Smartbox: Allow only "Sign" certificates

[semyon2105]

The official implementation filters out certificates which don't have "Non-Repudiation" X509 Key Usage. Baš Čelik should do it too, as what is signed with an "Auth" cert isn't legally binding (to my knowledge). Still, the ePorezi server accepts login with the "Auth" certificate but I think that's a gap on their side.

[ubavic]

You are right.
I remember that the original Smartbox has some akward logic for this, and that is why I skipped implementing this. I guess I should revist this these days…

[ubavic]

This is from the original Smartbox code:

public static List<X509Certificate> getValidCertificates(Certificate[] chain) {
    ArrayList<X509Certificate> certificates = new ArrayList<X509Certificate>();
    if (chain != null) {
        for (Certificate cert : chain) {
            X509Certificate chainMember = (X509Certificate)cert;
            boolean[] keyUsage = chainMember.getKeyUsage();
            if (!keyUsage[1]) continue;
            try {
                chainMember.checkValidity(new Date());
                if (!SmartCardUtil.containsJMBG(chainMember)) continue;
                certificates.add(chainMember);
            } catch (CertificateExpiredException | CertificateNotYetValidException certificateException) {
                // empty catch block
            }
        }
    }
    return certificates;
}

private static boolean containsJMBG(X509Certificate certificate) {
    return SmartCardUtil.getJMBG(certificate) != null;
}

private static String getJMBG(X509Certificate certificate) {
    String pnors = null;
    try {
        String subject = certificate.getSubjectX500Principal().toString();
        String issuer = certificate.getIssuerX500Principal().toString();
        String regex = issuer.contains("MUPCA") || issuer.contains("PKS") ? "(\\d{13}, .+)$" : "SERIALNUMBER=PNORS-(\\d{13})";
        Pattern pattern = Pattern.compile(regex);
        Matcher matcher = pattern.matcher(subject);
        if (matcher.find()) {
            pnors = matcher.group(1);
        }
    } catch (Exception exception) {
        // empty catch block
    }
    return pnors;
}