Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util')
-rw-r--r-- | moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java | 95 |
1 files changed, 70 insertions, 25 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
index 0ea0677..ad64052 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -19,8 +19,10 @@
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
+import at.gv.egovernment.moa.sig.tsl.TslConstants;
 import at.gv.egovernment.moa.sig.tsl.engine.data.ITslEndEntityResult;
 import at.gv.egovernment.moa.sig.tsl.exception.TslException;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
 import at.gv.egovernment.moa.spss.api.common.TslInfos;
 import at.gv.egovernment.moa.spss.api.impl.TslInfosImpl;
 import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
@@ -186,16 +188,25 @@ public class CertificateUtils {
 }
- ITslEndEntityResult tslCheckResult = TSLServiceFactory.getTSLServiceClient().evaluate(Arrays.asList(chain), signingTime);
+ ITslEndEntityResult tslCheckResult =
+ TSLServiceFactory.getTSLServiceClient().evaluate(
+ Arrays.asList(chain),
+ signingTime,
+ TslConstants.CHAIN_MODEL);
 if (tslCheckResult != null) {
 URI tslServiceTypeIdentifier = tslCheckResult.getEvaluatedServiceTypeIdentifier();
 List<URI> tslCertificateQualifier = tslCheckResult.getEvaluatedQualifier();
+ // QC evaluation flags
 boolean qc = false;
 boolean qcSourceTSL = false;
+ boolean qcDisallowedFromTSL = false;
+
+ // SSCD/QSCD evaluation flags
 boolean sscd = false;
 boolean sscdSourceTSL = false;
+ //check QC
 List<URI> allowedQCQualifier = config.getTSLConfiguration().getQualifierForQC();
@@ -207,37 +218,70 @@ public class CertificateUtils {
 }
 }
+
+ //check SSCD/QSCD qualifiers and mark result acording this check
+ List<URI> allowedSSCDQualifier = config.getTSLConfiguration().getQualifierForSSCD();
+ if (tslCertificateQualifier != null && allowedSSCDQualifier != null) {
+ for (URI allowedSSCD : allowedSSCDQualifier) {
+ for (URI certSSCD : tslCertificateQualifier) {
+ if (allowedSSCD.equals(certSSCD)) {
+ sscdSourceTSL = true;
+ sscd = true;
+
+ }
+ }
+ }
+ }
+
+ //check additional flags in TSP qualifiers for this certificate
+ if (tslCertificateQualifier != null) {
+ for (URI qEl : tslCertificateQualifier) {
+ //check if SSCD/QSCD status must be used from cert
+ if (qEl.equals(
+ TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.QCQSCDStatusAsInCert))
+ || qEl.equals(TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.QCSSCDStatusAsInCert))) {
+
+ sscdSourceTSL = false;
+ sscd = false;
+
+ //check if extentsion includes a NotQualified flag
+ } else if (qEl.equals(
+ TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) {
+ qc = false;
+ qcSourceTSL = false;
+ qcDisallowedFromTSL = true;
+ Logger.info("TSL mark this certificate explicitly as 'NotQualified'!");
+
+ }
+ }
+ }
+
+ //evaluate QC statement according previous selected information
 if (qcSourceTSL)
 Logger.debug("Certificate is QC (Source: TSL)");
-
+
 else {
- // if QC check via TSL returns false
- // try certificate extensions QCP and QcEuCompliance
- Logger.debug("QC check via TSL returned false - checking certificate extensions");
- boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+ // if TSL return no service-type identifier us information from certificate
+ if (tslServiceTypeIdentifier == null ||
+ MiscUtil.isEmpty(tslServiceTypeIdentifier.toString())) {
+ // try certificate extensions QCP and QcEuCompliance
+ Logger.debug("QC check via TSL returned false - checking certificate extensions");
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
- if (checkQCP || checkQcEuCompliance) {
- Logger.debug("Certificate is QC (Source: Certificate)");
- qc = true;
+ if ((checkQCP || checkQcEuCompliance) && !qcDisallowedFromTSL) {
+ Logger.debug("Certificate is QC (Source: Certificate)");
+ qc = true;
- }
-
+ }
+ }
 }
- //check SSCD
- List<URI> allowedSSCDQualifier = config.getTSLConfiguration().getQualifierForSSCD();
- for (URI allowedSSCD : allowedSSCDQualifier) {
- for (URI certSSCD : tslCertificateQualifier) {
- if (allowedSSCD.equals(certSSCD)) {
- sscdSourceTSL = true;
- sscd = true;
-
- }
- }
-
- }
+ //evaluate SSCD/QSCD results according previous selected information
 if (sscdSourceTSL)
 Logger.debug("Certificate is SSCD (Source: TSL)");
@@ -262,7 +306,8 @@ public class CertificateUtils {
 tslCheckResult.getTerritory(),
 tslCheckResult.getTspStatus(),
 tslServiceTypeIdentifier.toString(),
- tslCertificateQualifier);
+ tslCertificateQualifier,
+ tslCheckResult.getAdditionalServiceInformation());
 result.setTslInfos(extTslInfos);
 return result; |
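Review bot: The new `tslServiceTypeIdentifier == null || MiscUtil.isEmpty(...)` guard in this hunk admits a TSL result without a service-type identifier, but the last hunk still passes `tslServiceTypeIdentifier.toString()` unconditionally into the TslInfosImpl constructor; as far as the visible context shows both sit inside the same `if (tslCheckResult != null)` block, so such a result would pass the QC evaluation and then fail with a NullPointerException when the result object is built. Passing `tslServiceTypeIdentifier == null ? null : tslServiceTypeIdentifier.toString()` there (or computing that String once next to the new guard and using it in both places) keeps the two sites consistent. A second, documentation-only point: the `QCQSCDStatusAsInCert`/`QCSSCDStatusAsInCert` branch only clears `sscd`/`sscdSourceTSL`, and a comment such as `// SSCD/QSCD status is then expected to come from the certificate in the sscdSourceTSL else-branch` would make it explicit that the certificate-derived check is presumably handled below, since that branch lies outside the hunk. The enclosing method starts before and ends after this hunk.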