Merge pull request #27 from ecsec/attached-eid-check

Attached eid check

addons/tr03112/src/main/java/org/openecard/binding/tctoken/SaveEServiceCertHandler.java → addons/tr03112/src/main/java/org/openecard/binding/tctoken/SaveEidServerCertHandler.java

@@ -33,7 +33,7 @@ import org.openecard.crypto.tls.CertificateVerifier;
  *
  * @author Tobias Wich
  */
-public class SaveEServiceCertHandler implements CertificateVerifier {
+public class SaveEidServerCertHandler implements CertificateVerifier {
 
     boolean firstCert = true;
 
@@ -42,7 +42,7 @@ public class SaveEServiceCertHandler implements CertificateVerifier {
 	if (firstCert) {
 	    firstCert = false;
 	    DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
-	    dynCtx.put(TR03112Keys.ESERVICE_CERTIFICATE, chain);
+	    dynCtx.put(TR03112Keys.EIDSERVER_CERTIFICATE, chain);
 	}
     }
 

addons/tr03112/src/main/java/org/openecard/binding/tctoken/TR03112Keys.java

@@ -36,8 +36,9 @@ public class TR03112Keys {
     public static final String TCTOKEN_CHECKS = "tctoken_checks";
     public static final String ACTIVATION_THREAD = "activation_thread";
     public static final String CONNECTION_HANDLE = "connection_handle";
+    public static final String SAME_CHANNEL = "same_channel";
     public static final String ESERVICE_CERTIFICATE_DESC = "eservice_certificate_description";
-    public static final String ESERVICE_CERTIFICATE = "eservice_certificate";
+    public static final String EIDSERVER_CERTIFICATE = "eservice_certificate";
     public static final String TCTOKEN_URL = "TCTokenURL";
     public static final String TCTOKEN_SERVER_CERTIFICATES = "tctoken_server_certificates";
     public static final String IS_REFRESH_URL_VALID = "is_refresh_url_valid";

addons/tr03112/src/main/java/org/openecard/binding/tctoken/TlsConnectionHandler.java

@@ -49,6 +49,7 @@ import static org.openecard.binding.tctoken.ex.ErrorTranslations.*;
 import org.bouncycastle.tls.BasicTlsPSKIdentity;
 import org.bouncycastle.tls.crypto.TlsCrypto;
 import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
+import org.openecard.common.DynamicContext;
 import org.openecard.crypto.common.ReusableSecureRandom;
 import org.openecard.crypto.tls.verify.JavaSecVerifier;
 
@@ -119,6 +120,9 @@ public class TlsConnectionHandler {
 		if (tlsClient instanceof ClientCertDefaultTlsClient) {
 		    ((ClientCertDefaultTlsClient) tlsClient).setEnforceSameSession(true);
 		}
+		// save the info that we have a same channel situtation
+		DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
+		dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.TRUE);
 	    } else {
 		// kill open channel in tctoken request, it is not needed anymore
 		if (tokenRequest.getTokenContext() != null) {
@@ -171,7 +175,7 @@ public class TlsConnectionHandler {
 		// make sure nobody changes the server when the connection gets reestablished
 		tlsAuth.addCertificateVerifier(new SameCertVerifier());
 		// save eService certificate for use in EAC
-		tlsAuth.addCertificateVerifier(new SaveEServiceCertHandler());
+		tlsAuth.addCertificateVerifier(new SaveEidServerCertHandler());
 
 		// set the authentication class in the tls client
 		tlsClient.setAuthentication(tlsAuth);

addons/tr03112/src/main/java/org/openecard/sal/protocol/eac/PACEStep.java

@@ -436,7 +436,7 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
     /**
      * Perform all checks as described in BSI TR-03112-7 3.4.4.
      *
-     * @param certDescription CertificateDescription of the eService Certificate
+     * @param certDescription CertificateDescription of the eService CV Certificate
      * @param dynCtx Dynamic Context
      * @return a {@link Result} set according to the results of the checks
      */
@@ -444,9 +444,9 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
 	Object tokenChecks = dynCtx.get(TR03112Keys.TCTOKEN_CHECKS);
 	// omit these checks if explicitly disabled
 	if (convertToBoolean(tokenChecks)) {
-	    boolean checkPassed = checkEserviceCertificate(certDescription, dynCtx);
+	    boolean checkPassed = checkEidServerCertificate(certDescription, dynCtx);
 	    if (! checkPassed) {
-		String msg = "Hash of eService certificate is NOT contained in the CertificateDescription.";
+		String msg = "Hash of eID-Server certificate is NOT contained in the CertificateDescription.";
 		// TODO check for the correct minor type
 		Result r = WSHelper.makeResultError(ECardConstants.Minor.SAL.PREREQUISITES_NOT_SATISFIED, msg);
 		return r;
@@ -492,13 +492,19 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
 	}
     }
 
-    private boolean checkEserviceCertificate(CertificateDescription certDescription, DynamicContext dynCtx) {
-	TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.ESERVICE_CERTIFICATE);
-	if (certificate != null) {
-	    return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), "eService");
+    private boolean checkEidServerCertificate(CertificateDescription certDescription, DynamicContext dynCtx) {
+	Boolean sameChannel = (Boolean) dynCtx.get(TR03112Keys.SAME_CHANNEL);
+	if (Boolean.TRUE.equals(sameChannel)) {
+	    LOG.debug("eID-Server certificate is not check explicitly due to attached eID-Server case.");
+	    return true;
 	} else {
-	    LOG.error("No eService TLS Certificate set in Dynamic Context.");
-	    return false;
+	    TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.EIDSERVER_CERTIFICATE);
+	    if (certificate != null) {
+		return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), "eID-Server");
+	    } else {
+		LOG.error("No eID-Server TLS Certificate set in Dynamic Context.");
+		return false;
+	    }
 	}
     }