Check incoming BDEW requests wether an EMT/MAKO certificate is used

phase4-profile-bdew/src/main/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidator.java

@@ -73,6 +73,9 @@
  */
 public class BDEWCompatibilityValidator implements IAS4ProfileValidator
 {
+
+  public static final String EMT_MAK = "EMT.MAK";
+
   public BDEWCompatibilityValidator ()
   {}
 
@@ -430,6 +433,38 @@ public void validateInitiatorIdentity (@Nonnull final Ebms3UserMessage aUserMsg,
                                          @Nonnull final IAS4IncomingMessageMetadata aMessageMetadata,
                                          @Nonnull final ErrorList aErrorList)
   {
+
+    X509Certificate aTlsClientEndCert = null;
+    if (aMessageMetadata.hasRemoteTlsCerts ())
+    {
+      aTlsClientEndCert = aMessageMetadata.remoteTlsCerts ().getFirstOrNull ();
+
+      final X500Name aTlsName = new X500Name (aTlsClientEndCert.getSubjectX500Principal ().getName ());
+      final RDN aTlsCnRDN = aTlsName.getRDNs (BCStyle.CN)[0];
+      final String cn = IETFUtils.valueToString (aTlsCnRDN.getFirst ().getValue ());
+
+      if (!cn.contains (EMT_MAK))
+      {
+        aErrorList.add (_createError ("TLS certificate '" +
+                                              aTlsClientEndCert.getSubjectX500Principal()
+                                              + "' is not an EMT/MAKO certificate"));
+      }
+    }
+
+    if (aSignatureCert != null)
+    {
+      final X500Name aTlsName = new X500Name (aSignatureCert.getSubjectX500Principal ().getName ());
+      final RDN aSigCnRDN = aTlsName.getRDNs (BCStyle.CN)[0];
+      final String cn = IETFUtils.valueToString (aSigCnRDN.getFirst ().getValue ());
+
+      if (!cn.contains (EMT_MAK))
+      {
+        aErrorList.add (_createError ("Signature certificate '" +
+                                              aSignatureCert.getSubjectX500Principal()
+                                              + "' is not an EMT/MAKO certificate"));
+      }
+    }
+
     final Ebms3PartyInfo aInitatorPartyInfo = aUserMsg.getPartyInfo ();
     if (aInitatorPartyInfo != null)
     {
@@ -458,9 +493,8 @@ public void validateInitiatorIdentity (@Nonnull final Ebms3UserMessage aUserMsg,
               }
             }
 
-            if (aMessageMetadata.hasRemoteTlsCerts ())
+            if (aTlsClientEndCert != null)
             {
-              final X509Certificate aTlsClientEndCert = aMessageMetadata.remoteTlsCerts ().getFirstOrNull ();
 
               final X500Name aTlsName = new X500Name (aTlsClientEndCert.getSubjectX500Principal ().getName ());
               final RDN aTlsOuRDN = aTlsName.getRDNs (BCStyle.OU)[0];

phase4-profile-bdew/src/test/java/com/helger/phase4/profile/bdew/BDEWCompatibilityValidatorTest.java

@@ -31,6 +31,8 @@
 import com.helger.phase4.ebms3header.Ebms3SignalMessage;
 import com.helger.phase4.ebms3header.Ebms3To;
 import com.helger.phase4.ebms3header.Ebms3UserMessage;
+import com.helger.phase4.messaging.EAS4MessageMode;
+import com.helger.phase4.messaging.IAS4IncomingMessageMetadata;
 import com.helger.phase4.messaging.domain.MessageHelperMethods;
 import com.helger.phase4.model.EMEP;
 import com.helger.phase4.model.EMEPBinding;
@@ -43,14 +45,22 @@
 import com.helger.phase4.model.pmode.leg.PModeLegErrorHandling;
 import com.helger.phase4.model.pmode.leg.PModeLegProtocol;
 import com.helger.phase4.model.pmode.leg.PModeLegSecurity;
+import com.helger.phase4.servlet.AS4IncomingMessageMetadata;
 import com.helger.phase4.soap.ESoapVersion;
 import com.helger.phase4.wss.EWSSVersion;
 import com.helger.photon.app.mock.PhotonAppWebTestRule;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Ignore;
 import org.junit.Test;
 
+import java.security.NoSuchProviderException;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
 import java.util.Locale;
 import java.util.UUID;
 
@@ -86,6 +96,7 @@ public void before ()
                                           "http://localhost:8080",
                                           IPModeIDProvider.DEFAULT_DYNAMIC,
                                           true);
+    Security.addProvider(new BouncyCastleProvider());
   }
 
   @Test
@@ -854,4 +865,28 @@ public void testValidateSignalMessageNoMessageID ()
     assertTrue (m_aErrorList.containsAny (x -> x.getErrorText (LOCALE).contains ("MessageInfo/MessageId is missing")));
   }
 
+  @SuppressWarnings("unchecked")
+  @Test
+  public void testValidateInitiatorIdentityNonEmtMakoTls () throws CertificateException, NoSuchProviderException
+  {
+    final Ebms3UserMessage aUserMessage = new Ebms3UserMessage ();
+    final AS4IncomingMessageMetadata incomingMessageMetadata = AS4IncomingMessageMetadata.createForRequest();
+    final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509", "BC");
+    final Collection<X509Certificate> certificates = (Collection<X509Certificate>) certificateFactory.generateCertificates(BDEWCompatibilityValidator.class.getResourceAsStream("nonemtmako.cert"));
+    incomingMessageMetadata.setRemoteTlsCerts(certificates.toArray(new X509Certificate[0]));
+    VALIDATOR.validateInitiatorIdentity (aUserMessage, null, incomingMessageMetadata, m_aErrorList);
+    assertTrue (m_aErrorList.containsAny (x -> x.getErrorText (LOCALE).contains ("is not an EMT/MAKO certificate")));
+  }
+
+  @Test
+  public void testValidateInitiatorIdentityNonEmtMakoSig () throws CertificateException, NoSuchProviderException
+  {
+    final Ebms3UserMessage aUserMessage = new Ebms3UserMessage ();
+    final AS4IncomingMessageMetadata incomingMessageMetadata = AS4IncomingMessageMetadata.createForRequest();
+    final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509", "BC");
+    final X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(BDEWCompatibilityValidator.class.getResourceAsStream("nonemtmako.cert"));
+    VALIDATOR.validateInitiatorIdentity (aUserMessage, certificate, incomingMessageMetadata, m_aErrorList);
+    assertTrue (m_aErrorList.containsAny (x -> x.getErrorText (LOCALE).contains ("is not an EMT/MAKO certificate")));
+  }
+
 }

phase4-profile-bdew/src/test/resources/com/helger/phase4/profile/bdew/nonemtmako.cert

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX+gAwIBAgIUeO7Nd7BLDfycbhdx/+sBjsKdVBIwCgYIKoZIzj0EAwIw
+azEKMAgGA1UEBRMBMTELMAkGA1UEBhMCREUxDjAMBgNVBAgMBUR1bW15MQ4wDAYD
+VQQHDAVEdW1teTEWMBQGA1UECwwNOTk5OTk5OTk5OTk5OTEYMBYGA1UEAwwPZHVt
+bXkuRU1ULmR1bW15MCAXDTI0MDQwOTExMjc1NFoYDzIxMjQwNDA5MTEyNzU0WjBr
+MQowCAYDVQQFEwExMQswCQYDVQQGEwJERTEOMAwGA1UECAwFRHVtbXkxDjAMBgNV
+BAcMBUR1bW15MRYwFAYDVQQLDA05OTk5OTk5OTk5OTk5MRgwFgYDVQQDDA9kdW1t
+eS5FTVQuZHVtbXkwWjAUBgcqhkjOPQIBBgkrJAMDAggBAQcDQgAEKuLVYNOqwaap
+gNoYgT4RcADtU+LT8/0IFikiPhSBiauV7WDSu11fep+8P4zeMGMRNfPSvnsIhyDF
+Nat0oVWznDAKBggqhkjOPQQDAgNHADBEAiAcX3Eal5L/WoN9kkYOKO33z2QbR35I
+uEJz8yleJrLXDAIgX5N1KWU+0egFfu+UeioKOVGCx2rJv0OUJGgVrn6sIqU=
+-----END CERTIFICATE-----