Commit c9748c79 authored by YannGarcia's avatar YannGarcia
Browse files

Implementing SECPKI_CA_CERTGEN TPs

parent 1fe4c006
/**
f_verify_rca_certificate/**
* @author ETSI / STF544
* @version $Url$
* $Id$
......@@ -3480,7 +3480,8 @@ module LibItsPki_Functions {
in boolean p_check_reconstruction_value := false,
in boolean p_check_no_signature := false,
in boolean p_check_region_restriction := false,
in boolean p_check_signature_content := false
in boolean p_check_signature_content := false,
in boolean p_check_app_permissions := false
) return boolean {
var CertificateType v_type_ := explicit;
var template Signature v_signature_ := ?;
......@@ -3634,7 +3635,54 @@ module LibItsPki_Functions {
return false;
}
}
// Check appPermissions
if (p_check_app_permissions == true) {
var integer v_idx, v_jdx;
var charstring v_psid := ""; // 'psid' currently processed
var charstring v_psidsFound := ";"; // Used to build the list of the 'psid' already processed
var template charstring m_found_pattern; // Used in regex to verify that 'psid' was not found before
var Certificate v_authorized_certificate;
if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) {
log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
return false;
}
log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate);
if (match(v_authorized_certificate.toBeSigned.certIssuePermissions, { mw_psidGroupPermissions }) == false) {
log("f_verify_rca_certificate: eeType mismatch");
return false;
}
for (v_idx := 0; v_idx < lengthof(p_certificate.toBeSigned.appPermissions); v_idx := v_idx + 1) {
log("f_verify_rca_certificate: Processing ", p_certificate.toBeSigned.appPermissions[v_idx]);
if (match(p_certificate.toBeSigned.appPermissions[v_idx], mw_appPermissions) == false) {
log("f_verify_rca_certificate: PsidSsp mismatch");
return false;
}
// Check uniqueness of PSIDs
v_psid := int2str(p_certificate.toBeSigned.appPermissions[v_idx].psid);
m_found_pattern := pattern "*({v_psid})*";
if (regexp(v_psidsFound, m_found_pattern, 0) == v_psid) {
log("f_verify_rca_certificate: Psid uniqueness is not verified");
return false; // v_psid exist at least 2 times, uniqueness is not verified
}
// v_psid non found, add it into the built list
v_psidsFound := v_psidsFound & v_psid & ";";
// Check that 'psid' is in the certIssuePermissions component in the issuing certificate
if (match(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions, mw_subjectPermissions_explicit) == false) {
for (v_jdx := 0; v_jdx < lengthof(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit); v_jdx := v_jdx + 1) {
if (int2str(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit[v_jdx].psid) == v_psid) {
break;
}
} // End of 'for'statement
if (v_jdx == lengthof(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit)) {
log("f_verify_rca_certificate: Psid is not in the list of the issuing certificate");
return false;
}
}
} // End of 'for'statement
}
return true;
}
......
......@@ -1728,8 +1728,8 @@ module LibItsSecurity_Templates {
} // End of template m_appPermissions
template PsidSsp mw_appPermissions(
template (present) Psid p_psid := ?,
template ServiceSpecificPermissions p_ssp := *
template (present) Psid p_psid := ?,
template ServiceSpecificPermissions p_ssp := *
) := {
psid := p_psid,
ssp := p_ssp
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment