Diffstat (limited to 'src/main')
-rw-r--r--src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java7
-rw-r--r--src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java12
-rw-r--r--src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java87
-rw-r--r--src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java8
-rw-r--r--src/main/resources/application.yaml2
-rw-r--r--src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.derbin0 -> 1199 bytes
-rw-r--r--src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.derbin1565 -> 0 bytes
-rw-r--r--src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.derbin0 -> 1199 bytes
-rw-r--r--src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.derbin1565 -> 0 bytes
9 files changed, 100 insertions, 16 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
index 84e5299..05ecac1 100644
--- a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
+++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
@@ -90,13 +90,14 @@ public class MoaSigConfig {
}
@Bean
- public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive) {
+ public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive,
+ @Value("${moa.spss.is-manifest-check-active}") boolean isManifestCheckActive) {
if (isMoaSPSSActive) {
log.info("Moa SPSS is active. Signatures in SOAP Messages will be verified.");
- return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile);
+ return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile, isManifestCheckActive);
} else {
log.warn("Moa SPSS is not active. Signatures in SOAP Messages will not be verified.");
- return signedXMLdocument -> true;
+ return signedXMLdocument -> {};
}
}
}
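Review bot: The new `@Value("${moa.spss.is-manifest-check-active}")` parameter of signatureVerifier has no default, so a deployment whose configuration replaces the bundled application.yaml and predates this key would presumably fail at startup on the unresolved placeholder. If forcing an explicit decision is intended, document the new key for operators; otherwise give it a default that keeps the check on, `@Value("${moa.spss.is-manifest-check-active:true}")`. The class body starts outside the hunk.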
diff --git a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
index 9f2b6d4..920e90d 100644
--- a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
+++ b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
@@ -75,11 +75,12 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline {
status = msgClientFactory.create(msgRequest, mzsRequest.getConfig(), interceptor).send();
var signedStatus = repository.getSignedDeliveryRequestStatus(appDeliveryId).get();
- if (verifier.verify(signedStatus)) {
- repository.add(status);
- } else {
+
+ try {
+ verifier.verify(signedStatus);
+ } catch (Exception ex) {
throw moaZSExceptionBuilder("Signature of DeliveryRequestStatus with AppDeliveryId={} " +
- "is invalid.", appDeliveryId)
+ " is not valid.", appDeliveryId)
.withErrorCode(MoaZSException.ERROR_MOASP_SIGNATURE_INVALID)
.withMzsRequest(mzsRequest)
.withTnvzResult(tnvzResult)
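Review bot: The `catch (Exception ex)` block never uses `ex` in the lines shown, so the check codes that MoaSPSSSignatureVerifier puts into its exception message are dropped from the MoaZSException built here; add `.withCause(ex)` to the builder chain, as the verifier's own catch block in this commit does. Catching `Exception` also reports unrelated runtime failures as ERROR_MOASP_SIGNATURE_INVALID, which still rejects the status but misleads whoever triages the error; catching `MoaZSException` for the invalid-signature case would keep the two apart. The concatenated message now contains a double space before `is not valid.`. The enclosing method and part of the builder chain lie outside the hunk.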
@@ -87,6 +88,9 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline {
.withMsgResult(status)
.build();
}
+
+ repository.add(status);
+
} catch (MoaZSException exception) {
var errorStatus = generateErrorStatus(exception, appDeliveryId);
repository.add(errorStatus);
diff --git a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
index 518cdb3..0757c5d 100644
--- a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
@@ -1,10 +1,15 @@
package at.gv.egiz.moazs.verify;
import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse;
import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder;
+import static java.lang.String.*;
+
public class MoaSPSSSignatureVerifier implements SignatureVerifier {
private static final Logger log = LoggerFactory.getLogger(MoaSPSSSignatureVerifier.class);
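Review bot: `import static java.lang.String.*;` brings every static member of String into scope although the new code only calls `format`; `import static java.lang.String.format;` keeps unqualified names such as `valueOf` or `join` from resolving to String by accident. The class body continues outside this hunk.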
@@ -13,22 +18,94 @@ public class MoaSPSSSignatureVerifier implements SignatureVerifier {
private final String trustProfile;
+ private final boolean isManifestCheckActive;
+
+ private static final int OK_CODE = 0;
+
public MoaSPSSSignatureVerifier(ISignatureVerificationService service,
- String trustProfile) {
+ String trustProfile, boolean isManifestCheckActive) {
this.service = service;
this.trustProfile = trustProfile;
+ this.isManifestCheckActive = isManifestCheckActive;
}
@Override
- public boolean verify(byte[] signedXMLdocument) {
+ public void verify(byte[] signedXMLdocument) {
try {
var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
- return response != null;
+
+ if (log.isDebugEnabled()) {
+ print(response);
+ }
+
+ if (response == null) {
+ throw moaZSException("MOA SPSS could not find the signature. ");
+ }
+
+ var builder = new StringBuilder();
+
+ if (response.getSignatureCheckCode() != OK_CODE) {
+ builder.append(format("Signature is not valid; SignatureCheckCode was %d. ",
+ response.getSignatureCheckCode()));
+ }
+
+ if (response.getCertificateCheckCode() != OK_CODE) {
+ builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ",
+ response.getCertificateCheckCode()));
+ }
+
+ if (response.getSignatureManifestCheckCode() != OK_CODE) {
+ var signatureManifestErrorMsg = format("Signature Manifest is not valid; " +
+ "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode());
+ if (isManifestCheckActive) {
+ builder.append(signatureManifestErrorMsg);
+ } else {
+ log.warn(signatureManifestErrorMsg);
+ }
+ }
+
+ if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) {
+ var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " +
+ "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode());
+ if (isManifestCheckActive) {
+ builder.append(xmlDSIGManifestErrorMsg);
+ } else {
+ log.warn(xmlDSIGManifestErrorMsg);
+ }
+ }
+
+ var msg = builder.toString();
+
+ if(msg.length() > 0) {
+ throw moaZSException(msg);
+ }
+
} catch (MOASigServiceException e) {
- MoaSPSSSignatureVerifier.log.error("Could not verify the XML signature.", e);
- return false;
+ throw moaZSExceptionBuilder("Could not verify the XML signature.")
+ .withCause(e)
+ .build();
+ }
+
+ }
+
+ private void print(IXMLSignatureVerificationResponse response) {
+ log.debug("Response:");
+
+ if (response == null) {
+ log.debug("null");
+ return;
}
+ log.debug(" XmlDsigSubjectName: " + response.getXmlDsigSubjectName());
+ log.debug(" SignatureManifestCheckCode: " + response.getSignatureManifestCheckCode());
+ log.debug(" XmlDSIGManifestCheckCode: " + response.getXmlDSIGManifestCheckCode());
+ log.debug(" CertificateCheckCode: " + response.getCertificateCheckCode());
+ log.debug(" SignatureCheckCode: " + response.getSignatureCheckCode());
+ log.debug(" SigningDateTime: " + response.getSigningDateTime());
+ log.debug(" isXmlDSIGManigest: " + response.isXmlDSIGManigest());
+ log.debug(" isPublicAuthority: " + response.isPublicAuthority());
+ log.debug(" isQualifiedCertificate: " + response.isQualifiedCertificate());
+ log.debug(" getPublicAuthorityCode: " + response.getPublicAuthorityCode());
}
}
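Review bot: verify() accepts any signature whose certificate chains to `trustProfile`; the signer fields (`getXmlDsigSubjectName()`, `isPublicAuthority()`, `isQualifiedCertificate()`) are read only by the debug `print()` and are never compared with an expected value. Whether that is sufficient depends on how narrow the trust profile is, which this diff does not show, so record the assumption where the checks begin, e.g. `// Accepts any signer that chains to trustProfile; signer identity is not checked here.` Separately, the two manifest branches repeat the same append-or-warn logic and could share a private helper, and `if(msg.length() > 0)` reads better as `if (!msg.isEmpty())`.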
diff --git a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
index 01e90c8..a31c4cf 100644
--- a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
@@ -4,10 +4,10 @@ package at.gv.egiz.moazs.verify;
public interface SignatureVerifier {
/**
- * Verifies the signature of a signed XML document.
+ * Verifies the signature of a signed XML document. Throws a at.gv.egiz.moazs.MoaZSException exception
+ * if the validation fails.
* @param signedXMLdocument
- * @return true if the signature is valid; false if there is no signature, if the signature is invalid,
- * or if an exception occured.
+ * @throws at.gv.egiz.moazs.MoaZSException
*/
- boolean verify(byte[] signedXMLdocument);
+ void verify(byte[] signedXMLdocument);
}
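Review bot: The Javadoc leaves `@param signedXMLdocument` and `@throws` without descriptions, and it does not say which checks "validation" covers now that the boolean result is gone. I would write `@param signedXMLdocument bytes of the signed XML document` and `@throws at.gv.egiz.moazs.MoaZSException if no signature is found, a signature, certificate or manifest check fails, or the verification service reports an error`, and fix "Throws a ... exception" to "Throws a {@link at.gv.egiz.moazs.MoaZSException}". Implementations that perform no verification at all, such as the no-op lambda in MoaSigConfig, deserve a mention in the contract so callers do not read a normal return as proof of a valid signature.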
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 961f437..9ce1158 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -80,6 +80,8 @@ javax.net.ssl:
### moa spss config
moa.spss:
is-active: true
+ # if active, moa spss will validate manifests in xml signatures
+ is-manifest-check-active: false
server:
# path that points to MoaSPSSConfiguration file; can be:
# - absolute path (unix: starts with /), or
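Review bot: Shipping `is-manifest-check-active: false` makes the lenient behaviour the default: per MoaSPSSSignatureVerifier in this commit, a non-zero SignatureManifestCheckCode or XmlDSIGManifestCheckCode is then only logged as a warning and the message is accepted. Data referenced through a manifest would in that case presumably not be integrity-checked in effect, so consider `is-manifest-check-active: true` as the shipped value and treat `false` as a documented opt-out. The comment also overstates the switch, since the check codes are evaluated either way; `# if true, a failed manifest check rejects the message; if false, it is only logged as a warning` would describe it more closely.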
diff --git a/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der b/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der
new file mode 100644
index 0000000..558ce15
--- /dev/null
+++ b/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der
Binary files differ
diff --git a/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der b/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der
deleted file mode 100644
index 3e136d4..0000000
--- a/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der
+++ /dev/null
Binary files differ
diff --git a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der
new file mode 100644
index 0000000..558ce15
--- /dev/null
+++ b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der
Binary files differ
diff --git a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der
deleted file mode 100644
index 3e136d4..0000000
--- a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der
+++ /dev/null
Binary files differ