diff --git a/phase4-profile-bdew/src/main/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidator.java b/phase4-profile-bdew/src/main/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidator.java
index 53628a62f..a1fb3a7bd 100644
--- a/phase4-profile-bdew/src/main/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidator.java
+++ b/phase4-profile-bdew/src/main/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidator.java
@@ -73,6 +73,9 @@
  */
 public class BDEWCompatibilityValidator implements IAS4ProfileValidator
 {
+
+  public static final String EMT_MAK = "EMT.MAK";
+
   public BDEWCompatibilityValidator () {}
@@ -430,6 +433,38 @@ public void validateInitiatorIdentity (@Nonnull final Ebms3UserMessage aUserMsg,
                                         @Nonnull final IAS4IncomingMessageMetadata aMessageMetadata,
                                         @Nonnull final ErrorList aErrorList)
   {
+
+    X509Certificate aTlsClientEndCert = null;
+    if (aMessageMetadata.hasRemoteTlsCerts ())
+    {
+      aTlsClientEndCert = aMessageMetadata.remoteTlsCerts ().getFirstOrNull ();
+
+      final X500Name aTlsName = new X500Name (aTlsClientEndCert.getSubjectX500Principal ().getName ());
+      final RDN aTlsCnRDN = aTlsName.getRDNs (BCStyle.CN)[0];
+      final String cn = IETFUtils.valueToString (aTlsCnRDN.getFirst ().getValue ());
+
+      if (!cn.contains (EMT_MAK))
+      {
+        aErrorList.add (_createError ("TLS certificate '" +
+                                      aTlsClientEndCert.getSubjectX500Principal() +
+                                      "' is not an EMT/MAKO certificate"));
+      }
+    }
+
+    if (aSignatureCert != null)
+    {
+      final X500Name aTlsName = new X500Name (aSignatureCert.getSubjectX500Principal ().getName ());
+      final RDN aSigCnRDN = aTlsName.getRDNs (BCStyle.CN)[0];
+      final String cn = IETFUtils.valueToString (aSigCnRDN.getFirst ().getValue ());
+
+      if (!cn.contains (EMT_MAK))
+      {
+        aErrorList.add (_createError ("Signature certificate '" +
+                                      aSignatureCert.getSubjectX500Principal() +
+                                      "' is not an EMT/MAKO certificate"));
+      }
+    }
+
     final Ebms3PartyInfo aInitatorPartyInfo = aUserMsg.getPartyInfo ();
     if (aInitatorPartyInfo != null)
     {
@@ -458,9 +493,8 @@ public void validateInitiatorIdentity (@Nonnull final Ebms3UserMessage aUserMsg,
       }
     }
 
-    if (aMessageMetadata.hasRemoteTlsCerts ())
+    if (aTlsClientEndCert != null)
     {
-      final X509Certificate aTlsClientEndCert = aMessageMetadata.remoteTlsCerts ().getFirstOrNull ();
       final X500Name aTlsName = new X500Name (aTlsClientEndCert.getSubjectX500Principal ().getName ());
       final RDN aTlsOuRDN = aTlsName.getRDNs (BCStyle.OU)[0];
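Review bot: `aTlsName.getRDNs (BCStyle.CN)[0]` (and the identical indexing for `aSignatureCert`) throws ArrayIndexOutOfBoundsException when the subject has no CN, so a peer certificate without a CN aborts validation with an exception instead of producing an entry in `aErrorList`; the array length must be checked first. The two blocks are otherwise copy-pasted, with the signature block reusing the name `aTlsName`, so a shared helper as sketched below removes the duplication and adds the guard in one place. `cn.contains (EMT_MAK)` accepts any CN that merely contains "EMT.MAK" somewhere — if the BDEW profile fixes the CN format, an anchored or exact match would be safer, which I cannot confirm from the hunk, so at least a comment stating that substring matching is intended belongs next to `EMT_MAK`. Building the subject via `X500Name.getInstance (aCert.getSubjectX500Principal ().getEncoded ())` avoids the RFC 2253 string round-trip of `getName ()`, though the existing OU check further down uses the same pattern. validateInitiatorIdentity continues past the end of this hunk.
```java
  /**
   * Add an error to aErrorList if the subject CN of aCert is missing or does
   * not contain {@link #EMT_MAK}. sWhat names the certificate in the error
   * text ("TLS" or "Signature"). New private helper, placed elsewhere in the class.
   */
  private void _checkEmtMakCN (@Nonnull final X509Certificate aCert,
                               @Nonnull final String sWhat,
                               @Nonnull final ErrorList aErrorList)
  {
    // Parse the DER subject directly; getName () would round-trip through an RFC 2253 string
    final X500Name aSubject = X500Name.getInstance (aCert.getSubjectX500Principal ().getEncoded ());
    final RDN [] aCNs = aSubject.getRDNs (BCStyle.CN);
    if (aCNs.length == 0)
    {
      aErrorList.add (_createError (sWhat + " certificate '" + aCert.getSubjectX500Principal () + "' has no CN"));
      return;
    }
    final String sCN = IETFUtils.valueToString (aCNs[0].getFirst ().getValue ());
    if (!sCN.contains (EMT_MAK))
      aErrorList.add (_createError (sWhat + " certificate '" + aCert.getSubjectX500Principal () + "' is not an EMT/MAKO certificate"));
  }

    // … unchanged: validateInitiatorIdentity signature …
    X509Certificate aTlsClientEndCert = null;
    if (aMessageMetadata.hasRemoteTlsCerts ())
    {
      aTlsClientEndCert = aMessageMetadata.remoteTlsCerts ().getFirstOrNull ();
      _checkEmtMakCN (aTlsClientEndCert, "TLS", aErrorList);
    }
    if (aSignatureCert != null)
      _checkEmtMakCN (aSignatureCert, "Signature", aErrorList);
    // … unchanged: PartyInfo checks …
```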
diff --git a/phase4-profile-bdew/src/test/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidatorTest.java b/phase4-profile-bdew/src/test/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidatorTest.java
index f446990f8..fa3dca573 100644
--- a/phase4-profile-bdew/src/test/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidatorTest.java
+++ b/phase4-profile-bdew/src/test/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidatorTest.java
@@ -31,6 +31,8 @@
 import com.helger.phase4.ebms3header.Ebms3SignalMessage;
 import com.helger.phase4.ebms3header.Ebms3To;
 import com.helger.phase4.ebms3header.Ebms3UserMessage;
+import com.helger.phase4.messaging.EAS4MessageMode;
+import com.helger.phase4.messaging.IAS4IncomingMessageMetadata;
 import com.helger.phase4.messaging.domain.MessageHelperMethods;
 import com.helger.phase4.model.EMEP;
 import com.helger.phase4.model.EMEPBinding;
@@ -43,14 +45,22 @@
 import com.helger.phase4.model.pmode.leg.PModeLegErrorHandling;
 import com.helger.phase4.model.pmode.leg.PModeLegProtocol;
 import com.helger.phase4.model.pmode.leg.PModeLegSecurity;
+import com.helger.phase4.servlet.AS4IncomingMessageMetadata;
 import com.helger.phase4.soap.ESoapVersion;
 import com.helger.phase4.wss.EWSSVersion;
 import com.helger.photon.app.mock.PhotonAppWebTestRule;
 
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Ignore;
 import org.junit.Test;
 
+import java.security.NoSuchProviderException;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
 import java.util.Locale;
 import java.util.UUID;
@@ -86,6 +96,7 @@ public void before ()
                                      "http://localhost:8080",
                                      IPModeIDProvider.DEFAULT_DYNAMIC,
                                      true);
+    Security.addProvider(new BouncyCastleProvider());
   }
 
   @Test
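Review bot: The new imports `EAS4MessageMode` and `IAS4IncomingMessageMetadata` in the first hunk are not referenced by the tests this commit adds, which only use `AS4IncomingMessageMetadata`; unless the rest of the file uses them, drop both. `Security.addProvider (new BouncyCastleProvider ())` in `before ()` runs once per test; `addProvider` is a no-op (returns -1) when the provider is already registered, so it is harmless, but a `@BeforeClass` method or a static initialiser states the one-time intent more clearly. `before ()` starts outside the hunk.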
@@ -854,4 +865,28 @@ public void testValidateSignalMessageNoMessageID ()
     assertTrue (m_aErrorList.containsAny (x -> x.getErrorText (LOCALE).contains ("MessageInfo/MessageId is missing")));
   }
 
+  @SuppressWarnings("unchecked")
+  @Test
+  public void testValidateInitiatorIdentityNonEmtMakoTls () throws CertificateException, NoSuchProviderException
+  {
+    final Ebms3UserMessage aUserMessage = new Ebms3UserMessage ();
+    final AS4IncomingMessageMetadata incomingMessageMetadata = AS4IncomingMessageMetadata.createForRequest();
+    final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509", "BC");
+    final Collection certificates = (Collection) certificateFactory.generateCertificates(BDEWCompatibilityValidator.class.getResourceAsStream("nonemtmako.cert"));
+    incomingMessageMetadata.setRemoteTlsCerts(certificates.toArray(new X509Certificate[0]));
+    VALIDATOR.validateInitiatorIdentity (aUserMessage, null, incomingMessageMetadata, m_aErrorList);
+    assertTrue (m_aErrorList.containsAny (x -> x.getErrorText (LOCALE).contains ("is not an EMT/MAKO certificate")));
+  }
+
+  @Test
+  public void testValidateInitiatorIdentityNonEmtMakoSig () throws CertificateException, NoSuchProviderException
+  {
+    final Ebms3UserMessage aUserMessage = new Ebms3UserMessage ();
+    final AS4IncomingMessageMetadata incomingMessageMetadata = AS4IncomingMessageMetadata.createForRequest();
+    final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509", "BC");
+    final X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(BDEWCompatibilityValidator.class.getResourceAsStream("nonemtmako.cert"));
+    VALIDATOR.validateInitiatorIdentity (aUserMessage, certificate, incomingMessageMetadata, m_aErrorList);
+    assertTrue (m_aErrorList.containsAny (x -> x.getErrorText (LOCALE).contains ("is not an EMT/MAKO certificate")));
+  }
+
 }
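Review bot: Both new tests cover only the negative case; without a positive test using a certificate whose CN does contain `EMT.MAK` (asserting that no "is not an EMT/MAKO certificate" error is added), a regression that rejects every certificate would go unnoticed. The `InputStream` returned by `getResourceAsStream ("nonemtmako.cert")` is never closed in either test; wrap it in try-with-resources, e.g. `try (final InputStream aIS = BDEWCompatibilityValidator.class.getResourceAsStream ("nonemtmako.cert"))`. The raw `Collection` cast and `@SuppressWarnings("unchecked")` are unnecessary: `final Collection <? extends Certificate> certificates = certificateFactory.generateCertificates (aIS);` followed by `certificates.toArray (new X509Certificate [0])` compiles without a cast (needs `import java.security.cert.Certificate;`). Using the shared `BouncyCastleProvider` instance via `getInstance ("X509", "BC")` also ties these tests to the provider registration done in `before ()`, which is fine but worth a one-line comment on the first test.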
diff --git a/phase4-profile-bdew/src/test/resources/com/helger/phase4/profile/bdew/nonemtmako.cert b/phase4-profile-bdew/src/test/resources/com/helger/phase4/profile/bdew/nonemtmako.cert
new file mode 100644
index 000000000..678c55a90
--- /dev/null
+++ b/phase4-profile-bdew/src/test/resources/com/helger/phase4/profile/bdew/nonemtmako.cert
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX+gAwIBAgIUeO7Nd7BLDfycbhdx/+sBjsKdVBIwCgYIKoZIzj0EAwIw
+azEKMAgGA1UEBRMBMTELMAkGA1UEBhMCREUxDjAMBgNVBAgMBUR1bW15MQ4wDAYD
+VQQHDAVEdW1teTEWMBQGA1UECwwNOTk5OTk5OTk5OTk5OTEYMBYGA1UEAwwPZHVt
+bXkuRU1ULmR1bW15MCAXDTI0MDQwOTExMjc1NFoYDzIxMjQwNDA5MTEyNzU0WjBr
+MQowCAYDVQQFEwExMQswCQYDVQQGEwJERTEOMAwGA1UECAwFRHVtbXkxDjAMBgNV
+BAcMBUR1bW15MRYwFAYDVQQLDA05OTk5OTk5OTk5OTk5MRgwFgYDVQQDDA9kdW1t
+eS5FTVQuZHVtbXkwWjAUBgcqhkjOPQIBBgkrJAMDAggBAQcDQgAEKuLVYNOqwaap
+gNoYgT4RcADtU+LT8/0IFikiPhSBiauV7WDSu11fep+8P4zeMGMRNfPSvnsIhyDF
+Nat0oVWznDAKBggqhkjOPQQDAgNHADBEAiAcX3Eal5L/WoN9kkYOKO33z2QbR35I
+uEJz8yleJrLXDAIgX5N1KWU+0egFfu+UeioKOVGCx2rJv0OUJGgVrn6sIqU=
+-----END CERTIFICATE-----