author | Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at> | 2019-07-09 14:11:47 +0200 |
---|---|---|
committer | Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at> | 2019-07-09 14:11:47 +0200 |
commit | 8aba1b4f18f5fbfebdf239b4b4945b628e439905 (patch) | |
tree | 0004115e44b8d6ddf48542b7413d4f54fa76dc27 /src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java | |
parent | 65163646205b6e05139485fe957bceabe531f447 (diff) | |
Refactor Needless Interfaces and Rename "process" to "backend"
Reason:
- Interfaces with a single method can be replaced with
interfaces from java.util.function.
- Less interfaces = less code = less maintenance!
- Spring can inject beans by name so we name dependencies correctly
to prevent ambiguity.
Others:
- Rename process to backend since backend gives a better description
of its components.
Diffstat (limited to 'src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java')
-rw-r--r-- | src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java
new file mode 100644
index 0000000..e9c5387
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java
@@ -0,0 +1,116 @@
+package at.gv.egiz.moazs.backend;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.function.Consumer;
+
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder;
+import static java.lang.String.format;
+
+public class SignatureVerifier implements Consumer<byte[]> {
+
+ private static final Logger log = LoggerFactory.getLogger(SignatureVerifier.class);
+ private static final int OK_CODE = 0;
+
+ private final ISignatureVerificationService service;
+ private final String trustProfile;
+ private final boolean isManifestCheckActive;
+
+ public SignatureVerifier(ISignatureVerificationService service,
+ String trustProfile, boolean isManifestCheckActive) {
+ this.service = service;
+ this.trustProfile = trustProfile;
+ this.isManifestCheckActive = isManifestCheckActive;
+ }
+
+ /**
+ * Verifies the signature of a signed XML document. Throws a at.gv.egiz.moazs.MoaZSException exception
+ * if the validation fails.
+ * @param signedXMLdocument
+ * @throws at.gv.egiz.moazs.MoaZSException
+ */
+ @Override
+ public void accept(byte[] signedXMLdocument) {
+
+ try {
+ var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
+
+ if (log.isDebugEnabled()) {
+ print(response);
+ }
+
+ if (response == null) {
+ throw moaZSException("MOA SPSS could not find the signature. ");
+ }
+
+ var builder = new StringBuilder();
+
+ if (response.getSignatureCheckCode() != OK_CODE) {
+ builder.append(format("Signature is not valid; SignatureCheckCode was %d. ",
+ response.getSignatureCheckCode()));
+ }
+
+ if (response.getCertificateCheckCode() != OK_CODE) {
+ builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ",
+ response.getCertificateCheckCode()));
+ }
+
+ if (response.getSignatureManifestCheckCode() != OK_CODE) {
+ var signatureManifestErrorMsg = format("Signature Manifest is not valid; " +
+ "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode());
+ if (isManifestCheckActive) {
+ builder.append(signatureManifestErrorMsg);
+ } else {
+ log.warn(signatureManifestErrorMsg);
+ }
+ }
+
+ if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) {
+ var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " +
+ "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode());
+ if (isManifestCheckActive) {
+ builder.append(xmlDSIGManifestErrorMsg);
+ } else {
+ log.warn(xmlDSIGManifestErrorMsg);
+ }
+ }
+
+ var msg = builder.toString();
+
+ if(msg.length() > 0) {
+ throw moaZSException(msg);
+ }
+
+ } catch (MOASigServiceException e) {
+ throw moaZSExceptionBuilder("Could not accept the XML signature.")
+ .withCause(e)
+ .build();
+ }
+
+ }
+
+ private void print(IXMLSignatureVerificationResponse response) {
+ log.debug("Response:");
+
+ if (response == null) {
+ log.debug("null");
+ return;
+ }
+
+ log.debug(" XmlDsigSubjectName: {}", response.getXmlDsigSubjectName());
+ log.debug(" SignatureManifestCheckCode: {}", response.getSignatureManifestCheckCode());
+ log.debug(" XmlDSIGManifestCheckCode: {}", response.getXmlDSIGManifestCheckCode());
+ log.debug(" CertificateCheckCode: {}", response.getCertificateCheckCode());
+ log.debug(" SignatureCheckCode: {}", response.getSignatureCheckCode());
+ log.debug(" SigningDateTime: {}", response.getSigningDateTime());
+ log.debug(" isXmlDSIGManigest: {}", response.isXmlDSIGManigest());
+ log.debug(" isPublicAuthority: {}", response.isPublicAuthority());
+ log.debug(" isQualifiedCertificate: {}", response.isQualifiedCertificate());
+ log.debug(" getPublicAuthorityCode: {}", response.getPublicAuthorityCode());
+ }
+} |
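Review bot: With `isManifestCheckActive` set to false, both manifest branches in `accept()` downgrade a failed `SignatureManifestCheckCode` / `XmlDSIGManifestCheckCode` to `log.warn` and the document is still accepted, yet nothing on the class or constructor says so. Because the flag turns part of the verification into a fail-open path, I would document it on the constructor, e.g. `@param isManifestCheckActive if false, manifest check failures are only logged and the document is still accepted`, and give the empty `@param signedXMLdocument` and `@throws` tags a description. Separately, `accept()` judges the response only by its check codes and returns nothing about the signer or the signed content (`getXmlDsigSubjectName()` is only logged at debug level); if callers need the signature bound to a particular sender or element, that check has to live elsewhere, which is worth confirming. `service` and `trustProfile` are also stored without a null check, so `Objects.requireNonNull(trustProfile, "trustProfile");` in the constructor would surface a misconfigured bean at startup rather than at the first verification.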