package at.gv.egiz.moazs.verify;

import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.ISignatureVerificationService;
import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.api.data.IXMLSignatureVerificationResponse;
import at.gv.egiz.eid.authhandler.modules.sigverify.moasig.exceptions.MOASigServiceException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import static at.gv.egiz.moazs.MoaZSException.moaZSException;
import static at.gv.egiz.moazs.MoaZSException.moaZSExceptionBuilder;
import static java.lang.String.*;

/**
 * {@link SignatureVerifier} that delegates XML signature verification to an
 * {@link ISignatureVerificationService} and turns the returned check codes into
 * an accept/reject decision.
 *
 * <p>A document is accepted only when {@link #verify(byte[])} returns normally.
 * Every rejection is reported by throwing the exception built through
 * {@code MoaZSException}.
 *
 * <p>Security-relevant behaviour:
 * <ul>
 *   <li>The signature check code and the certificate check code are always
 *       enforced.</li>
 *   <li>The two manifest check codes are enforced only when
 *       {@code isManifestCheckActive} is {@code true}. When it is {@code false},
 *       a failed manifest check is written to the log at WARN level and the
 *       document is still accepted.</li>
 *   <li>The XMLDSIG manifest code is looked at only when the response reports
 *       that an XMLDSIG manifest is present.</li>
 *   <li>NOTE(review): this class evaluates result codes only. It does not itself
 *       check which part of the document the signature covers, nor who the signer
 *       is; confirm that the service, the trust profile or the caller covers
 *       that.</li>
 * </ul>
 */
public class MoaSPSSSignatureVerifier implements SignatureVerifier {

    private static final Logger log = LoggerFactory.getLogger(MoaSPSSSignatureVerifier.class);

    /** Value of a check code that signals a passed check. */
    private static final int OK_CODE = 0;

    private final ISignatureVerificationService service;
    private final String trustProfile;
    private final boolean isManifestCheckActive;

    /**
     * Creates a verifier bound to one verification service and one trust profile.
     *
     * <p>The arguments are stored as given; none of them is validated here.
     *
     * @param service the service that performs the actual signature verification
     * @param trustProfile identifier handed to the service with every verification call
     * @param isManifestCheckActive {@code true} to reject documents whose manifest checks
     *     fail, {@code false} to only log such failures
     */
    public MoaSPSSSignatureVerifier(ISignatureVerificationService service, String trustProfile,
                                    boolean isManifestCheckActive) {
        this.service = service;
        this.trustProfile = trustProfile;
        this.isManifestCheckActive = isManifestCheckActive;
    }

    /**
     * Verifies the signature of the given XML document against the configured trust profile.
     *
     * <p>All enforced failures are collected first and reported together in a single
     * exception message, so one rejection names every failed check.
     *
     * @param signedXMLdocument the signed XML document as raw bytes
     */
    @Override
    public void verify(byte[] signedXMLdocument) {
        try {
            var result = service.verifyXMLSignature(signedXMLdocument, trustProfile);

            if (log.isDebugEnabled()) {
                print(result);
            }

            // No response at all is treated as a rejection, never as an accept.
            if (result == null) {
                throw moaZSException("MOA SPSS could not find the signature. ");
            }

            var problems = new StringBuilder();

            if (result.getSignatureCheckCode() != OK_CODE) {
                problems.append(format("Signature is not valid; SignatureCheckCode was %d. ",
                        result.getSignatureCheckCode()));
            }

            if (result.getCertificateCheckCode() != OK_CODE) {
                problems.append(format("Certificate chain is not valid; CertificateCheckCode was %d. ",
                        result.getCertificateCheckCode()));
            }

            if (result.getSignatureManifestCheckCode() != OK_CODE) {
                // Unlike the other messages, this one ends with a line break.
                enforceOrWarn(problems, format("Signature Manifest is not valid; "
                        + "SignatureManifestCheckCode was %d. \n",
                        result.getSignatureManifestCheckCode()));
            }

            if (result.isXmlDSIGManigest() && result.getXmlDSIGManifestCheckCode() != OK_CODE) {
                enforceOrWarn(problems, format("XmlDSIGManifest Manifest is not valid; "
                        + "XmlDSIGManifest was %d. ",
                        result.getXmlDSIGManifestCheckCode()));
            }

            if (problems.length() > 0) {
                throw moaZSException(problems.toString());
            }
        } catch (MOASigServiceException e) {
            // A failure of the service itself is a rejection too; the cause is kept.
            throw moaZSExceptionBuilder("Could not verify the XML signature.")
                    .withCause(e)
                    .build();
        }
    }

    /**
     * Handles a failed manifest check according to {@code isManifestCheckActive}: the
     * message either joins the rejection reasons or is only logged at WARN level.
     *
     * @param problems collector of the reasons that will reject the document
     * @param manifestMessage description of the failed manifest check
     */
    private void enforceOrWarn(StringBuilder problems, String manifestMessage) {
        if (!isManifestCheckActive) {
            log.warn(manifestMessage);
            return;
        }
        problems.append(manifestMessage);
    }

    /**
     * Writes the fields of a verification response to the debug log.
     *
     * <p>The output includes the signer's subject name and the signing time, so debug
     * logs of this class contain signer-identifying data.
     *
     * @param response the response to dump; {@code null} is logged as "null"
     */
    private void print(IXMLSignatureVerificationResponse response) {
        log.debug("Response:");

        if (response == null) {
            log.debug("null");
            return;
        }

        log.debug(" XmlDsigSubjectName: {}", response.getXmlDsigSubjectName());
        log.debug(" SignatureManifestCheckCode: {}", response.getSignatureManifestCheckCode());
        log.debug(" XmlDSIGManifestCheckCode: {}", response.getXmlDSIGManifestCheckCode());
        log.debug(" CertificateCheckCode: {}", response.getCertificateCheckCode());
        log.debug(" SignatureCheckCode: {}", response.getSignatureCheckCode());
        log.debug(" SigningDateTime: {}", response.getSigningDateTime());
        log.debug(" isXmlDSIGManigest: {}", response.isXmlDSIGManigest());
        log.debug(" isPublicAuthority: {}", response.isPublicAuthority());
        log.debug(" isQualifiedCertificate: {}", response.isQualifiedCertificate());
        log.debug(" getPublicAuthorityCode: {}", response.getPublicAuthorityCode());
    }
}