diff options
Diffstat (limited to 'src/main/java/at/gv/egiz/moazs')
4 files changed, 98 insertions, 16 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java index 84e5299..05ecac1 100644 --- a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java +++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java @@ -90,13 +90,14 @@ public class MoaSigConfig { } @Bean - public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive) { + public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive, + @Value("${moa.spss.is-manifest-check-active}") boolean isManifestCheckActive) { if (isMoaSPSSActive) { log.info("Moa SPSS is active. Signatures in SOAP Messages will be verified."); - return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile); + return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile, isManifestCheckActive); } else { log.warn("Moa SPSS is not active. Signatures in SOAP Messages will not be verified."); - return signedXMLdocument -> true; + return signedXMLdocument -> {}; } } } diff --git a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java index 9f2b6d4..920e90d 100644 --- a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java +++ b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java @@ -75,11 +75,12 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline { status = msgClientFactory.create(msgRequest, mzsRequest.getConfig(), interceptor).send(); var signedStatus = repository.getSignedDeliveryRequestStatus(appDeliveryId).get(); - if (verifier.verify(signedStatus)) { - repository.add(status); - } else { + + try { + verifier.verify(signedStatus); + } catch (Exception ex) { throw moaZSExceptionBuilder("Signature of DeliveryRequestStatus with AppDeliveryId={} " + - "is invalid.", appDeliveryId) + " is not valid.", appDeliveryId) .withErrorCode(MoaZSException.ERROR_MOASP_SIGNATURE_INVALID) .withMzsRequest(mzsRequest) .withTnvzResult(tnvzResult) @@ -87,6 +88,9 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline { .withMsgResult(status) .build(); } + + repository.add(status); + } catch (MoaZSException exception) { var errorStatus = generateErrorStatus(exception, appDeliveryId); repository.add(errorStatus); diff --git a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java index 518cdb3..0757c5d 100644 --- a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java +++ b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java @@ -1,10 +1,15 @@ package at.gv.egiz.moazs.verify; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import static at.gv.egiz.moazs.MoaZSException.moaZSException; +import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder; +import static java.lang.String.*; + public class MoaSPSSSignatureVerifier implements SignatureVerifier { private static final Logger log = LoggerFactory.getLogger(MoaSPSSSignatureVerifier.class); @@ -13,22 +18,94 @@ public class MoaSPSSSignatureVerifier implements SignatureVerifier { private final String trustProfile; + private final boolean isManifestCheckActive; + + private static final int OK_CODE = 0; + public MoaSPSSSignatureVerifier(ISignatureVerificationService service, - String trustProfile) { + String trustProfile, boolean isManifestCheckActive) { this.service = service; this.trustProfile = trustProfile; + this.isManifestCheckActive = isManifestCheckActive; } @Override - public boolean verify(byte[] signedXMLdocument) { + public void verify(byte[] signedXMLdocument) { try { var response = service.verifyXMLSignature(signedXMLdocument, trustProfile); - return response != null; + + if (log.isDebugEnabled()) { + print(response); + } + + if (response == null) { + throw moaZSException("MOA SPSS could not find the signature. "); + } + + var builder = new StringBuilder(); + + if (response.getSignatureCheckCode() != OK_CODE) { + builder.append(format("Signature is not valid; SignatureCheckCode was %d. ", + response.getSignatureCheckCode())); + } + + if (response.getCertificateCheckCode() != OK_CODE) { + builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ", + response.getCertificateCheckCode())); + } + + if (response.getSignatureManifestCheckCode() != OK_CODE) { + var signatureManifestErrorMsg = format("Signature Manifest is not valid; " + + "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode()); + if (isManifestCheckActive) { + builder.append(signatureManifestErrorMsg); + } else { + log.warn(signatureManifestErrorMsg); + } + } + + if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) { + var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " + + "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode()); + if (isManifestCheckActive) { + builder.append(xmlDSIGManifestErrorMsg); + } else { + log.warn(xmlDSIGManifestErrorMsg); + } + } + + var msg = builder.toString(); + + if(msg.length() > 0) { + throw moaZSException(msg); + } + } catch (MOASigServiceException e) { - MoaSPSSSignatureVerifier.log.error("Could not verify the XML signature.", e); - return false; + throw moaZSExceptionBuilder("Could not verify the XML signature.") + .withCause(e) + .build(); + } + + } + + private void print(IXMLSignatureVerificationResponse response) { + log.debug("Response:"); + + if (response == null) { + log.debug("null"); + return; } + log.debug(" XmlDsigSubjectName: " + response.getXmlDsigSubjectName()); + log.debug(" SignatureManifestCheckCode: " + response.getSignatureManifestCheckCode()); + log.debug(" XmlDSIGManifestCheckCode: " + response.getXmlDSIGManifestCheckCode()); + log.debug(" CertificateCheckCode: " + response.getCertificateCheckCode()); + log.debug(" SignatureCheckCode: " + response.getSignatureCheckCode()); + log.debug(" SigningDateTime: " + response.getSigningDateTime()); + log.debug(" isXmlDSIGManigest: " + response.isXmlDSIGManigest()); + log.debug(" isPublicAuthority: " + response.isPublicAuthority()); + log.debug(" isQualifiedCertificate: " + response.isQualifiedCertificate()); + log.debug(" getPublicAuthorityCode: " + response.getPublicAuthorityCode()); } } diff --git a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java index 01e90c8..a31c4cf 100644 --- a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java +++ b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java @@ -4,10 +4,10 @@ package at.gv.egiz.moazs.verify; public interface SignatureVerifier { /** - * Verifies the signature of a signed XML document. + * Verifies the signature of a signed XML document. Throws a at.gv.egiz.moazs.MoaZSException exception + * if the validation fails. * @param signedXMLdocument - * @return true if the signature is valid; false if there is no signature, if the signature is invalid, - * or if an exception occured. + * @throws at.gv.egiz.moazs.MoaZSException */ - boolean verify(byte[] signedXMLdocument); + void verify(byte[] signedXMLdocument); } |