diff options
Diffstat (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java')
| -rw-r--r-- | bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java | 82 |
1 files changed, 56 insertions, 26 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java index ace8a75a..ed4b9bda 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -1,30 +1,31 @@ /*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package at.gv.egiz.bku.accesscontroller;
import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS;
import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED;
-import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY;
+import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
-import java.net.InetAddress;
import java.net.URL;
-import java.net.UnknownHostException;
+import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -37,6 +38,39 @@ public class AuthenticationClassifier { private AuthenticationClassifier() {
}
+ public static boolean isGovAgency(X509Certificate cert) {
+ String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
+ for (String rdn : rdns) {
+ if (rdn.startsWith("CN=")) {
+ String dns = rdn.split("=")[1];
+ log.trace("Analyzing cn dn: " + dns);
+ if (dns.endsWith(GOV_DOMAIN)) {
+ return true;
+ }
+ }
+ }
+ try {
+ Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
+ if (sanList != null) {
+ for (List<?> san : sanList) {
+ log.trace("Analyzing subj. alt name: " + san);
+ if ((Integer) san.get(0) == 2) {
+ String dns = (String) san.get(1);
+ if (dns.endsWith(GOV_DOMAIN)) {
+ return true;
+ }
+ }
+ }
+ }
+ } catch (CertificateParsingException e) {
+ log.error(e);
+ }
+ if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
+ return true;
+ }
+ return false;
+ }
+
/**
* Client Certificates are currently not supported
*
@@ -45,13 +79,8 @@ public class AuthenticationClassifier { URL url, X509Certificate cert) {
if (isDataUrl) {
if (url.getProtocol().equalsIgnoreCase("https")) {
- try {
- if (InetAddress.getByName(url.getHost()).getCanonicalHostName()
- .endsWith(GOV_DOMAIN)) {
- return CERTIFIED_GOV_AGENCY;
- }
- } catch (UnknownHostException e) {
- log.error("Cannot determine host name", e);
+ if (isGovAgency(cert)) {
+ return CERTIFIED_GOV_AGENCY;
}
if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
return CERTIFIED_GOV_AGENCY;
@@ -68,7 +97,8 @@ public class AuthenticationClassifier { /**
*
* @param isDataUrl
- * @param url if the url's protocol is https a cert parameter must be provided.
+ * @param url
+ * if the url's protocol is https a cert parameter must be provided.
* @param cert
* @return
*/
|