aboutsummaryrefslogtreecommitdiff
path: root/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
diff options
context:
space:
mode:
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java')
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java95
1 files changed, 70 insertions, 25 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
index 0ea0677..ad64052 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -19,8 +19,10 @@ import java.util.Arrays;
import java.util.Date;
import java.util.List;
+import at.gv.egovernment.moa.sig.tsl.TslConstants;
import at.gv.egovernment.moa.sig.tsl.engine.data.ITslEndEntityResult;
import at.gv.egovernment.moa.sig.tsl.exception.TslException;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
import at.gv.egovernment.moa.spss.api.common.TslInfos;
import at.gv.egovernment.moa.spss.api.impl.TslInfosImpl;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
@@ -186,16 +188,25 @@ public class CertificateUtils {
}
- ITslEndEntityResult tslCheckResult = TSLServiceFactory.getTSLServiceClient().evaluate(Arrays.asList(chain), signingTime);
+ ITslEndEntityResult tslCheckResult =
+ TSLServiceFactory.getTSLServiceClient().evaluate(
+ Arrays.asList(chain),
+ signingTime,
+ TslConstants.CHAIN_MODEL);
if (tslCheckResult != null) {
URI tslServiceTypeIdentifier = tslCheckResult.getEvaluatedServiceTypeIdentifier();
List<URI> tslCertificateQualifier = tslCheckResult.getEvaluatedQualifier();
+ // QC evaluation flags
boolean qc = false;
boolean qcSourceTSL = false;
+ boolean qcDisallowedFromTSL = false;
+
+ // SSCD/QSCD evaluation flags
boolean sscd = false;
boolean sscdSourceTSL = false;
+
//check QC
List<URI> allowedQCQualifier = config.getTSLConfiguration().getQualifierForQC();
@@ -207,37 +218,70 @@ public class CertificateUtils {
}
}
+
+ //check SSCD/QSCD qualifiers and mark result acording this check
+ List<URI> allowedSSCDQualifier = config.getTSLConfiguration().getQualifierForSSCD();
+ if (tslCertificateQualifier != null && allowedSSCDQualifier != null) {
+ for (URI allowedSSCD : allowedSSCDQualifier) {
+ for (URI certSSCD : tslCertificateQualifier) {
+ if (allowedSSCD.equals(certSSCD)) {
+ sscdSourceTSL = true;
+ sscd = true;
+
+ }
+ }
+ }
+ }
+
+ //check additional flags in TSP qualifiers for this certificate
+ if (tslCertificateQualifier != null) {
+ for (URI qEl : tslCertificateQualifier) {
+ //check if SSCD/QSCD status must be used from cert
+ if (qEl.equals(
+ TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.QCQSCDStatusAsInCert))
+ || qEl.equals(TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.QCSSCDStatusAsInCert))) {
+
+ sscdSourceTSL = false;
+ sscd = false;
+
+ //check if extentsion includes a NotQualified flag
+ } else if (qEl.equals(
+ TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) {
+ qc = false;
+ qcSourceTSL = false;
+ qcDisallowedFromTSL = true;
+ Logger.info("TSL mark this certificate explicitly as 'NotQualified'!");
+
+ }
+ }
+ }
+
+ //evaluate QC statement according previous selected information
if (qcSourceTSL)
Logger.debug("Certificate is QC (Source: TSL)");
-
+
else {
- // if QC check via TSL returns false
- // try certificate extensions QCP and QcEuCompliance
- Logger.debug("QC check via TSL returned false - checking certificate extensions");
- boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+ // if TSL return no service-type identifier us information from certificate
+ if (tslServiceTypeIdentifier == null ||
+ MiscUtil.isEmpty(tslServiceTypeIdentifier.toString())) {
+ // try certificate extensions QCP and QcEuCompliance
+ Logger.debug("QC check via TSL returned false - checking certificate extensions");
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
- if (checkQCP || checkQcEuCompliance) {
- Logger.debug("Certificate is QC (Source: Certificate)");
- qc = true;
+ if ((checkQCP || checkQcEuCompliance) && !qcDisallowedFromTSL) {
+ Logger.debug("Certificate is QC (Source: Certificate)");
+ qc = true;
- }
-
+ }
+ }
}
- //check SSCD
- List<URI> allowedSSCDQualifier = config.getTSLConfiguration().getQualifierForSSCD();
- for (URI allowedSSCD : allowedSSCDQualifier) {
- for (URI certSSCD : tslCertificateQualifier) {
- if (allowedSSCD.equals(certSSCD)) {
- sscdSourceTSL = true;
- sscd = true;
-
- }
- }
-
- }
+ //evaluate SSCD/QSCD results according previous selected information
if (sscdSourceTSL)
Logger.debug("Certificate is SSCD (Source: TSL)");
@@ -262,7 +306,8 @@ public class CertificateUtils {
tslCheckResult.getTerritory(),
tslCheckResult.getTspStatus(),
tslServiceTypeIdentifier.toString(),
- tslCertificateQualifier);
+ tslCertificateQualifier,
+ tslCheckResult.getAdditionalServiceInformation());
result.setTslInfos(extTslInfos);
return result;
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-11 23:53:34 +0000