diff options
3 files changed, 274 insertions, 0 deletions
diff --git a/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java b/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java new file mode 100644 index 0000000..e12bea3 --- /dev/null +++ b/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java @@ -0,0 +1,163 @@ +package at.gv.egovernment.moa.spss.test.integration.tsl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; + +import java.io.IOException; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.xml.parsers.ParserConfigurationException; + +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.BlockJUnit4ClassRunner; + +import at.gv.egovernment.moa.sig.tsl.engine.data.TSLProcessingResultElement; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.xmlverify.AdESFormResults; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.spss.server.config.ConfigurationException; +import at.gv.egovernment.moa.spss.server.init.SystemInitializer; +import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureVerificationInvoker; +import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureVerificationInvoker; +import at.gv.egovernment.moa.spss.server.monitoring.ServiceStatusContainer; +import at.gv.egovernment.moa.spss.test.integration.AbstractIntegrationTest; + +@RunWith(BlockJUnit4ClassRunner.class) +public class OfficialEuTslTest extends AbstractIntegrationTest { + + CMSSignatureVerificationInvoker cadesInvoker; + + @BeforeClass + public static void classInitializer() throws IOException, ConfigurationException, + NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException { + jvmStateReset(); + + final String current = new java.io.File(".").getCanonicalPath(); + System.setProperty("moa.spss.server.configuration", + current + "/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml"); + System.setProperty("iaik.esi.sva.configuration.location", + current + "/src/test/resources/moaspss_config/svaconfig.example"); + moaSpssCore = SystemInitializer.init(); + + } + + @Before + public void initializer() throws ConfigurationException { + cadesInvoker = CMSSignatureVerificationInvoker.getInstance(); + setUpContexts(RandomStringUtils.randomAlphabetic(10)); + + } + + @Test + public void checkTslState() { + assertTrue("TSL not active", ServiceStatusContainer.getStatus()); + + final List<TSLProcessingResultElement> loadedTsl = ServiceStatusContainer.getTslDetailStatus(); + assertFalse("no TSL loaded", loadedTsl.isEmpty()); + assertTrue("wrong TSL size", loadedTsl.size() > 10); + + } + + @Test + public void basicValidationCadesSignature() throws MOAException, IOException { + final VerifyCMSSignatureRequest request = buildVerfifyCmsRequest( + org.apache.commons.codec.binary.Base64.decodeBase64(IOUtils.resourceToByteArray( + "/testdata/pades/testpdf.b64")), + "OnlyTSL", + true, + false); + + // perform test + final VerifyCMSSignatureResponse result = cadesInvoker.verifyCMSSignature(request); + + // verify result + assertNotNull("verification result", result); + assertEquals("wrong result size", 1, result.getResponseElements().size()); + + final VerifyCMSSignatureResponseElement cmsResult = (VerifyCMSSignatureResponseElement) result + .getResponseElements().get(0); + assertEquals("sigCode", 1, cmsResult.getSignatureCheck().getCode()); + assertEquals("certCode", 0, cmsResult.getCertificateCheck().getCode()); + + assertNotNull("signerInfo", cmsResult.getSignerInfo()); + assertEquals("issuerCC", "EE", cmsResult.getSignerInfo().getIssuerCountryCode()); + assertFalse("publicAuthority", cmsResult.getSignerInfo().isPublicAuthority()); + assertTrue("QC", cmsResult.getSignerInfo().isQualifiedCertificate()); + assertTrue("SSCD", cmsResult.getSignerInfo().isSSCD()); + assertNotNull("TSL infos", cmsResult.getSignerInfo().getTslInfos()); + + assertNull("form val. result", cmsResult.getAdESFormResults()); + assertNull("extended val. result", cmsResult.getExtendedCertificateCheck()); + assertNull("byteRange", cmsResult.getByteRangeOfSignature()); + assertNull("used sig alg", cmsResult.getSignatureAlgorithm()); + + } + + @Test + public void extendedValidationCadesSignature() throws MOAException, IOException { + final VerifyCMSSignatureRequest request = buildVerfifyCmsRequest( + org.apache.commons.codec.binary.Base64.decodeBase64(IOUtils.resourceToByteArray( + "/testdata/pades/testpdf.b64")), + "OnlyTSL", + true, + true); + + // perform test + final VerifyCMSSignatureResponse result = cadesInvoker.verifyCMSSignature(request); + + // verify result + assertNotNull("verification result", result); + assertEquals("wrong result size", 1, result.getResponseElements().size()); + + final VerifyCMSSignatureResponseElement cmsResult = (VerifyCMSSignatureResponseElement) result + .getResponseElements().get(0); + assertEquals("sigCode", 1, cmsResult.getSignatureCheck().getCode()); + assertEquals("certCode", 0, cmsResult.getCertificateCheck().getCode()); + + assertNotNull("signerInfo", cmsResult.getSignerInfo()); + assertEquals("issuerCC", "EE", cmsResult.getSignerInfo().getIssuerCountryCode()); + assertFalse("publicAuthority", cmsResult.getSignerInfo().isPublicAuthority()); + assertTrue("QC", cmsResult.getSignerInfo().isQualifiedCertificate()); + assertTrue("SSCD", cmsResult.getSignerInfo().isSSCD()); + assertNotNull("TSL infos", cmsResult.getSignerInfo().getTslInfos()); + + assertNotNull("form val. result", cmsResult.getAdESFormResults()); + assertEquals("form val. result size", 4, cmsResult.getAdESFormResults().size()); + for (final Object el : cmsResult.getAdESFormResults()) { + final AdESFormResults test = (AdESFormResults) el; + if (Arrays.asList("B-B","B-T").contains(test.getName())) { + assertEquals("Find wrong form val status", 0, test.getCode().longValue()); + + } else { + assertEquals("Find wrong form val status", 2, test.getCode().longValue()); + + } + + } + + assertNotNull("extended val. result", cmsResult.getExtendedCertificateCheck()); + assertEquals("ext. val major", 1, cmsResult.getExtendedCertificateCheck().getMajorCode()); + assertEquals("ext. val major", 2, cmsResult.getExtendedCertificateCheck().getMinorCode()); + + assertNotNull("byteRange", cmsResult.getByteRangeOfSignature()); + assertEquals("used sig alg", "SHA1withRSA", cmsResult.getSignatureAlgorithm()); + + } + +} diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml new file mode 100644 index 0000000..972cc4e --- /dev/null +++ b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml @@ -0,0 +1,108 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!--MOA SPSS 1.3 Configuration File created by MOA SPSS Configuration Mapper--> +<cfg:MOAConfiguration xmlns:cfg="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> +<cfg:Common> + <cfg:PermitExternalUris> + <cfg:BlackListUri> + <cfg:IP>192.168</cfg:IP> + </cfg:BlackListUri> + </cfg:PermitExternalUris> + </cfg:Common> + <cfg:SignatureVerification> + <cfg:CertificateValidation> + <cfg:PathConstruction> + <cfg:AutoAddCertificates>true</cfg:AutoAddCertificates> + <cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess> + <cfg:CertificateStore> + <cfg:DirectoryStore> + <cfg:Location>certstore</cfg:Location> + </cfg:DirectoryStore> + </cfg:CertificateStore> + </cfg:PathConstruction> + <cfg:PathValidation> + <cfg:ChainingMode> + <cfg:DefaultMode>pkix</cfg:DefaultMode> + <cfg:TrustAnchor> + <cfg:Identification> + <dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName> + <dsig:X509SerialNumber>536</dsig:X509SerialNumber> + </cfg:Identification> + <cfg:Mode>chaining</cfg:Mode> + </cfg:TrustAnchor> + <cfg:TrustAnchor> + <cfg:Identification> + <dsig:X509IssuerName>C=AT,O=Hauptverband österr. Sozialvers.,CN=Root-CA 1</dsig:X509IssuerName> + <dsig:X509SerialNumber>376503867878755617282523408360935024869</dsig:X509SerialNumber> + </cfg:Identification> + <cfg:Mode>chaining</cfg:Mode> + </cfg:TrustAnchor> + </cfg:ChainingMode> + <cfg:TrustProfile> + <cfg:Id>MOAIDBuergerkarteAuthentisierungsDaten</cfg:Id> + <cfg:TrustAnchorsLocation>trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenOhneTestkarten</cfg:TrustAnchorsLocation> + </cfg:TrustProfile> + <cfg:TrustProfile> + <cfg:Id>MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten</cfg:Id> + <cfg:TrustAnchorsLocation>trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten</cfg:TrustAnchorsLocation> + </cfg:TrustProfile> + <cfg:TrustProfile> + <cfg:Id>OnlyTSL</cfg:Id> + <cfg:TrustAnchorsLocation>trustProfiles/testTSL</cfg:TrustAnchorsLocation> + <!-- aktiviere TSL-Unterstützung für dieses Vertrauensprofil --> + <cfg:EUTSL> + <!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die --> + <!-- Vertrauensanker der angegeben Länder werden importiert) --> + <!-- cfg:CountrySelection>AT,BE</cfg:CountrySelection> + <cfg:AllowedTSPStatus></cfg:AllowedTSPStatus> + <cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes> --> + </cfg:EUTSL> + </cfg:TrustProfile> + </cfg:PathValidation> + <cfg:RevocationChecking> + <cfg:EnableChecking>false</cfg:EnableChecking> + <cfg:MaxRevocationAge>0</cfg:MaxRevocationAge> + <cfg:ServiceOrder> + <cfg:Service>CRL</cfg:Service> + <cfg:Service>OCSP</cfg:Service> + </cfg:ServiceOrder> + <cfg:Archiving> + <cfg:EnableArchiving>false</cfg:EnableArchiving> + <cfg:ArchiveDuration>365</cfg:ArchiveDuration> + <cfg:Archive> + <cfg:DatabaseArchive> + <cfg:JDBCURL>jdbc:url</cfg:JDBCURL> + <cfg:JDBCDriverClassName>fully.qualified.classname</cfg:JDBCDriverClassName> + </cfg:DatabaseArchive> + </cfg:Archive> + </cfg:Archiving> + </cfg:RevocationChecking> + <!-- Optionale Angabe einer TSL Konfiguration--> + <!-- Wichtig: Das WorkingDirectory muss jedenfalls den Unterordner „trust“ aus der Beispielkonfiguration beinhalten. --> + <cfg:TSLConfiguration> + <cfg:UpdateSchedule> + <cfg:StartTime>02:00:00</cfg:StartTime> + <cfg:Period>86400000</cfg:Period> + </cfg:UpdateSchedule> + <cfg:WorkingDirectory>tslworking</cfg:WorkingDirectory> + <cfg:Evaluation> + <cfg:QCQualifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC,http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</cfg:QCQualifier> + <cfg:SSCDQualifier>http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithSSCD,http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithQSCD</cfg:SSCDQualifier> + </cfg:Evaluation> + </cfg:TSLConfiguration> + + </cfg:CertificateValidation> + <cfg:VerifyTransformsInfoProfile> + <cfg:Id>SL20Authblock_v1.0</cfg:Id> + <cfg:Location>profiles/SL20_authblock_v1.0.xml</cfg:Location> + </cfg:VerifyTransformsInfoProfile> + <cfg:VerifyTransformsInfoProfile> + <cfg:Id>SL20Authblock_v1.0_SIC</cfg:Id> + <cfg:Location>profiles/SL20_authblock_v1.0_SIC.xml</cfg:Location> + </cfg:VerifyTransformsInfoProfile> + <cfg:VerifyTransformsInfoProfile> + <cfg:Id>SL20Authblock_v1.0_OWN</cfg:Id> + <cfg:Location>profiles/SL20_authblock_v1.0_own.xml</cfg:Location> + </cfg:VerifyTransformsInfoProfile> + </cfg:SignatureVerification> + +</cfg:MOAConfiguration> diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt b/moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt new file mode 100644 index 0000000..0872d4c --- /dev/null +++ b/moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIIH9jCCBt6gAwIBAgIQevrCNQpIXiCh355eXjwtpjANBgkqhkiG9w0BAQsFADCBuzELMAkGA1UEBhMCUFQxLDAqBgNVBAoTI0RpZ2l0YWxTaWduIC0gQ2VydGlmaWNhZG9yYSBEaWdpdGFsMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTUwMwYDVQQLEyxDbGFzcyAyIE1hbmFnZWQgUEtJIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQTEmMCQGA1UEAxMdRGlnaXRhbFNpZ24gUXVhbGlmaWVkIENBIC0gRzMwHhcNMjAwOTI1MDAwMDAwWhcNMjMwOTI1MjM1OTU5WjCCAZAxCzAJBgNVBAYTAlJPMRwwGgYDVQQKFBNFVVJPUEVBTiBDT01NSVNTSU9OMRkwFwYDVQRhFBBWQVRCRS0wOTQ5MzgzMzQyMT0wOwYDVQQLEzRDZXJ0aWZpY2F0ZSBQcm9maWxlIC0gUXVhbGlmaWVkIENlcnRpZmljYXRlIC0gTWVtYmVyMUUwQwYDVQQLEzxUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cuZGlnaXRhbHNpZ24ucHQvRUNESUdJVEFMU0lHTi9ycGExIjAgBgNVBAsUGUVudGl0bGVtZW50IC0gRUMgT0ZGSUNJQUwxKzApBgkqhkiG9w0BCQEWHGFkcmlhbi5jcm9pdG9ydUBlYy5ldXJvcGEuZXUxETAPBgNVBAQUCENST0lUT1JVMRowGAYDVQQqFBFDT05TVEFOVElOLUFEUklBTjEdMBsGA1UECxQUUmVtb3RlUVNDRE1hbmFnZW1lbnQxIzAhBgNVBAMUGkNPTlNUQU5USU4tQURSSUFOIENST0lUT1JVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutg6RcTrmbtcPoxGSoMC1O5+151zAdaw21AklQOnkEMKC8aa5d4utJ3nfiQVIGRd6tFGu8hb8osuxzYEb6ycz5y/OiRVUkr96Gi7LzEv/lIFduIAQMmr+FATvolw+QBuId8WJJaVW04/h+DrEPmbXmx8AoNrrSTeJcQanm5gZy5jaDT/fD3cJYpedkAE9XaiLmfv4LnvOvnAHuIVeY+LXvrdLVFtSCn7Y37b0GwVWTUCkvhwY1xoJm1fgM/OLxfN0SFBHFihRPD2qPHdnu/CxH4/CLvEZM2IjJAPgUxIwbJy32IuiIfadTAeHavzNM1ND/sQnKypeDH1WiaeMPsw4QIDAQABo4IDHDCCAxgwCQYDVR0TBAIwADBzBgNVHR8EbDBqMGigZqBkhmJodHRwOi8vb25zaXRlY3JsLnRydXN0d2lzZS5jb20vRGlnaXRhbFNpZ25DZXJ0aWZpY2Fkb3JhRGlnaXRhbFF1YWxpZmllZENlcnRpZmljYXRlRzMvTGF0ZXN0Q1JMLmNybDAOBgNVHQ8BAf8EBAMCBkAwbgYDVR0gBGcwZTBJBgtghkgBhvhFAQcXAjA6MDgGCCsGAQUFBwIBFixodHRwczovL3d3dy5kaWdpdGFsc2lnbi5wdC9FQ0RJR0lUQUxTSUdOL2NwczANBgtghkgBhvhFAQcsAjAJBgcEAIvsQAECMB0GA1UdDgQWBBRF9Lg2cLhB8QApjl2qjMeSz7Q3JDAfBgNVHSMEGDAWgBT7Xo5CnCOoffQbjFx8Oxir2dn3QDAnBgNVHREEIDAegRxhZHJpYW4uY3JvaXRvcnVAZWMuZXVyb3BhLmV1MIHmBggrBgEFBQcBAwSB2TCB1jAVBggrBgEFBQcLAjAJBgcEAIvsSQEBMBUGCCsGAQUFBwsCMAkGBwQAi+xJAQIwCAYGBACORgEBMAgGBgQAjkYBBDATBgYEAI5GAQYwCQYHBACORgEGATB9BgYEAI5GAQUwczA2FjBodHRwczovL3d3dy5kaWdpdGFsc2lnbi5wdC9FQ0RJR0lUQUxTSUdOL2Nwcy9kZHATAlBUMDkWM2h0dHBzOi8vd3d3LmRpZ2l0YWxzaWduLnB0L0VDRElHSVRBTFNJR04vY3BzL2RkcF9lbhMCRU4wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMIGkBggrBgEFBQcBAQSBlzCBlDApBggrBgEFBQcwAYYdaHR0cDovL3N0ZC1vY3NwLnRydXN0d2lzZS5jb20wZwYIKwYBBQUHMAKGW2h0dHA6Ly9vbnNpdGVjcmwudHJ1c3R3aXNlLmNvbS9EaWdpdGFsU2lnbkNlcnRpZmljYWRvcmFEaWdpdGFsUXVhbGlmaWVkQ2VydGlmaWNhdGVHMy9jYS5jcnQwDQYJKoZIhvcNAQELBQADggEBAF36+WqrFO9d+DnaWN6u+3I+L5GzNZszQ7ojgJBgECIuuM52D1Yiu6a8GlUvnwVFQVJ3jahn7wF0NtKsl4gx43xcuWL4npatQ6Lptt5Zhx9r7e8/gxCwTqSf3wM3obzj0VS2oXNqsbkt4yho+tmdyrbUv43vmrFzV0e95ULtdPV/z9illmd6fBPkMA2ZPZJlufa63loSOK54By40FNX3NIUvsrd9Qp8BN5kgeFzuLTibZA5GSF/hfgbECyDlNOcSRDRNc8qN58S91VgGfLRBvZRgWIyNqZl9fpzc+8qM+iiHkocQl7mFuhKcENmN+EE+VXKIqPjovE5z7QKq0GOmPZw= +-----END CERTIFICATE----- |