From 45860b07b44777b1ed2c9e76165da20f2655f92d Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Fri, 26 Mar 2021 22:28:28 +0100
Subject: add jUnit test the loads official TSL and perform a signature
 validation with TSL result

---
 .../test/integration/tsl/OfficialEuTslTest.java    | 163 +++++++++++++++++++++
 .../MOASPSSConfiguration_tsl_eu_official.xml       | 108 ++++++++++++++
 .../tslworking/trust/eu/tsl_cert_20210325_1.crt    |   3 +
 3 files changed, 274 insertions(+)
 create mode 100644 moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java
 create mode 100644 moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml
 create mode 100644 moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt

diff --git a/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java b/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java
new file mode 100644
index 0000000..e12bea3
--- /dev/null
+++ b/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/tsl/OfficialEuTslTest.java
@@ -0,0 +1,163 @@
+package at.gv.egovernment.moa.spss.test.integration.tsl;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+import at.gv.egovernment.moa.sig.tsl.engine.data.TSLProcessingResultElement;
+import at.gv.egovernment.moa.spss.MOAException;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement;
+import at.gv.egovernment.moa.spss.api.xmlverify.AdESFormResults;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;
+import at.gv.egovernment.moa.spss.server.init.SystemInitializer;
+import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureVerificationInvoker;
+import at.gv.egovernment.moa.spss.server.invoke.XMLSignatureVerificationInvoker;
+import at.gv.egovernment.moa.spss.server.monitoring.ServiceStatusContainer;
+import at.gv.egovernment.moa.spss.test.integration.AbstractIntegrationTest;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class OfficialEuTslTest extends AbstractIntegrationTest {
+
+  CMSSignatureVerificationInvoker cadesInvoker;
+
+  @BeforeClass
+  public static void classInitializer() throws IOException, ConfigurationException, 
+      NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
+    jvmStateReset();
+    
+    final String current = new java.io.File(".").getCanonicalPath();
+    System.setProperty("moa.spss.server.configuration",
+        current + "/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml");
+    System.setProperty("iaik.esi.sva.configuration.location",
+        current + "/src/test/resources/moaspss_config/svaconfig.example");
+    moaSpssCore = SystemInitializer.init();
+
+  }
+
+  @Before
+  public void initializer() throws ConfigurationException {
+    cadesInvoker = CMSSignatureVerificationInvoker.getInstance();
+    setUpContexts(RandomStringUtils.randomAlphabetic(10));
+
+  }
+
+  @Test
+  public void checkTslState() {
+    assertTrue("TSL not active", ServiceStatusContainer.getStatus());
+
+    final List<TSLProcessingResultElement> loadedTsl = ServiceStatusContainer.getTslDetailStatus();
+    assertFalse("no TSL loaded", loadedTsl.isEmpty());
+    assertTrue("wrong TSL size", loadedTsl.size() > 10);
+
+  }
+
+  @Test
+  public void basicValidationCadesSignature() throws MOAException, IOException {
+    final VerifyCMSSignatureRequest request = buildVerfifyCmsRequest(
+        org.apache.commons.codec.binary.Base64.decodeBase64(IOUtils.resourceToByteArray(
+            "/testdata/pades/testpdf.b64")),
+        "OnlyTSL",
+        true,
+        false);
+
+    // perform test
+    final VerifyCMSSignatureResponse result = cadesInvoker.verifyCMSSignature(request);
+
+    // verify result
+    assertNotNull("verification result", result);
+    assertEquals("wrong result size", 1, result.getResponseElements().size());
+
+    final VerifyCMSSignatureResponseElement cmsResult = (VerifyCMSSignatureResponseElement) result
+        .getResponseElements().get(0);
+    assertEquals("sigCode", 1, cmsResult.getSignatureCheck().getCode());
+    assertEquals("certCode", 0, cmsResult.getCertificateCheck().getCode());
+
+    assertNotNull("signerInfo", cmsResult.getSignerInfo());
+    assertEquals("issuerCC", "EE", cmsResult.getSignerInfo().getIssuerCountryCode());
+    assertFalse("publicAuthority", cmsResult.getSignerInfo().isPublicAuthority());
+    assertTrue("QC", cmsResult.getSignerInfo().isQualifiedCertificate());
+    assertTrue("SSCD", cmsResult.getSignerInfo().isSSCD());
+    assertNotNull("TSL infos", cmsResult.getSignerInfo().getTslInfos());
+
+    assertNull("form val. result", cmsResult.getAdESFormResults());
+    assertNull("extended val. result", cmsResult.getExtendedCertificateCheck());
+    assertNull("byteRange", cmsResult.getByteRangeOfSignature());
+    assertNull("used sig alg", cmsResult.getSignatureAlgorithm());
+
+  }
+
+  @Test
+  public void extendedValidationCadesSignature() throws MOAException, IOException {
+    final VerifyCMSSignatureRequest request = buildVerfifyCmsRequest(
+        org.apache.commons.codec.binary.Base64.decodeBase64(IOUtils.resourceToByteArray(
+            "/testdata/pades/testpdf.b64")),
+        "OnlyTSL",
+        true,
+        true);
+
+    // perform test
+    final VerifyCMSSignatureResponse result = cadesInvoker.verifyCMSSignature(request);
+
+    // verify result
+    assertNotNull("verification result", result);
+    assertEquals("wrong result size", 1, result.getResponseElements().size());
+
+    final VerifyCMSSignatureResponseElement cmsResult = (VerifyCMSSignatureResponseElement) result
+        .getResponseElements().get(0);
+    assertEquals("sigCode", 1, cmsResult.getSignatureCheck().getCode());
+    assertEquals("certCode", 0, cmsResult.getCertificateCheck().getCode());
+
+    assertNotNull("signerInfo", cmsResult.getSignerInfo());
+    assertEquals("issuerCC", "EE", cmsResult.getSignerInfo().getIssuerCountryCode());
+    assertFalse("publicAuthority", cmsResult.getSignerInfo().isPublicAuthority());
+    assertTrue("QC", cmsResult.getSignerInfo().isQualifiedCertificate());
+    assertTrue("SSCD", cmsResult.getSignerInfo().isSSCD());
+    assertNotNull("TSL infos", cmsResult.getSignerInfo().getTslInfos());
+
+    assertNotNull("form val. result", cmsResult.getAdESFormResults());
+    assertEquals("form val. result size", 4, cmsResult.getAdESFormResults().size());
+    for (final Object el : cmsResult.getAdESFormResults()) {
+      final AdESFormResults test = (AdESFormResults) el;
+      if (Arrays.asList("B-B","B-T").contains(test.getName())) {
+        assertEquals("Find wrong form val status", 0, test.getCode().longValue());
+        
+      } else {
+        assertEquals("Find wrong form val status", 2, test.getCode().longValue());
+        
+      }
+
+    }
+
+    assertNotNull("extended val. result", cmsResult.getExtendedCertificateCheck());
+    assertEquals("ext. val major", 1, cmsResult.getExtendedCertificateCheck().getMajorCode());
+    assertEquals("ext. val major", 2, cmsResult.getExtendedCertificateCheck().getMinorCode());
+
+    assertNotNull("byteRange", cmsResult.getByteRangeOfSignature());
+    assertEquals("used sig alg", "SHA1withRSA", cmsResult.getSignatureAlgorithm());
+
+  }
+  
+}
diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml
new file mode 100644
index 0000000..972cc4e
--- /dev/null
+++ b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--MOA SPSS 1.3 Configuration File created by MOA SPSS Configuration Mapper-->
+<cfg:MOAConfiguration xmlns:cfg="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+<cfg:Common>
+		<cfg:PermitExternalUris>
+			<cfg:BlackListUri>
+				<cfg:IP>192.168</cfg:IP>
+			</cfg:BlackListUri>			
+		</cfg:PermitExternalUris>
+	</cfg:Common>	
+	<cfg:SignatureVerification>
+		<cfg:CertificateValidation>
+			<cfg:PathConstruction>
+				<cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>
+				<cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess>
+				<cfg:CertificateStore>
+					<cfg:DirectoryStore>
+						<cfg:Location>certstore</cfg:Location>
+					</cfg:DirectoryStore>
+				</cfg:CertificateStore>
+			</cfg:PathConstruction>
+			<cfg:PathValidation>
+				<cfg:ChainingMode>
+					<cfg:DefaultMode>pkix</cfg:DefaultMode>
+					<cfg:TrustAnchor>
+						<cfg:Identification>
+							<dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+							<dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+						</cfg:Identification>
+						<cfg:Mode>chaining</cfg:Mode>
+					</cfg:TrustAnchor>
+					<cfg:TrustAnchor>
+             <cfg:Identification>
+               <dsig:X509IssuerName>C=AT,O=Hauptverband österr. Sozialvers.,CN=Root-CA 1</dsig:X509IssuerName>
+               <dsig:X509SerialNumber>376503867878755617282523408360935024869</dsig:X509SerialNumber>
+             </cfg:Identification>
+             <cfg:Mode>chaining</cfg:Mode>
+          </cfg:TrustAnchor>
+				</cfg:ChainingMode>
+				<cfg:TrustProfile>
+					<cfg:Id>MOAIDBuergerkarteAuthentisierungsDaten</cfg:Id>
+					<cfg:TrustAnchorsLocation>trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenOhneTestkarten</cfg:TrustAnchorsLocation>
+				</cfg:TrustProfile>
+				<cfg:TrustProfile>
+					<cfg:Id>MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten</cfg:Id>
+					<cfg:TrustAnchorsLocation>trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten</cfg:TrustAnchorsLocation>
+				</cfg:TrustProfile>
+				<cfg:TrustProfile>
+					<cfg:Id>OnlyTSL</cfg:Id>
+					<cfg:TrustAnchorsLocation>trustProfiles/testTSL</cfg:TrustAnchorsLocation>
+					<!-- aktiviere TSL-Unterstützung für dieses Vertrauensprofil -->
+					<cfg:EUTSL>
+					<!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die -->
+					<!-- Vertrauensanker der angegeben Länder werden importiert) -->
+						<!-- cfg:CountrySelection>AT,BE</cfg:CountrySelection>
+						<cfg:AllowedTSPStatus></cfg:AllowedTSPStatus>
+						<cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes> -->
+					</cfg:EUTSL>
+				</cfg:TrustProfile>				
+			</cfg:PathValidation>
+			<cfg:RevocationChecking>
+				<cfg:EnableChecking>false</cfg:EnableChecking>
+				<cfg:MaxRevocationAge>0</cfg:MaxRevocationAge>
+				<cfg:ServiceOrder>
+                             <cfg:Service>CRL</cfg:Service>
+                             <cfg:Service>OCSP</cfg:Service>
+                           </cfg:ServiceOrder>
+                           <cfg:Archiving>
+					<cfg:EnableArchiving>false</cfg:EnableArchiving>
+					<cfg:ArchiveDuration>365</cfg:ArchiveDuration>
+					<cfg:Archive>
+						<cfg:DatabaseArchive>
+							<cfg:JDBCURL>jdbc:url</cfg:JDBCURL>
+							<cfg:JDBCDriverClassName>fully.qualified.classname</cfg:JDBCDriverClassName>
+						</cfg:DatabaseArchive>
+					</cfg:Archive>
+				</cfg:Archiving>
+			</cfg:RevocationChecking>
+			<!-- Optionale Angabe einer TSL Konfiguration-->
+			<!-- Wichtig: Das WorkingDirectory muss jedenfalls den Unterordner „trust“ aus der Beispielkonfiguration beinhalten. -->
+			<cfg:TSLConfiguration>
+				<cfg:UpdateSchedule>
+					<cfg:StartTime>02:00:00</cfg:StartTime>
+					<cfg:Period>86400000</cfg:Period>
+				</cfg:UpdateSchedule>
+				<cfg:WorkingDirectory>tslworking</cfg:WorkingDirectory>
+        		<cfg:Evaluation>
+          			<cfg:QCQualifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC,http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</cfg:QCQualifier>
+          			<cfg:SSCDQualifier>http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithSSCD,http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithQSCD</cfg:SSCDQualifier>
+        		</cfg:Evaluation>
+			</cfg:TSLConfiguration>
+			
+		</cfg:CertificateValidation>				
+    	<cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0.xml</cfg:Location>      
+		</cfg:VerifyTransformsInfoProfile>		
+		<cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0_SIC</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0_SIC.xml</cfg:Location>      
+		</cfg:VerifyTransformsInfoProfile>
+    <cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0_OWN</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0_own.xml</cfg:Location>      
+		</cfg:VerifyTransformsInfoProfile>    	
+	</cfg:SignatureVerification>
+	
+</cfg:MOAConfiguration>
diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt b/moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt
new file mode 100644
index 0000000..0872d4c
--- /dev/null
+++ b/moaSig/moa-sig/src/test/resources/moaspss_config/tslworking/trust/eu/tsl_cert_20210325_1.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIH9jCCBt6gAwIBAgIQevrCNQpIXiCh355eXjwtpjANBgkqhkiG9w0BAQsFADCBuzELMAkGA1UEBhMCUFQxLDAqBgNVBAoTI0RpZ2l0YWxTaWduIC0gQ2VydGlmaWNhZG9yYSBEaWdpdGFsMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTUwMwYDVQQLEyxDbGFzcyAyIE1hbmFnZWQgUEtJIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQTEmMCQGA1UEAxMdRGlnaXRhbFNpZ24gUXVhbGlmaWVkIENBIC0gRzMwHhcNMjAwOTI1MDAwMDAwWhcNMjMwOTI1MjM1OTU5WjCCAZAxCzAJBgNVBAYTAlJPMRwwGgYDVQQKFBNFVVJPUEVBTiBDT01NSVNTSU9OMRkwFwYDVQRhFBBWQVRCRS0wOTQ5MzgzMzQyMT0wOwYDVQQLEzRDZXJ0aWZpY2F0ZSBQcm9maWxlIC0gUXVhbGlmaWVkIENlcnRpZmljYXRlIC0gTWVtYmVyMUUwQwYDVQQLEzxUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cuZGlnaXRhbHNpZ24ucHQvRUNESUdJVEFMU0lHTi9ycGExIjAgBgNVBAsUGUVudGl0bGVtZW50IC0gRUMgT0ZGSUNJQUwxKzApBgkqhkiG9w0BCQEWHGFkcmlhbi5jcm9pdG9ydUBlYy5ldXJvcGEuZXUxETAPBgNVBAQUCENST0lUT1JVMRowGAYDVQQqFBFDT05TVEFOVElOLUFEUklBTjEdMBsGA1UECxQUUmVtb3RlUVNDRE1hbmFnZW1lbnQxIzAhBgNVBAMUGkNPTlNUQU5USU4tQURSSUFOIENST0lUT1JVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutg6RcTrmbtcPoxGSoMC1O5+151zAdaw21AklQOnkEMKC8aa5d4utJ3nfiQVIGRd6tFGu8hb8osuxzYEb6ycz5y/OiRVUkr96Gi7LzEv/lIFduIAQMmr+FATvolw+QBuId8WJJaVW04/h+DrEPmbXmx8AoNrrSTeJcQanm5gZy5jaDT/fD3cJYpedkAE9XaiLmfv4LnvOvnAHuIVeY+LXvrdLVFtSCn7Y37b0GwVWTUCkvhwY1xoJm1fgM/OLxfN0SFBHFihRPD2qPHdnu/CxH4/CLvEZM2IjJAPgUxIwbJy32IuiIfadTAeHavzNM1ND/sQnKypeDH1WiaeMPsw4QIDAQABo4IDHDCCAxgwCQYDVR0TBAIwADBzBgNVHR8EbDBqMGigZqBkhmJodHRwOi8vb25zaXRlY3JsLnRydXN0d2lzZS5jb20vRGlnaXRhbFNpZ25DZXJ0aWZpY2Fkb3JhRGlnaXRhbFF1YWxpZmllZENlcnRpZmljYXRlRzMvTGF0ZXN0Q1JMLmNybDAOBgNVHQ8BAf8EBAMCBkAwbgYDVR0gBGcwZTBJBgtghkgBhvhFAQcXAjA6MDgGCCsGAQUFBwIBFixodHRwczovL3d3dy5kaWdpdGFsc2lnbi5wdC9FQ0RJR0lUQUxTSUdOL2NwczANBgtghkgBhvhFAQcsAjAJBgcEAIvsQAECMB0GA1UdDgQWBBRF9Lg2cLhB8QApjl2qjMeSz7Q3JDAfBgNVHSMEGDAWgBT7Xo5CnCOoffQbjFx8Oxir2dn3QDAnBgNVHREEIDAegRxhZHJpYW4uY3JvaXRvcnVAZWMuZXVyb3BhLmV1MIHmBggrBgEFBQcBAwSB2TCB1jAVBggrBgEFBQcLAjAJBgcEAIvsSQEBMBUGCCsGAQUFBwsCMAkGBwQAi+xJAQIwCAYGBACORgEBMAgGBgQAjkYBBDATBgYEAI5GAQYwCQYHBACORgEGATB9BgYEAI5GAQUwczA2FjBodHRwczovL3d3dy5kaWdpdGFsc2lnbi5wdC9FQ0RJR0lUQUxTSUdOL2Nwcy9kZHATAlBUMDkWM2h0dHBzOi8vd3d3LmRpZ2l0YWxzaWduLnB0L0VDRElHSVRBTFNJR04vY3BzL2RkcF9lbhMCRU4wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMIGkBggrBgEFBQcBAQSBlzCBlDApBggrBgEFBQcwAYYdaHR0cDovL3N0ZC1vY3NwLnRydXN0d2lzZS5jb20wZwYIKwYBBQUHMAKGW2h0dHA6Ly9vbnNpdGVjcmwudHJ1c3R3aXNlLmNvbS9EaWdpdGFsU2lnbkNlcnRpZmljYWRvcmFEaWdpdGFsUXVhbGlmaWVkQ2VydGlmaWNhdGVHMy9jYS5jcnQwDQYJKoZIhvcNAQELBQADggEBAF36+WqrFO9d+DnaWN6u+3I+L5GzNZszQ7ojgJBgECIuuM52D1Yiu6a8GlUvnwVFQVJ3jahn7wF0NtKsl4gx43xcuWL4npatQ6Lptt5Zhx9r7e8/gxCwTqSf3wM3obzj0VS2oXNqsbkt4yho+tmdyrbUv43vmrFzV0e95ULtdPV/z9illmd6fBPkMA2ZPZJlufa63loSOK54By40FNX3NIUvsrd9Qp8BN5kgeFzuLTibZA5GSF/hfgbECyDlNOcSRDRNc8qN58S91VgGfLRBvZRgWIyNqZl9fpzc+8qM+iiHkocQl7mFuhKcENmN+EE+VXKIqPjovE5z7QKq0GOmPZw=
+-----END CERTIFICATE-----
-- 
cgit v1.2.3