aboutsummaryrefslogtreecommitdiff
path: root/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment
diff options
context:
space:
mode:
authorThomas <>2023-05-02 09:27:05 +0200
committerThomas <>2023-05-02 09:27:05 +0200
commitdafc76624606f7d47f65006a6bf4695c3a0cd1a9 (patch)
tree87b7cca5e6abeecf6c0109cf1407a890b53439ab /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment
parent25927320bb14d0acc2ab8204ff10646014c8c0c8 (diff)
downloadmoa-sig-dafc76624606f7d47f65006a6bf4695c3a0cd1a9.tar.gz
moa-sig-dafc76624606f7d47f65006a6bf4695c3a0cd1a9.tar.bz2
moa-sig-dafc76624606f7d47f65006a6bf4695c3a0cd1a9.zip
feat(pkix): add addition features to validate short-term certificates
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment')
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java95
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java38
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java30
3 files changed, 156 insertions, 7 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 5daf1a6..5f8b46d 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -94,6 +94,9 @@ public class ConfigurationPartsBuilder {
private static final String CM_CHAINING = "chaining";
private static final String CM_PKIX = "pkix";
+ private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0;
+ private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true;
+
//
// XPath expressions to select certain parts of the configuration
//
@@ -205,6 +208,17 @@ public class ConfigurationPartsBuilder {
+ CONF + "RevocationChecking/"
+ CONF + "CrlRetentionIntervals/"
+ CONF + "CA";
+
+ private static final String SHORT_TIME_CERTS_INTERVALS_XPATH =
+ ROOT + CONF + "SignatureVerification/"
+ + CONF + "CertificateValidation/"
+ + CONF + "RevocationChecking/"
+ + CONF + "ShortTermedCertificates";
+
+ private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH =
+ SHORT_TIME_CERTS_INTERVALS_XPATH + "/"
+ + CONF + "CA";
+
private static final String ENABLE_REVOCATION_CHECKING_XPATH_ =
ROOT + CONF + "SignatureVerification/"
+ CONF + "CertificateValidation/"
@@ -1718,17 +1732,84 @@ public class ConfigurationPartsBuilder {
final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null);
final String i = getElementValue(modElem, CONF + "Interval", null);
final Integer interval = new Integer(i);
- try {
- final RFC2253NameParser parser = new RFC2253NameParser(x509IssuerName);
- final Name name = parser.parse();
- map.put(name.getRFC2253String(), interval);
- } catch (final RFC2253NameParserException e) {
- map.put(x509IssuerName, interval);
- }
+ map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval);
}
return map;
}
+
+ /**
+ * Should ETSI extension should be used for short-time certificate validation.
+ *
+ * @return <code>true</code> if it is used
+ */
+ public boolean isShotTimeCertEtsiExtCheck() {
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SHORT_TIME_CERTS_INTERVALS_XPATH);
+
+ Element modElem;
+ if ((modElem = (Element) modIter.nextNode()) != null) {
+ Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension"));
+ Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension");
+ return value;
+
+ }
+
+ return SHORT_TIME_CERT_DEFAULT_ETSI;
+ }
+
+ /**
+ * Get default shortTime certificate interval.
+ *
+ * @return Time in minutes
+ */
+ public int getShotTimeCertDefaultInterval() {
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SHORT_TIME_CERTS_INTERVALS_XPATH);
+
+ Element modElem;
+ if ((modElem = (Element) modIter.nextNode()) != null) {
+ String defaultString = modElem.getAttribute("defaultValidityPeriod");
+ Logger.debug("Set default shortTimePeriodInterval to: " + defaultString);
+ return Integer.valueOf(defaultString);
+
+ }
+
+ return SHORT_TIME_CERT_DEFAULT_INTERVAL;
+ }
+
+
+ /**
+ * Returns a map of shortTime certificate intervals.
+ *
+ * <p>
+ * No revocation checks are performed during this interval.
+ * </p>
+ *
+ * @return
+ */
+ public Map<String, Integer> getShotTimeCertIntervals() {
+ final Map map = new HashMap();
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SHORT_TIME_CERTS_INTERVALS_CA_XPATH);
+
+ Element modElem;
+ while ((modElem = (Element) modIter.nextNode()) != null) {
+ final String x509IssuerName = ConfigurationProvider.normalizeX500Names(
+ getElementValue(modElem, CONF + "X509IssuerName", null));
+ final String i = getElementValue(modElem, CONF + "ValidityPeriod", null);
+ final Integer interval = new Integer(i);
+ map.put(x509IssuerName, interval);
+ Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName);
+
+ }
+
+ return map;
+ }
+
}
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 4596109..85930b2 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -258,6 +258,12 @@ public class ConfigurationProvider {
*/
private Map crlRetentionIntervals;
+
+ private boolean useShortTimeCertificateEtisExt;
+ private int defaultShortTimeCertificatePeriod;
+ private Map<String, Integer> shortTimeCertificatePeriods;
+
+
/**
* Indicates wether external URIs are allowed or not
*/
@@ -416,6 +422,10 @@ public class ConfigurationProvider {
permitFileURIs = builder.getPermitFileURIs();
crlRetentionIntervals = builder.getCrlRetentionIntervals();
+ shortTimeCertificatePeriods = builder.getShotTimeCertIntervals();
+ defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval();
+ useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck();
+
allowExternalUris_ = builder.allowExternalUris();
if (allowExternalUris_) {
@@ -998,5 +1008,33 @@ public class ConfigurationProvider {
public TSLConfiguration getTSLConfiguration() {
return tslconfiguration_;
}
+
+ public int getDefaultShortTimeCertificatePeriod() {
+ return defaultShortTimeCertificatePeriod;
+ }
+
+ public boolean isUseShortTimeCertificateEtisExt() {
+ return useShortTimeCertificateEtisExt;
+ }
+
+ public Map<String, Integer> getShortTimeCertificatePeriods() {
+ return shortTimeCertificatePeriods;
+ }
+
+
+ public static final String normalizeX500Names(String x500Name) {
+ try {
+ final RFC2253NameParser parser = new RFC2253NameParser(x500Name);
+ final Name name = parser.parse();
+ return name.getRFC2253String();
+
+ } catch (final RFC2253NameParserException e) {
+ Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is");
+ return x500Name;
+
+ }
+
+ }
+
} \ No newline at end of file
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java
index 6aa20cf..002df3b 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java
@@ -30,8 +30,11 @@ import java.util.Map;
import java.util.Set;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moaspss.logging.Logger;
+import iaik.asn1.structures.Name;
import iaik.pki.revocation.RevocationConfiguration;
import iaik.pki.revocation.dbcrl.config.DBCrlConfig;
+import iaik.utils.RFC2253NameParserException;
/**
* An implementation of the <code>RevocationConfiguration</code> interface using
@@ -111,4 +114,31 @@ public class RevocationConfigurationImpl extends AbstractObservableConfiguration
return false;
}
+ @Override
+ public boolean checkETSIValidityAssuredShortTermExt() {
+ return config.isUseShortTimeCertificateEtisExt();
+
+ }
+
+ @Override
+ public Long getShortTermedValidityPeriod(X509Certificate eeCert) {
+ try {
+ String issuer = ConfigurationProvider.normalizeX500Names(((Name)eeCert.getIssuerDN()).getRFC2253String());
+ if (config.getShortTimeCertificatePeriods().containsKey(issuer)) {
+ Integer interval = config.getShortTimeCertificatePeriods().get(issuer);
+ Logger.debug("Use shortTermedValidityPeriod: " + interval + "[min] for Issuer: " + issuer);
+ return Long.valueOf(interval) * 60 * 1000;
+
+ }
+
+ } catch (RFC2253NameParserException e) {
+ Logger.warn("Can not normalize X509 IssuerName: " + eeCert.getIssuerDN(), e);
+
+ }
+
+ Logger.debug("Use default shortTermedValidityPeriod: " + config.getDefaultShortTimeCertificatePeriod() + "[min]");
+ return Long.valueOf(config.getDefaultShortTimeCertificatePeriod()) * 60 * 1000;
+
+ }
+
}