Unverified
Commit
4561cae9
authored
Oct 23, 2019
by
Tobias Wich
Committed by
GitHub
Oct 23, 2019
Merge pull request #27 from ecsec/attached-eid-check
Attached eid check
parents
283db4f4
13c0a6bd
Changes
4
addons/tr03112/src/main/java/org/openecard/binding/tctoken/SaveEServ
ic
eCertHandler.java
→
addons/tr03112/src/main/java/org/openecard/binding/tctoken/SaveE
id
Serve
r
CertHandler.java
...
@@ -33,7 +33,7 @@ import org.openecard.crypto.tls.CertificateVerifier;
...
@@ -33,7 +33,7 @@ import org.openecard.crypto.tls.CertificateVerifier;
*
*
* @author Tobias Wich
* @author Tobias Wich
*/
*/
public
class
SaveEServ
ic
eCertHandler
implements
CertificateVerifier
{
public
class
SaveE
id
Serve
r
CertHandler
implements
CertificateVerifier
{
boolean
firstCert
=
true
;
boolean
firstCert
=
true
;
...
@@ -42,7 +42,7 @@ public class SaveEServiceCertHandler implements CertificateVerifier {
...
@@ -42,7 +42,7 @@ public class SaveEServiceCertHandler implements CertificateVerifier {
if
(
firstCert
)
{
if
(
firstCert
)
{
firstCert
=
false
;
firstCert
=
false
;
DynamicContext
dynCtx
=
DynamicContext
.
getInstance
(
TR03112Keys
.
INSTANCE_KEY
);
DynamicContext
dynCtx
=
DynamicContext
.
getInstance
(
TR03112Keys
.
INSTANCE_KEY
);
dynCtx
.
put
(
TR03112Keys
.
ESERV
IC
E_CERTIFICATE
,
chain
);
dynCtx
.
put
(
TR03112Keys
.
E
ID
SERVE
R
_CERTIFICATE
,
chain
);
}
}
}
}
...
...
addons/tr03112/src/main/java/org/openecard/binding/tctoken/TR03112Keys.java
...
@@ -36,8 +36,9 @@ public class TR03112Keys {
...
@@ -36,8 +36,9 @@ public class TR03112Keys {
public
static
final
String
TCTOKEN_CHECKS
=
"tctoken_checks"
;
public
static
final
String
TCTOKEN_CHECKS
=
"tctoken_checks"
;
public
static
final
String
ACTIVATION_THREAD
=
"activation_thread"
;
public
static
final
String
ACTIVATION_THREAD
=
"activation_thread"
;
public
static
final
String
CONNECTION_HANDLE
=
"connection_handle"
;
public
static
final
String
CONNECTION_HANDLE
=
"connection_handle"
;
public
static
final
String
SAME_CHANNEL
=
"same_channel"
;
public
static
final
String
ESERVICE_CERTIFICATE_DESC
=
"eservice_certificate_description"
;
public
static
final
String
ESERVICE_CERTIFICATE_DESC
=
"eservice_certificate_description"
;
public
static
final
String
ESERV
IC
E_CERTIFICATE
=
"eservice_certificate"
;
public
static
final
String
E
ID
SERVE
R
_CERTIFICATE
=
"eservice_certificate"
;
public
static
final
String
TCTOKEN_URL
=
"TCTokenURL"
;
public
static
final
String
TCTOKEN_URL
=
"TCTokenURL"
;
public
static
final
String
TCTOKEN_SERVER_CERTIFICATES
=
"tctoken_server_certificates"
;
public
static
final
String
TCTOKEN_SERVER_CERTIFICATES
=
"tctoken_server_certificates"
;
public
static
final
String
IS_REFRESH_URL_VALID
=
"is_refresh_url_valid"
;
public
static
final
String
IS_REFRESH_URL_VALID
=
"is_refresh_url_valid"
;
...
...
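Review bot: The renamed constant `EIDSERVER_CERTIFICATE` still carries the old literal `"eservice_certificate"`, so the key name and the value it maps to in the DynamicContext now disagree. If nothing else in the project relies on that exact string (I cannot confirm that from this diff), `public static final String EIDSERVER_CERTIFICATE = "eidserver_certificate";` would keep the two consistent and make context dumps easier to read. Alternatively, a short comment stating that the literal is kept for compatibility would tell the next maintainer the mismatch is deliberate.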
addons/tr03112/src/main/java/org/openecard/binding/tctoken/TlsConnectionHandler.java
...
@@ -49,6 +49,7 @@ import static org.openecard.binding.tctoken.ex.ErrorTranslations.*;
...
@@ -49,6 +49,7 @@ import static org.openecard.binding.tctoken.ex.ErrorTranslations.*;
import
org.bouncycastle.tls.BasicTlsPSKIdentity
;
import
org.bouncycastle.tls.BasicTlsPSKIdentity
;
import
org.bouncycastle.tls.crypto.TlsCrypto
;
import
org.bouncycastle.tls.crypto.TlsCrypto
;
import
org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto
;
import
org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto
;
import
org.openecard.common.DynamicContext
;
import
org.openecard.crypto.common.ReusableSecureRandom
;
import
org.openecard.crypto.common.ReusableSecureRandom
;
import
org.openecard.crypto.tls.verify.JavaSecVerifier
;
import
org.openecard.crypto.tls.verify.JavaSecVerifier
;
...
@@ -119,6 +120,9 @@ public class TlsConnectionHandler {
...
@@ -119,6 +120,9 @@ public class TlsConnectionHandler {
if
(
tlsClient
instanceof
ClientCertDefaultTlsClient
)
{
if
(
tlsClient
instanceof
ClientCertDefaultTlsClient
)
{
((
ClientCertDefaultTlsClient
)
tlsClient
).
setEnforceSameSession
(
true
);
((
ClientCertDefaultTlsClient
)
tlsClient
).
setEnforceSameSession
(
true
);
}
}
// save the info that we have a same channel situtation
DynamicContext
dynCtx
=
DynamicContext
.
getInstance
(
TR03112Keys
.
INSTANCE_KEY
);
dynCtx
.
put
(
TR03112Keys
.
SAME_CHANNEL
,
Boolean
.
TRUE
);
}
else
{
}
else
{
// kill open channel in tctoken request, it is not needed anymore
// kill open channel in tctoken request, it is not needed anymore
if
(
tokenRequest
.
getTokenContext
()
!=
null
)
{
if
(
tokenRequest
.
getTokenContext
()
!=
null
)
{
...
@@ -171,7 +175,7 @@ public class TlsConnectionHandler {
...
@@ -171,7 +175,7 @@ public class TlsConnectionHandler {
// make sure nobody changes the server when the connection gets reestablished
// make sure nobody changes the server when the connection gets reestablished
tlsAuth
.
addCertificateVerifier
(
new
SameCertVerifier
());
tlsAuth
.
addCertificateVerifier
(
new
SameCertVerifier
());
// save eService certificate for use in EAC
// save eService certificate for use in EAC
tlsAuth
.
addCertificateVerifier
(
new
SaveEServ
ic
eCertHandler
());
tlsAuth
.
addCertificateVerifier
(
new
SaveE
id
Serve
r
CertHandler
());
// set the authentication class in the tls client
// set the authentication class in the tls client
tlsClient
.
setAuthentication
(
tlsAuth
);
tlsClient
.
setAuthentication
(
tlsAuth
);
...
...
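Review bot: `SAME_CHANNEL` is only ever written as `Boolean.TRUE` in the same-channel branch; the `else` branch that follows never resets it. If the context returned by `DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY)` can outlive a single activation (not visible in this diff), a stale `TRUE` from an earlier attached-eID-Server session would make PACEStep skip the eID-Server certificate check in a later session with a separate eID-Server, which is a silent downgrade of the TLS-certificate binding. Writing the flag unconditionally, e.g. `dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.valueOf(sameChannel));` before the `if`, or adding `dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.FALSE);` to the `else` branch, removes the dependency on context lifetime. The comment above the new lines also reads `situtation`; it should be `situation`. The enclosing method starts outside this hunk.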
addons/tr03112/src/main/java/org/openecard/sal/protocol/eac/PACEStep.java
...
@@ -436,7 +436,7 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
...
@@ -436,7 +436,7 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
/**
/**
* Perform all checks as described in BSI TR-03112-7 3.4.4.
* Perform all checks as described in BSI TR-03112-7 3.4.4.
*
*
* @param certDescription CertificateDescription of the eService Certificate
* @param certDescription CertificateDescription of the eService
CV
Certificate
* @param dynCtx Dynamic Context
* @param dynCtx Dynamic Context
* @return a {@link Result} set according to the results of the checks
* @return a {@link Result} set according to the results of the checks
*/
*/
...
@@ -444,9 +444,9 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
...
@@ -444,9 +444,9 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
Object
tokenChecks
=
dynCtx
.
get
(
TR03112Keys
.
TCTOKEN_CHECKS
);
Object
tokenChecks
=
dynCtx
.
get
(
TR03112Keys
.
TCTOKEN_CHECKS
);
// omit these checks if explicitly disabled
// omit these checks if explicitly disabled
if
(
convertToBoolean
(
tokenChecks
))
{
if
(
convertToBoolean
(
tokenChecks
))
{
boolean
checkPassed
=
checkE
service
Certificate
(
certDescription
,
dynCtx
);
boolean
checkPassed
=
checkE
idServer
Certificate
(
certDescription
,
dynCtx
);
if
(!
checkPassed
)
{
if
(!
checkPassed
)
{
String
msg
=
"Hash of eServ
ic
e certificate is NOT contained in the CertificateDescription."
;
String
msg
=
"Hash of e
ID-
Serve
r
certificate is NOT contained in the CertificateDescription."
;
// TODO check for the correct minor type
// TODO check for the correct minor type
Result
r
=
WSHelper
.
makeResultError
(
ECardConstants
.
Minor
.
SAL
.
PREREQUISITES_NOT_SATISFIED
,
msg
);
Result
r
=
WSHelper
.
makeResultError
(
ECardConstants
.
Minor
.
SAL
.
PREREQUISITES_NOT_SATISFIED
,
msg
);
return
r
;
return
r
;
...
@@ -492,13 +492,19 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
...
@@ -492,13 +492,19 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
}
}
}
}
private
boolean
checkEserviceCertificate
(
CertificateDescription
certDescription
,
DynamicContext
dynCtx
)
{
private
boolean
checkEidServerCertificate
(
CertificateDescription
certDescription
,
DynamicContext
dynCtx
)
{
TlsServerCertificate
certificate
=
(
TlsServerCertificate
)
dynCtx
.
get
(
TR03112Keys
.
ESERVICE_CERTIFICATE
);
Boolean
sameChannel
=
(
Boolean
)
dynCtx
.
get
(
TR03112Keys
.
SAME_CHANNEL
);
if
(
certificate
!=
null
)
{
if
(
Boolean
.
TRUE
.
equals
(
sameChannel
))
{
return
TR03112Utils
.
isInCommCertificates
(
certificate
,
certDescription
.
getCommCertificates
(),
"eService"
);
LOG
.
debug
(
"eID-Server certificate is not check explicitly due to attached eID-Server case."
);
return
true
;
}
else
{
}
else
{
LOG
.
error
(
"No eService TLS Certificate set in Dynamic Context."
);
TlsServerCertificate
certificate
=
(
TlsServerCertificate
)
dynCtx
.
get
(
TR03112Keys
.
EIDSERVER_CERTIFICATE
);
return
false
;
if
(
certificate
!=
null
)
{
return
TR03112Utils
.
isInCommCertificates
(
certificate
,
certDescription
.
getCommCertificates
(),
"eID-Server"
);
}
else
{
LOG
.
error
(
"No eID-Server TLS Certificate set in Dynamic Context."
);
return
false
;
}
}
}
}
}
...
...
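Review bot: In the `Boolean.TRUE.equals(sameChannel)` branch `checkEidServerCertificate` now returns `true` without comparing any TLS certificate hash against `certDescription.getCommCertificates()`, so for the attached eID-Server case the certificate-binding check of TR-03112-7 3.4.4 is dropped entirely rather than applied to the certificate of the shared channel. The `SaveEidServerCertHandler` from this same commit still stores the first server certificate under `EIDSERVER_CERTIFICATE` in that case, so the comparison could still run against it; unless the specification explicitly exempts the attached case (I cannot confirm that from this diff), I would keep the comparison and only change the label passed to `isInCommCertificates`. If the exemption is intended, it should be stated in a code comment with the section reference, not only in a debug log, and that log text should read `is not checked explicitly` rather than `is not check explicitly`. A possible shape of the method:

```java
private boolean checkEidServerCertificate(CertificateDescription certDescription, DynamicContext dynCtx) {
    Boolean sameChannel = (Boolean) dynCtx.get(TR03112Keys.SAME_CHANNEL);
    TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.EIDSERVER_CERTIFICATE);
    if (certificate == null) {
        LOG.error("No eID-Server TLS Certificate set in Dynamic Context.");
        return false;
    }
    // attached eID-Server: the stored certificate is the one of the shared eService channel,
    // still bind it to the CertificateDescription instead of skipping the check
    String label = Boolean.TRUE.equals(sameChannel) ? "eService" : "eID-Server";
    return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), label);
}
```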