authorChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-05-29 09:49:02 +0200
committerChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-05-29 13:30:03 +0200
commite165ef27812874bee7062a4e7ecc8bec99ced328 (patch)
tree6fb60c546adda519281be0f3682f5659afd036ec
parentcef481f2ad56764f71e8b0f1d4340b8af0686a96 (diff)
downloadmoa-zs-e165ef27812874bee7062a4e7ecc8bec99ced328.tar.gz
moa-zs-e165ef27812874bee7062a4e7ecc8bec99ced328.tar.bz2
moa-zs-e165ef27812874bee7062a4e7ecc8bec99ced328.zip
Integrate MoaSig Verification into SignatureVerifier
- Verify signature via ISignatureVerificationService. - Override System Property moa.spss.server.configuration via spring's environment (Reason: can configure path to moa SPSS config file via application.yaml & moa SPSS needs this parameter to find the config file) - Setup test configuration directory for moaspss in src/main/resources/moa-spss - Readme: Explain how to install moaspss' dependencies into local repository.
-rw-r--r--pom.xml3
-rw-r--r--readme.md16
-rw-r--r--src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java29
-rw-r--r--src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java31
-rw-r--r--src/main/resources/application.yaml5
-rw-r--r--src/main/resources/moa-spss/MOASPSSConfiguration.xml73
-rw-r--r--src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem35
7 files changed, 188 insertions, 4 deletions
diff --git a/pom.xml b/pom.xml
index ee3f5de..9d2d9c0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -122,8 +122,7 @@
<artifactId>egovutils</artifactId>
<version>${egovutils.version}</version>
</dependency>
- <!-- eaaf components.
- checkout https://gitlab.iaik.tugraz.at/egiz/eaaf_components/commits/[version-tag] and run mvn install-->
+ <!-- eaaf components. See readme.md for installation -->
<dependency>
<groupId>at.gv.egiz.eaaf</groupId>
<artifactId>eaaf_module_moa-sig</artifactId>
diff --git a/readme.md b/readme.md
index 3bcb3d0..497088e 100644
--- a/readme.md
+++ b/readme.md
@@ -6,6 +6,22 @@ Some dependencies are not in the mvn central repo. You need to install
those dependencies to your local maven repository with `mvn install`.
Check `pom.xml` and follow the instructions.
+## How to install `eaaf_module_moa-sig`
+
+```
+export EAAF_COMPONENTS_VERSION=1.0.7
+cd /path/to/working/dir
+git clone https://gitlab.iaik.tugraz.at/egiz/eaaf_components/
+cd eaaf_components
+git checkout $EAAF_COMPONENTS_VERSION
+mvn package javadoc:jar sources:jar
+mvn install:install-file -DgroupId=at.gv.egiz.eaaf -DartifactId=eaaf_module_moa-sig \
+ -Dversion=$EAAF_COMPONENTS_VERSION -Dpackaging=jar \
+ -Dfile=eaaf_modules/eaaf_module_moa-sig/target/eaaf_module_moa-sig-$EAAF_COMPONENTS_VERSION.jar \
+ -Djavadoc=eaaf_modules/eaaf_module_moa-sig/target/eaaf_module_moa-sig-$EAAF_COMPONENTS_VERSION-javadoc.jar \
+ -Dsources=eaaf_modules/eaaf_module_moa-sig/target/eaaf_module_moa-sig-$EAAF_COMPONENTS_VERSION-sources.jar
+```
+
## Compile & Test
```
diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
new file mode 100644
index 0000000..e96d851
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
@@ -0,0 +1,29 @@
+package at.gv.egiz.moazs.config;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.SignatureVerificationService;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class MoaSigConfig {
+
+ private final String defaultTrustProfile;
+
+ public MoaSigConfig(@Value("${moa.spss.server.default-trustprofile}") String defaultTrustProfile,
+ @Value("${moa.spss.server.configuration}") String serverConfigUrl) {
+ this.defaultTrustProfile = defaultTrustProfile;
+ System.getProperties().setProperty("moa.spss.server.configuration", serverConfigUrl);
+ }
+
+ @Bean
+ public String moaSPSSServerDefaultTrustProfile() {
+ return defaultTrustProfile;
+ }
+
+ @Bean
+ public ISignatureVerificationService moaSigVerifyService() {
+ return new SignatureVerificationService();
+ }
+}
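Review bot: The constructor's `System.getProperties().setProperty("moa.spss.server.configuration", serverConfigUrl)` mutates process-wide JVM state as a side effect of building a Spring bean, and nothing in the class says why; the reason only lives in the commit message. A short comment above that line, `// MOA SPSS locates its configuration file only through this system property; set it here so the path can come from application.yaml`, plus a note that the override relies on the constructor running before moaSigVerifyService() creates the service, would keep the next maintainer from "cleaning it up". The same property name also appears as the @Value placeholder; if the two are meant to stay identical it is worth pulling it into a `private static final String` constant used in both places.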
diff --git a/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
index 12b1ccb..d6311c4 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
@@ -1,13 +1,40 @@
package at.gv.egiz.moazs.msg;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
@Component
public class SignatureVerifier {
- public boolean verify(byte[] signedXMLdocument) {
- return true;
+ private static final Logger log = LoggerFactory.getLogger(SignatureVerifier.class);
+
+ @Autowired
+ @Qualifier("moaSigVerifyService")
+ private final ISignatureVerificationService service;
+
+ @Autowired
+ @Qualifier("moaSPSSServerDefaultTrustProfile")
+ private final String trustProfile;
+ public SignatureVerifier(ISignatureVerificationService service,
+ String trustProfile) {
+ this.service = service;
+ this.trustProfile = trustProfile;
+ }
+
+ public boolean verify(byte[] signedXMLdocument) {
+ try {
+ var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
+ return response != null;
+ } catch (MOASigServiceException e) {
+ log.error("Could not verify the XML signature.", e);
+ return false;
+ }
}
}
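Review bot: `return response != null;` in verify() reports success for any response the service hands back, so unless verifyXMLSignature throws MOASigServiceException for every invalid signature (not visible here), a document whose signature or certificate chain fails the check can still be accepted by this class; the signature-check and certificate-check results carried in the response should be inspected and true returned only when both report success, with the failing result logged. Separately, the `@Autowired`/`@Qualifier` annotations on the two `private final` fields are ineffective because Spring does not inject final fields, while the constructor parameters that actually receive the beans carry no qualifier, so `String trustProfile` is resolved by type alone and becomes ambiguous as soon as a second String bean exists; move the qualifiers to the constructor, `public SignatureVerifier(@Qualifier("moaSigVerifyService") ISignatureVerificationService service, @Qualifier("moaSPSSServerDefaultTrustProfile") String trustProfile)`, and drop the field annotations.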
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 1a432c2..61c7dba 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -70,3 +70,8 @@ logging:
root: WARN
org.springframework: WARN
at.gv.egiz.moazs: INFO
+
+### moa spss config
+moa.spss.server:
+ configuration: file:./moa-spss/MOASPSSConfiguration.xml
+ default-trustprofile: test-trustprofile
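Review bot: `configuration: file:./moa-spss/MOASPSSConfiguration.xml` is a path relative to the working directory of the process (the value is copied into a system property that MOA SPSS reads), while the file itself is added under src/main/resources; unless the build or deployment copies the moa-spss directory next to the launched artifact, the service will presumably not find its configuration when started from any other directory or from the packaged jar. A comment above the key stating what the path is relative to, e.g. `# relative to the process working directory, not the classpath`, or an absolute path documented as the deployment override, would make the expectation explicit.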
diff --git a/src/main/resources/moa-spss/MOASPSSConfiguration.xml b/src/main/resources/moa-spss/MOASPSSConfiguration.xml
new file mode 100644
index 0000000..edaaf8a
--- /dev/null
+++ b/src/main/resources/moa-spss/MOASPSSConfiguration.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--MOA SPSS 1.3 Configuration File created by MOA SPSS Configuration Mapper-->
+<cfg:MOAConfiguration xmlns:cfg="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+<cfg:Common>
+ <cfg:PermitExternalUris>
+ <cfg:BlackListUri>
+ <cfg:IP>192.168</cfg:IP>
+ </cfg:BlackListUri>
+ </cfg:PermitExternalUris>
+ </cfg:Common>
+
+ <cfg:SignatureVerification>
+ <cfg:CertificateValidation>
+ <cfg:PathConstruction>
+ <cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>
+ <cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess>
+ <cfg:CertificateStore>
+ <cfg:DirectoryStore>
+ <cfg:Location>certstore</cfg:Location>
+ </cfg:DirectoryStore>
+ </cfg:CertificateStore>
+ </cfg:PathConstruction>
+ <cfg:PathValidation>
+ <cfg:ChainingMode>
+ <cfg:DefaultMode>pkix</cfg:DefaultMode>
+ <cfg:TrustAnchor>
+ <cfg:Identification>
+ <dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+ <dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+ </cfg:Identification>
+ <cfg:Mode>chaining</cfg:Mode>
+ </cfg:TrustAnchor>
+ <cfg:TrustAnchor>
+ <cfg:Identification>
+ <dsig:X509IssuerName>C=AT,O=Hauptverband österr. Sozialvers.,CN=Root-CA 1</dsig:X509IssuerName>
+ <dsig:X509SerialNumber>376503867878755617282523408360935024869</dsig:X509SerialNumber>
+ </cfg:Identification>
+ <cfg:Mode>chaining</cfg:Mode>
+ </cfg:TrustAnchor>
+ </cfg:ChainingMode>
+
+ <cfg:TrustProfile>
+ <cfg:Id>test-trustprofile</cfg:Id>
+ <cfg:TrustAnchorsLocation>truststores/test-truststore</cfg:TrustAnchorsLocation>
+ </cfg:TrustProfile>
+
+ </cfg:PathValidation>
+ <cfg:RevocationChecking>
+ <cfg:EnableChecking>false</cfg:EnableChecking>
+ <cfg:MaxRevocationAge>0</cfg:MaxRevocationAge>
+ <cfg:ServiceOrder>
+ <cfg:Service>CRL</cfg:Service>
+ <cfg:Service>OCSP</cfg:Service>
+ </cfg:ServiceOrder>
+ <cfg:Archiving>
+ <cfg:EnableArchiving>false</cfg:EnableArchiving>
+ <cfg:ArchiveDuration>365</cfg:ArchiveDuration>
+ <cfg:Archive>
+ <cfg:DatabaseArchive>
+ <cfg:JDBCURL>jdbc:url</cfg:JDBCURL>
+ <cfg:JDBCDriverClassName>fully.qualified.classname</cfg:JDBCDriverClassName>
+ </cfg:DatabaseArchive>
+ </cfg:Archive>
+ </cfg:Archiving>
+ </cfg:RevocationChecking>
+ </cfg:CertificateValidation>
+
+ <cfg:VerifyTransformsInfoProfile>
+ <cfg:Id>SL20Authblock_v1.0</cfg:Id>
+ <cfg:Location>profiles/SL20_authblock_v1.0.xml</cfg:Location>
+ </cfg:VerifyTransformsInfoProfile>
+ </cfg:SignatureVerification>
+</cfg:MOAConfiguration>
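Review bot: `<cfg:TrustAnchorsLocation>truststores/test-truststore</cfg:TrustAnchorsLocation>` does not match the directory this commit adds the root certificate to, `truststores/test-truststores/` (see the MZS_ROOT_CA.pem file below), so the test-trustprofile would presumably contain no anchors and every verification against it fail; one of the two names should be changed. Separately, `<cfg:EnableChecking>false</cfg:EnableChecking>` disables revocation checking for every profile in this file, which is defensible for a test truststore but this is the file application.yaml points to by default; an XML comment at the top such as `<!-- test configuration: revocation checking disabled, external AIA lookups enabled - not for production -->` would keep it from being deployed unchanged.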
diff --git a/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem b/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem
new file mode 100644
index 0000000..57963bd
--- /dev/null
+++ b/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----