Unverified Commit 4561cae9 authored by Tobias Wich's avatar Tobias Wich Committed by GitHub

Merge pull request #27 from ecsec/attached-eid-check

Attached eid check
parents 283db4f4 13c0a6bd
......@@ -33,7 +33,7 @@ import org.openecard.crypto.tls.CertificateVerifier;
*
* @author Tobias Wich
*/
public class SaveEServiceCertHandler implements CertificateVerifier {
public class SaveEidServerCertHandler implements CertificateVerifier {
boolean firstCert = true;
......@@ -42,7 +42,7 @@ public class SaveEServiceCertHandler implements CertificateVerifier {
if (firstCert) {
firstCert = false;
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
dynCtx.put(TR03112Keys.ESERVICE_CERTIFICATE, chain);
dynCtx.put(TR03112Keys.EIDSERVER_CERTIFICATE, chain);
}
}
......
......@@ -36,8 +36,9 @@ public class TR03112Keys {
public static final String TCTOKEN_CHECKS = "tctoken_checks";
public static final String ACTIVATION_THREAD = "activation_thread";
public static final String CONNECTION_HANDLE = "connection_handle";
public static final String SAME_CHANNEL = "same_channel";
public static final String ESERVICE_CERTIFICATE_DESC = "eservice_certificate_description";
public static final String ESERVICE_CERTIFICATE = "eservice_certificate";
public static final String EIDSERVER_CERTIFICATE = "eservice_certificate";
public static final String TCTOKEN_URL = "TCTokenURL";
public static final String TCTOKEN_SERVER_CERTIFICATES = "tctoken_server_certificates";
public static final String IS_REFRESH_URL_VALID = "is_refresh_url_valid";
......
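Review bot: The renamed constant `EIDSERVER_CERTIFICATE` keeps the old string value `"eservice_certificate"`, so the identifier and the key actually stored in the DynamicContext now disagree, which is confusing for anyone reading a context dump or grepping for the key. If nothing else in the project still looks up the literal, the value should follow the rename: `public static final String EIDSERVER_CERTIFICATE = "eidserver_certificate";`. If the old value is kept on purpose for compatibility, a one-line comment above the constant saying so (e.g. `// key string unchanged on purpose, other code may still read the legacy name`) would prevent a later "fix" that silently breaks lookups. I cannot see from this hunk whether other readers of the literal exist, so which of the two applies has to be checked against the rest of the code base.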
......@@ -49,6 +49,7 @@ import static org.openecard.binding.tctoken.ex.ErrorTranslations.*;
import org.bouncycastle.tls.BasicTlsPSKIdentity;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import org.openecard.common.DynamicContext;
import org.openecard.crypto.common.ReusableSecureRandom;
import org.openecard.crypto.tls.verify.JavaSecVerifier;
......@@ -119,6 +120,9 @@ public class TlsConnectionHandler {
if (tlsClient instanceof ClientCertDefaultTlsClient) {
((ClientCertDefaultTlsClient) tlsClient).setEnforceSameSession(true);
}
// save the info that we have a same channel situtation
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.TRUE);
} else {
// kill open channel in tctoken request, it is not needed anymore
if (tokenRequest.getTokenContext() != null) {
......@@ -171,7 +175,7 @@ public class TlsConnectionHandler {
// make sure nobody changes the server when the connection gets reestablished
tlsAuth.addCertificateVerifier(new SameCertVerifier());
// save eService certificate for use in EAC
tlsAuth.addCertificateVerifier(new SaveEServiceCertHandler());
tlsAuth.addCertificateVerifier(new SaveEidServerCertHandler());
// set the authentication class in the tls client
tlsClient.setAuthentication(tlsAuth);
......
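Review bot: The new `SAME_CHANNEL` flag in the second hunk is only ever written as `Boolean.TRUE` in the same-channel branch; the `else` branch that follows never resets it, so the consumer in PACEStep has to rely on the DynamicContext obtained via `INSTANCE_KEY` being fresh for every activation. If that context can outlive one activation (I cannot tell from this hunk), a stale `TRUE` from an earlier same-channel run would make the later eID-Server certificate check be skipped for a different channel, which is a trust decision and should not depend on implicit state. Writing the flag explicitly in both branches, `dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.FALSE);` at the start of the `else` block, makes the value unambiguous regardless of context lifetime. Two smaller points in the same file: the added comment has a typo (`situtation` → `situation`), and the comment `// save eService certificate for use in EAC` in the third hunk is now stale since the handler was renamed to `SaveEidServerCertHandler`. The enclosing method starts and ends outside the hunks shown.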
......@@ -436,7 +436,7 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
/**
* Perform all checks as described in BSI TR-03112-7 3.4.4.
*
* @param certDescription CertificateDescription of the eService Certificate
* @param certDescription CertificateDescription of the eService CV Certificate
* @param dynCtx Dynamic Context
* @return a {@link Result} set according to the results of the checks
*/
......@@ -444,9 +444,9 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
Object tokenChecks = dynCtx.get(TR03112Keys.TCTOKEN_CHECKS);
// omit these checks if explicitly disabled
if (convertToBoolean(tokenChecks)) {
boolean checkPassed = checkEserviceCertificate(certDescription, dynCtx);
boolean checkPassed = checkEidServerCertificate(certDescription, dynCtx);
if (! checkPassed) {
String msg = "Hash of eService certificate is NOT contained in the CertificateDescription.";
String msg = "Hash of eID-Server certificate is NOT contained in the CertificateDescription.";
// TODO check for the correct minor type
Result r = WSHelper.makeResultError(ECardConstants.Minor.SAL.PREREQUISITES_NOT_SATISFIED, msg);
return r;
......@@ -492,13 +492,19 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
}
}
private boolean checkEserviceCertificate(CertificateDescription certDescription, DynamicContext dynCtx) {
TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.ESERVICE_CERTIFICATE);
if (certificate != null) {
return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), "eService");
private boolean checkEidServerCertificate(CertificateDescription certDescription, DynamicContext dynCtx) {
Boolean sameChannel = (Boolean) dynCtx.get(TR03112Keys.SAME_CHANNEL);
if (Boolean.TRUE.equals(sameChannel)) {
LOG.debug("eID-Server certificate is not check explicitly due to attached eID-Server case.");
return true;
} else {
LOG.error("No eService TLS Certificate set in Dynamic Context.");
return false;
TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.EIDSERVER_CERTIFICATE);
if (certificate != null) {
return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), "eID-Server");
} else {
LOG.error("No eID-Server TLS Certificate set in Dynamic Context.");
return false;
}
}
}
......
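Review bot: The early `return true;` in `checkEidServerCertificate` when `SAME_CHANNEL` is set skips a TR-03112-7 3.4.4 check without stating in the code why that is sound, so a later reader cannot tell whether the skip is a deliberate consequence of the attached eID-Server case or an oversight. A short comment above the `if` should name the justification, along the lines of `// Attached eID-Server: the TLS channel is the one already verified for the eService and is pinned by SameCertVerifier on re-establishment, so no separate eID-Server certificate check is required here.` (the pinning part is what the TlsConnectionHandler hunk suggests; please confirm against that code). The debug message also has a grammar slip: `"eID-Server certificate is not checked explicitly due to attached eID-Server case."`. Since skipping a certificate check is a security-relevant decision, consider logging it at `info` rather than `debug` so it is visible in normal operation.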