9 files changed, 100 insertions, 16 deletions

diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
index 84e5299..05ecac1 100644
--- a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
+++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
@@ -90,13 +90,14 @@ public class MoaSigConfig {
     }
 
     @Bean
-    public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive) {
+    public SignatureVerifier signatureVerifier(@Value("${moa.spss.is-active}") boolean isMoaSPSSActive,
+                                               @Value("${moa.spss.is-manifest-check-active}") boolean isManifestCheckActive) {
         if (isMoaSPSSActive) {
             log.info("Moa SPSS is active. Signatures in SOAP Messages will be verified.");
-            return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile);
+            return new MoaSPSSSignatureVerifier(moaSigVerifyService(), defaultTrustProfile, isManifestCheckActive);
         } else {
             log.warn("Moa SPSS is not active. Signatures in SOAP Messages will not be verified.");
-            return signedXMLdocument -> true;
+            return signedXMLdocument -> {};
         }
     }
 }
diff --git a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
index 9f2b6d4..920e90d 100644
--- a/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
+++ b/src/main/java/at/gv/egiz/moazs/pipeline/SameThreadDeliveryPipeline.java
@@ -75,11 +75,12 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline {
             status = msgClientFactory.create(msgRequest, mzsRequest.getConfig(), interceptor).send();
 
             var signedStatus = repository.getSignedDeliveryRequestStatus(appDeliveryId).get();
-            if (verifier.verify(signedStatus)) {
-                repository.add(status);
-            } else {
+
+            try {
+                verifier.verify(signedStatus);
+            } catch (Exception ex) {
                 throw moaZSExceptionBuilder("Signature of DeliveryRequestStatus with AppDeliveryId={} " +
-                        "is invalid.", appDeliveryId)
+                        " is not valid.", appDeliveryId)
                         .withErrorCode(MoaZSException.ERROR_MOASP_SIGNATURE_INVALID)
                         .withMzsRequest(mzsRequest)
                         .withTnvzResult(tnvzResult)
@@ -87,6 +88,9 @@ public class SameThreadDeliveryPipeline implements DeliveryPipeline {
                         .withMsgResult(status)
                         .build();
             }
+
+            repository.add(status);
+
         } catch (MoaZSException exception) {
             var errorStatus = generateErrorStatus(exception, appDeliveryId);
             repository.add(errorStatus);
diff --git a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
index 518cdb3..0757c5d 100644
--- a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java
@@ -1,10 +1,15 @@
 package at.gv.egiz.moazs.verify;
 
 import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse;
 import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder;
+import static java.lang.String.*;
+
 public class MoaSPSSSignatureVerifier implements SignatureVerifier {
 
     private static final Logger log = LoggerFactory.getLogger(MoaSPSSSignatureVerifier.class);
@@ -13,22 +18,94 @@ public class MoaSPSSSignatureVerifier implements SignatureVerifier {
 
     private final String trustProfile;
 
+    private final boolean isManifestCheckActive;
+
+    private static final int OK_CODE = 0;
+
     public MoaSPSSSignatureVerifier(ISignatureVerificationService service,
-                                    String trustProfile) {
+                                    String trustProfile, boolean isManifestCheckActive) {
         this.service = service;
         this.trustProfile = trustProfile;
+        this.isManifestCheckActive = isManifestCheckActive;
     }
 
     @Override
-    public boolean verify(byte[] signedXMLdocument) {
+    public void verify(byte[] signedXMLdocument) {
 
         try {
             var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
-            return response != null;
+
+            if (log.isDebugEnabled()) {
+                print(response);
+            }
+
+            if (response == null) {
+                throw moaZSException("MOA SPSS could not find the signature. ");
+            }
+
+            var builder = new StringBuilder();
+
+            if (response.getSignatureCheckCode() != OK_CODE) {
+                builder.append(format("Signature is not valid; SignatureCheckCode was %d. ",
+                        response.getSignatureCheckCode()));
+            }
+
+            if (response.getCertificateCheckCode() != OK_CODE) {
+                builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ",
+                        response.getCertificateCheckCode()));
+            }
+
+            if (response.getSignatureManifestCheckCode() != OK_CODE) {
+                var signatureManifestErrorMsg = format("Signature Manifest is not valid; " +
+                        "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode());
+                if (isManifestCheckActive) {
+                    builder.append(signatureManifestErrorMsg);
+                } else {
+                    log.warn(signatureManifestErrorMsg);
+                }
+            }
+
+            if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) {
+                var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " +
+                        "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode());
+                if (isManifestCheckActive) {
+                    builder.append(xmlDSIGManifestErrorMsg);
+                } else {
+                    log.warn(xmlDSIGManifestErrorMsg);
+                }
+            }
+
+            var msg = builder.toString();
+
+            if(msg.length() > 0) {
+                throw moaZSException(msg);
+            }
+
         } catch (MOASigServiceException e) {
-            MoaSPSSSignatureVerifier.log.error("Could not verify the XML signature.", e);
-            return false;
+            throw moaZSExceptionBuilder("Could not verify the XML signature.")
+                    .withCause(e)
+                    .build();
+        }
+
+    }
+
+    private void print(IXMLSignatureVerificationResponse response) {
+        log.debug("Response:");
+
+        if (response == null) {
+            log.debug("null");
+            return;
         }
 
+        log.debug("  XmlDsigSubjectName: " + response.getXmlDsigSubjectName());
+        log.debug("  SignatureManifestCheckCode: " + response.getSignatureManifestCheckCode());
+        log.debug("  XmlDSIGManifestCheckCode: " + response.getXmlDSIGManifestCheckCode());
+        log.debug("  CertificateCheckCode: " + response.getCertificateCheckCode());
+        log.debug("  SignatureCheckCode: " + response.getSignatureCheckCode());
+        log.debug("  SigningDateTime: " + response.getSigningDateTime());
+        log.debug("  isXmlDSIGManigest: " + response.isXmlDSIGManigest());
+        log.debug("  isPublicAuthority: " + response.isPublicAuthority());
+        log.debug("  isQualifiedCertificate: " + response.isQualifiedCertificate());
+        log.debug("  getPublicAuthorityCode: " + response.getPublicAuthorityCode());
     }
 }
diff --git a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
index 01e90c8..a31c4cf 100644
--- a/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/verify/SignatureVerifier.java
@@ -4,10 +4,10 @@ package at.gv.egiz.moazs.verify;
 public interface SignatureVerifier {
 
     /**
-     * Verifies the signature of a signed XML document.
+     * Verifies the signature of a signed XML document. Throws a at.gv.egiz.moazs.MoaZSException exception
+     * if the validation fails.
      * @param signedXMLdocument
-     * @return true if the signature is valid; false if there is no signature, if the signature is invalid,
-     *  or if an exception occured.
+     * @throws at.gv.egiz.moazs.MoaZSException
      */
-    boolean verify(byte[] signedXMLdocument);
+    void verify(byte[] signedXMLdocument);
 }
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 961f437..9ce1158 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -80,6 +80,8 @@ javax.net.ssl:
 ### moa spss config
 moa.spss:
   is-active: true
+  # if active, moa spss will validate manifests in xml signatures
+  is-manifest-check-active: false
   server:
     # path that points to MoaSPSSConfiguration file; can be:
     # - absolute path (unix: starts with /), or
diff --git a/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der b/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der
new file mode 100644
index 0000000..558ce15
--- /dev/null
+++ b/src/main/resources/moa-spss/certstore/toBeAdded/IAIK_test_intermediate_CA.der
diff --git a/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der b/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der
deleted file mode 100644
index 3e136d4..0000000
--- a/src/main/resources/moa-spss/certstore/toBeAdded/msz-test-root-cert.der
+++ /dev/null
diff --git a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der
new file mode 100644
index 0000000..558ce15
--- /dev/null
+++ b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/IAIK_test_intermediate_CA.der
diff --git a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der b/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der
deleted file mode 100644
index 3e136d4..0000000
--- a/src/main/resources/moa-spss/trustProfiles/test-trustprofile/msz-test-root-cert.der
+++ /dev/null