Add organization identifier check on request signature validation

TBCBank · Jun 22, 2023 · cb1fcbc · cb1fcbc
1 parent 5dc068d
commit cb1fcbc
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/src/TBC.OpenBanking.Jws/src/HttpMessageData.cs b/src/TBC.OpenBanking.Jws/src/HttpMessageData.cs
@@ -66,6 +66,7 @@ public enum HeaderNecessity
 
     public const string DigestHeadertName = "digest";
     public const string SignatureHeaderName = "x-jws-signature";
+    public const string OrganizationIdentifier = "x-organization-id";
 
     internal const string PsuPrefix = "psu-";
 
@@ -74,6 +75,8 @@ public enum HeaderNecessity
 
     internal readonly static byte[] EmptyBody = Array.Empty<byte>();
 
+    internal const string OidSubjectName = "OID.2.5.4.97";
+
     /// <summary>
     /// Gets or sets the HTTP body.
     /// </summary>

diff --git a/src/TBC.OpenBanking.Jws/src/HttpSignatureVerifier.cs b/src/TBC.OpenBanking.Jws/src/HttpSignatureVerifier.cs
@@ -23,6 +23,7 @@
 namespace TBC.OpenBanking.Jws;
 
 using System;
+using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -117,6 +118,10 @@ public bool VerifySignature(T httpData, DateTime checkTime)
         // Check certificate: get certificate(s) from protected header and try to build certificate chain
         CreateCertificatesChain(ProtectedHeader);
 
+        // Check and compare signing certificate organization identifier to clint certificate 
+        if(httpData is HttpRequestData)
+            CheckOrganizationIdentifier(httpData);
+
         // Compose payload
         var payload = httpData.ComposeHeadersForSignature(ProtectedHeader.DataToBeSigned.Parameters);
 
@@ -187,4 +192,29 @@ private void CheckMandatoryHeaders(T data)
 
         data.CheckMandatoryHeaders();
     }
+
+    private void CheckOrganizationIdentifier(T data)
+    {
+        var subjects = _signerCertificate.Subject.Split(',');
+
+        var oidString = subjects.FirstOrDefault(x => x.Contains(HttpMessageData.OidSubjectName));
+
+        if (oidString == null)
+            throw new CertificateValidationException("The organization identifier is missing in signing certificate");
+
+        var oid = oidString.Split('=');
+        if (oid.Length != 2)
+            throw new CertificateValidationException("Invalid Organization identifier");
+
+        if (!data.Headers.ContainsKey(HttpMessageData.OrganizationIdentifier))
+            throw new HeaderMissingException($"Header '{HttpMessageData.OrganizationIdentifier}' is missing");
+
+        var oidFromHeader = data.Headers[HttpMessageData.OrganizationIdentifier];
+
+        if (string.IsNullOrEmpty(oidFromHeader))
+            throw new HeaderMissingException("The organization identifier headers from client's certificate is missing");
+
+        if (!string.Equals(oid[1], oidFromHeader, StringComparison.Ordinal))
+            throw new CertificateValidationException("The organization identifiers in signing certificate and client certificate does not match each other");
+    }
 }