From e165ef27812874bee7062a4e7ecc8bec99ced328 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>
Date: Wed, 29 May 2019 09:49:02 +0200
Subject: Integrate MoaSig Verification into SignatureVerifier

- Verify signature via ISignatureVerificationService.
- Override System Property moa.spss.server.configuration via spring's
  environment (Reason: can configure path to moa SPSS config file via
  application.yaml & moa SPSS needs this parameter to find the config
  file)
- Setup test configuration directory for moaspss in
  src/main/resources/moa-spss
- Readme: Explain how to install moaspss' dependencies into local
  repository.
---
 .../java/at/gv/egiz/moazs/config/MoaSigConfig.java | 29 +++++++++
 .../at/gv/egiz/moazs/msg/SignatureVerifier.java    | 31 ++++++++-
 src/main/resources/application.yaml                |  5 ++
 .../resources/moa-spss/MOASPSSConfiguration.xml    | 73 ++++++++++++++++++++++
 .../truststores/test-truststores/MZS_ROOT_CA.pem   | 35 +++++++++++
 5 files changed, 171 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
 create mode 100644 src/main/resources/moa-spss/MOASPSSConfiguration.xml
 create mode 100644 src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem

(limited to 'src/main')

diff --git a/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
new file mode 100644
index 0000000..e96d851
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/config/MoaSigConfig.java
@@ -0,0 +1,29 @@
+package at.gv.egiz.moazs.config;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.impl.SignatureVerificationService;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class MoaSigConfig {
+
+    private final String defaultTrustProfile;
+
+    public MoaSigConfig(@Value("${moa.spss.server.default-trustprofile}") String defaultTrustProfile,
+                        @Value("${moa.spss.server.configuration}") String serverConfigUrl) {
+        this.defaultTrustProfile = defaultTrustProfile;
+        System.getProperties().setProperty("moa.spss.server.configuration", serverConfigUrl);
+    }
+
+    @Bean
+    public String moaSPSSServerDefaultTrustProfile() {
+        return defaultTrustProfile;
+    }
+
+    @Bean
+    public ISignatureVerificationService moaSigVerifyService() {
+        return new SignatureVerificationService();
+    }
+}
diff --git a/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java b/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
index 12b1ccb..d6311c4 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/SignatureVerifier.java
@@ -1,13 +1,40 @@
 package at.gv.egiz.moazs.msg;
 
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 
 @Component
 public class SignatureVerifier {
 
-    public boolean verify(byte[] signedXMLdocument) {
-        return true;
+    private static final Logger log = LoggerFactory.getLogger(SignatureVerifier.class);
+
+    @Autowired
+    @Qualifier("moaSigVerifyService")
+    private final ISignatureVerificationService service;
+
+    @Autowired
+    @Qualifier("moaSPSSServerDefaultTrustProfile")
+    private final String trustProfile;
 
+    public SignatureVerifier(ISignatureVerificationService service,
+                             String trustProfile) {
+        this.service = service;
+        this.trustProfile = trustProfile;
+    }
+
+    public boolean verify(byte[] signedXMLdocument) {
+        try {
+            var response = service.verifyXMLSignature(signedXMLdocument, trustProfile);
+            return response != null;
+        } catch (MOASigServiceException e) {
+            log.error("Could not verify the XML signature.", e);
+            return false;
+        }
     }
 
 }
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 1a432c2..61c7dba 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -70,3 +70,8 @@ logging:
     root: WARN
     org.springframework: WARN
     at.gv.egiz.moazs: INFO
+
+### moa spss config
+moa.spss.server:
+      configuration: file:./moa-spss/MOASPSSConfiguration.xml
+      default-trustprofile: test-trustprofile
diff --git a/src/main/resources/moa-spss/MOASPSSConfiguration.xml b/src/main/resources/moa-spss/MOASPSSConfiguration.xml
new file mode 100644
index 0000000..edaaf8a
--- /dev/null
+++ b/src/main/resources/moa-spss/MOASPSSConfiguration.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--MOA SPSS 1.3 Configuration File created by MOA SPSS Configuration Mapper-->
+<cfg:MOAConfiguration xmlns:cfg="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+<cfg:Common>
+		<cfg:PermitExternalUris>
+			<cfg:BlackListUri>
+				<cfg:IP>192.168</cfg:IP>
+			</cfg:BlackListUri>
+		</cfg:PermitExternalUris>
+	</cfg:Common>
+
+	<cfg:SignatureVerification>
+		<cfg:CertificateValidation>
+			<cfg:PathConstruction>
+				<cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>
+				<cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess>
+				<cfg:CertificateStore>
+					<cfg:DirectoryStore>
+						<cfg:Location>certstore</cfg:Location>
+					</cfg:DirectoryStore>
+				</cfg:CertificateStore>
+			</cfg:PathConstruction>
+			<cfg:PathValidation>
+				<cfg:ChainingMode>
+					<cfg:DefaultMode>pkix</cfg:DefaultMode>
+					<cfg:TrustAnchor>
+						<cfg:Identification>
+							<dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+							<dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+						</cfg:Identification>
+						<cfg:Mode>chaining</cfg:Mode>
+					</cfg:TrustAnchor>
+					<cfg:TrustAnchor>
+             <cfg:Identification>
+               <dsig:X509IssuerName>C=AT,O=Hauptverband österr. Sozialvers.,CN=Root-CA 1</dsig:X509IssuerName>
+               <dsig:X509SerialNumber>376503867878755617282523408360935024869</dsig:X509SerialNumber>
+             </cfg:Identification>
+             <cfg:Mode>chaining</cfg:Mode>
+          </cfg:TrustAnchor>
+				</cfg:ChainingMode>
+
+				<cfg:TrustProfile>
+					<cfg:Id>test-trustprofile</cfg:Id>
+					<cfg:TrustAnchorsLocation>truststores/test-truststore</cfg:TrustAnchorsLocation>
+				</cfg:TrustProfile>
+
+			</cfg:PathValidation>
+			<cfg:RevocationChecking>
+				<cfg:EnableChecking>false</cfg:EnableChecking>
+				<cfg:MaxRevocationAge>0</cfg:MaxRevocationAge>
+				<cfg:ServiceOrder>
+            <cfg:Service>CRL</cfg:Service>
+            <cfg:Service>OCSP</cfg:Service>
+         </cfg:ServiceOrder>
+          <cfg:Archiving>
+					<cfg:EnableArchiving>false</cfg:EnableArchiving>
+					<cfg:ArchiveDuration>365</cfg:ArchiveDuration>
+					<cfg:Archive>
+						<cfg:DatabaseArchive>
+							<cfg:JDBCURL>jdbc:url</cfg:JDBCURL>
+							<cfg:JDBCDriverClassName>fully.qualified.classname</cfg:JDBCDriverClassName>
+						</cfg:DatabaseArchive>
+					</cfg:Archive>
+				</cfg:Archiving>
+			</cfg:RevocationChecking>
+		</cfg:CertificateValidation>
+
+    <cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0.xml</cfg:Location>
+		</cfg:VerifyTransformsInfoProfile>
+	</cfg:SignatureVerification>
+</cfg:MOAConfiguration>
diff --git a/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem b/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem
new file mode 100644
index 0000000..57963bd
--- /dev/null
+++ b/src/main/resources/moa-spss/truststores/test-truststores/MZS_ROOT_CA.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGGTCCBAGgAwIBAgIUEzQUFWuzrC0F4mODQYgPZ/Lhq04wDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMRAwDgYDVQQIDAdBdXN0cmlhMQ0wCwYDVQQKDARJ
+QUlLMQ0wCwYDVQQLDARFR0laMSMwIQYDVQQDDBpFR0laIENSQUJFTlNURUlORVIg
+Uk9PVCBDQTEvMC0GCSqGSIb3DQEJARYgY2hyaXN0b2YucmFiZW5zdGVpbmVyQGVn
+aXouZ3YuYXQwHhcNMTkwNDIzMTQwNTU2WhcNMzkwNDE4MTQwNTU2WjCBkzELMAkG
+A1UEBhMCQVQxEDAOBgNVBAgMB0F1c3RyaWExDTALBgNVBAoMBElBSUsxDTALBgNV
+BAsMBEVHSVoxIzAhBgNVBAMMGkVHSVogQ1JBQkVOU1RFSU5FUiBST09UIENBMS8w
+LQYJKoZIhvcNAQkBFiBjaHJpc3RvZi5yYWJlbnN0ZWluZXJAZWdpei5ndi5hdDCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMclj0pHf7LxLXEvtz+P7mxI
+5U5Lx0xDiEY4XeLn75jis3IQotv3zmUz8Mvv9rkAT7y9JMJyJPBUPo2iWCO/dtm+
+qYlCy4fNPGvGPyjE05TM+JhG8bijpgO2EEZmKv48by+UUzioX8H/to5n8xNzDu8C
+bibBddbGyfQ9E7PkR2VhdW8PkUrqJCxeG/xiwS0h1U2v++4ZKQpS78rj75KNEExx
+t8spzZFyKV3i5mTkW2Exp5OSr07SpadjlRqkYWkdZsAPnaK4L4KQ+rrL9qXb/fzK
+syD2LkAHimV3s19IZjGVbdwCtgacDZlME3zNfGxIC0hAeJsSXJJN2FMO3SrnXv2b
+CDJT3SOCF+PMhmv41PGMswQxnCtPvB9659y/Cr/tHkY5bhQiR4XamZie7IkxpsMa
+WpV4jCY9iz1L8OsM62DVRsztDWw1w1j2dyWyODNbxaI7fEWg9klUW7GgEDYBeJ2h
+9kfgwZXiMZkw/7+0VHU97a7AKmpCXP3kH6n1z3MAgaf+Dd4Gq7RXB+4HEZ31uiNO
+OqrnayFs2td/X7cl/0ioNLnJ/hbaOmHsGDQo5W0WyXg9bVkLtezajVwTCKkRdUnn
+kAXL0y+x/aRc2CycE7tlC0SHtBDTVjdx5CWeulynBMMiMWZwb+HR9id/rnifp3Vk
+/CPA+eyjiVtt8uXXozLFAgMBAAGjYzBhMB0GA1UdDgQWBBSK8/VCjnMFpNKrPSEv
+k+GF/qM5izAfBgNVHSMEGDAWgBSK8/VCjnMFpNKrPSEvk+GF/qM5izAPBgNVHRMB
+Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAp/fR
+A+cZlMw0jtiFRYy7096dadgjefIcQVgZYNTL3zuPrXyRIHMp4dTlNnREkobmzkcy
+jWN/I41hm2SHt86+E1c7n/wd1KE1oefqoRkhQws84718zlLBkL/iMwluzE4ZzqiE
+RPxBFv23QqFLzaZpqan4ic9zlkqW1d8IZ9kt9vctAxUIju4hXqozUfaYIjIThutU
+wkIgN1A6e6qugFYB9jkhijnMw0HJeP19JbBUNGp9bP3GiSEc+S1ydddU2492rDQj
+NQKvUMvGUhoUdxbbcUhxs6i6Gfct5bCXRN+r7d+mpwFrpN9xv0a0a7y5GNZk//2S
+0qsqQwVEHYa0fDxsBFLnM7i2EY6+eo9mMccOgn0Jk8z+IIU3OCHgRs3df8R0zWbd
+2FSeqrHTTtgcnmfEx3TMZnuuLfOCIwczl/4DP6M5Z6xwp/MKXzUWFy5SP1wkLe9i
+KiTaYeYLiVZb4AluW8TdhkBjj87gA1gCqqGIAyQ6+40LGplt7Wt5pY2XGWqQQLcq
+qfutUjWQM+HOQEDsodrPu8DR07Q613XdrfMuJGHXDh7a+6xD0nRhpkR9JacoY1h/
+UTObjMFCIwIZ8bYniFLgmJhKlMiuhgNuGsEoSMsFHVDrCsEXZOKkoL8OmRu/V4zo
+2vewbMLL/jvutkmtS8E+R1lt+J6iEI5EYJHONrw=
+-----END CERTIFICATE-----
-- 
cgit v1.2.3