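package at.gv.egovernment.moa.spss.util;

import iaik.asn1.ObjectID;
import iaik.asn1.structures.Name;
import iaik.asn1.structures.PolicyInformation;
import iaik.utils.RFC2253NameParser;
import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.CertificatePolicies;
import iaik.x509.extensions.qualified.QCStatements;
import iaik.x509.extensions.qualified.structures.QCStatement;
import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
import iaik.xml.crypto.tsl.ex.TSLEngineDiedException;
import iaik.xml.crypto.tsl.ex.TSLSearchException;

import java.security.Principal;

import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask;
import at.gv.egovernment.moaspss.logging.LogMsg;
import at.gv.egovernment.moaspss.logging.Logger;

/**
 * Helpers for deriving the qualified-certificate (QC) and secure-signature-creation-device
 * (SSCD) status of an X.509 certificate chain, and for reading the issuer country.
 * <p>
 * Two sources are consulted for QC/SSCD status:
 * <ul>
 *   <li>the trust-status list (TSL) engine reachable through
 *       {@link TSLUpdaterTimerTask#tslconnector_}, which is the preferred source when the
 *       trust profile is TSL-enabled, and</li>
 *   <li>the certificate's own {@code CertificatePolicies} (QCP / QCP+) and
 *       {@code QCStatements} (QcEuCompliance / QcEuSSCD) extensions.</li>
 * </ul>
 * The extension-based checks only reflect what the issuer asserted inside the certificate;
 * they establish nothing about the validity or trustworthiness of the chain, which is
 * assumed to have been checked by the caller (not visible in this class).
 * <p>
 * All methods are static and keep no state of their own; the only shared state touched is the
 * static TSL connector.
 */
public class CertificateUtils {

    /** ETSI QCP+ certificate policy OID ("qualified certificate policy, SSCD required"). */
    private static final String OID_QCP_PLUS = "0.4.0.1456.1.1";

    /** ETSI QCP certificate policy OID ("qualified certificate policy"). */
    private static final String OID_QCP = "0.4.0.1456.1.2";

    /** Message key used when the TSL engine cannot answer a QC/SSCD query. */
    private static final String MSG_TSL_FAILURE = "tsl.01";

    /**
     * Checks whether the {@code CertificatePolicies} extension of {@code cert} lists the given
     * policy OID.
     * <p>
     * A missing extension, missing policy information or an extension that cannot be parsed
     * all count as "policy not present" and are only reported at debug level, so a malformed
     * certificate never yields a positive answer.
     *
     * @param cert certificate to inspect
     * @param policyOid dotted-decimal policy OID to look for
     * @param label short name of the policy used in log output (e.g. {@code "QCP"})
     * @return {@code true} if a policy with exactly that OID is present
     */
    private static boolean hasCertificatePolicy(X509Certificate cert, String policyOid, String label) {
        try {
            CertificatePolicies certPol = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
            if (certPol == null) {
                Logger.debug("No CertificatePolicies extension found");
                return false;
            }
            PolicyInformation[] polInfo = certPol.getPolicyInformation();
            if (polInfo == null) {
                Logger.debug("No policy information found");
                return false;
            }
            for (int i = 0; i < polInfo.length; i++) {
                ObjectID oid = polInfo[i].getPolicyIdentifier();
                // OIDs are dotted-decimal strings, so an exact comparison is the right test
                if (oid != null && policyOid.equals(oid.getID())) {
                    Logger.debug(label + " extension found");
                    return true;
                }
            }
            Logger.debug("No " + label + " extension found");
            return false;
        } catch (X509ExtensionInitException e) {
            // unparseable extension: treated as absent (fail closed)
            Logger.debug("No " + label + " extension found");
            return false;
        }
    }

    /**
     * Checks whether the {@code QCStatements} extension of {@code cert} contains the statement
     * with the given identifier.
     * <p>
     * As with {@link #hasCertificatePolicy}, a missing or unparseable extension counts as
     * "statement not present".
     *
     * @param cert certificate to inspect
     * @param statementId identifier of the QC statement to look for
     * @param label short name of the statement used in log output
     * @return {@code true} if the statement is present
     */
    private static boolean hasQcStatement(X509Certificate cert, ObjectID statementId, String label) {
        try {
            QCStatements qcStatements = (QCStatements) cert.getExtension(QCStatements.oid);
            if (qcStatements == null) {
                Logger.debug("No QcStatements extension found");
                return false;
            }
            QCStatement statement = qcStatements.getQCStatements(statementId);
            if (statement != null) {
                Logger.debug(label + " extension found");
                return true;
            }
            Logger.debug("No " + label + " extension found");
            return false;
        } catch (X509ExtensionInitException e) {
            // unparseable extension: treated as absent (fail closed)
            Logger.debug("No " + label + " extension found");
            return false;
        }
    }

    /**
     * Verifies if the given certificate carries the QCP+ certificate policy.
     *
     * @param cert X509Certificate
     * @return {@code true} if the QCP+ policy is present, else {@code false}
     */
    private static boolean checkQCPPlus(X509Certificate cert) {
        Logger.debug("Checking QCP+ extension");
        return hasCertificatePolicy(cert, OID_QCP_PLUS, "QCP+");
    }

    /**
     * Verifies if the given certificate carries the QCP certificate policy.
     *
     * @param cert X509Certificate
     * @return {@code true} if the QCP policy is present, else {@code false}
     */
    private static boolean checkQCP(X509Certificate cert) {
        Logger.debug("Checking QCP extension");
        return hasCertificatePolicy(cert, OID_QCP, "QCP");
    }

    /**
     * Verifies if the given certificate contains the QcEuCompliance statement.
     *
     * @param cert X509Certificate
     * @return {@code true} if the QcEuCompliance statement is present, else {@code false}
     */
    private static boolean checkQcEuCompliance(X509Certificate cert) {
        Logger.debug("Checking QcEUCompliance extension");
        return hasQcStatement(cert, QcEuCompliance.statementID, "QcEuCompliance");
    }

    /**
     * Verifies if the given certificate contains the QcEuSSCD statement.
     *
     * @param cert X509Certificate
     * @return {@code true} if the QcEuSSCD statement is present, else {@code false}
     */
    private static boolean checkQcEuSSCD(X509Certificate cert) {
        Logger.debug("Checking QcEuSSCD extension");
        return hasQcStatement(cert, QcEuSSCD.statementID, "QcEuSSCD");
    }

    /**
     * QC status as asserted by the certificate itself: QCP policy or QcEuCompliance statement.
     * Both checks are always evaluated so that each one leaves its debug trace.
     *
     * @param cert certificate to inspect
     * @return {@code true} if either indication is present
     */
    private static boolean isQcByCertificate(X509Certificate cert) {
        boolean qcp = checkQCP(cert);
        boolean euCompliance = checkQcEuCompliance(cert);
        return qcp || euCompliance;
    }

    /**
     * SSCD status as asserted by the certificate itself: QCP+ policy or QcEuSSCD statement.
     * Both checks are always evaluated so that each one leaves its debug trace.
     *
     * @param cert certificate to inspect
     * @return {@code true} if either indication is present
     */
    private static boolean isSscdByCertificate(X509Certificate cert) {
        boolean qcpPlus = checkQCPPlus(cert);
        boolean euSscd = checkQcEuSSCD(cert);
        return qcpPlus || euSscd;
    }

    /**
     * Logs a failed TSL query under the configured "tsl.01" message, keeping the cause.
     *
     * @param e exception raised by the TSL connector
     */
    private static void logTslFailure(Exception e) {
        MessageProvider msg = MessageProvider.getInstance();
        Logger.error(new LogMsg(msg.getMessage(MSG_TSL_FAILURE, null)), e);
    }

    /**
     * Determines the QC and SSCD status of a certificate chain.
     * <p>
     * Only {@code chain[0]} is inspected for certificate extensions (it is assumed to be the
     * end-entity certificate); the whole chain is handed to the TSL connector.
     * <ul>
     *   <li>TSL-enabled trust profile: the TSL answer is authoritative. Only when the TSL does
     *       not confirm a property are the certificate's own extensions consulted, and the
     *       corresponding {@code *SourceTSL} flag of the result is then {@code false}.</li>
     *   <li>Otherwise: only the certificate extensions are consulted and both
     *       {@code *SourceTSL} flags are {@code false}.</li>
     * </ul>
     * If the TSL engine fails ({@link TSLEngineDiedException}, {@link TSLSearchException}) the
     * error is logged and whatever has been established so far is returned; properties not yet
     * established stay {@code false}, i.e. the method fails closed rather than falling back to
     * the certificate extensions. An empty or {@code null} chain is likewise reported as
     * neither QC nor SSCD.
     * <p>
     * NOTE(review): {@code TSLUpdaterTimerTask.tslconnector_} is used without a null check; if
     * the TSL engine has not been initialised yet this throws a {@code NullPointerException} —
     * confirm against the updater's start-up sequence.
     *
     * @param chain certificate chain, end-entity certificate first
     * @param isTSLenabledTrustprofile whether the trust profile allows TSL lookups
     * @return QC/SSCD verdict together with the source (TSL or certificate) of each flag
     */
    public static QCSSCDResult checkQCSSCD(X509Certificate[] chain, boolean isTSLenabledTrustprofile) {
        boolean qc = false;
        boolean qcSourceTSL = false;
        boolean sscd = false;
        boolean sscdSourceTSL = false;

        // nothing to inspect: never report QC/SSCD on an empty input
        if (chain == null || chain.length == 0 || chain[0] == null) {
            Logger.warn("QC/SSCD check called with an empty certificate chain - treating as neither QC nor SSCD");
            return new QCSSCDResult(false, false, false, false);
        }
        X509Certificate endEntity = chain[0];

        try {
            if (isTSLenabledTrustprofile) {
                // QC: TSL first, certificate extensions as fallback
                boolean qcFromTsl = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
                if (qcFromTsl) {
                    Logger.debug("Certificate is QC (Source: TSL)");
                    qc = true;
                    qcSourceTSL = true;
                } else {
                    Logger.debug("QC check via TSL returned false - checking certificate extensions");
                    if (isQcByCertificate(endEntity)) {
                        Logger.debug("Certificate is QC (Source: Certificate)");
                        qc = true;
                    }
                    qcSourceTSL = false;
                }

                // SSCD: TSL first, certificate extensions as fallback
                boolean sscdFromTsl = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain);
                if (sscdFromTsl) {
                    Logger.debug("Certificate is SSCD (Source: TSL)");
                    sscd = true;
                    sscdSourceTSL = true;
                } else {
                    Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
                    if (isSscdByCertificate(endEntity)) {
                        Logger.debug("Certificate is SSCD (Source: Certificate)");
                        sscd = true;
                    }
                    sscdSourceTSL = false;
                }
            } else {
                // trust profile is not TSL enabled: certificate extensions only
                qc = isQcByCertificate(endEntity);
                qcSourceTSL = false;
                sscd = isSscdByCertificate(endEntity);
                sscdSourceTSL = false;
            }
        } catch (TSLEngineDiedException e) {
            logTslFailure(e);
        } catch (TSLSearchException e) {
            logTslFailure(e);
        }

        return new QCSSCDResult(qc, qcSourceTSL, sscd, sscdSourceTSL);
    }

    /**
     * Gets the country from the certificate issuer.
     * <p>
     * The issuer DN is re-parsed from its RFC 2253 string form; the value of the country RDN
     * is returned as found there. Callers must handle {@code null}, which is returned both when
     * the issuer DN has no country attribute and when the DN string cannot be parsed.
     *
     * @param cert X509 certificate
     * @return country code from the certificate issuer, or {@code null} if unavailable
     */
    public static String getIssuerCountry(X509Certificate cert) {
        Principal issuerDn = cert.getIssuerX500Principal();
        RFC2253NameParser nameParser = new RFC2253NameParser(issuerDn.getName());
        try {
            Name name = nameParser.parse();
            return name.getRDN(ObjectID.country);
        } catch (RFC2253NameParserException e) {
            // keep the cause so a malformed issuer DN can be diagnosed from the log
            Logger.warn("Could not get country code from issuer.", e);
            return null;
        }
    }
}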