Commit b67bce64 authored by YannGarcia's avatar YannGarcia

Add SSP check

parent 940a838b
......@@ -157,7 +157,7 @@ module LibItsHttp_Templates {
version_major := 1,
version_minor := 1,
statuscode := 200,
statustext := "OK",
statustext := ?,
header := p_header,
body := p_body
} // End of template mw_http_response_ok
......
......@@ -3370,9 +3370,13 @@ module LibItsPki_Functions {
log("f_verify_ec_certificate: Signature not verified");
return false;
}
// TODO Check that requested information are present
if (f_verifySspPermissions(p_ec_certificate.toBeSigned.appPermissions, p_ea_certificate.toBeSigned.appPermissions) == false) {
log("f_verify_ec_certificate: Ssp permissions not verified");
return false;
}
return true;
} // End of function f_verify_ec_certificate
......@@ -3412,6 +3416,13 @@ module LibItsPki_Functions {
return false;
}
// TODO Check that requested information are present
if (f_verifySspPermissions(p_aa_certificate.toBeSigned.appPermissions, p_at_certificate.toBeSigned.appPermissions) == false) {
log("f_verify_ec_certificate: Ssp permissions not verified");
return false;
}
return true;
} // End of function f_verify_at_certificate
......
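Review bot: The two new calls to f_verifySspPermissions pass the certificates in opposite orders: f_verify_ec_certificate passes the subordinate first (`p_ec_certificate`, then `p_ea_certificate`), while f_verify_at_certificate passes the issuer first (`p_aa_certificate`, then `p_at_certificate`). The function declares `p_issuer_ssp_permissions` as its first parameter, so one of the two checks runs in the wrong direction and could accept a certificate whose permissions exceed its issuer's. Use one order in both places, e.g. `f_verifySspPermissions(p_ea_certificate.toBeSigned.appPermissions, p_ec_certificate.toBeSigned.appPermissions)`. The log line added to f_verify_at_certificate still reads `"f_verify_ec_certificate: Ssp permissions not verified"` and should name the AT function. If `appPermissions` is an optional field (its type is not visible here), it also needs an `ispresent` guard before the call so that an omitted value returns false instead of raising a runtime error; both function bodies start outside the hunks.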
......@@ -95,6 +95,16 @@ module LibItsPki_Pics {
*/
modulepar boolean PICS_ITS_S_WITH_PRIVACY := true;
/**
* @desc Set to true if the PKI configuration authorize to configure an external EA entity
*/
modulepar boolean PICS_SIMULTE_EA_ENTITY := false;
/**
* @desc Set to true if the PKI configuration authorize to configure an external AA entity
*/
modulepar boolean PICS_SIMULTE_AA_ENTITY := false;
/**
* @desc HTTP POST URI for InnerECRequest
*/
......
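Review bot: The new module parameters are spelled `PICS_SIMULTE_EA_ENTITY` and `PICS_SIMULTE_AA_ENTITY`, presumably meant as SIMULATE. Module parameter names are referenced from test configuration, so the spelling is cheaper to correct now than after they are in use. The `@desc` text describes authorizing an external EA/AA entity while the names describe simulating one, so the comment should state which behaviour `true` selects. A possible wording, to be confirmed by the author, is `@desc Set to true if the test system shall simulate the EA entity`.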
......@@ -1993,7 +1993,7 @@ module LibItsSecurity_Functions {
log(">>> f_verifyGnSecuredMessageSignatureWithCertificate: p_certificate=", p_certificate);
if (f_getCertificateHash(valueof(p_certificate_id), v_issuer) == false) {
log("f_verifyCertificateSignatureWithPublicKey: Invalid certificate id: " & p_certificate_id);
log("f_verifyCertificateSignatureWithPublicKey: Invalid certificate id: " & valueof(p_certificate_id));
return false;
}
if (ischosen(p_securedMessage.content.signedData.signature_.ecdsaBrainpoolP256r1Signature)) {
......@@ -2009,6 +2009,66 @@ module LibItsSecurity_Functions {
} // End of group deviceSignatureHelpers
group sspPermissions {
function f_verifySspPermissions(
in SequenceOfPsidSsp p_issuer_ssp_permissions,
in SequenceOfPsidSsp p_subordinate_ssp_permissions
) return boolean {
// Local variables
var integer v_idx := 0;
for (v_idx := 0; v_idx < lengthof(p_issuer_ssp_permissions); v_idx := v_idx + 1) {
var PsidSsp v_issuerPsidSsp := p_issuer_ssp_permissions[v_idx];
var PsidSsp v_subordinatePsidSsp;
var boolean v_found := false;
var integer v_jdx := 0;
// 1. Check permission from issuer is present
for (v_jdx := 0; v_jdx < lengthof(p_subordinate_ssp_permissions); v_jdx := v_jdx + 1) {
if (match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp)) == true) {
v_subordinatePsidSsp := p_subordinate_ssp_permissions[v_jdx];
v_found := true;
break;
}
} // End of 'for' statement
if (v_found == false) {
log("f_verifySspPermissions: Permission set not found: ", v_issuerPsidSsp)
return false;
}
// 2. Validate bits mask
if (ispresent(v_issuerPsidSsp.ssp)) {
if (ispresent(v_subordinatePsidSsp.ssp) == false) {
log("f_verifySspPermissions: Ssp shall not be omitted: ", v_issuerPsidSsp)
return false;
}
if ((ischosen(v_issuerPsidSsp.ssp.bitmapSsp) == false) or (ischosen(v_subordinatePsidSsp.ssp.bitmapSsp) == false)) {
log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp);
return false;
}
if (lengthof(v_issuerPsidSsp.ssp.bitmapSsp) < lengthof(v_subordinatePsidSsp.ssp.bitmapSsp)) {
log("f_verifySspPermissions: Ssp not be compliant: ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp);
return false;
} else {
var charstring v_issuerSsp := bit2str(oct2bit(v_issuerPsidSsp.ssp.bitmapSsp));
var charstring v_subordinateSsp := bit2str(oct2bit(v_subordinatePsidSsp.ssp.bitmapSsp));
for (var integer i := 0; i < lengthof(v_issuerSsp); i := i + 1) {
if (v_issuerSsp[i] == "1") { // TODO How to check Permission using SspBitmask/SspValue
if (v_subordinateSsp[i] != "1") {
log("f_verifySspPermissions: Ssp bitmask mismatch at index: ", i);
return false;
}
} // else, no restriction, subordinate certificate can have any value.
} // End of 'for' statement
}
}
} // End of 'for' statement
return true;
} // End of function f_verifySspPermissions
} // End of group sspPermissions
group messageGetters {
/**
......
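Review bot: f_verifySspPermissions iterates over the issuer's list and requires each entry to exist in the subordinate's, so a PSID or SSP bit that appears only in the subordinate certificate is never examined. A chain check would normally run the other way, looking up each subordinate entry in the issuer's list. The bit loop has the same direction and can also index out of range: the length test only rejects a longer subordinate bitmap, so when the issuer's bitmap is longer, `v_subordinateSsp[i]` reads past the end of the shorter string. Bounding the loop with `i < lengthof(v_subordinateSsp)` and testing `if (v_subordinateSsp[i] == "1")` followed by `if (v_issuerSsp[i] != "1")` would address both. Step 1 already matches on the subordinate's `ssp` through `m_appPermissions` (not shown here); if that template compares the SSP exactly, step 2 never sees differing bitmaps, so matching on `psid` alone may be what is intended.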