Feat: add more built-in SSA validations to registration context (software_id, subject DN, CN, OU)

JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO

https://docs.jans.io

Apache License 2.0

460 stars 73 forks source link

Feat: add more built-in SSA validations to registration context (software_id, subject DN, CN, OU) #546

Closed yuriyz closed 3 years ago

yuriyz commented 3 years ago

Describe the issue

If the request assertion specifies a software_id metadata element, that value MUST match the software_id element in the SSA -
The Subject DN MUST contain the commonName (CN) attribute and organisationUnit (OU) of the certificate.
The CN attribute of the certificate MUST match the software_id specified within the SSA.
The OU attribute of the certificate MUST match the org_id specified within the SSA.

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/36667724/OpenBanking+OpenID+Dynamic+Client+Registration+Specification+-+v1.0.0-rc2

yuriyz commented 3 years ago

Implemented. Following methods added to registration context :

validateSSA() - performs ALL validations, call thin one single method for all built-in SSA and cert validations
validateSoftwareId() - validates match of SSA software_id and request software_id
validateCertSubjectHasCNAndOU() - validates CN and OU are present in cert subject
validateCNEqualsSoftwareId() - validates certs CN equals to SSA software_id
validateOUEqualsOrgId() - validates certs OU equals to SSA org_id