From c51641d057e5db708ef90bee2da271532da6d939 Mon Sep 17 00:00:00 2001
From: "harald.bratko"
Date: Thu, 18 Jan 2007 14:29:56 +0000
Subject: .) OID check for identity link signer certificates (needed for certificates after february 19th 2007) .) hard coded subjectDN check for identity link signer certificates (for certificates before february 19th 2007) to make configuration entries optional
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@788 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
 .../VerifyXMLSignatureResponseValidator.java | 38 ++++++++++++++--------
 1 file changed, 25 insertions(+), 13 deletions(-)
(limited to 'id.server/src/at/gv/egovernment/moa/id/auth/validator')
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 218e26233..3f08f103c 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -1,13 +1,16 @@
 package at.gv.egovernment.moa.id.auth.validator;
 
-import java.security.PublicKey;
-import java.security.interfaces.RSAPublicKey;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-
 import iaik.asn1.structures.Name;
+import iaik.security.ecc.ecdsa.ECPublicKey;
 import iaik.utils.RFC2253NameParserException;
 import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator {
    * @throws ValidateException on any validation error
    */
   public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
-    String[] identityLinkSignersSubjectDNNames,
+    List identityLinkSignersSubjectDNNames,
     String whatToCheck,
     boolean ignoreManifestValidationResult)
     throws ValidateException {
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator {
     catch (RFC2253NameParserException e) {
       throw new ValidateException("validator.17", null);
     }
-    boolean found = false;
-    for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) {
-      if (identityLinkSignersSubjectDNNames[i].equals(subjectDN))
-        found = true;
+    // check the authorisation to sign the identity link
+    if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) {
+      // subject DN check failed, try OID check:
+      try {
+        if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
+          throw new ValidateException("validator.18", new Object[] { subjectDN });
+        } else {
+          Logger.debug("Identity link signer cert accepted for signing identity link: " + "subjectDN check failed, but OID check successfully passed.");
+        }
+      } catch (X509ExtensionInitException e) {
+        throw new ValidateException("validator.49", null);
+      }
+    } else {
+      Logger.debug("Identity link signer cert accepted for signing identity link: " + "subjectDN check successfully passed.");
     }
-    if (!found)
-      throw new ValidateException(
-        "validator.18",
-        new Object[] { subjectDN });
+
   }
 }
-- cgit v1.2.3
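Review bot: The new parameter type in the `validate` signature is the raw `List`; since the body compares its elements against a `String` via `contains(subjectDN)`, declaring it `List<String> identityLinkSignersSubjectDNNames` would document the element type and let the compiler reject a wrongly typed configuration list, assuming the project compiles for Java 5 or later, which the hunk does not show. The Javadoc block that ends just above the signature presumably still carries a `@param` entry written for the old `String[]`; it should now describe the parameter as the configured list of subject DNs an identity-link signer certificate may carry. The body of `validate` continues past this hunk.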
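Review bot: The fallback branch in the second hunk accepts the signer certificate on the mere presence of the `MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID` extension, which is only a sound authorisation test if an earlier step has already restricted the issuers this certificate may chain to; that step is outside the hunk, so the dependency should be stated where the fallback is taken, e.g. `// presence of the extension is trusted only because the certificate check performed earlier pins the issuer -- verify that check is mandatory`. The accept path after a failed subject-DN match logs no identifier, so an operator cannot later tell which certificate was admitted via the OID route; including the DN, `Logger.debug("... OID check successfully passed (subjectDN=" + subjectDN + ")")`, makes the trail usable. The `X509ExtensionInitException` handler discards `e` when it throws `validator.49`; if `ValidateException` cannot carry a cause, log `e` with the existing `Logger` before rethrowing so the parsing failure is not lost. `validate` begins before this hunk.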