feat: refactor with new certificate (#12)

* feat: refactor with new certificate

Signed-off-by: Christoffer Killander <extern.christoffer.killander@digg.se>

* feat: add x509 to response header

Signed-off-by: Christoffer Killander <extern.christoffer.killander@digg.se>

Author: ChristofferKillander

src/main/java/se/digg/wallet/provider/application/config/WuaKeystoreProperties.java

@@ -7,8 +7,12 @@
 import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.core.io.Resource;
 
@@ -45,4 +49,16 @@ public ECPublicKey getPublicKey() {
       throw new RuntimeException("Failed to load public key from filesystem", e);
     }
   }
+
+  public List<X509Certificate> getCertificateChain() {
+    try {
+      KeyStore keyStore = KeyStore.getInstance(type());
+      keyStore.load(location().getInputStream(), password().toCharArray());
+      return Arrays.stream(keyStore.getCertificateChain(alias()))
+          .map(c -> (X509Certificate) c)
+          .collect(Collectors.toList());
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to load certificate chain from filesystem", e);
+    }
+  }
 }

src/main/java/se/digg/wallet/provider/application/service/WalletUnitAttestationService.java

@@ -7,15 +7,17 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JOSEObjectType;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.JWSSigner;
 import com.nimbusds.jose.crypto.ECDSASigner;
 import com.nimbusds.jose.jwk.ECKey;
+import com.nimbusds.jose.util.Base64;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
 import java.security.interfaces.ECPrivateKey;
 import java.time.Duration;
 import java.time.Instant;
@@ -33,8 +35,7 @@ public class WalletUnitAttestationService {
   private final ObjectMapper objectMapper;
 
   public WalletUnitAttestationService(
-      WuaKeystoreProperties keystoreProperties,
-      ObjectMapper objectMapper) {
+      WuaKeystoreProperties keystoreProperties, ObjectMapper objectMapper) {
     this.keystoreProperties = keystoreProperties;
     this.objectMapper = objectMapper;
   }
@@ -48,30 +49,12 @@ public SignedJWT createWalletUnitAttestation(String walletPublicKeyJwk) throws E
     claims.put("status", getStatus());
     claims.put("attested_keys", attestedKeys);
 
-    return createSignedJwt(
-        keystoreProperties.getSigningKey(),
-        keystoreProperties.alias(),
-        keystoreProperties.issuer(),
-        Duration.ofHours(keystoreProperties.validityHours()),
-        claims);
-  }
-
-  private Map<String, Object> getStatus() throws JsonProcessingException {
-    return objectMapper.readValue(keystoreProperties.status(), new TypeReference<>() {});
-  }
-
-  private Map<String, Object> getEudiWalletInfo() throws JsonProcessingException {
-    return objectMapper.readValue(
-        keystoreProperties.eudiWalletInfo(), new TypeReference<>() {});
-  }
+    ECPrivateKey signingKey = keystoreProperties.getSigningKey();
+    String keyId = keystoreProperties.alias();
+    List<X509Certificate> certificateChain = keystoreProperties.getCertificateChain();
+    String issuer = keystoreProperties.issuer();
+    Duration validity = Duration.ofHours(keystoreProperties.validityHours());
 
-  private SignedJWT createSignedJwt(
-      ECPrivateKey signingKey,
-      String keyId,
-      String issuer,
-      Duration validity,
-      Map<String, Object> claims)
-      throws JOSEException {
     Instant now = Instant.now();
 
     JWTClaimsSet.Builder claimsBuilder =
@@ -86,10 +69,23 @@ private SignedJWT createSignedJwt(
 
     JWTClaimsSet claimsSet = claimsBuilder.build();
 
+    List<Base64> x5c =
+        certificateChain.stream()
+            .map(
+                c -> {
+                  try {
+                    return Base64.encode(c.getEncoded());
+                  } catch (CertificateEncodingException e) {
+                    throw new RuntimeException(e);
+                  }
+                })
+            .toList();
+
     JWSHeader header =
         new JWSHeader.Builder(JWSAlgorithm.ES256)
             .keyID(keyId)
             .type(new JOSEObjectType("keyattestation+jwt"))
+            .x509CertChain(x5c)
             .build();
 
     SignedJWT signedJwt = new SignedJWT(header, claimsSet);
@@ -99,4 +95,12 @@ private SignedJWT createSignedJwt(
 
     return signedJwt;
   }
+
+  private Map<String, Object> getStatus() throws JsonProcessingException {
+    return objectMapper.readValue(keystoreProperties.status(), new TypeReference<>() {});
+  }
+
+  private Map<String, Object> getEudiWalletInfo() throws JsonProcessingException {
+    return objectMapper.readValue(keystoreProperties.eudiWalletInfo(), new TypeReference<>() {});
+  }
 }

src/main/resources/application-dev.yml

@@ -3,7 +3,7 @@
 
 wua:
   keystore:
-    location: file:src/test/resources/dev/wua-signing.p12
-    password: Test1234
-    alias: wua-signing
+    location: file:src/test/resources/certificates/wallet-provider.p12
+    password: secret
+    alias: wallet-provider
     type: PKCS12

src/test/java/se/digg/wallet/provider/application/service/WalletUnitAttestationServiceTest.java

@@ -5,6 +5,7 @@
 package se.digg.wallet.provider.application.service;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -85,6 +86,19 @@ void assertThatCreateWalletUnitAttestation_givenValidJwk_shouldSucceed() throws
     verifyJwtSignature(jwt, keystoreProperties.getPublicKey());
   }
 
+  @Test
+  void assertThatCreateWalletUnitAttestation_hasX5cHeader() throws Exception {
+    KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
+    gen.initialize(Curve.P_256.toECParameterSpec());
+    KeyPair keyPair = gen.generateKeyPair();
+    ECKey jwk = new ECKey.Builder(Curve.P_256, (ECPublicKey) keyPair.getPublic()).build();
+
+    SignedJWT jwt = service.createWalletUnitAttestation(jwk.toString());
+
+    assertNotNull(jwt.getHeader().getX509CertChain());
+    assertFalse(jwt.getHeader().getX509CertChain().isEmpty());
+  }
+
   private void verifyJwtSignature(SignedJWT jwt, ECPublicKey publicKey) throws JOSEException {
     assertTrue(jwt.verify(new ECDSAVerifier(publicKey)));
   }

src/test/resources/application.yml

@@ -8,9 +8,9 @@ spring:
 
 wua:
   keystore:
-    location: classpath:dev/wua-signing.p12
-    password: Test1234
-    alias: wua-signing
+    location: classpath:certificates/wallet-provider.p12
+    password: secret
+    alias: wallet-provider
     type: PKCS12
     issuer: "Digg"
     validity-hours: 24