = new File(new URI(trustProfile.getSignerCertsUri()).getPath());
+ }
+ catch (URIException e)
+ {
+ throw new MOASystemException("2900", null, e); // Should not happen, already checked at loading the MOA configuration
+ }
+
+ File[] files = signerCertsDir.listFiles();
+ if (files == null) resultCode = 1;
+ int i;
+ for (i = 0; i < files.length; i++)
+ {
+ if (!files[i].isDirectory())
+ {
+ FileInputStream currentFIS = null;
+ try
+ {
+ currentFIS = new FileInputStream(files[i]);
+ }
+ catch (FileNotFoundException e) {
+ throw new MOASystemException("2900", null, e);
+ }
+
+ try
+ {
+ X509Certificate currentCert = new X509Certificate(currentFIS);
+ if (currentCert.equals(signerCertificate)) break;
+ }
+ catch (Exception e)
+ {
+ // Simply ignore file if it cannot be interpreted as certificate
+ Logger.warn("Signatorzertifiat aus Trustprofile mit id=" +
+ trustProfile.getId() + " kann nicht geparst werden: " +
+ e.getMessage());
+ }
+ }
+ }
+ if (i >= files.length)
+ {
+ resultCode = 1; // No signer certificate from the trustprofile pool matches the actual signer certificate
+ }
+ }
+
+ SPSSFactory factory = SPSSFactory.getInstance();
+ return factory.createCheckResult(resultCode, null);
+ }
+
+ /**
* Select the <code>dsig:Signature</code> DOM element within the signature
* environment.
*
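Review bot: In validateSignerCertificate the loop reads `files.length` right after `if (files == null) resultCode = 1;`, so a missing or unreadable signer-certificate directory ends in a NullPointerException instead of a failed certificate check. The `FileInputStream` opened for each file is also never closed, on either the match path or the parse-failure path, so every verification request leaks one handle per file in the directory, which on a busy server can exhaust file descriptors. I would guard the loop on `files != null`, close the stream in a `finally`, and track the match with a boolean rather than comparing the loop index afterwards, as sketched below. Separately, the warning logs only `e.getMessage()` and not the file name, which makes a broken entry in the pool hard to locate; adding `files[i].getName()` to the message would help.

```java
File[] files = signerCertsDir.listFiles();
boolean matched = false;
if (files != null)
{
  for (int i = 0; i < files.length && !matched; i++)
  {
    if (files[i].isDirectory()) continue;

    FileInputStream currentFIS = null;
    try
    {
      try
      {
        currentFIS = new FileInputStream(files[i]);
      }
      catch (FileNotFoundException e)
      {
        throw new MOASystemException("2900", null, e);
      }

      try
      {
        matched = new X509Certificate(currentFIS).equals(signerCertificate);
      }
      catch (Exception e)
      {
        // … unchanged: Logger.warn for a file that cannot be parsed as a certificate …
      }
    }
    finally
    {
      if (currentFIS != null)
      {
        try { currentFIS.close(); } catch (java.io.IOException e) { /* nothing to recover on close */ }
      }
    }
  }
}
if (!matched)
{
  resultCode = 1; // No readable pool certificate matches the signer certificate
}
```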