From 2972ec31c2bd59434be9ac12872baa30141325df Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 25 Jan 2017 11:54:29 +0100
Subject: update QC evaluation from TSL --> if TSL support is enabled for the requested TrustProfile than ONLY QC information from TSL is used
---
 .../moa/spss/util/CertificateUtils.java | 71 +++++++++++++---------
 1 file changed, 41 insertions(+), 30 deletions(-)
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
index ad64052..ce78580 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -259,26 +259,33 @@ public class CertificateUtils {
 }
 }
- //evaluate QC statement according previous selected information
- if (qcSourceTSL)
- Logger.debug("Certificate is QC (Source: TSL)");
-
- else {
- // if TSL return no service-type identifier us information from certificate
- if (tslServiceTypeIdentifier == null ||
- MiscUtil.isEmpty(tslServiceTypeIdentifier.toString())) {
- // try certificate extensions QCP and QcEuCompliance
- Logger.debug("QC check via TSL returned false - checking certificate extensions");
- boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
-
- if ((checkQCP || checkQcEuCompliance) && !qcDisallowedFromTSL) {
- Logger.debug("Certificate is QC (Source: Certificate)");
- qc = true;
-
- }
- }
- }
+ /*
+ * This block is removes with MOA-SP 3.1 because if TSL support is enabled for the requested TrustProfile
+ * QC evaluation is ONLY allowed from TSL information!!! Because with eIDAS regulation and July 01. 2016
+ * the Trust-Status List is constitutive.
+ */
+// //evaluate QC statement according previous selected information
+// if (qcSourceTSL)
+// Logger.debug("Certificate is QC (Source: TSL)");
+//
+// else {
+//
+//
+// // if TSL return no service-type identifier us information from certificate
+// if (tslServiceTypeIdentifier == null ||
+// MiscUtil.isEmpty(tslServiceTypeIdentifier.toString())) {
+// // try certificate extensions QCP and QcEuCompliance
+// Logger.debug("QC check via TSL returned false - checking certificate extensions");
+// boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+// boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+//
+// if ((checkQCP || checkQcEuCompliance) && !qcDisallowedFromTSL) {
+// Logger.debug("Certificate is QC (Source: Certificate)");
+// qc = true;
+//
+// }
+// }
+// }
 //evaluate SSCD/QSCD results according previous selected information
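Review bot: The 22 lines of commented-out code added below the new block comment should be deleted rather than kept; the git history already holds the removed branch, and a dead copy of the `qc = true` logic sitting next to the live code invites someone to re-enable certificate-based QC evaluation, which is exactly what this commit forbids once TSL support is enabled. Keep only the explanatory comment, tightened to something like `// Since MOA-SP 3.1 the QC status is taken from the TSL only when TSL support is enabled for the TrustProfile (eIDAS: the Trust-Status List is constitutive since 1 July 2016); certificate extensions are no longer consulted here.` The phrase `This block is removes with MOA-SP 3.1` is also ungrammatical. The enclosing method begins and ends outside the hunk.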
@@ -313,13 +320,14 @@ public class CertificateUtils {
 return result; } else {
- Logger.debug("Qualifier check via TSL return null - checking certificate extensions");
- return parseInfosFromCertificate(chain);
+ Logger.debug("Qualifier check via TSL return null - checking certificate extensions without QC evaluation");
+ return parseInfosFromCertificate(chain, false);
 } } else
- return parseInfosFromCertificate(chain);
+ Logger.info("TSL support is not enabled - checking certificate extensions with QC evaluation ");
+ return parseInfosFromCertificate(chain, true);
 } catch (TslException e) { MessageProvider msg = MessageProvider.getInstance();
@@ -330,19 +338,22 @@ public class CertificateUtils {
 }
- private static QCSSCDResult parseInfosFromCertificate(X509Certificate[] chain) {
+ private static QCSSCDResult parseInfosFromCertificate(X509Certificate[] chain, boolean performQCEvaluation) {
 boolean qc = false; boolean sscd = false; // Trustprofile is not TSL enabled - use certificate extensions only
- // perform QC check
- // try certificate extensions QCP and QcEuCompliance
- boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+ if (performQCEvaluation) {
+ // perform QC check
+ // try certificate extensions QCP and QcEuCompliance
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
- if (checkQCP || checkQcEuCompliance)
- qc = true;
+ if (checkQCP || checkQcEuCompliance)
+ qc = true;
+
+ }
 // perform SSCD check // try certificate extensions QCP+ and QcEuSSCD
-- cgit v1.2.3
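Review bot: In the `else` that follows the TSL-enabled block, the new `Logger.info(...)` and `return parseInfosFromCertificate(chain, true);` are two statements after an unbraced `else`, so only the log call is conditional and the return with QC evaluation enabled is unconditional. It appears unreachable today because both inner branches of the TSL-enabled path return first, but the indentation says otherwise, and any later change that lets the TSL path fall through would silently re-enable certificate-based QC evaluation, the very thing this commit is meant to prevent. Wrap the branch with `} else {` before the log call and a closing `}` after the return (whether `}` and `else` sit on one line or two cannot be told from the collapsed hunk). The trailing space inside `"... with QC evaluation "` looks accidental. The enclosing method starts before the hunk.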
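Review bot: The new `performQCEvaluation` parameter of `parseInfosFromCertificate` is undocumented, and the surviving comment `// Trustprofile is not TSL enabled - use certificate extensions only` is now stale because the caller also reaches this method with `false` when TSL support is enabled but the TSL yielded no qualifier. Add a Javadoc stating that `chain` is the certificate chain whose end-entity certificate `chain[0]` is inspected, that `performQCEvaluation` controls whether the QCP/QcEuCompliance extensions are evaluated, and that when it is `false` the local `qc` stays `false` because QC status must then come from the TSL; reword the comment to `// QC evaluation is skipped when the TSL is authoritative for the TrustProfile`. The method continues past the end of the hunk.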