if ( allowRaVerifyPopo && (pop.getRaVerified() != null)) {
ret = true;
} else if (pop.getSignature() != null) {
try {
final POPOSigningKey sk = pop.getSignature();
final POPOSigningKeyInput pski = sk.getPoposkInput();
Object protObject = pski;
// Use of POPOSigningKeyInput or not, as described in RFC4211, section 4.1.
if (pski == null) {
if (log.isDebugEnabled()) {
log.debug("Using CertRequest as POPO input.");
}
protObject = getReq().getCertReq();
} else {
// Assume POPOSigningKeyInput with the public key and name, MUST be the same as in the request according to RFC4211
if (log.isDebugEnabled()) {
log.debug("Using POPOSigningKeyInput as POPO input.");
}
final CertRequest req = getReq().getCertReq();
// If subject is present in cert template it must be the same as in POPOSigningKeyInput
final X509Name subject = req.getCertTemplate().getSubject();
if (subject != null && !subject.toString().equals(pski.getSender().getName().toString())) {
log.info("Subject '"+subject.toString()+"̈́', is not equal to '"+pski.getSender().toString()+"'.");
protObject = null; // pski is not a valid protection object
}
// If public key is present in cert template it must be the same as in POPOSigningKeyInput
final SubjectPublicKeyInfo pk = req.getCertTemplate().getPublicKey();
if (pk != null && !Arrays.areEqual(pk.getEncoded(), pski.getPublicKey().getEncoded())) {
log.info("Subject key in cert template, is not equal to subject key in POPOSigningKeyInput.");
protObject = null; // pski is not a valid protection object
}
}
// If a protectObject is present we extract the bytes and verify it