From 5d183fd9535d80e5066647e0501da881bcac4d58 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>
Date: Wed, 19 Jun 2019 10:46:15 +0200
Subject: Finalize moa-sig-lib's Integration and Add Testcase

- Interpret `ISignatureVerificationService` response properly (by
  following security layer spec [1] and moaspss handbook [2]).
- Add config flag `moa.spss.is-manifest-check-active`
- Change SignatureVerifier Interface: Remove @return boolean, just
  throw an exception when a validation error occurs. Reason: In case
  the signature cannot be validated, the application always needs the
  reason for the validation error, which requires the verifier to
  throw an exception. In turn, the only valid return value for
  `verify()` becomes `true`, which can be omitted at that point.
- Add testcase for verifying a valid enveloped xml signature
- Remove Certificates that are not needed.

[1] https://www.buergerkarte.at/konzept/securitylayer/spezifikation/20140114/core/core.html
[2] https://apps.egiz.gv.at/handbooks/moa-spss/handbook/handbook/usage/usage.html
---
 .../egiz/moazs/MoaSPSSSignatureVerifierTest.java   | 49 ++++++++++++++++++++++
 .../egiz/moazs/SameThreadDeliveryPipelineTest.java | 11 ++---
 .../valid-signed-delivery-response.xml             | 30 +++++++++++++
 3 files changed, 83 insertions(+), 7 deletions(-)
 create mode 100644 src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java
 create mode 100644 src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml

(limited to 'src/test')

diff --git a/src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java b/src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java
new file mode 100644
index 0000000..afa817f
--- /dev/null
+++ b/src/test/java/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest.java
@@ -0,0 +1,49 @@
+package at.gv.egiz.moazs;
+
+import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
+import at.gv.egiz.moazs.verify.MoaSPSSSignatureVerifier;
+import at.gv.egiz.moazs.verify.SignatureVerifier;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+    public class MoaSPSSSignatureVerifierTest {
+
+    private final String resourcesPath = "src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/";
+
+    @TestConfiguration
+    public class Config{
+
+        @Bean
+        public SignatureVerifier verifier(@Autowired ISignatureVerificationService service){
+            return new MoaSPSSSignatureVerifier(service, "test-trust-profile", true);
+        }
+
+    }
+
+    @Autowired
+    private SignatureVerifier verifier;
+
+    //TODO make sure that testcase does not depend on runtime because it's certificate expires in 2023-09-27.
+    @Test
+    public void acceptValidSignedDeliveryResponse() throws IOException {
+
+        var path = resourcesPath + "valid-signed-delivery-response.xml";
+        var signature = Files.readAllBytes(new File(path).toPath());
+
+        verifier.verify(signature);
+    }
+
+}
diff --git a/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java b/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java
index 768f376..cd454f2 100644
--- a/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java
+++ b/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java
@@ -20,10 +20,12 @@ import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
+import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import java.util.List;
 
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
 import static at.gv.zustellung.app2mzs.xsd.ConfigType.configTypeBuilder;
 import static at.gv.zustellung.app2mzs.xsd.DeliveryRequestType.Payload;
 import static at.gv.zustellung.app2mzs.xsd.DeliveryRequestType.Payload.payloadBuilder;
@@ -148,7 +150,8 @@ public class SameThreadDeliveryPipelineTest {
     @Test
     public void rejectInvalidSignature() {
         var appDeliveryId = "invalid-signature";
-        setupMocks(appDeliveryId, true, List.of(), List.of("*/*"), false);
+        setupMocks(appDeliveryId, true, List.of(), List.of("*/*"));
+        doThrow(moaZSException("Signature Invalid!")).when(verifier).verify(any());
 
         pipeline.processRequest(appDeliveryId);
         var actualCode = repository.getDeliveryRequestStatus(appDeliveryId).get()
@@ -160,11 +163,6 @@ public class SameThreadDeliveryPipelineTest {
 
     private DeliveryRequestStatusType setupMocks(String appDeliveryId, boolean tnvzRequest,
                                                  List<String> attachedTypes, List<String> acceptedTypes) {
-        return setupMocks(appDeliveryId, tnvzRequest, attachedTypes, acceptedTypes, true);
-    }
-
-    private DeliveryRequestStatusType setupMocks(String appDeliveryId, boolean tnvzRequest,
-                                                 List<String> attachedTypes, List<String> acceptedTypes, boolean isSignedStatusValid) {
 
         var mzsRequest = setupMzsRequest(appDeliveryId, tnvzRequest, attachedTypes);
         var msgRequest = setupMsgRequest(appDeliveryId);
@@ -178,7 +176,6 @@ public class SameThreadDeliveryPipelineTest {
         when(converter.convert(eq(mzsRequest), any())).thenReturn(msgRequest);
         when(msgClientFactory.create(msgRequest, mzsRequest.getConfig(), interceptor)).thenReturn(msgClient);
         when(msgClient.send()).thenReturn(status);
-        when(verifier.verify(signedStatus)).thenReturn(isSignedStatusValid);
 
         return status;
 
diff --git a/src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml b/src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml
new file mode 100644
index 0000000..59a90cf
--- /dev/null
+++ b/src/test/resources/at/gv/egiz/moazs/MoaSPSSSignatureVerifierTest/valid-signed-delivery-response.xml
@@ -0,0 +1,30 @@
+<DeliveryResponse xmlns="http://reference.e-government.gv.at/namespace/zustellung/msg/phase2/20181206#" xmlns:ns2="http://reference.e-government.gv.at/namespace/persondata/phase2/20181206#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"><PartialSuccess><DeliverySystem>https://testzustellsystem.egiz.gv.at</DeliverySystem><ZSDeliveryID>zs-valid-delivery-request-id</ZSDeliveryID><AppDeliveryID>valid-delivery-request-id</AppDeliveryID><GZ>12345</GZ></PartialSuccess><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="signature-1-1"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference Id="reference-1-1" URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>ejvUI0yh/IIyauFe8x5ZonD/i5oznl8vFyS3oLNivzA=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hmVZrLkMDbXaRLYQKOaV3OtK13TQgMu3csKyw9M4zWqNyva1yxnYkzoX3dKDOdc9
+O56yQJsjoA3Cuw7pXlGO7jSfVM77dTXbWSDaF95O9Vdsrmr7R6Uki0jA9SmgQLXg
+hZAUG8JpsHcBn8M0L2BXADKjSn0LuMDL2L7dmU3EM7eRy+OvFwDrXDw1fhjQO6L2
+KoflAWLgUerDhJSpzr0+YfmkrjzitLUA7oIg8ieOnfGyql31ECmDJEqgnL78hyPZ
+KaNZImDf3EWFs8je6mt+os1TwsyXYwz+GGbjoDR8lGTS9xVqnXdrgP8Jyv6p9FEu
+0IYgSY2FlbI3skPZC8ZVXg==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIEqzCCBBSgAwIBAgIHANux81oNezANBgkqhkiG9w0BAQUFADBAMSIwIAYDVQQD
+ExlJQUlLIFRlc3QgSW50ZXJtZWRpYXRlIENBMQ0wCwYDVQQKEwRJQUlLMQswCQYD
+VQQGEwJBVDAeFw0xMzA5MjcwNTMzMzdaFw0yMzA5MjcwNTMzMzdaMIHkMQswCQYD
+VQQGEwJBVDENMAsGA1UEBxMER3JhejEmMCQGA1UEChMdR3JheiBVbml2ZXJzaXR5
+IG9mIFRlY2hub2xvZ3kxSDBGBgNVBAsTP0luc3RpdHV0ZSBmb3IgQXBwbGllZCBJ
+bmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
+BBMLTU9BLVNTIFRlc3QxGDAWBgNVBCoTD0VHSVogVGVzdHBvcnRhbDEkMCIGA1UE
+AxMbRUdJWiBUZXN0cG9ydGFsIE1PQS1TUyBUZXN0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuDjOyf+mY+oQL2FQzzuaiC8C23vVKbq/n2Zi7BqSibZH
+mtqMJfmj4pT+hWSNHvVvWsaxFcx4KeNqdCMzwnw1r4P3Sf+2o5uFku5KHEMLMokR
+yYQG9VqY/KkB94ye7Pv6zT8gvKqxGFg96UamECep4swPaSZrA8AOER5WAtyGDzKI
+Tz+a5zfFaTXDoba7f98PCWR96yKiFjVOhzp38WVz4VJgz+b8ZSY7Xsv5Kn7DXjOL
+STX4MevFLki3rFPup3+4vGToaMBW3PEj67HXBdqR855Le6+E6rVxORqsXqlVwhsI
+6nuS0CO2LWYmBNR1IB0mXteeYH/HfxvuZc+7yDjdPQIDAQABo4IBhDCCAYAwDgYD
+VR0PAQH/BAQDAgbAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEmcH6VY4BG1EAGB
+TLoNR9vH/g6yMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jYS5pYWlrLnR1Z3Jh
+ei5hdC9jYXBzby9jcmxzL0lBSUtUZXN0X0ludGVybWVkaWF0ZUNBLmNybDCBqgYI
+KwYBBQUHAQEEgZ0wgZowSgYIKwYBBQUHMAGGPmh0dHA6Ly9jYS5pYWlrLnR1Z3Jh
+ei5hdC9jYXBzby9PQ1NQP2NhPUlBSUtUZXN0X0ludGVybWVkaWF0ZUNBMEwGCCsG
+AQUFBzAChkBodHRwOi8vY2EuaWFpay50dWdyYXouYXQvY2Fwc28vY2VydHMvSUFJ
+S1Rlc3RfSW50ZXJtZWRpYXRlQ0EuY2VyMCEGA1UdEQQaMBiBFnRob21hcy5sZW56
+QGVnaXouZ3YuYXQwHwYDVR0jBBgwFoAUaKJeEdreL4BrRES/jfplNoEkp28wDQYJ
+KoZIhvcNAQEFBQADgYEAlFGjUxXLs7SAT8NtXSrv2WrjlklaRnHTFHLQwyVo8JWb
+gvRkHHDUv2o8ofXUY2R2WJ38dxeDoccgbXrJb/Qhi8IY7YhCwv/TuIZDisyAqo8W
+ORKSip/6HWlGCSR/Vgoet1GtCmF0FoUxFUIGSAuQ2yyt4fIzt5GJrU1X5ujjI1w=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature></DeliveryResponse>
-- 
cgit v1.2.3