aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-06-19 10:46:15 +0200
committerChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-06-19 10:46:15 +0200
commit5d183fd9535d80e5066647e0501da881bcac4d58 (patch)
tree5de251fdde379644e36bace245cf831805faac5d /src
parent2a765b9c3a0d20bf2794c569f584bde05fb21d16 (diff)
downloadmoa-zs-5d183fd9535d80e5066647e0501da881bcac4d58.tar.gz
moa-zs-5d183fd9535d80e5066647e0501da881bcac4d58.tar.bz2
moa-zs-5d183fd9535d80e5066647e0501da881bcac4d58.zip
Finalize moa-sig-lib's Integration and Add Testcase
- Interpret `ISignatureVerificationService` response properly (by following security layer spec [1] and moaspss handbook [2]). - Add config flag `moa.spss.is-manifest-check-active` - Change SignatureVerifier Interface: Remove @return boolean, just throw an exception when a validation error occurs. Reason: In case the signature cannot be validated, the application always needs the reason for the validation error, which requires the verifier to throw an exception. In turn, the only valid return value for `verify()` becomes `true`, which can be omitted at that point. - Add testcase for verifying a valid enveloped xml signature - Remove Certificates that are not needed. [1] https://www.buergerkarte.at/konzept/securitylayer/spezifikation/20140114/core/core.html [2] https://apps.egiz.gv.at/handbooks/moa-spss/handbook/handbook/usage/usage.html
Diffstat (limited to 'src')
-rw-r--r--src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java7
-rw-r--r--src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java12
-rw-r--r--src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java87
-rw-r--r--src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java8
-rw-r--r--src/main/resources/application.yaml2
-rw-r--r--src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.derbin0 -> 1199 bytes
-rw-r--r--src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.derbin1565 -> 0 bytes
-rw-r--r--src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.derbin0 -> 1199 bytes
-rw-r--r--src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.derbin1565 -> 0 bytes
-rw-r--r--src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java49
-rw-r--r--src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java11
-rw-r--r--src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml30
12 files changed, 183 insertions, 23 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
index 84e5299..05ecac1 100644
--- a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
+++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
@@ -90,13 +90,14 @@ public class MoaSigConfig {
}
@Bean
- public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive) {
+ public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive,
+ @Value("${moa.spss.is-manifest-check-active}") boolean isManifestCheckActive) {
if (isMoaSPSSActive) {
log.info("Moa SPSS is active. Signatures in SOAP Messages will be verified.");
- return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile);
+ return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile, isManifestCheckActive);
} else {
log.warn("Moa SPSS is not active. Signatures in SOAP Messages will not be verified.");
- return signedXMLdocument -> true;
+ return signedXMLdocument -> {};
}
}
}
diff --git a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
index 9f2b6d4..920e90d 100644
--- a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
+++ b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
@@ -75,11 +75,12 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline {
status = msgClientFactory.create(msgRequest, mzsRequest.getConfig(), interceptor).send();
var signedStatus = repository.getSignedDeliveryRequestStatus(appDeliveryId).get();
- if (verifier.verify(signedStatus)) {
- repository.add(status);
- } else {
+
+ try {
+ verifier.verify(signedStatus);
+ } catch (Exception ex) {
throw moaZSExceptionBuilder("Signature of DeliveryRequestStatus with AppDeliveryId={} " +
- "is invalid.", appDeliveryId)
+ " is not valid.", appDeliveryId)
.withErrorCode(MoaZSException.ERROR_MOASP_SIGNATURE_INVALID)
.withMzsRequest(mzsRequest)
.withTnvzResult(tnvzResult)
@@ -87,6 +88,9 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline {
.withMsgResult(status)
.build();
}
+
+ repository.add(status);
+
} catch (MoaZSException exception) {
var errorStatus = generateErrorStatus(exception, appDeliveryId);
repository.add(errorStatus);
diff --git a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
index 518cdb3..0757c5d 100644
--- a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
@@ -1,10 +1,15 @@
package at.gv.egiz.moazs.verify;
import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse;
import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder;
+import static java.lang.String.*;
+
public class MoaSPSSSignatureVerifier implements SignatureVerifier {
private static final Logger log = LoggerFactory.getLogger(MoaSPSSSignatureVerifier.class);
@@ -13,22 +18,94 @@ public class MoaSPSSSignatureVerifier implements SignatureVerifier {
private final String trustProfile;
+ private final boolean isManifestCheckActive;
+
+ private static final int OK_CODE = 0;
+
public MoaSPSSSignatureVerifier(ISignatureVerificationService service,
- String trustProfile) {
+ String trustProfile, boolean isManifestCheckActive) {
this.service = service;
this.trustProfile = trustProfile;
+ this.isManifestCheckActive = isManifestCheckActive;
}
@Override
- public boolean verify(byte[] signedXMLdocument) {
+ public void verify(byte[] signedXMLdocument) {
try {
var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
- return response != null;
+
+ if (log.isDebugEnabled()) {
+ print(response);
+ }
+
+ if (response == null) {
+ throw moaZSException("MOA SPSS could not find the signature. ");
+ }
+
+ var builder = new StringBuilder();
+
+ if (response.getSignatureCheckCode() != OK_CODE) {
+ builder.append(format("Signature is not valid; SignatureCheckCode was %d. ",
+ response.getSignatureCheckCode()));
+ }
+
+ if (response.getCertificateCheckCode() != OK_CODE) {
+ builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ",
+ response.getCertificateCheckCode()));
+ }
+
+ if (response.getSignatureManifestCheckCode() != OK_CODE) {
+ var signatureManifestErrorMsg = format("Signature Manifest is not valid; " +
+ "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode());
+ if (isManifestCheckActive) {
+ builder.append(signatureManifestErrorMsg);
+ } else {
+ log.warn(signatureManifestErrorMsg);
+ }
+ }
+
+ if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) {
+ var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " +
+ "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode());
+ if (isManifestCheckActive) {
+ builder.append(xmlDSIGManifestErrorMsg);
+ } else {
+ log.warn(xmlDSIGManifestErrorMsg);
+ }
+ }
+
+ var msg = builder.toString();
+
+ if(msg.length() > 0) {
+ throw moaZSException(msg);
+ }
+
} catch (MOASigServiceException e) {
- MoaSPSSSignatureVerifier.log.error("Could not verify the XML signature.", e);
- return false;
+ throw moaZSExceptionBuilder("Could not verify the XML signature.")
+ .withCause(e)
+ .build();
+ }
+
+ }
+
+ private void print(IXMLSignatureVerificationResponse response) {
+ log.debug("Response:");
+
+ if (response == null) {
+ log.debug("null");
+ return;
}
+ log.debug(" XmlDsigSubjectName: " + response.getXmlDsigSubjectName());
+ log.debug(" SignatureManifestCheckCode: " + response.getSignatureManifestCheckCode());
+ log.debug(" XmlDSIGManifestCheckCode: " + response.getXmlDSIGManifestCheckCode());
+ log.debug(" CertificateCheckCode: " + response.getCertificateCheckCode());
+ log.debug(" SignatureCheckCode: " + response.getSignatureCheckCode());
+ log.debug(" SigningDateTime: " + response.getSigningDateTime());
+ log.debug(" isXmlDSIGManigest: " + response.isXmlDSIGManigest());
+ log.debug(" isPublicAuthority: " + response.isPublicAuthority());
+ log.debug(" isQualifiedCertificate: " + response.isQualifiedCertificate());
+ log.debug(" getPublicAuthorityCode: " + response.getPublicAuthorityCode());
}
}
diff --git a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
index 01e90c8..a31c4cf 100644
--- a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
@@ -4,10 +4,10 @@ package at.gv.egiz.moazs.verify;
public interface SignatureVerifier {
/**
- * Verifies the signature of a signed XML document.
+ * Verifies the signature of a signed XML document. Throws a at.gv.egiz.moazs.MoaZSException exception
+ * if the validation fails.
* @param signedXMLdocument
- * @return true if the signature is valid; false if there is no signature, if the signature is invalid,
- * or if an exception occured.
+ * @throws at.gv.egiz.moazs.MoaZSException
*/
- boolean verify(byte[] signedXMLdocument);
+ void verify(byte[] signedXMLdocument);
}
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 961f437..9ce1158 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -80,6 +80,8 @@ javax.net.ssl:
### moa spss config
moa.spss:
is-active: true
+ # if active, moa spss will validate manifests in xml signatures
+ is-manifest-check-active: false
server:
# path that points to MoaSPSSConfiguration file; can be:
# - absolute path (unix: starts with /), or
diff --git a/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der b/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der
new file mode 100644
index 0000000..558ce15
--- /dev/null
+++ b/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der
Binary files differ
diff --git a/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der b/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der
deleted file mode 100644
index 3e136d4..0000000
--- a/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der
+++ /dev/null
Binary files differ
diff --git a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der
new file mode 100644
index 0000000..558ce15
--- /dev/null
+++ b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der
Binary files differ
diff --git a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der
deleted file mode 100644
index 3e136d4..0000000
--- a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der
+++ /dev/null
Binary files differ
diff --git a/src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java b/src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java
new file mode 100644
index 0000000..afa817f
--- /dev/null
+++ b/src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java
@@ -0,0 +1,49 @@
+package at.gv.egiz.moazs;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.moazs.verify.MoaSPSSSignatureVerifier;
+import at.gv.egiz.moazs.verify.SignatureVerifier;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+ public class MoaSPSSSignatureVerifierTest {
+
+ private final String resourcesPath = "src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/";
+
+ @TestConfiguration
+ public class Config{
+
+ @Bean
+ public SignatureVerifier verifier(@Autowired ISignatureVerificationService service){
+ return new MoaSPSSSignatureVerifier(service, "test-trust-profile", true);
+ }
+
+ }
+
+ @Autowired
+ private SignatureVerifier verifier;
+
+ //TODO make sure that testcase does not depend on runtime because it's certificate expires in 2023-09-27.
+ @Test
+ public void acceptValidSignedDeliveryResponse() throws IOException {
+
+ var path = resourcesPath + "valid-signed-delivery-response.xml";
+ var signature = Files.readAllBytes(new File(path).toPath());
+
+ verifier.verify(signature);
+ }
+
+}
diff --git a/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java b/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java
index 768f376..cd454f2 100644
--- a/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java
+++ b/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java
@@ -20,10 +20,12 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
+import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;
import java.util.List;
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
import static at.gv.zustellung.app2mzs.xsd.ConfigType.configTypeBuilder;
import static at.gv.zustellung.app2mzs.xsd.DeliveryRequestType.Payload;
import static at.gv.zustellung.app2mzs.xsd.DeliveryRequestType.Payload.payloadBuilder;
@@ -148,7 +150,8 @@ public class SameThreadDeliveryPipelineTest {
@Test
public void rejectInvalidSignature() {
var appDeliveryId = "invalid-signature";
- setupMocks(appDeliveryId, true, List.of(), List.of("*/*"), false);
+ setupMocks(appDeliveryId, true, List.of(), List.of("*/*"));
+ doThrow(moaZSException("Signature Invalid!")).when(verifier).verify(any());
pipeline.processRequest(appDeliveryId);
var actualCode = repository.getDeliveryRequestStatus(appDeliveryId).get()
@@ -160,11 +163,6 @@ public class SameThreadDeliveryPipelineTest {
private DeliveryRequestStatusType setupMocks(String appDeliveryId, boolean tnvzRequest,
List<String> attachedTypes, List<String> acceptedTypes) {
- return setupMocks(appDeliveryId, tnvzRequest, attachedTypes, acceptedTypes, true);
- }
-
- private DeliveryRequestStatusType setupMocks(String appDeliveryId, boolean tnvzRequest,
- List<String> attachedTypes, List<String> acceptedTypes, boolean isSignedStatusValid) {
var mzsRequest = setupMzsRequest(appDeliveryId, tnvzRequest, attachedTypes);
var msgRequest = setupMsgRequest(appDeliveryId);
@@ -178,7 +176,6 @@ public class SameThreadDeliveryPipelineTest {
when(converter.convert(eq(mzsRequest), any())).thenReturn(msgRequest);
when(msgClientFactory.create(msgRequest, mzsRequest.getConfig(), interceptor)).thenReturn(msgClient);
when(msgClient.send()).thenReturn(status);
- when(verifier.verify(signedStatus)).thenReturn(isSignedStatusValid);
return status;
diff --git a/src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml b/src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml
new file mode 100644
index 0000000..59a90cf
--- /dev/null
+++ b/src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml
@@ -0,0 +1,30 @@
+<DeliveryResponse xmlns="http://reference.e-government.gv.at/namespace/zustellung/msg/phase2/20181206#" xmlns:ns2="http://reference.e-government.gv.at/namespace/persondata/phase2/20181206#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"><PartialSuccess><DeliverySystem>https://testzustellsystem.egiz.gv.at</DeliverySystem><ZSDeliveryID>zs-valid-delivery-request-id</ZSDeliveryID><AppDeliveryID>valid-delivery-request-id</AppDeliveryID><GZ>12345</GZ></PartialSuccess><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="signature-1-1"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference Id="reference-1-1" URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>ejvUI0yh/IIyauFe8x5ZonD/i5oznl8vFyS3oLNivzA=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hmVZrLkMDbXaRLYQKOaV3OtK13TQgMu3csKyw9M4zWqNyva1yxnYkzoX3dKDOdc9
+O56yQJsjoA3Cuw7pXlGO7jSfVM77dTXbWSDaF95O9Vdsrmr7R6Uki0jA9SmgQLXg
+hZAUG8JpsHcBn8M0L2BXADKjSn0LuMDL2L7dmU3EM7eRy+OvFwDrXDw1fhjQO6L2
+KoflAWLgUerDhJSpzr0+YfmkrjzitLUA7oIg8ieOnfGyql31ECmDJEqgnL78hyPZ
+KaNZImDf3EWFs8je6mt+os1TwsyXYwz+GGbjoDR8lGTS9xVqnXdrgP8Jyv6p9FEu
+0IYgSY2FlbI3skPZC8ZVXg==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIEqzCCBBSgAwIBAgIHANux81oNezANBgkqhkiG9w0BAQUFADBAMSIwIAYDVQQD
+ExlJQUlLIFRlc3QgSW50ZXJtZWRpYXRlIENBMQ0wCwYDVQQKEwRJQUlLMQswCQYD
+VQQGEwJBVDAeFw0xMzA5MjcwNTMzMzdaFw0yMzA5MjcwNTMzMzdaMIHkMQswCQYD
+VQQGEwJBVDENMAsGA1UEBxMER3JhejEmMCQGA1UEChMdR3JheiBVbml2ZXJzaXR5
+IG9mIFRlY2hub2xvZ3kxSDBGBgNVBAsTP0luc3RpdHV0ZSBmb3IgQXBwbGllZCBJ
+bmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
+BBMLTU9BLVNTIFRlc3QxGDAWBgNVBCoTD0VHSVogVGVzdHBvcnRhbDEkMCIGA1UE
+AxMbRUdJWiBUZXN0cG9ydGFsIE1PQS1TUyBUZXN0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuDjOyf+mY+oQL2FQzzuaiC8C23vVKbq/n2Zi7BqSibZH
+mtqMJfmj4pT+hWSNHvVvWsaxFcx4KeNqdCMzwnw1r4P3Sf+2o5uFku5KHEMLMokR
+yYQG9VqY/KkB94ye7Pv6zT8gvKqxGFg96UamECep4swPaSZrA8AOER5WAtyGDzKI
+Tz+a5zfFaTXDoba7f98PCWR96yKiFjVOhzp38WVz4VJgz+b8ZSY7Xsv5Kn7DXjOL
+STX4MevFLki3rFPup3+4vGToaMBW3PEj67HXBdqR855Le6+E6rVxORqsXqlVwhsI
+6nuS0CO2LWYmBNR1IB0mXteeYH/HfxvuZc+7yDjdPQIDAQABo4IBhDCCAYAwDgYD
+VR0PAQH/BAQDAgbAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEmcH6VY4BG1EAGB
+TLoNR9vH/g6yMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jYS5pYWlrLnR1Z3Jh
+ei5hdC9jYXBzby9jcmxzL0lBSUtUZXN0X0ludGVybWVkaWF0ZUNBLmNybDCBqgYI
+KwYBBQUHAQEEgZ0wgZowSgYIKwYBBQUHMAGGPmh0dHA6Ly9jYS5pYWlrLnR1Z3Jh
+ei5hdC9jYXBzby9PQ1NQP2NhPUlBSUtUZXN0X0ludGVybWVkaWF0ZUNBMEwGCCsG
+AQUFBzAChkBodHRwOi8vY2EuaWFpay50dWdyYXouYXQvY2Fwc28vY2VydHMvSUFJ
+S1Rlc3RfSW50ZXJtZWRpYXRlQ0EuY2VyMCEGA1UdEQQaMBiBFnRob21hcy5sZW56
+QGVnaXouZ3YuYXQwHwYDVR0jBBgwFoAUaKJeEdreL4BrRES/jfplNoEkp28wDQYJ
+KoZIhvcNAQEFBQADgYEAlFGjUxXLs7SAT8NtXSrv2WrjlklaRnHTFHLQwyVo8JWb
+gvRkHHDUv2o8ofXUY2R2WJ38dxeDoccgbXrJb/Qhi8IY7YhCwv/TuIZDisyAqo8W
+ORKSip/6HWlGCSR/Vgoet1GtCmF0FoUxFUIGSAuQ2yyt4fIzt5GJrU1X5ujjI1w=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature></DeliveryResponse>