From dafc76624606f7d47f65006a6bf4695c3a0cd1a9 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Tue, 2 May 2023 09:27:05 +0200
Subject: feat(pkix): add addition features to validate short-term certificates

---
 .../server/config/ConfigurationPartsBuilder.java | 95 ++++++++++++++++++++--
 .../spss/server/config/ConfigurationProvider.java | 38 +++++++++
 .../iaik/config/RevocationConfigurationImpl.java | 30 +++++++
 3 files changed, 156 insertions(+), 7 deletions(-)
(limited to 'moaSig/moa-sig-lib/src/main/java/at')

diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 5daf1a6..5f8b46d 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -94,6 +94,9 @@ public class ConfigurationPartsBuilder {
   private static final String CM_CHAINING = "chaining";
   private static final String CM_PKIX = "pkix";
 
+  private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0;
+  private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true;
+
   //
   // XPath expressions to select certain parts of the configuration
   //
@@ -205,6 +208,17 @@ public class ConfigurationPartsBuilder {
       + CONF + "RevocationChecking/"
       + CONF + "CrlRetentionIntervals/"
       + CONF + "CA";
+
+  private static final String SHORT_TIME_CERTS_INTERVALS_XPATH =
+      ROOT + CONF + "SignatureVerification/"
+          + CONF + "CertificateValidation/"
+          + CONF + "RevocationChecking/"
+          + CONF + "ShortTermedCertificates";
+
+  private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH =
+      SHORT_TIME_CERTS_INTERVALS_XPATH + "/"
+          + CONF + "CA";
+
   private static final String ENABLE_REVOCATION_CHECKING_XPATH_ =
       ROOT + CONF + "SignatureVerification/"
           + CONF + "CertificateValidation/"
@@ -1718,17 +1732,84 @@ public class ConfigurationPartsBuilder { final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null); final String i = getElementValue(modElem, CONF + "Interval", null); final Integer interval = new Integer(i); - try { - final RFC2253NameParser parser = new RFC2253NameParser(x509IssuerName); - final Name name = parser.parse(); - map.put(name.getRFC2253String(), interval); - } catch (final RFC2253NameParserException e) { - map.put(x509IssuerName, interval); - } + map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval); } return map; } + + /** + * Should ETSI extension should be used for short-time certificate validation. + * + * @return true if it is used + */ + public boolean isShotTimeCertEtsiExtCheck() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SHORT_TIME_CERTS_INTERVALS_XPATH); + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension")); + Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension"); + return value; + + } + + return SHORT_TIME_CERT_DEFAULT_ETSI; + } + + /** + * Get default shortTime certificate interval. + * + * @return Time in minutes + */ + public int getShotTimeCertDefaultInterval() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SHORT_TIME_CERTS_INTERVALS_XPATH); + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + String defaultString = modElem.getAttribute("defaultValidityPeriod"); + Logger.debug("Set default shortTimePeriodInterval to: " + defaultString); + return Integer.valueOf(defaultString); + + } + + return SHORT_TIME_CERT_DEFAULT_INTERVAL; + } + + + /** + * Returns a map of shortTime certificate intervals. + * + *

+ * No revocation checks are performed during this interval. + *

+ * + * @return + */ + public Map getShotTimeCertIntervals() { + final Map map = new HashMap(); + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SHORT_TIME_CERTS_INTERVALS_CA_XPATH); + + Element modElem; + while ((modElem = (Element) modIter.nextNode()) != null) { + final String x509IssuerName = ConfigurationProvider.normalizeX500Names( + getElementValue(modElem, CONF + "X509IssuerName", null)); + final String i = getElementValue(modElem, CONF + "ValidityPeriod", null); + final Integer interval = new Integer(i); + map.put(x509IssuerName, interval); + Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName); + + } + + return map; + } + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 4596109..85930b2 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -258,6 +258,12 @@ public class ConfigurationProvider { */ private Map crlRetentionIntervals; + + private boolean useShortTimeCertificateEtisExt; + private int defaultShortTimeCertificatePeriod; + private Map shortTimeCertificatePeriods; + + /** * Indicates wether external URIs are allowed or not */ @@ -416,6 +422,10 @@ public class ConfigurationProvider { permitFileURIs = builder.getPermitFileURIs(); crlRetentionIntervals = builder.getCrlRetentionIntervals(); + shortTimeCertificatePeriods = builder.getShotTimeCertIntervals(); + defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval(); + useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck(); + allowExternalUris_ = builder.allowExternalUris(); if (allowExternalUris_) { 
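Review bot: `getShotTimeCertDefaultInterval()` throws a NumberFormatException instead of returning SHORT_TIME_CERT_DEFAULT_INTERVAL when the `ShortTermedCertificates` element is present but carries no `defaultValidityPeriod` attribute, since DOM `getAttribute` yields "" for an absent attribute and `Integer.valueOf("")` fails, and its twin `isShotTimeCertEtsiExtCheck()` quietly returns `false` (`Boolean.valueOf("")`) although SHORT_TIME_CERT_DEFAULT_ETSI is `true`, so an operator who omits `checkETSIValidityAssuredExtension` ends up with the ETSI extension check disabled rather than with the documented default. Both should test for the attribute first, e.g. `if (modElem.hasAttribute("defaultValidityPeriod")) { ... }`, and fall through to the constant otherwise. In `getShotTimeCertIntervals()` a CA entry without a `ValidityPeriod` child makes `new Integer(i)` throw for a null string (if getElementValue returns its third argument as the default, as the name suggests); logging the offending issuer and skipping the entry, or failing with a message that names it, would be easier to diagnose than the bare exception during configuration load. The debug line in isShotTimeCertEtsiExtCheck lacks a space (`"Disable" + "shortTime ..."` prints `DisableshortTime`), and the Javadoc `@return` of getShotTimeCertIntervals is empty — `@return map from normalised RFC 2253 issuer name to validity period in minutes` would state the contract; the getCrlRetentionIntervals method whose tail opens this hunk starts outside it.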
@@ -998,5 +1008,33 @@ public class ConfigurationProvider { public TSLConfiguration getTSLConfiguration() { return tslconfiguration_; } + + public int getDefaultShortTimeCertificatePeriod() { + return defaultShortTimeCertificatePeriod; + } + + public boolean isUseShortTimeCertificateEtisExt() { + return useShortTimeCertificateEtisExt; + } + + public Map getShortTimeCertificatePeriods() { + return shortTimeCertificatePeriods; + } + + + public static final String normalizeX500Names(String x500Name) { + try { + final RFC2253NameParser parser = new RFC2253NameParser(x500Name); + final Name name = parser.parse(); + return name.getRFC2253String(); + + } catch (final RFC2253NameParserException e) { + Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is"); + return x500Name; + + } + + } + } \ No newline at end of file diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java index 6aa20cf..002df3b 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java @@ -30,8 +30,11 @@ import java.util.Map; import java.util.Set; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moaspss.logging.Logger; +import iaik.asn1.structures.Name; import iaik.pki.revocation.RevocationConfiguration; import iaik.pki.revocation.dbcrl.config.DBCrlConfig; +import iaik.utils.RFC2253NameParserException; /** * An implementation of the RevocationConfiguration interface using 
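Review bot: `getShortTimeCertificatePeriods()` returns the internal map by reference, so any caller can alter the per-issuer periods that decide how long a certificate is accepted without a revocation check; return `Collections.unmodifiableMap(shortTimeCertificatePeriods)` (assuming java.util.Collections is imported or added) or snapshot the map where the constructor assigns it, so the loaded configuration stays read-only. `normalizeX500Names` is declared `public static final` — `final` has no effect on a static method — and a `null` argument goes straight into `RFC2253NameParser`, which the catch for RFC2253NameParserException is unlikely to cover; an `Objects.requireNonNull(x500Name, "x500Name")` or an early `return x500Name` for null makes that case explicit. The fallback to the unparsed string preserves what getCrlRetentionIntervals did before, which is fine, but the three new getters and normalizeX500Names carry no Javadoc; e.g. `/** Canonicalises an X.500 name to its RFC 2253 string; the input is returned unchanged when it cannot be parsed. */`.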
@@ -111,4 +114,31 @@ public class RevocationConfigurationImpl extends AbstractObservableConfiguration return false; } + @Override + public boolean checkETSIValidityAssuredShortTermExt() { + return config.isUseShortTimeCertificateEtisExt(); + + } + + @Override + public Long getShortTermedValidityPeriod(X509Certificate eeCert) { + try { + String issuer = ConfigurationProvider.normalizeX500Names(((Name)eeCert.getIssuerDN()).getRFC2253String()); + if (config.getShortTimeCertificatePeriods().containsKey(issuer)) { + Integer interval = config.getShortTimeCertificatePeriods().get(issuer); + Logger.debug("Use shortTermedValidityPeriod: " + interval + "[min] for Issuer: " + issuer); + return Long.valueOf(interval) * 60 * 1000; + + } + + } catch (RFC2253NameParserException e) { + Logger.warn("Can not normalize X509 IssuerName: " + eeCert.getIssuerDN(), e); + + } + + Logger.debug("Use default shortTermedValidityPeriod: " + config.getDefaultShortTimeCertificatePeriod() + "[min]"); + return Long.valueOf(config.getDefaultShortTimeCertificatePeriod()) * 60 * 1000; + + } + } -- cgit v1.2.3
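Review bot: `getShortTermedValidityPeriod` casts `eeCert.getIssuerDN()` to `iaik.asn1.structures.Name`, which only holds when the `X509Certificate` parameter is the IAIK class (the import hunk above suggests it is); for a plain `java.security.cert.X509Certificate` the cast throws ClassCastException, which the `RFC2253NameParserException` catch does not handle, so the lookup would abort validation instead of falling back to the default period. A guard such as `if (!(eeCert.getIssuerDN() instanceof Name)) { /* log and fall through to the default */ }`, or a wider catch, keeps the fallback path reachable. The map is consulted twice (`containsKey` then `get`); `Integer interval = config.getShortTimeCertificatePeriods().get(issuer); if (interval != null) { ... }` does one lookup and also survives a null value. The `* 60 * 1000` implies the interface expects milliseconds while the configuration is in minutes; a comment `// configured in minutes, the IAIK interface expects milliseconds` and Javadoc on both overrides would make that contract explicit; the rest of the class lies outside the hunk.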