From f7d20da1c2ab2a952ae64a9447f189bfafd4e2a5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 13 Jun 2014 08:53:18 +0200
Subject: new test credentials include a certificate with a test OID as x509
 extension add test OID checks

---
 .../VerifyXMLSignatureResponseValidator.java       | 54 ++++++++++++++++++++--
 1 file changed, 50 insertions(+), 4 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 4fd7fa965..2b687a0c8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -46,6 +46,7 @@
 
 package at.gv.egovernment.moa.id.auth.validator;
 
+import iaik.asn1.ObjectID;
 import iaik.asn1.structures.Name;
 import iaik.security.ecc.ecdsa.ECPublicKey;
 import iaik.utils.RFC2253NameParserException;
@@ -54,7 +55,10 @@ import iaik.x509.X509ExtensionInitException;
 
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
+import java.util.Set;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
@@ -62,6 +66,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.exception.ValidateException;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -99,7 +104,7 @@ public class VerifyXMLSignatureResponseValidator {
    * @param verifyXMLSignatureResponse the <code>&lt;VerifyXMLSignatureResponse&gt;</code>
    * @param identityLinkSignersSubjectDNNames subject names configured
    * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
-   * @param ignoreManifestValidationResult specifies whether the validation result of the 
+   * @param oaParam specifies whether the validation result of the 
    *                                       manifest has to be ignored (identityLink validation if
    *                                       the OA is a business service) or not
    * @throws ValidateException on any validation error
@@ -108,7 +113,7 @@ public class VerifyXMLSignatureResponseValidator {
   public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
                        List<String> identityLinkSignersSubjectDNNames, 
                        String whatToCheck,
-                       boolean ignoreManifestValidationResult)
+                       IOAAuthParameters oaParam)
     throws ValidateException, ConfigurationException {
 
     if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
@@ -137,8 +142,49 @@ public class VerifyXMLSignatureResponseValidator {
     //check QC 
     if (AuthConfigurationProvider.getInstance().isCertifiacteQCActive() &&
     		!whatToCheck.equals(CHECK_IDENTITY_LINK) &&
-    		!verifyXMLSignatureResponse.isQualifiedCertificate())
-        throw new ValidateException("validator.71", null);
+    		!verifyXMLSignatureResponse.isQualifiedCertificate()) {
+    	    	
+    	//check if testcards are active and certificate has an extension for test credentials
+    	if (oaParam.isTestCredentialEnabled()) {
+        	boolean foundTestCredentialOID = false;
+        	try {
+        		X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate();
+    		
+        		List<String> validOIDs = new ArrayList<String>();
+        		if (oaParam.getTestCredentialOIDs() != null)
+        			validOIDs.addAll(oaParam.getTestCredentialOIDs());
+        		else
+        			validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID);
+    		
+        		Set<String> extentsions = signerCert.getCriticalExtensionOIDs();
+        		extentsions.addAll(signerCert.getNonCriticalExtensionOIDs());
+        		Iterator<String> extit = extentsions.iterator();
+        		while(extit.hasNext()) {
+        			String certOID = extit.next();
+        			for (String el : validOIDs) {
+        				if (certOID.startsWith(el))
+        					foundTestCredentialOID = true;
+        			}    			
+        		}
+        		
+        	} catch (Exception e) {
+        		Logger.warn("Test credential OID extraction FAILED.", e);
+        		
+        	}
+        	//throw Exception if not TestCredentialOID is found
+        	if (!foundTestCredentialOID)
+        		throw new ValidateException("validator.72", null);
+    		
+    	} else    	
+    		throw new ValidateException("validator.71", null);        
+    }
+    
+    // if OA is type is business service the manifest validation result has
+    // to be ignored
+    boolean ignoreManifestValidationResult = false;
+    if (whatToCheck.equals(CHECK_IDENTITY_LINK))    	
+    	ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
+            : false;
     
     if (ignoreManifestValidationResult) {
       Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
-- 
cgit v1.2.3