From b0d77d439a8df6b09648e19b1ec93f24eadfbe7b Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Fri, 20 Jan 2017 14:48:55 +0100
Subject: small changes to support TSL-lib version RC2
---
 .../moa/spss/util/CertificateUtils.java | 81 ++++++++++++++++------
 1 file changed, 60 insertions(+), 21 deletions(-)
(limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java')
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
index 6b07594..ad64052 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -22,6 +22,7 @@ import java.util.List;
 import at.gv.egovernment.moa.sig.tsl.TslConstants;
 import at.gv.egovernment.moa.sig.tsl.engine.data.ITslEndEntityResult;
 import at.gv.egovernment.moa.sig.tsl.exception.TslException;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
 import at.gv.egovernment.moa.spss.api.common.TslInfos;
 import at.gv.egovernment.moa.spss.api.impl.TslInfosImpl;
 import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
@@ -197,10 +198,15 @@ public class CertificateUtils {
 URI tslServiceTypeIdentifier = tslCheckResult.getEvaluatedServiceTypeIdentifier();
 List tslCertificateQualifier = tslCheckResult.getEvaluatedQualifier();
+ // QC evaluation flags
 boolean qc = false;
 boolean qcSourceTSL = false;
+ boolean qcDisallowedFromTSL = false;
+
+ // SSCD/QSCD evaluation flags
 boolean sscd = false;
 boolean sscdSourceTSL = false;
+ //check QC
 List allowedQCQualifier = config.getTSLConfiguration().getQualifierForQC();
@@ -212,26 +218,8 @@ public class CertificateUtils {
 }
 }
- if (qcSourceTSL)
- Logger.debug("Certificate is QC (Source: TSL)");
-
- else {
- // if QC check via TSL returns false
- // try certificate extensions QCP and QcEuCompliance
- Logger.debug("QC check via TSL returned false - checking certificate extensions");
- boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
- boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
-
- if (checkQCP || checkQcEuCompliance) {
- Logger.debug("Certificate is QC (Source: Certificate)");
- qc = true;
-
- }
-
- }
-
- //check SSCD
+ //check SSCD/QSCD qualifiers and mark result acording this check
 List allowedSSCDQualifier = config.getTSLConfiguration().getQualifierForSSCD();
 if (tslCertificateQualifier != null && allowedSSCDQualifier != null) {
 for (URI allowedSSCD : allowedSSCDQualifier) {
@@ -243,7 +231,57 @@ public class CertificateUtils {
 }
 }
 }
- }
+ }
+
+ //check additional flags in TSP qualifiers for this certificate
+ if (tslCertificateQualifier != null) {
+ for (URI qEl : tslCertificateQualifier) {
+ //check if SSCD/QSCD status must be used from cert
+ if (qEl.equals(
+ TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.QCQSCDStatusAsInCert))
+ || qEl.equals(TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.QCSSCDStatusAsInCert))) {
+
+ sscdSourceTSL = false;
+ sscd = false;
+
+ //check if extentsion includes a NotQualified flag
+ } else if (qEl.equals(
+ TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(
+ TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) {
+ qc = false;
+ qcSourceTSL = false;
+ qcDisallowedFromTSL = true;
+ Logger.info("TSL mark this certificate explicitly as 'NotQualified'!");
+
+ }
+ }
+ }
+
+ //evaluate QC statement according previous selected information
+ if (qcSourceTSL)
+ Logger.debug("Certificate is QC (Source: TSL)");
+
+ else {
+ // if TSL return no service-type identifier us information from certificate
+ if (tslServiceTypeIdentifier == null ||
+ MiscUtil.isEmpty(tslServiceTypeIdentifier.toString())) {
+ // try certificate extensions QCP and QcEuCompliance
+ Logger.debug("QC check via TSL returned false - checking certificate extensions");
+ boolean checkQCP = CertificateUtils.checkQCP(chain[0]);
+ boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]);
+
+ if ((checkQCP || checkQcEuCompliance) && !qcDisallowedFromTSL) {
+ Logger.debug("Certificate is QC (Source: Certificate)");
+ qc = true;
+
+ }
+ }
+ }
+
+
+ //evaluate SSCD/QSCD results according previous selected information
 if (sscdSourceTSL)
 Logger.debug("Certificate is SSCD (Source: TSL)");
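Review bot: The NotQualified branch of the new qualifier loop clears `qc` and `qcSourceTSL` and sets `qcDisallowedFromTSL`, but leaves `sscd`/`sscdSourceTSL` exactly as the preceding allowedSSCDQualifier loop set them (its body lies outside the hunk), so a TSL entry carrying both a matching SSCD/QSCD qualifier and NotQualified still reaches the `if (sscdSourceTSL)` branch and is reported as SSCD (Source: TSL) while QC is false; if that combination is not meant to be trusted, add `sscd = false;` and `sscdSourceTSL = false;` next to the existing resets, otherwise a one-line comment saying the SSCD result is intentionally kept would spare the next reader the same question. A smaller gap: the fallback to the QCP/QcEuCompliance certificate extensions is now taken only when the TSL yields no service-type identifier, so when an identifier is present but no QC qualifier matched the method continues with qc=false and no log entry explaining why; an `else` with a `Logger.debug` on that inner `if` would make the decision traceable. The message `"QC check via TSL returned false - checking certificate extensions"` is also emitted when `qcDisallowedFromTSL` is already true and the extension result will be discarded; testing `!qcDisallowedFromTSL` in the outer condition, before the two `CertificateUtils.check*` calls, avoids both the misleading line and the needless extension parsing. The enclosing method starts before and ends after this hunk.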
@@ -268,7 +306,8 @@ public class CertificateUtils {
 tslCheckResult.getTerritory(),
 tslCheckResult.getTspStatus(),
 tslServiceTypeIdentifier.toString(),
- tslCertificateQualifier);
+ tslCertificateQualifier,
+ tslCheckResult.getAdditionalServiceInformation());
 result.setTslInfos(extTslInfos);
 return result;
-- cgit v1.2.3
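Review bot: `tslServiceTypeIdentifier.toString()` on the context line two above the new argument is still called unconditionally, while the QC evaluation this commit adds earlier in the same method (the `tslServiceTypeIdentifier == null || MiscUtil.isEmpty(...)` check in the @@ -243 hunk) now treats a null identifier as a legitimate outcome; unless a guard outside the hunk prevents it, that input would end in a NullPointerException while building TslInfosImpl instead of in a returned result. Apply the same guard here, e.g. `tslServiceTypeIdentifier == null ? null : tslServiceTypeIdentifier.toString(),` — or whatever absent value the TslInfosImpl constructor expects, as its signature is not visible in this diff. The enclosing method starts before this hunk.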