Merge pull request #9 from jahwag/feat/signed-jwt

Jahziah Wagner · web-flow · commit 34a755389281 · 2025-09-23T10:58:22.000+01:00
feat: response of /wallet-unit-attestion should be a signed jwt
diff --git a/src/main/java/se/digg/wallet/provider/Application.java b/src/main/java/se/digg/wallet/provider/Application.java
@@ -6,8 +6,10 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 
 @SpringBootApplication
+@ConfigurationPropertiesScan
 public class Application {
   public static void main(String[] args) {
     SpringApplication.run(Application.class, args);
diff --git a/src/main/java/se/digg/wallet/provider/application/config/WuaKeystoreProperties.java b/src/main/java/se/digg/wallet/provider/application/config/WuaKeystoreProperties.java
@@ -0,0 +1,40 @@
+// SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+//
+// SPDX-License-Identifier: EUPL-1.2
+
+package se.digg.wallet.provider.application.config;
+
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.core.io.Resource;
+
+@ConfigurationProperties(prefix = "wua.keystore")
+public record WuaKeystoreProperties(Resource location, String password, String alias, String type) {
+
+  public ECPrivateKey getSigningKey() {
+    try {
+      KeyStore keyStore = KeyStore.getInstance(type());
+      keyStore.load(location().getInputStream(), password().toCharArray());
+      PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias(), password().toCharArray());
+
+      return (ECPrivateKey) privateKey;
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to load signing key from filesystem", e);
+    }
+  }
+
+  public ECPublicKey getPublicKey() {
+    try {
+      KeyStore keyStore = KeyStore.getInstance(type());
+      keyStore.load(location().getInputStream(), password().toCharArray());
+      Certificate cert = keyStore.getCertificate(alias());
+      return (ECPublicKey) cert.getPublicKey();
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to load public key from filesystem", e);
+    }
+  }
+}
diff --git a/src/main/java/se/digg/wallet/provider/application/controller/WalletUnitAttestationController.java b/src/main/java/se/digg/wallet/provider/application/controller/WalletUnitAttestationController.java
@@ -4,55 +4,30 @@
 
 package se.digg.wallet.provider.application.controller;
 
-import com.nimbusds.jose.jwk.ECKey;
+import com.nimbusds.jwt.SignedJWT;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import se.digg.wallet.provider.application.model.WalletUnitAttestationDto;
+import se.digg.wallet.provider.application.service.WalletUnitAttestationService;
 
 @RequestMapping("/wallet-unit-attestation")
 @RestController
 public class WalletUnitAttestationController {
 
-  private final String createWuaResponse =
-      """
-          {
-            "iss": "Digg",
-            "iat": 1516247022,
-            "exp": 1541493724,
-            "eudi_wallet_info": {
-              "general_info": {
-                "wallet_provider_name": "Digg",
-                "wallet_solution_id": "Diggidigg-id",
-                "wallet_solution_version": "0.0.1",
-                "wallet_solution_certification_information": "UNCERTIFIED"
-              },
-              "wscd_info": {
-                "wscd_type": "REMOTE",
-                "wscd_certification_information": "UNCERTIFIED",
-                "wscd_attack_resistance": 2
-              }
-            },
-            "status": {
-              "status_list": {
-                "idx": 412,
-                "uri": "https://revocation_url/statuslists/1"
-              }
-            },
-            "attested_keys": [
-              %s
-            ]
-          }
-          """;
+  private final WalletUnitAttestationService attestationService;
+
+  public WalletUnitAttestationController(WalletUnitAttestationService attestationService) {
+    this.attestationService = attestationService;
+  }
 
   @PostMapping
   public ResponseEntity<String> postWalletUnitAttestation(
       @RequestBody WalletUnitAttestationDto walletUnitAttestationDto) throws Exception {
-
-    ECKey key = ECKey.parse(walletUnitAttestationDto.jwk());
-
-    return ResponseEntity.ok(String.format(createWuaResponse, key.toString()));
+    SignedJWT signedJwt =
+        attestationService.createWalletUnitAttestation(walletUnitAttestationDto.jwk());
+    return ResponseEntity.ok(signedJwt.serialize());
   }
 }
diff --git a/src/main/java/se/digg/wallet/provider/application/service/WalletUnitAttestationService.java b/src/main/java/se/digg/wallet/provider/application/service/WalletUnitAttestationService.java
@@ -0,0 +1,99 @@
+// SPDX-FileCopyrightText: 2025 diggsweden/wallet-backend-reference
+//
+// SPDX-License-Identifier: EUPL-1.2
+
+package se.digg.wallet.provider.application.service;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.ECDSASigner;
+import com.nimbusds.jose.jwk.ECKey;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import java.security.interfaces.ECPrivateKey;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.springframework.stereotype.Service;
+import se.digg.wallet.provider.application.config.WuaKeystoreProperties;
+
+@Service
+public class WalletUnitAttestationService {
+
+  private final WuaKeystoreProperties keystoreProperties;
+
+  public WalletUnitAttestationService(WuaKeystoreProperties keystoreProperties) {
+    this.keystoreProperties = keystoreProperties;
+  }
+
+  public SignedJWT createWalletUnitAttestation(String walletPublicKeyJwk) throws Exception {
+    ECKey attestedKey = ECKey.parse(walletPublicKeyJwk);
+
+    Map<String, Object> eudiWalletInfo =
+        Map.of(
+            "general_info",
+            Map.of(
+                "wallet_provider_name", "Digg",
+                "wallet_solution_id", "Diggidigg-id",
+                "wallet_solution_version", "0.0.1",
+                "wallet_solution_certification_information", "UNCERTIFIED"),
+            "wscd_info", Map.of("wscd_certification_information", "UNCERTIFIED"));
+
+    Map<String, Object> status =
+        Map.of("status_list", Map.of("idx", 412, "uri", "https://revocation_url/statuslists/1"));
+
+    List<Map<String, Object>> attestedKeys = List.of(attestedKey.toJSONObject());
+
+    Map<String, Object> claims = new HashMap<>();
+    claims.put("eudi_wallet_info", eudiWalletInfo);
+    claims.put("status", status);
+    claims.put("attested_keys", attestedKeys);
+
+    return createSignedJwt(
+        keystoreProperties.getSigningKey(),
+        keystoreProperties.alias(),
+        "Digg",
+        Duration.ofHours(24),
+        claims);
+  }
+
+  private SignedJWT createSignedJwt(
+      ECPrivateKey signingKey,
+      String keyId,
+      String issuer,
+      Duration validity,
+      Map<String, Object> claims)
+      throws JOSEException {
+    Instant now = Instant.now();
+
+    JWTClaimsSet.Builder claimsBuilder =
+        new JWTClaimsSet.Builder()
+            .issuer(issuer)
+            .issueTime(Date.from(now))
+            .expirationTime(Date.from(now.plus(validity)));
+
+    if (claims != null) {
+      claims.forEach(claimsBuilder::claim);
+    }
+
+    JWTClaimsSet claimsSet = claimsBuilder.build();
+
+    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.ES256)
+        .keyID(keyId)
+        .type(new JOSEObjectType("keyattestation+jwt"))
+        .build();
+
+    SignedJWT signedJwt = new SignedJWT(header, claimsSet);
+
+    JWSSigner signer = new ECDSASigner(signingKey);
+    signedJwt.sign(signer);
+
+    return signedJwt;
+  }
+}
diff --git a/src/main/resources/application-dev.yml b/src/main/resources/application-dev.yml
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+# SPDX-License-Identifier: EUPL-1.2
+
+wua:
+  keystore:
+    location: file:src/test/resources/dev/wua-signing.p12
+    password: Test1234
+    alias: wua-signing
+    type: PKCS12
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -34,3 +34,10 @@ management:
       enabled: true
     diskspace:
       enabled: true
+
+wua:
+  keystore:
+    location: ${WUA_KEYSTORE_PATH}
+    password: ${WUA_KEYSTORE_PASSWORD}
+    alias: ${WUA_KEYSTORE_ALIAS}
+    type: PKCS12
diff --git a/src/test/java/se/digg/wallet/provider/application/config/WuaKeystorePropertiesTest.java b/src/test/java/se/digg/wallet/provider/application/config/WuaKeystorePropertiesTest.java
@@ -0,0 +1,37 @@
+// SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+//
+// SPDX-License-Identifier: EUPL-1.2
+
+package se.digg.wallet.provider.application.config;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class WuaKeystorePropertiesTest {
+
+  @Autowired
+  private WuaKeystoreProperties properties;
+
+  @Test
+  void assertThatGetSigningKey_givenValidKeyStore_shouldReturnSigningKey() {
+    ECPrivateKey key = properties.getSigningKey();
+
+    assertNotNull(key);
+    assertEquals("EC", key.getAlgorithm());
+  }
+
+  @Test
+  void assertThatGetSigningKey_givenValidKeyStore_shouldReturnPublicKey() {
+    ECPublicKey key = properties.getPublicKey();
+
+    assertNotNull(key);
+    assertEquals("EC", key.getAlgorithm());
+  }
+}
diff --git a/src/test/java/se/digg/wallet/provider/application/controller/WalletUnitAttestationControllerTest.java b/src/test/java/se/digg/wallet/provider/application/controller/WalletUnitAttestationControllerTest.java
@@ -4,58 +4,54 @@
 
 package se.digg.wallet.provider.application.controller;
 
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.log;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.ECKey;
-import com.nimbusds.jose.jwk.JWK;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
+import com.nimbusds.jwt.SignedJWT;
 import java.util.UUID;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.http.MediaType;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import se.digg.wallet.provider.application.model.WalletUnitAttestationDto;
+import se.digg.wallet.provider.application.service.WalletUnitAttestationService;
 
 @WebMvcTest(WalletUnitAttestationController.class)
 class WalletUnitAttestationControllerTest {
-  @Autowired
-  MockMvc mockMvc;
 
-  ObjectMapper mapper = new ObjectMapper();
+  private final ObjectMapper mapper = new ObjectMapper();
+  @Autowired
+  private MockMvc mockMvc;
+  @MockitoBean
+  private WalletUnitAttestationService service;
 
   @Test
-  void assertThatPostWalletUnitAttestation_givenValidPublicKey_shouldReturnOk() throws Exception {
-
-    KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
-    gen.initialize(Curve.P_256.toECParameterSpec());
-    KeyPair keyPair = gen.generateKeyPair();
-
-    // Convert to JWK format
-    JWK jwk =
-        new ECKey.Builder(Curve.P_256, (ECPublicKey) keyPair.getPublic())
-            .privateKey((ECPrivateKey) keyPair.getPrivate())
-            .build();
+  void assertThatPostWalletUnitAttestation_givenWalletIdAndValidPublicKey_shouldReturnOk()
+      throws Exception {
+    String expectedJwt = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJEaWdnIn0.test";
+    when(service.createWalletUnitAttestation(anyString())).thenReturn(SignedJWT.parse(expectedJwt));
 
-    WalletUnitAttestationDto input =
-        new WalletUnitAttestationDto(UUID.randomUUID(), jwk.toString());
+    String jwk =
+        "{\"kty\":\"EC\",\"use\":\"sig\",\"crv\":\"P-256\","
+            + "\"x\":\"18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM\","
+            + "\"y\":\"-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA\"}";
+    WalletUnitAttestationDto input = new WalletUnitAttestationDto(UUID.randomUUID(), jwk);
 
-    String path = "/wallet-unit-attestation";
     mockMvc
-        .perform(post(path).contentType(MediaType.APPLICATION_JSON).content(asJson(input)))
-        .andDo(log())
+        .perform(
+            post("/wallet-unit-attestation")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(asJson(input)))
         .andExpect(status().isOk())
-        .andExpect(jsonPath("$.attested_keys[0].x").value(jwk.toECKey().getX().toString()));
+        .andExpect(content().string(expectedJwt));
   }
 
   private String asJson(WalletUnitAttestationDto input) throws JsonProcessingException {
diff --git a/src/test/java/se/digg/wallet/provider/application/service/WalletUnitAttestationServiceTest.java b/src/test/java/se/digg/wallet/provider/application/service/WalletUnitAttestationServiceTest.java
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
diff --git a/src/test/resources/dev/wua-signing.p12 b/src/test/resources/dev/wua-signing.p12
diff --git a/src/test/resources/dev/wua-signing.p12.license b/src/test/resources/dev/wua-signing.p12.license
