From 0872d2d8a64fd701776b272f49222428d8def07f Mon Sep 17 00:00:00 2001
From: Andreas Fitzek <andreas.fitzek@iaik.tugraz.at>
Date: Tue, 3 Nov 2015 14:38:34 +0100
Subject: initial commit

---
 .../moa/spss/util/CertificateUtils.java            | 286 +++++++++++++++++++++
 1 file changed, 286 insertions(+)
 create mode 100644 moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java

(limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java')

diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
new file mode 100644
index 0000000..544ea91
--- /dev/null
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -0,0 +1,286 @@
+package at.gv.egovernment.moa.spss.util;
+
+import iaik.asn1.ObjectID;
+import iaik.asn1.structures.Name;
+import iaik.asn1.structures.PolicyInformation;
+import iaik.utils.RFC2253NameParser;
+import iaik.utils.RFC2253NameParserException;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+import iaik.x509.extensions.CertificatePolicies;
+import iaik.x509.extensions.qualified.QCStatements;
+import iaik.x509.extensions.qualified.structures.QCStatement;
+import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
+import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
+import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
+import iaik.xml.crypto.tsl.ex.TSLSearchException;
+
+import java.security.Principal;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+
+public class CertificateUtils {
+	
+	
+	/**
+	 * Verifies if the given certificate contains QCP+ statement
+	 * @param cert X509Certificate
+	 * @return true if the given certificate contains QCP+ statement, else false
+	 */
+	private static boolean checkQCPPlus(X509Certificate cert) {
+		Logger.debug("Checking QCP+ extension");
+		String OID_QCPPlus = "0.4.0.1456.1.1";
+		try {
+			CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
+			if (certPol == null) {
+				Logger.debug("No CertificatePolicies extension found");
+				return false;
+			}
+			
+			PolicyInformation[] polInfo = certPol.getPolicyInformation();
+			if (polInfo == null) {
+				Logger.debug("No policy information found");
+				return false;
+			}
+			
+			for (int i = 0; i < polInfo.length; i++) {
+				ObjectID oid = polInfo[i].getPolicyIdentifier();
+				String oidStr = oid.getID();
+				if (oidStr.compareToIgnoreCase(OID_QCPPlus) == 0) {
+					Logger.debug("QCP+ extension found");
+					return true;
+				}
+			}
+			
+			Logger.debug("No QCP+ extension found");
+			
+			return false;
+		} catch (X509ExtensionInitException e) {
+			Logger.debug("No QCP+ extension found");
+			
+			return false;
+		}
+		
+	}
+	
+	/**
+	 * Verifies if the given certificate contains QCP statement
+	 * @param cert X509Certificate
+	 * @return true if the given certificate contains QCP statement, else false
+	 */
+	private static boolean checkQCP(X509Certificate cert) {
+		Logger.debug("Checking QCP extension");
+		String OID_QCP = "0.4.0.1456.1.2";
+		try {
+			CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
+			if (certPol == null) {
+				Logger.debug("No CertificatePolicies extension found");
+				return false;
+			}
+			
+			PolicyInformation[] polInfo = certPol.getPolicyInformation();
+			if (polInfo == null) {
+				Logger.debug("No policy information found");
+				return false;
+			}
+			
+			for (int i = 0; i < polInfo.length; i++) {
+				ObjectID oid = polInfo[i].getPolicyIdentifier();
+				String oidStr = oid.getID();
+				if (oidStr.compareToIgnoreCase(OID_QCP) == 0) {
+					Logger.debug("QCP extension found");
+					return true;
+				}
+				
+			}
+			
+			Logger.debug("No QCP extension found");
+			return false;
+
+		} catch (X509ExtensionInitException e) {
+			Logger.debug("No QCP extension found");
+			return false;
+		}
+		
+	}
+	
+	/**
+	 * Verifies if the given certificate contains QcEuCompliance statement
+	 * @param cert X509Certificate
+	 * @return true if the given certificate contains QcEuCompliance statement, else false
+	 */
+	private static boolean checkQcEuCompliance(X509Certificate cert) {
+		Logger.debug("Checking QcEUCompliance extension");
+		try {
+			QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
+			
+			if (qcStatements == null) {
+				Logger.debug("No QcStatements extension found");
+				return false;
+			}
+			
+			QCStatement qcEuCompliance = qcStatements.getQCStatements(QcEuCompliance.statementID);
+			
+			if (qcEuCompliance != null) {
+				Logger.debug("QcEuCompliance extension found");
+				return true;
+			}
+			
+			Logger.debug("No QcEuCompliance extension found");
+			return false;
+
+		} catch (X509ExtensionInitException e) {
+			Logger.debug("No QcEuCompliance extension found");
+			return false;
+		}
+		
+	}
+	
+	/**
+	 * Verifies if the given certificate contains QcEuSSCD statement
+	 * @param cert X509Certificate
+	 * @return true if the given certificate contains QcEuSSCD statement, else false
+	 */
+	private static boolean checkQcEuSSCD(X509Certificate cert) {
+		Logger.debug("Checking QcEuSSCD extension");
+		try {
+			QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
+			if (qcStatements == null) {
+				Logger.debug("No QcStatements extension found");
+				return false;
+			}
+			
+			QCStatement qcEuSSCD = qcStatements.getQCStatements(QcEuSSCD.statementID);
+			
+			if (qcEuSSCD != null) {
+				Logger.debug("QcEuSSCD extension found");
+				return true;
+			}
+						
+			Logger.debug("No QcEuSSCD extension found");
+			return false;
+
+		} catch (X509ExtensionInitException e) {
+			Logger.debug("No QcEuSSCD extension found");
+			return false;
+		}
+		
+	}
+
+	public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) {
+		
+		boolean qc = false;
+		boolean qcSourceTSL = false;
+		boolean sscd = false;
+		boolean sscdSourceTSL = false;
+		
+		try { 
+		
+			if (isTSLenabledTrustprofile) {
+				// perform QC check via TSL
+				boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
+				if (!checkQCFromTSL) { 
+					// if QC check via TSL returns false
+					// try certificate extensions QCP and QcEuCompliance
+					Logger.debug("QC check via TSL returned false - checking certificate extensions");
+			     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+			        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+			        
+			        if (checkQCP || checkQcEuCompliance) {
+			        	Logger.debug("Certificate is QC (Source: Certificate)");
+			        	qc = true;			        	
+			        }
+			        
+		        	qcSourceTSL = false;
+		        }
+		        else {
+		        	// use TSL result
+		        	Logger.debug("Certificate is QC (Source: TSL)");
+		        	qc = true;
+		        	qcSourceTSL = true;
+		        }
+				
+				// perform SSCD check via TSL
+	        	boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
+	        	if (!checkSSCDFromTSL) {
+	        		// if SSCD check via TSL returns false
+					// try certificate extensions QCP+ and QcEuSSCD			       
+	        		Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
+		        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+			        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+			        
+			        if (checkQCPPlus || checkQcEuSSCD) {
+			        	Logger.debug("Certificate is SSCD (Source: Certificate)");
+			        	sscd = true;
+			        }
+			        
+		        	sscdSourceTSL = false;
+		        }
+		        else {
+		        	// use TSL result
+		        	Logger.debug("Certificate is SSCD (Source: TSL)");
+		        	sscd = true;
+		        	sscdSourceTSL = true;
+		        }
+	        	
+			}
+			else {
+				// Trustprofile is not TSL enabled - use certificate extensions only
+
+				// perform QC check
+				// try certificate extensions QCP and QcEuCompliance
+		     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+		        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+		        
+		        if (checkQCP || checkQcEuCompliance)
+		        	qc = true;
+		        
+	        	qcSourceTSL = false;
+	        	
+	        	// perform SSCD check
+	        	// try certificate extensions QCP+ and QcEuSSCD			       
+	        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+		        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+		        
+		        if (checkQCPPlus || checkQcEuSSCD)
+		        	sscd = true;
+		        
+	        	sscdSourceTSL = false;
+			}
+		}
+		catch (TSLEngineDiedException e) {
+	    	MessageProvider msg = MessageProvider.getInstance();
+	        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+		} catch (TSLSearchException e) {
+	    	MessageProvider msg = MessageProvider.getInstance();
+	        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+		}
+		
+		QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
+		
+		return result;
+	}
+	
+	/**
+	    * Gets the country from the certificate issuer
+	    * @param cert X509 certificate
+	    * @return Country code from the certificate issuer
+	    */
+	   public static String getIssuerCountry(X509Certificate cert) {
+		   String country = null;
+		   Principal issuerdn = cert.getIssuerX500Principal();
+		   RFC2253NameParser nameParser = new RFC2253NameParser(issuerdn.getName());
+		   
+		   try {
+			   Name name = nameParser.parse();
+			   country = name.getRDN(ObjectID.country);
+		   } catch (RFC2253NameParserException e) {
+			   Logger.warn("Could not get country code from issuer.");
+		   }
+		   
+		    
+		   return country;
+	   }
+}
-- 
cgit v1.2.3