From 8574f931c169248c67c3a5946351f9072628af46 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Mon, 2 Jan 2017 16:35:43 +0100
Subject: first untested beta version with new TSL lib

---
 .../moa/spss/util/CertificateUtils.java            | 221 +++++++++++++--------
 1 file changed, 135 insertions(+), 86 deletions(-)

(limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java')

diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
index 358524d..0ea0677 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -12,12 +12,19 @@ import iaik.x509.extensions.qualified.QCStatements;
 import iaik.x509.extensions.qualified.structures.QCStatement;
 import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
 import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
-import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
-import iaik.xml.crypto.tsl.ex.TSLSearchException;
 
+import java.net.URI;
 import java.security.Principal;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.List;
 
-import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
+import at.gv.egovernment.moa.sig.tsl.engine.data.ITslEndEntityResult;
+import at.gv.egovernment.moa.sig.tsl.exception.TslException;
+import at.gv.egovernment.moa.spss.api.common.TslInfos;
+import at.gv.egovernment.moa.spss.api.impl.TslInfosImpl;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.tsl.TSLServiceFactory;
 import at.gv.egovernment.moaspss.logging.LogMsg;
 import at.gv.egovernment.moaspss.logging.Logger;
 
@@ -169,100 +176,142 @@ public class CertificateUtils {
 		
 	}
 
-	public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) {
-		
-		boolean qc = false;
-		boolean qcSourceTSL = false;
-		boolean sscd = false;
-		boolean sscdSourceTSL = false;
-		
+	public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, Date signingTime, boolean isTSLenabledTrustprofile, ConfigurationProvider config) {
+					
 		try { 
-		
 			if (isTSLenabledTrustprofile) {
-				// perform QC check via TSL
-				boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
-				if (!checkQCFromTSL) { 
-					// if QC check via TSL returns false
-					// try certificate extensions QCP and QcEuCompliance
-					Logger.debug("QC check via TSL returned false - checking certificate extensions");
-			     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
-			        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
-			        
-			        if (checkQCP || checkQcEuCompliance) {
-			        	Logger.debug("Certificate is QC (Source: Certificate)");
-			        	qc = true;			        	
-			        }
-			        
-		        	qcSourceTSL = false;
-		        }
-		        else {
-		        	// use TSL result
-		        	Logger.debug("Certificate is QC (Source: TSL)");
-		        	qc = true;
-		        	qcSourceTSL = true;
-		        }
+				if (signingTime == null) {
+					signingTime = new Date();
+					Logger.debug("TSL check without signingTime --> use current time for evaluation");
+					
+				}
 				
-				// perform SSCD check via TSL
-	        	boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
-	        	if (!checkSSCDFromTSL) {
-	        		// if SSCD check via TSL returns false
-					// try certificate extensions QCP+ and QcEuSSCD			       
-	        		Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
-		        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
-			        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
-			        
-			        if (checkQCPPlus || checkQcEuSSCD) {
-			        	Logger.debug("Certificate is SSCD (Source: Certificate)");
-			        	sscd = true;
-			        }
-			        
-		        	sscdSourceTSL = false;
-		        }
-		        else {
-		        	// use TSL result
-		        	Logger.debug("Certificate is SSCD (Source: TSL)");
-		        	sscd = true;
-		        	sscdSourceTSL = true;
-		        }
-	        	
-			}
-			else {
-				// Trustprofile is not TSL enabled - use certificate extensions only
-
-				// perform QC check
-				// try certificate extensions QCP and QcEuCompliance
-		     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
-		        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
-		        
-		        if (checkQCP || checkQcEuCompliance)
-		        	qc = true;
-		        
-	        	qcSourceTSL = false;
-	        	
-	        	// perform SSCD check
-	        	// try certificate extensions QCP+ and QcEuSSCD			       
-	        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
-		        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
-		        
-		        if (checkQCPPlus || checkQcEuSSCD)
-		        	sscd = true;
-		        
-	        	sscdSourceTSL = false;
-			}
+				ITslEndEntityResult tslCheckResult = TSLServiceFactory.getTSLServiceClient().evaluate(Arrays.asList(chain), signingTime);
+				
+				if (tslCheckResult != null) {				
+					URI tslServiceTypeIdentifier = tslCheckResult.getEvaluatedServiceTypeIdentifier();
+					List<URI> tslCertificateQualifier = tslCheckResult.getEvaluatedQualifier();
+					
+					boolean qc = false;
+					boolean qcSourceTSL = false;
+					boolean sscd = false;
+					boolean sscdSourceTSL = false;
+										
+					//check QC
+					List<URI> allowedQCQualifier = config.getTSLConfiguration().getQualifierForQC();
+					for (URI el : allowedQCQualifier) {
+						if (el.equals(tslServiceTypeIdentifier)) {
+							qcSourceTSL = true;
+							qc = true;
+							
+						}
+						
+					}
+					if (qcSourceTSL)					
+						Logger.debug("Certificate is QC (Source: TSL)");
+					
+					else {
+						// if QC check via TSL returns false
+						// try certificate extensions QCP and QcEuCompliance
+						Logger.debug("QC check via TSL returned false - checking certificate extensions");
+				     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+				        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+				        
+				        if (checkQCP || checkQcEuCompliance) {
+				        	Logger.debug("Certificate is QC (Source: Certificate)");
+				        	qc = true;
+				        	
+				        }	
+						
+					}
+					
+					
+					//check SSCD
+					List<URI> allowedSSCDQualifier = config.getTSLConfiguration().getQualifierForSSCD();
+					for (URI allowedSSCD : allowedSSCDQualifier) {
+						for (URI certSSCD : tslCertificateQualifier) {						
+							if (allowedSSCD.equals(certSSCD)) {
+								sscdSourceTSL = true;
+								sscd = true;
+							
+							}
+						}
+						
+					} 
+					if (sscdSourceTSL)					
+						Logger.debug("Certificate is SSCD (Source: TSL)");
+					
+					else {
+						// if SSCD check via TSL returns false
+						// try certificate extensions QCP+ and QcEuSSCD			       
+		        		Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
+			        	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+				        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+				        
+				        if (checkQCPPlus || checkQcEuSSCD) {
+				        	Logger.debug("Certificate is SSCD (Source: Certificate)");
+				        	sscd = true;
+				        }						
+					}
+					
+					//build basic result
+					QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
+					
+					//add additinal information
+					TslInfos extTslInfos = new TslInfosImpl(
+							tslCheckResult.getTerritory(),
+							tslCheckResult.getTspStatus(),
+							tslServiceTypeIdentifier.toString(),
+							tslCertificateQualifier);
+					result.setTslInfos(extTslInfos);
+										
+					return result;
+									
+				} else {
+					Logger.debug("Qualifier check via TSL return null - checking certificate extensions");
+					return parseInfosFromCertificate(chain);
+					
+				}
+							        	
+			} else 
+				return parseInfosFromCertificate(chain);
 		}
-		catch (TSLEngineDiedException e) {
-	    	MessageProvider msg = MessageProvider.getInstance();
-	        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
-		} catch (TSLSearchException e) {
+		catch (TslException e) {
 	    	MessageProvider msg = MessageProvider.getInstance();
 	        Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e);
+		
+	        return new QCSSCDResult();
 		}
 		
-		QCSSCDResult result = new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
+	}
+	
+	private static QCSSCDResult parseInfosFromCertificate(X509Certificate[] chain) {
+		boolean qc = false;
+		boolean sscd = false;
+		
+		// Trustprofile is not TSL enabled - use certificate extensions only
+
+		// perform QC check
+		// try certificate extensions QCP and QcEuCompliance
+     	boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+        boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+        
+        if (checkQCP || checkQcEuCompliance)
+        	qc = true;
+            	
+    	// perform SSCD check
+    	// try certificate extensions QCP+ and QcEuSSCD			       
+    	boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]);
+        boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]);
+        
+        if (checkQCPPlus || checkQcEuSSCD)
+        	sscd = true;
+            	
+    	return new QCSSCDResult(qc, false, sscd, false);
 		
-		return result;
 	}
 	
+	
 	/**
 	    * Gets the country from the certificate issuer
 	    * @param cert X509 certificate
-- 
cgit v1.2.3