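package at.gv.egovernment.moa.id.auth.validator;

import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;

import iaik.asn1.structures.Name;
import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;

import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;

/**
 * This class is used to validate a {@link VerifyXMLSignatureResponse}
 * returned by MOA-SPSS.
 *
 * <p>All failures are reported as a {@link ValidateException} carrying a
 * message key ({@code validator.NN}); the validator never returns a boolean.
 *
 * @author Stefan Knirsch
 * @version $Id$
 */
public class VerifyXMLSignatureResponseValidator {

  /** Identification string for checking identity link */
  public static final String CHECK_IDENTITY_LINK = "IdentityLink";

  /** Identification string for checking authentication block */
  public static final String CHECK_AUTH_BLOCK = "AuthBlock";

  /** Singleton instance. null, if none has been created. */
  private static VerifyXMLSignatureResponseValidator instance;

  /**
   * Returns the singleton VerifyXMLSignatureResponseValidator, creating it on
   * first use.
   *
   * @return the shared validator instance
   * @throws ValidateException declared for API compatibility; creation itself
   *         does not throw
   */
  public static synchronized VerifyXMLSignatureResponseValidator getInstance()
      throws ValidateException {
    if (instance == null) {
      instance = new VerifyXMLSignatureResponseValidator();
    }
    return instance;
  }

  /**
   * Validates a {@link VerifyXMLSignatureResponse} returned by MOA-SPSS.
   *
   * <p>Checks, in order: the signature check code, the certificate check code,
   * the XMLDSIG manifest check code (only if a manifest was present) and,
   * if a signer list is configured, that the signer certificate's subject DN
   * (RFC 2253 form) is one of the configured names.
   *
   * @param verifyXMLSignatureResponse the &lt;VerifyXMLSignatureResponse&gt;
   * @param identityLinkSignersSubjectDNNames subject names configured; {@code null}
   *        disables the subject DN check entirely
   * @param whatToCheck {@link #CHECK_IDENTITY_LINK} or {@link #CHECK_AUTH_BLOCK};
   *        only selects the message key used for a certificate check failure
   * @throws ValidateException on any validation error
   */
  public void validate(
      VerifyXMLSignatureResponse verifyXMLSignatureResponse,
      String[] identityLinkSignersSubjectDNNames,
      String whatToCheck)
      throws ValidateException {

    // The signature itself must verify; every later check is meaningless otherwise.
    if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) {
      throw new ValidateException("validator.06", null);
    }

    // Certificate (chain) check failed: report with a key specific to what was signed.
    if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) {
      if (whatToCheck.equals(CHECK_IDENTITY_LINK)) {
        throw new ValidateException("validator.07", null);
      } else {
        throw new ValidateException("validator.19", null);
      }
    }

    // The manifest check code is only meaningful when the response reports a manifest.
    if (verifyXMLSignatureResponse.isXmlDSIGManigest()
        && verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) {
      throw new ValidateException("validator.08", null);
    }

    // Check whether the returned X509 SubjectName is in the MOA-ID configuration or not.
    // A null list means no signer restriction is configured and the check is skipped.
    if (identityLinkSignersSubjectDNNames != null) {
      X509Certificate x509Cert = verifyXMLSignatureResponse.getX509certificate();
      // NOTE(review): x509Cert is not null-checked here (as in the original); confirm the
      // response always carries the signer certificate once the checks above have passed.
      String subjectDN;
      try {
        subjectDN = ((Name) x509Cert.getSubjectDN()).getRFC2253String();
      } catch (RFC2253NameParserException e) {
        throw new ValidateException("validator.17", null);
      }
      if (!containsSubjectDN(identityLinkSignersSubjectDNNames, subjectDN)) {
        throw new ValidateException("validator.18", new Object[] { subjectDN });
      }
    }
  }

  /**
   * Returns whether {@code subjectDN} exactly equals one of the configured names.
   * Comparison is plain string equality on the RFC 2253 form, no normalization.
   *
   * @param configuredNames non-null array of configured subject DN strings
   * @param subjectDN the RFC 2253 subject DN of the signer certificate
   * @return true if an exact match exists
   */
  private static boolean containsSubjectDN(String[] configuredNames, String subjectDN) {
    for (int i = 0; i < configuredNames.length; i++) {
      if (configuredNames[i].equals(subjectDN)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Checks that the public key of the signer certificate in the response matches
   * one of the public keys contained in the identity link (RSA modulus and public
   * exponent both equal).
   *
   * <p>Only RSA keys are compared. A response certificate carrying a non-RSA key,
   * or an identity link without any matching RSA key, fails with
   * {@code validator.09} rather than escaping as a runtime exception.
   *
   * @param verifyXMLSignatureResponse the VerifyXMLSignatureResponse whose
   *        signer certificate is checked
   * @param idl the identity link supplying the expected public key(s)
   * @throws ValidateException if no identity link key matches the certificate key
   */
  public void validateCertificate(
      VerifyXMLSignatureResponse verifyXMLSignatureResponse,
      IdentityLink idl)
      throws ValidateException {

    X509Certificate x509Response = verifyXMLSignatureResponse.getX509certificate();
    PublicKey responseKey = x509Response.getPublicKey();

    // A non-RSA certificate key can never match an RSA identity-link key; report it
    // as "no matching key" instead of letting a ClassCastException escape.
    if (!(responseKey instanceof RSAPublicKey)) {
      throw new ValidateException("validator.09", null);
    }
    RSAPublicKey pubKeyResponse = (RSAPublicKey) responseKey;

    PublicKey[] pubKeysIdentityLink = (PublicKey[]) idl.getPublicKey();
    // No key array at all is treated like an empty one: nothing to match against.
    if (pubKeysIdentityLink == null) {
      throw new ValidateException("validator.09", null);
    }

    for (int i = 0; i < pubKeysIdentityLink.length; i++) {
      PublicKey candidate = pubKeysIdentityLink[i];
      if (candidate instanceof RSAPublicKey) {
        RSAPublicKey rsakey = (RSAPublicKey) candidate;
        // Modulus and exponent are public values; plain equality is sufficient here.
        if (rsakey.getModulus().equals(pubKeyResponse.getModulus())
            && rsakey.getPublicExponent().equals(pubKeyResponse.getPublicExponent())) {
          return;
        }
      }
    }
    throw new ValidateException("validator.09", null);
  }
}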