From c51641d057e5db708ef90bee2da271532da6d939 Mon Sep 17 00:00:00 2001 From: "harald.bratko" Date: Thu, 18 Jan 2007 14:29:56 +0000 Subject: .) OID check for identity link signer certificates (needed for certificates after february 19th 2007) .) hard coded subjectDN check for identity link signer certificates (for certificates before february 19th 2007) to make configuration entries optional git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@788 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/auth/MOAIDAuthConstants.java | 23 ++++++++++++- .../VerifyXMLSignatureResponseValidator.java | 38 ++++++++++++++-------- .../moa/id/config/ConfigurationBuilder.java | 25 +++++++++----- .../id/config/auth/AuthConfigurationProvider.java | 8 +++-- 4 files changed, 68 insertions(+), 26 deletions(-) (limited to 'id.server/src/at/gv') diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 15d21b4b9..190b2cef9 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -1,5 +1,8 @@ package at.gv.egovernment.moa.id.auth; +import iaik.asn1.ObjectID; + + /** * Constants used throughout moa-id-auth component. * 
@@ -50,6 +53,24 @@ public interface MOAIDAuthConstants { public static final String HEADER_VALUE_CACHE_CONTROL = "no-store, no-cache, must-revalidate"; /** Header Value for controlling the caching mechanism of the browser */ public static final String HEADER_VALUE_CACHE_CONTROL_IE = "post-check=0, pre-check=0"; - + /** + * the identity link signer X509Subject names of those identity link signer certificates + * not including the identity link signer OID. The authorisation for signing the identity + * link must be checked by using their issuer names. After february 19th 2007 the OID of + * the certificate will be used fo checking the authorisation for signing identity links. + */ + public static final String[] IDENTITY_LINK_SIGNERS_WITHOUT_OID = + new String[] {"T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitgieds der Datenschutzkommission", + "CN=zmr,OU=BMI-IV-2,O=BMI,C=AT", + "T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitglieds der Datenschutzkommission"}; + /** + * the number of the certifcate extension "Eigenschaft zur Ausstellung von Personenbindungen" + */ + public static final String IDENTITY_LINK_SIGNER_OID_NUMBER = "1.2.40.0.10.1.7.1"; + /** + * the OID of the identity link signer certificate (Eigenschaft zur Ausstellung von Personenbindungen); + * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007 + */ + public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER); } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 218e26233..3f08f103c 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java 
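Review bot: `IDENTITY_LINK_SIGNERS_WITHOUT_OID` is declared as a `public static final String[]`, so the reference is fixed but the elements are not: any code that can see the interface can overwrite an entry and change which subject DNs are trusted to sign identity links. Exposing the defaults as an unmodifiable list avoids that, e.g. `public static final List IDENTITY_LINK_SIGNERS_WITHOUT_OID = Collections.unmodifiableList(Arrays.asList(new String[] { ... }));`, with the consumer in `ConfigurationBuilder` adapted to match. The first and third entries differ only in `Mitgieds` / `Mitglieds`; if the misspelt form is there to match a certificate that was really issued that way, a one-line comment saying so would keep it from being "corrected" later. The Javadoc also says the check uses "issuer names" while the constant holds subject DNs, which looks like it should read "subject names".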
@@ -1,13 +1,16 @@ package at.gv.egovernment.moa.id.auth.validator; -import java.security.PublicKey; -import java.security.interfaces.RSAPublicKey; -import iaik.security.ecc.ecdsa.ECPublicKey; - import iaik.asn1.structures.Name; +import iaik.security.ecc.ecdsa.ECPublicKey; import iaik.utils.RFC2253NameParserException; import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; +import java.security.PublicKey; +import java.security.interfaces.RSAPublicKey; +import java.util.List; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -53,7 +56,7 @@ public class VerifyXMLSignatureResponseValidator { * @throws ValidateException on any validation error */ public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse, - String[] identityLinkSignersSubjectDNNames, + List identityLinkSignersSubjectDNNames, String whatToCheck, boolean ignoreManifestValidationResult) throws ValidateException { 
@@ -103,15 +106,24 @@ public class VerifyXMLSignatureResponseValidator { catch (RFC2253NameParserException e) { throw new ValidateException("validator.17", null); } - boolean found = false; - for (int i = 0; i < identityLinkSignersSubjectDNNames.length; i++) { - if (identityLinkSignersSubjectDNNames[i].equals(subjectDN)) - found = true; + // check the authorisation to sign the identity link + if (!identityLinkSignersSubjectDNNames.contains(subjectDN)) { + // subject DN check failed, try OID check: + try { + if (x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) { + throw new ValidateException("validator.18", new Object[] { subjectDN }); + } else { + Logger.debug("Identity link signer cert accepted for signing identity link: " + + "subjectDN check failed, but OID check successfully passed."); + } + } catch (X509ExtensionInitException e) { + throw new ValidateException("validator.49", null); + } + } else { + Logger.debug("Identity link signer cert accepted for signing identity link: " + + "subjectDN check successfully passed."); } - if (!found) - throw new ValidateException( - "validator.18", - new Object[] { subjectDN }); + } } diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 6a9aee0ca..ebb29c26d 100644 --- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -22,6 +22,7 @@ import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.w3c.dom.traversal.NodeIterator; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.Schema; import at.gv.egovernment.moa.id.auth.data.SchemaImpl; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; 
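Review bot: A signer certificate whose subject DN is not on the list is now accepted in the inner `else` branch purely because `x509Cert.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID)` is non-null, and that decision is recorded only through `Logger.debug` without the DN. Presence of the extension is only as trustworthy as the CA that issued the certificate, so this check relies on path validation against a trust profile limited to CAs entitled to assert that OID; that step is not visible in the hunk and deserves a comment above the check. For audit purposes the fallback acceptance should be logged at a level kept in production and name the subject, e.g. `Logger.info("Identity link signer accepted via OID check, subjectDN=" + subjectDN);`. The `catch (X509ExtensionInitException e)` discards `e`; logging it before throwing `validator.49` would keep a malformed-extension rejection diagnosable. The enclosing `validate` method begins and ends outside the hunk.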
@@ -383,13 +384,13 @@ public class ConfigurationBuilder { /** - * Return a string array containing all X509 Subject Names + * Returns a list containing all X509 Subject Names * of the Identity Link Signers - * @return String with a url-reference to the VerifyAuthBlock trust profile ID + * @return a list containing the configured identity-link signer X509 subject names */ - public String[] getIdentityLink_X509SubjectNames() { + public List getIdentityLink_X509SubjectNames() { - List x509SubjectNameList = new ArrayList(); + Vector x509SubjectNameList = new Vector(); NodeIterator x509Iter = XPathUtils.selectNodeIterator( configElem_, @@ -397,14 +398,20 @@ public class ConfigurationBuilder { Element x509Elem; while ((x509Elem = (Element) x509Iter.nextNode()) != null) { - String vtInfoIDs = DOMUtils.getText(x509Elem); x509SubjectNameList.add(vtInfoIDs); } - String[] result = new String[x509SubjectNameList.size()]; - x509SubjectNameList.toArray(result); - - return result; + + // now add the default identity link signers + String[] identityLinkSignersWithoutOID = MOAIDAuthConstants.IDENTITY_LINK_SIGNERS_WITHOUT_OID; + for (int i=0; i