actually, STORK response processing does not verify the signature of signedDoc attribute

 --> check if signature verification response exists.

1 files changed, 13 insertions, 5 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index c0e1dd3ca..9af2f5ee5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -478,11 +478,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 		authData.setGivenName(identityLink.getGivenName());
 		authData.setFamilyName(identityLink.getFamilyName());
 		authData.setDateOfBirth(identityLink.getDateOfBirth());
-		authData.setQualifiedCertificate(verifyXMLSigResp
-				.isQualifiedCertificate());
-		authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority());
-		authData.setPublicAuthorityCode(verifyXMLSigResp
-				.getPublicAuthorityCode());
+		
+		if (verifyXMLSigResp != null) {
+			authData.setQualifiedCertificate(verifyXMLSigResp
+					.isQualifiedCertificate());
+			authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority());
+			authData.setPublicAuthorityCode(verifyXMLSigResp
+					.getPublicAuthorityCode());
+			
+		} else {
+			Logger.warn("No signature verfication response found!");
+			
+		}
+		
 		authData.setBkuURL(session.getBkuURL());
 		
 		authData.setStorkAttributes(session.getStorkAttributes());