Commit acda274c authored by Tobias Wich

Omit eID-Server cert hash check in case of attached eID-Server case

parent d99e19e9
......@@ -36,6 +36,7 @@ public class TR03112Keys {
public static final String TCTOKEN_CHECKS = "tctoken_checks";
public static final String ACTIVATION_THREAD = "activation_thread";
public static final String CONNECTION_HANDLE = "connection_handle";
public static final String SAME_CHANNEL = "same_channel";
public static final String ESERVICE_CERTIFICATE_DESC = "eservice_certificate_description";
public static final String ESERVICE_CERTIFICATE = "eservice_certificate";
public static final String TCTOKEN_URL = "TCTokenURL";
......
......@@ -49,6 +49,7 @@ import static org.openecard.binding.tctoken.ex.ErrorTranslations.*;
import org.bouncycastle.tls.BasicTlsPSKIdentity;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import org.openecard.common.DynamicContext;
import org.openecard.crypto.common.ReusableSecureRandom;
import org.openecard.crypto.tls.verify.JavaSecVerifier;
......@@ -119,6 +120,9 @@ public class TlsConnectionHandler {
if (tlsClient instanceof ClientCertDefaultTlsClient) {
((ClientCertDefaultTlsClient) tlsClient).setEnforceSameSession(true);
}
// save the info that we have a same channel situtation
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.TRUE);
} else {
// kill open channel in tctoken request, it is not needed anymore
if (tokenRequest.getTokenContext() != null) {
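Review bot: The same-channel marker stored by `dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.TRUE);` is only ever set, never cleared: the else branch that tears down the TCToken channel writes nothing, so the key keeps whatever an earlier run stored unless DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY) is recreated for every activation, which this hunk does not show. Since PACEStep treats a TRUE value as permission to skip the eService certificate comparison, a stale flag would silently weaken that check for a later activation that does not share the channel. Writing the negative result explicitly in the else branch, `dynCtx.put(TR03112Keys.SAME_CHANNEL, Boolean.FALSE);`, makes the outcome independent of the context's lifetime. The comment above the put also has a typo, `situtation`. The enclosing method starts and ends outside the hunk.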
......
......@@ -493,12 +493,18 @@ public class PACEStep implements ProtocolStep<DIDAuthenticate, DIDAuthenticateRe
}
private boolean checkEserviceCertificate(CertificateDescription certDescription, DynamicContext dynCtx) {
TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.ESERVICE_CERTIFICATE);
if (certificate != null) {
return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), "eService");
Boolean sameChannel = (Boolean) dynCtx.get(TR03112Keys.SAME_CHANNEL);
if (Boolean.TRUE.equals(sameChannel)) {
LOG.debug("eService certificate is not check explicitly due to attached eID-Server case.");
return true;
} else {
LOG.error("No eService TLS Certificate set in Dynamic Context.");
return false;
TlsServerCertificate certificate = (TlsServerCertificate) dynCtx.get(TR03112Keys.ESERVICE_CERTIFICATE);
if (certificate != null) {
return TR03112Utils.isInCommCertificates(certificate, certDescription.getCommCertificates(), "eService");
} else {
LOG.error("No eService TLS Certificate set in Dynamic Context.");
return false;
}
}
}
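Review bot: The early `return true;` in the same-channel branch skips TR03112Utils.isInCommCertificates entirely, so the result of checkEserviceCertificate now rests on a flag whose trust basis is stated nowhere in this hunk; a Javadoc sentence on the method should record it, along the lines of `Returns true without comparing certificates when TR03112Keys.SAME_CHANNEL is set, i.e. eService and eID-Server share one TLS channel whose server certificate was presumably verified when the channel was established` (the establishment-time verification is not visible here and should be confirmed). The flag is read with `Boolean.TRUE.equals(sameChannel)`, so an absent key correctly falls back to the strict path, but the unchecked `(Boolean)` cast will throw ClassCastException instead of falling back if the context holds another type. Skipping a certificate comparison is a security-relevant decision, so logging it only at DEBUG makes the bypass hard to audit in normal logs. The message also has a grammar slip: `LOG.debug("eService certificate is not checked explicitly due to attached eID-Server case.");`.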
......