-rw-r--r-- | pom.xml | 3 | ||||
-rw-r--r-- | readme.md | 16 | ||||
-rw-r--r-- | src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java | 29 | ||||
-rw-r--r-- | src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java | 31 | ||||
-rw-r--r-- | src/main/resources/application.yaml | 5 | ||||
-rw-r--r-- | src/main/resources/moa-spss/MOASPSSConfiguration.xml | 73 | ||||
-rw-r--r-- | src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem | 35 |
7 files changed, 188 insertions, 4 deletions
@@ -122,8 +122,7 @@ <artifactId>egovutils</artifactId> <version>${egovutils.version}</version> </dependency> - <!-- eaaf components. - checkout https://gitlab.iaik.tugraz.at/egiz/eaaf_components/commits/[version-tag] and run mvn install--> + <!-- eaaf components. See readme.md for installation --> <dependency> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_module_moa-sig</artifactId> @@ -6,6 +6,22 @@ Some dependencies are not in the mvn central repo. You need to install those dependencies to your local maven repository with `mvn install`. Check `pom.xml` and follow the instructions. +## How to install `eaaf_module_moa-sig` + +``` +export EAAF_COMPONENTS_VERSION=1.0.7 +cd /path/to/working/dir +git clone https://gitlab.iaik.tugraz.at/egiz/eaaf_components/ +cd eaaf_components +git checkout $EAAF_COMPONENTS_VERSION +mvn package javadoc:jar sources:jar +mvn install:install-file -DgroupId=at.gv.egiz.eaaf -DartifactId=eaaf_module_moa-sig \ + -Dversion=$EAAF_COMPONENTS_VERSION -Dpackaging=jar \ + -Dfile=eaaf_modules/eaaf_module_moa-sig/target/eaaf_module_moa-sig-$EAAF_COMPONENTS_VERSION.jar \ + -Djavadoc=eaaf_modules/eaaf_module_moa-sig/target/eaaf_module_moa-sig-$EAAF_COMPONENTS_VERSION-javadoc.jar \ + -Dsources=eaaf_modules/eaaf_module_moa-sig/target/eaaf_module_moa-sig-$EAAF_COMPONENTS_VERSION-sources.jar +``` + ## Compile & Test ``` diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java new file mode 100644 index 0000000..e96d851 --- /dev/null +++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java 
@@ -0,0 +1,29 @@
+package at.gv.egiz.moazs.config;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.SignatureVerificationService;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class MoaSigConfig {
+
+ private final String defaultTrustProfile;
+
+ public MoaSigConfig(@Value("${moa.spss.server.default-trustprofile}") String defaultTrustProfile,
+ @Value("${moa.spss.server.configuration}") String serverConfigUrl) {
+ this.defaultTrustProfile = defaultTrustProfile;
+ System.getProperties().setProperty("moa.spss.server.configuration", serverConfigUrl);
+ }
+
+ @Bean
+ public String moaSPSSServerDefaultTrustProfile() {
+ return defaultTrustProfile;
+ }
+
+ @Bean
+ public ISignatureVerificationService moaSigVerifyService() {
+ return new SignatureVerificationService();
+ }
+}
diff --git a/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
index 12b1ccb..d6311c4 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
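Review bot: The constructor's `System.getProperties().setProperty("moa.spss.server.configuration", serverConfigUrl)` is a process-wide side effect hidden inside a bean constructor, and nothing in the hunk says why it is there; it also unconditionally overwrites a value an operator may already have passed on the command line with `-D`. Presumably the `SignatureVerificationService` built in `moaSigVerifyService()` reads its configuration location from that system property, which also means the property must be set before that bean is created — a comment should state this ordering dependency, e.g. `// MOA-SPSS locates its configuration via this JVM system property; it must be set before moaSigVerifyService() instantiates the service.` The class and both `@Bean` methods lack Javadoc; `moaSPSSServerDefaultTrustProfile()` publishes a bare `String` bean that is only resolvable by qualifier and collides with any other `String` bean in the context, so document that contract on the method.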
@@ -1,13 +1,40 @@
 package at.gv.egiz.moazs.msg;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 @Component
 public class SignatureVerifier {
- public boolean verify(byte[] signedXMLdocument) {
- return true;
+ private static final Logger log = LoggerFactory.getLogger(SignatureVerifier.class);
+
+ @Autowired
+ @Qualifier("moaSigVerifyService")
+ private final ISignatureVerificationService service;
+
+ @Autowired
+ @Qualifier("moaSPSSServerDefaultTrustProfile")
+ private final String trustProfile;
+ public SignatureVerifier(ISignatureVerificationService service,
+ String trustProfile) {
+ this.service = service;
+ this.trustProfile = trustProfile;
+ }
+
+ public boolean verify(byte[] signedXMLdocument) {
+ try {
+ var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
+ return response != null;
+ } catch (MOASigServiceException e) {
+ log.error("Could not verify the XML signature.", e);
+ return false;
+ }
 }
 }
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 1a432c2..61c7dba 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -70,3 +70,8 @@ logging:
 root: WARN
 org.springframework: WARN
 at.gv.egiz.moazs: INFO
+
+### moa spss config
+moa.spss.server:
+ configuration: file:./moa-spss/MOASPSSConfiguration.xml
+ default-trustprofile: test-trustprofile
diff --git a/src/main/resources/moa-spss/MOASPSSConfiguration.xml b/src/main/resources/moa-spss/MOASPSSConfiguration.xml
new file mode 100644
index 0000000..edaaf8a
--- /dev/null
+++ b/src/main/resources/moa-spss/MOASPSSConfiguration.xml
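Review bot: `verify` reports any non-null response as a valid signature (`return response != null;`), so a document whose signature or signer certificate fails MOA-SPSS validation is still accepted as long as the service answers instead of throwing; this is the security-relevant check and it is missing. The response object presumably carries the signature-check and certificate-check results (in MOA-SPSS a check code of 0 denotes success) — `verify` should return true only when both report success and log the codes otherwise; confirm the accessor names against the eaaf response type before wiring this in. Separately, `@Autowired`/`@Qualifier` on the two `private final` fields are ineffective (Spring cannot inject into final fields) and the qualifiers are not applied to the constructor parameters, so with a second `String` bean in the context the constructor injection of `trustProfile` becomes ambiguous; move the `@Qualifier` annotations onto the constructor parameters and drop the field-level `@Autowired`. The fail-closed `return false` in the catch block is right; a Javadoc on `verify` should state that both an exception and a failed check yield false.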
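Review bot: `configuration: file:./moa-spss/MOASPSSConfiguration.xml` is a `file:` URL resolved against the process working directory, but this commit adds `MOASPSSConfiguration.xml` under `src/main/resources`, which lands on the classpath inside the jar rather than in the working directory, so presumably the service only finds it when started from a directory that holds an unpacked copy. Either document the expected deployment layout next to the key or make the value overridable per environment. `default-trustprofile: test-trustprofile` also selects a test trust profile as the default for every profile of the application; mark the block accordingly, e.g. `# test-only defaults; override moa.spss.server.* per environment`.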
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--MOA SPSS 1.3 Configuration File created by MOA SPSS Configuration Mapper-->
+<cfg:MOAConfiguration xmlns:cfg="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+<cfg:Common>
+ <cfg:PermitExternalUris>
+ <cfg:BlackListUri>
+ <cfg:IP>192.168</cfg:IP>
+ </cfg:BlackListUri>
+ </cfg:PermitExternalUris>
+ </cfg:Common>
+
+ <cfg:SignatureVerification>
+ <cfg:CertificateValidation>
+ <cfg:PathConstruction>
+ <cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>
+ <cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess>
+ <cfg:CertificateStore>
+ <cfg:DirectoryStore>
+ <cfg:Location>certstore</cfg:Location>
+ </cfg:DirectoryStore>
+ </cfg:CertificateStore>
+ </cfg:PathConstruction>
+ <cfg:PathValidation>
+ <cfg:ChainingMode>
+ <cfg:DefaultMode>pkix</cfg:DefaultMode>
+ <cfg:TrustAnchor>
+ <cfg:Identification>
+ <dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+ <dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+ </cfg:Identification>
+ <cfg:Mode>chaining</cfg:Mode>
+ </cfg:TrustAnchor>
+ <cfg:TrustAnchor>
+ <cfg:Identification>
+ <dsig:X509IssuerName>C=AT,O=Hauptverband österr. Sozialvers.,CN=Root-CA 1</dsig:X509IssuerName>
+ <dsig:X509SerialNumber>376503867878755617282523408360935024869</dsig:X509SerialNumber>
+ </cfg:Identification>
+ <cfg:Mode>chaining</cfg:Mode>
+ </cfg:TrustAnchor>
+ </cfg:ChainingMode>
+
+ <cfg:TrustProfile>
+ <cfg:Id>test-trustprofile</cfg:Id>
+ <cfg:TrustAnchorsLocation>truststores/test-truststore</cfg:TrustAnchorsLocation>
+ </cfg:TrustProfile>
+
+ </cfg:PathValidation>
+ <cfg:RevocationChecking>
+ <cfg:EnableChecking>false</cfg:EnableChecking>
+ <cfg:MaxRevocationAge>0</cfg:MaxRevocationAge>
+ <cfg:ServiceOrder>
+ <cfg:Service>CRL</cfg:Service>
+ <cfg:Service>OCSP</cfg:Service>
+ </cfg:ServiceOrder>
+ <cfg:Archiving>
+ <cfg:EnableArchiving>false</cfg:EnableArchiving>
+ <cfg:ArchiveDuration>365</cfg:ArchiveDuration>
+ <cfg:Archive>
+ <cfg:DatabaseArchive>
+ <cfg:JDBCURL>jdbc:url</cfg:JDBCURL>
+ <cfg:JDBCDriverClassName>fully.qualified.classname</cfg:JDBCDriverClassName>
+ </cfg:DatabaseArchive>
+ </cfg:Archive>
+ </cfg:Archiving>
+ </cfg:RevocationChecking>
+ </cfg:CertificateValidation>
+
+ <cfg:VerifyTransformsInfoProfile>
+ <cfg:Id>SL20Authblock_v1.0</cfg:Id>
+ <cfg:Location>profiles/SL20_authblock_v1.0.xml</cfg:Location>
+ </cfg:VerifyTransformsInfoProfile>
+ </cfg:SignatureVerification>
+</cfg:MOAConfiguration>
diff --git a/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem b/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem
new file mode 100644
index 0000000..57963bd
--- /dev/null
+++ b/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem
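Review bot: `<cfg:TrustAnchorsLocation>truststores/test-truststore</cfg:TrustAnchorsLocation>` does not match the directory this commit adds, `truststores/test-truststores/` (plural), so the `test-trustprofile` presumably points at a trust store that does not exist; one of the two names has to change. `<cfg:EnableChecking>false</cfg:EnableChecking>` switches off revocation checking for the whole signature-verification configuration, so a revoked signer certificate still validates; together with `<cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>` and the `jdbc:url` / `fully.qualified.classname` placeholders in the archive section this is a test configuration, and nothing in the file marks it as such. Add a comment near the top stating that revocation checking is disabled and the archive settings are placeholders, and that a production deployment needs its own configuration, e.g. `<!-- TEST configuration: revocation checking disabled, placeholder archive settings; do not deploy as-is -->`.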
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGGTCCBAGgAwIBAgIUEzQUFWuzrC0F4mODQYgPZ/Lhq04wDQYJKoZIhvcNAQEL +BQAwgZMxCzAJBgNVBAYTAkFUMRAwDgYDVQQIDAdBdXN0cmlhMQ0wCwYDVQQKDARJ +QUlLMQ0wCwYDVQQLDARFR0laMSMwIQYDVQQDDBpFR0laIENSQUJFTlNURUlORVIg +Uk9PVCBDQTEvMC0GCSqGSIb3DQEJARYgY2hyaXN0b2YucmFiZW5zdGVpbmVyQGVn +aXouZ3YuYXQwHhcNMTkwNDIzMTQwNTU2WhcNMzkwNDE4MTQwNTU2WjCBkzELMAkG +A1UEBhMCQVQxEDAOBgNVBAgMB0F1c3RyaWExDTALBgNVBAoMBElBSUsxDTALBgNV +BAsMBEVHSVoxIzAhBgNVBAMMGkVHSVogQ1JBQkVOU1RFSU5FUiBST09UIENBMS8w +LQYJKoZIhvcNAQkBFiBjaHJpc3RvZi5yYWJlbnN0ZWluZXJAZWdpei5ndi5hdDCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMclj0pHf7LxLXEvtz+P7mxI +5U5Lx0xDiEY4XeLn75jis3IQotv3zmUz8Mvv9rkAT7y9JMJyJPBUPo2iWCO/dtm+ +qYlCy4fNPGvGPyjE05TM+JhG8bijpgO2EEZmKv48by+UUzioX8H/to5n8xNzDu8C +bibBddbGyfQ9E7PkR2VhdW8PkUrqJCxeG/xiwS0h1U2v++4ZKQpS78rj75KNEExx +t8spzZFyKV3i5mTkW2Exp5OSr07SpadjlRqkYWkdZsAPnaK4L4KQ+rrL9qXb/fzK +syD2LkAHimV3s19IZjGVbdwCtgacDZlME3zNfGxIC0hAeJsSXJJN2FMO3SrnXv2b +CDJT3SOCF+PMhmv41PGMswQxnCtPvB9659y/Cr/tHkY5bhQiR4XamZie7IkxpsMa +WpV4jCY9iz1L8OsM62DVRsztDWw1w1j2dyWyODNbxaI7fEWg9klUW7GgEDYBeJ2h +9kfgwZXiMZkw/7+0VHU97a7AKmpCXP3kH6n1z3MAgaf+Dd4Gq7RXB+4HEZ31uiNO +OqrnayFs2td/X7cl/0ioNLnJ/hbaOmHsGDQo5W0WyXg9bVkLtezajVwTCKkRdUnn +kAXL0y+x/aRc2CycE7tlC0SHtBDTVjdx5CWeulynBMMiMWZwb+HR9id/rnifp3Vk +/CPA+eyjiVtt8uXXozLFAgMBAAGjYzBhMB0GA1UdDgQWBBSK8/VCjnMFpNKrPSEv +k+GF/qM5izAfBgNVHSMEGDAWgBSK8/VCjnMFpNKrPSEvk+GF/qM5izAPBgNVHRMB +Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAp/fR +A+cZlMw0jtiFRYy7096dadgjefIcQVgZYNTL3zuPrXyRIHMp4dTlNnREkobmzkcy +jWN/I41hm2SHt86+E1c7n/wd1KE1oefqoRkhQws84718zlLBkL/iMwluzE4ZzqiE +RPxBFv23QqFLzaZpqan4ic9zlkqW1d8IZ9kt9vctAxUIju4hXqozUfaYIjIThutU +wkIgN1A6e6qugFYB9jkhijnMw0HJeP19JbBUNGp9bP3GiSEc+S1ydddU2492rDQj +NQKvUMvGUhoUdxbbcUhxs6i6Gfct5bCXRN+r7d+mpwFrpN9xv0a0a7y5GNZk//2S +0qsqQwVEHYa0fDxsBFLnM7i2EY6+eo9mMccOgn0Jk8z+IIU3OCHgRs3df8R0zWbd +2FSeqrHTTtgcnmfEx3TMZnuuLfOCIwczl/4DP6M5Z6xwp/MKXzUWFy5SP1wkLe9i 
+KiTaYeYLiVZb4AluW8TdhkBjj87gA1gCqqGIAyQ6+40LGplt7Wt5pY2XGWqQQLcq +qfutUjWQM+HOQEDsodrPu8DR07Q613XdrfMuJGHXDh7a+6xD0nRhpkR9JacoY1h/ +UTObjMFCIwIZ8bYniFLgmJhKlMiuhgNuGsEoSMsFHVDrCsEXZOKkoL8OmRu/V4zo +2vewbMLL/jvutkmtS8E+R1lt+J6iEI5EYJHONrw= +-----END CERTIFICATE----- |