diff options
author | Thomas <> | 2023-05-02 09:27:05 +0200 |
---|---|---|
committer | Thomas <> | 2023-05-02 09:27:05 +0200 |
commit | dafc76624606f7d47f65006a6bf4695c3a0cd1a9 (patch) | |
tree | 87b7cca5e6abeecf6c0109cf1407a890b53439ab /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss | |
parent | 25927320bb14d0acc2ab8204ff10646014c8c0c8 (diff) | |
download | moa-sig-dafc76624606f7d47f65006a6bf4695c3a0cd1a9.tar.gz moa-sig-dafc76624606f7d47f65006a6bf4695c3a0cd1a9.tar.bz2 moa-sig-dafc76624606f7d47f65006a6bf4695c3a0cd1a9.zip |
feat(pkix): add addition features to validate short-term certificates
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss')
3 files changed, 156 insertions, 7 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 5daf1a6..5f8b46d 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -94,6 +94,9 @@ public class ConfigurationPartsBuilder { private static final String CM_CHAINING = "chaining"; private static final String CM_PKIX = "pkix"; + private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0; + private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true; + // // XPath expressions to select certain parts of the configuration // @@ -205,6 +208,17 @@ public class ConfigurationPartsBuilder { + CONF + "RevocationChecking/" + CONF + "CrlRetentionIntervals/" + CONF + "CA"; + + private static final String SHORT_TIME_CERTS_INTERVALS_XPATH = + ROOT + CONF + "SignatureVerification/" + + CONF + "CertificateValidation/" + + CONF + "RevocationChecking/" + + CONF + "ShortTermedCertificates"; + + private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH = + SHORT_TIME_CERTS_INTERVALS_XPATH + "/" + + CONF + "CA"; + private static final String ENABLE_REVOCATION_CHECKING_XPATH_ = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" @@ -1718,17 +1732,84 @@ public class ConfigurationPartsBuilder { final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null); final String i = getElementValue(modElem, CONF + "Interval", null); final Integer interval = new Integer(i); - try { - final RFC2253NameParser parser = new RFC2253NameParser(x509IssuerName); - final Name name = parser.parse(); - map.put(name.getRFC2253String(), interval); - } catch (final RFC2253NameParserException e) { - map.put(x509IssuerName, interval); - } + map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval); } return map; } + + /** + * Should ETSI extension should be used for short-time certificate validation. + * + * @return <code>true</code> if it is used + */ + public boolean isShotTimeCertEtsiExtCheck() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SHORT_TIME_CERTS_INTERVALS_XPATH); + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension")); + Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension"); + return value; + + } + + return SHORT_TIME_CERT_DEFAULT_ETSI; + } + + /** + * Get default shortTime certificate interval. + * + * @return Time in minutes + */ + public int getShotTimeCertDefaultInterval() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SHORT_TIME_CERTS_INTERVALS_XPATH); + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + String defaultString = modElem.getAttribute("defaultValidityPeriod"); + Logger.debug("Set default shortTimePeriodInterval to: " + defaultString); + return Integer.valueOf(defaultString); + + } + + return SHORT_TIME_CERT_DEFAULT_INTERVAL; + } + + + /** + * Returns a map of shortTime certificate intervals. + * + * <p> + * No revocation checks are performed during this interval. + * </p> + * + * @return + */ + public Map<String, Integer> getShotTimeCertIntervals() { + final Map map = new HashMap(); + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SHORT_TIME_CERTS_INTERVALS_CA_XPATH); + + Element modElem; + while ((modElem = (Element) modIter.nextNode()) != null) { + final String x509IssuerName = ConfigurationProvider.normalizeX500Names( + getElementValue(modElem, CONF + "X509IssuerName", null)); + final String i = getElementValue(modElem, CONF + "ValidityPeriod", null); + final Integer interval = new Integer(i); + map.put(x509IssuerName, interval); + Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName); + + } + + return map; + } + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 4596109..85930b2 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -258,6 +258,12 @@ public class ConfigurationProvider { */ private Map crlRetentionIntervals; + + private boolean useShortTimeCertificateEtisExt; + private int defaultShortTimeCertificatePeriod; + private Map<String, Integer> shortTimeCertificatePeriods; + + /** * Indicates wether external URIs are allowed or not */ @@ -416,6 +422,10 @@ public class ConfigurationProvider { permitFileURIs = builder.getPermitFileURIs(); crlRetentionIntervals = builder.getCrlRetentionIntervals(); + shortTimeCertificatePeriods = builder.getShotTimeCertIntervals(); + defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval(); + useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck(); + allowExternalUris_ = builder.allowExternalUris(); if (allowExternalUris_) { @@ -998,5 +1008,33 @@ public class ConfigurationProvider { public TSLConfiguration getTSLConfiguration() { return tslconfiguration_; } + + public int getDefaultShortTimeCertificatePeriod() { + return defaultShortTimeCertificatePeriod; + } + + public boolean isUseShortTimeCertificateEtisExt() { + return useShortTimeCertificateEtisExt; + } + + public Map<String, Integer> getShortTimeCertificatePeriods() { + return shortTimeCertificatePeriods; + } + + + public static final String normalizeX500Names(String x500Name) { + try { + final RFC2253NameParser parser = new RFC2253NameParser(x500Name); + final Name name = parser.parse(); + return name.getRFC2253String(); + + } catch (final RFC2253NameParserException e) { + Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is"); + return x500Name; + + } + + } + }
\ No newline at end of file diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java index 6aa20cf..002df3b 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java @@ -30,8 +30,11 @@ import java.util.Map; import java.util.Set; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moaspss.logging.Logger; +import iaik.asn1.structures.Name; import iaik.pki.revocation.RevocationConfiguration; import iaik.pki.revocation.dbcrl.config.DBCrlConfig; +import iaik.utils.RFC2253NameParserException; /** * An implementation of the <code>RevocationConfiguration</code> interface using @@ -111,4 +114,31 @@ public class RevocationConfigurationImpl extends AbstractObservableConfiguration return false; } + @Override + public boolean checkETSIValidityAssuredShortTermExt() { + return config.isUseShortTimeCertificateEtisExt(); + + } + + @Override + public Long getShortTermedValidityPeriod(X509Certificate eeCert) { + try { + String issuer = ConfigurationProvider.normalizeX500Names(((Name)eeCert.getIssuerDN()).getRFC2253String()); + if (config.getShortTimeCertificatePeriods().containsKey(issuer)) { + Integer interval = config.getShortTimeCertificatePeriods().get(issuer); + Logger.debug("Use shortTermedValidityPeriod: " + interval + "[min] for Issuer: " + issuer); + return Long.valueOf(interval) * 60 * 1000; + + } + + } catch (RFC2253NameParserException e) { + Logger.warn("Can not normalize X509 IssuerName: " + eeCert.getIssuerDN(), e); + + } + + Logger.debug("Use default shortTermedValidityPeriod: " + config.getDefaultShortTimeCertificatePeriod() + "[min]"); + return Long.valueOf(config.getDefaultShortTimeCertificatePeriod()) * 60 * 1000; + + } + } |