From 5d183fd9535d80e5066647e0501da881bcac4d58 Mon Sep 17 00:00:00 2001 From: Christof Rabensteiner Date: Wed, 19 Jun 2019 10:46:15 +0200 Subject: Finalize moa-sig-lib's Integration and Add Testcase - Interpret `ISignatureVerificationService` response properly (by following security layer spec [1] and moaspss handbook [2]). - Add config flag `moa.spss.is-manifest-check-active` - Change SignatureVerifier Interface: Remove @return boolean, just throw an exception when a validation error occurs. Reason: In case the signature cannot be validated, the application always needs the reason for the validation error, which requires the verifier to throw an exception. In turn, the only valid return value for `verify()` becomes `true`, which can be omitted at that point. - Add testcase for verifying a valid enveloped xml signature - Remove Certificates that are not needed. [1] https://www.buergerkarte.at/konzept/securitylayer/spezifikation/20140114/core/core.html [2] https://apps.egiz.gv.at/handbooks/moa-spss/handbook/handbook/usage/usage.html --- .../moazs/verify/MoaSPSSSignatureVerifier.java | 87 ++++++++++++++++++++-- 1 file changed, 82 insertions(+), 5 deletions(-) (limited to 'src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java') diff --git a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java index 518cdb3..0757c5d 100644 --- a/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java +++ b/src/main/java/at/gv/egiz/moazs/verify/MoaSPSSSignatureVerifier.java @@ -1,10 +1,15 @@ package at.gv.egiz.moazs.verify; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService; +import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse; import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import static at.gv.egiz.moazs.MoaZSException.moaZSException; +import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder; +import static java.lang.String.*; + public class MoaSPSSSignatureVerifier implements SignatureVerifier { private static final Logger log = LoggerFactory.getLogger(MoaSPSSSignatureVerifier.class); @@ -13,22 +18,94 @@ public class MoaSPSSSignatureVerifier implements SignatureVerifier { private final String trustProfile; + private final boolean isManifestCheckActive; + + private static final int OK_CODE = 0; + public MoaSPSSSignatureVerifier(ISignatureVerificationService service, - String trustProfile) { + String trustProfile, boolean isManifestCheckActive) { this.service = service; this.trustProfile = trustProfile; + this.isManifestCheckActive = isManifestCheckActive; } @Override - public boolean verify(byte[] signedXMLdocument) { + public void verify(byte[] signedXMLdocument) { try { var response = service.verifyXMLSignature(signedXMLdocument, trustProfile); - return response != null; + + if (log.isDebugEnabled()) { + print(response); + } + + if (response == null) { + throw moaZSException("MOA SPSS could not find the signature. "); + } + + var builder = new StringBuilder(); + + if (response.getSignatureCheckCode() != OK_CODE) { + builder.append(format("Signature is not valid; SignatureCheckCode was %d. ", + response.getSignatureCheckCode())); + } + + if (response.getCertificateCheckCode() != OK_CODE) { + builder.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ", + response.getCertificateCheckCode())); + } + + if (response.getSignatureManifestCheckCode() != OK_CODE) { + var signatureManifestErrorMsg = format("Signature Manifest is not valid; " + + "SignatureManifestCheckCode was %d. ", response.getSignatureManifestCheckCode()); + if (isManifestCheckActive) { + builder.append(signatureManifestErrorMsg); + } else { + log.warn(signatureManifestErrorMsg); + } + } + + if (response.isXmlDSIGManigest() && response.getXmlDSIGManifestCheckCode() != OK_CODE) { + var xmlDSIGManifestErrorMsg = format("XmlDSIGManifest Manifest is not valid; " + + "XmlDSIGManifest was %d. ", response.getXmlDSIGManifestCheckCode()); + if (isManifestCheckActive) { + builder.append(xmlDSIGManifestErrorMsg); + } else { + log.warn(xmlDSIGManifestErrorMsg); + } + } + + var msg = builder.toString(); + + if(msg.length() > 0) { + throw moaZSException(msg); + } + } catch (MOASigServiceException e) { - MoaSPSSSignatureVerifier.log.error("Could not verify the XML signature.", e); - return false; + throw moaZSExceptionBuilder("Could not verify the XML signature.") + .withCause(e) + .build(); + } + + } + + private void print(IXMLSignatureVerificationResponse response) { + log.debug("Response:"); + + if (response == null) { + log.debug("null"); + return; } + log.debug(" XmlDsigSubjectName: " + response.getXmlDsigSubjectName()); + log.debug(" SignatureManifestCheckCode: " + response.getSignatureManifestCheckCode()); + log.debug(" XmlDSIGManifestCheckCode: " + response.getXmlDSIGManifestCheckCode()); + log.debug(" CertificateCheckCode: " + response.getCertificateCheckCode()); + log.debug(" SignatureCheckCode: " + response.getSignatureCheckCode()); + log.debug(" SigningDateTime: " + response.getSigningDateTime()); + log.debug(" isXmlDSIGManigest: " + response.isXmlDSIGManigest()); + log.debug(" isPublicAuthority: " + response.isPublicAuthority()); + log.debug(" isQualifiedCertificate: " + response.isQualifiedCertificate()); + log.debug(" getPublicAuthorityCode: " + response.getPublicAuthorityCode()); } } -- cgit v1.2.3