1 files changed, 116 insertions, 0 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java
new file mode 100644
index 0000000..e9c5387
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/backend/SignatureVerifier.java
@@ -0,0 +1,116 @@
+package at.gv.egiz.moazs.backend;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.function.Consumer;
+
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder;
+import static java.lang.String.format;
+
+public class SignatureVerifier implements Consumer<byte[]> {
+
+    private static final Logger log = LoggerFactory.getLogger(SignatureVerifier.class);
+    private static final int OK_CODE = 0;
+
+    private final ISignatureVerificationService service;
+    private final String trustProfile;
+    private final boolean isManifestCheckActive;
+
+    public SignatureVerifier(ISignatureVerificationService service,
+                                    String trustProfile, boolean isManifestCheckActive) {
+        this.service = service;
+        this.trustProfile = trustProfile;
+        this.isManifestCheckActive = isManifestCheckActive;
+    }
+
+    /**
+     * Verifies the signature of a signed XML document. Throws a at.gv.egiz.moazs.MoaZSException exception
+     * if the validation fails.
+     * @param signedXMLdocument
+     * @throws at.gv.egiz.moazs.MoaZSException
+     */
+    @Override
+    public void accept(byte[] signedXMLdocument) {
+
+        try {
+            var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
+
+            if (log.isDebugEnabled()) {
+                print(response);
+            }
+
+            if (response == null) {
+                throw moaZSException("MOA SPSS could not find the signature. ");
+            }
+
+            var builder = new StringBuilder();
+
+            if (response.getSignatureCheckCode() != OK_CODE) {
+                builder.append(format("Signature is not valid; SignatureCheckCode was %d. ",
+                        response.getSignatureCheckCode()));
+            }
+
+            if (response.getCertificateCheckCode() != OK_CODE) {
+                builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ",
+                        response.getCertificateCheckCode()));
+            }
+
+            if (response.getSignatureManifestCheckCode() != OK_CODE) {
+                var signatureManifestErrorMsg = format("Signature Manifest is not valid; " +
+                        "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode());
+                if (isManifestCheckActive) {
+                    builder.append(signatureManifestErrorMsg);
+                } else {
+                    log.warn(signatureManifestErrorMsg);
+                }
+            }
+
+            if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) {
+                var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " +
+                        "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode());
+                if (isManifestCheckActive) {
+                    builder.append(xmlDSIGManifestErrorMsg);
+                } else {
+                    log.warn(xmlDSIGManifestErrorMsg);
+                }
+            }
+
+            var msg = builder.toString();
+
+            if(msg.length() > 0) {
+                throw moaZSException(msg);
+            }
+
+        } catch (MOASigServiceException e) {
+            throw moaZSExceptionBuilder("Could not accept the XML signature.")
+                    .withCause(e)
+                    .build();
+        }
+
+    }
+
+    private void print(IXMLSignatureVerificationResponse response) {
+        log.debug("Response:");
+
+        if (response == null) {
+            log.debug("null");
+            return;
+        }
+
+        log.debug("  XmlDsigSubjectName: {}", response.getXmlDsigSubjectName());
+        log.debug("  SignatureManifestCheckCode: {}", response.getSignatureManifestCheckCode());
+        log.debug("  XmlDSIGManifestCheckCode: {}", response.getXmlDSIGManifestCheckCode());
+        log.debug("  CertificateCheckCode: {}", response.getCertificateCheckCode());
+        log.debug("  SignatureCheckCode: {}", response.getSignatureCheckCode());
+        log.debug("  SigningDateTime: {}", response.getSigningDateTime());
+        log.debug("  isXmlDSIGManigest: {}", response.isXmlDSIGManigest());
+        log.debug("  isPublicAuthority: {}", response.isPublicAuthority());
+        log.debug("  isQualifiedCertificate: {}", response.isQualifiedCertificate());
+        log.debug("  getPublicAuthorityCode: {}", response.getPublicAuthorityCode());
+    }
+}