Merge branch 'RM-4086_verification_code' into 'SID'

RM-4086: verification code and interaction parameters

See merge request cdoc2/cdoc2-java-ref-impl!98

Author: jann0k

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocDecryptCmd.java

@@ -56,7 +56,6 @@ private void setKeyServerPropertiesFile(String server) {
         System.setProperty(KEY_CAPSULES_PROPERTIES, keyServerPropertiesFile);
     }
 
-
     @CommandLine.Parameters(description = "one or more files to decrypt", paramLabel = "fileToExtract")
     private String[] filesToExtract = new String[0];
 

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/util/CDocDecryptionHelper.java

@@ -18,6 +18,8 @@
 import ee.cyber.cdoc2.crypto.PemTools;
 import ee.cyber.cdoc2.crypto.Pkcs11Tools;
 import ee.cyber.cdoc2.crypto.AuthenticationIdentifier;
+import ee.cyber.cdoc2.crypto.jwt.InteractionParams;
+import ee.cyber.cdoc2.crypto.jwt.InteractionParamsConfigurable;
 import ee.cyber.cdoc2.crypto.keymaterial.DecryptionKeyMaterial;
 import ee.cyber.cdoc2.crypto.keymaterial.LabeledPassword;
 import ee.cyber.cdoc2.crypto.keymaterial.LabeledSecret;
@@ -110,12 +112,12 @@ public static DecryptionKeyMaterial getDecryptionKeyMaterial(
         }
 
         if (isWithSid && decryptionKm == null) {
-            decryptionKm = getSidDecryptionKeyMaterial(decryptArguments.getSid());
+            decryptionKm = getSidDecryptionKeyMaterial(decryptArguments.getSid(), cdocFile);
         }
 
         if (isWithMid && decryptionKm == null) {
             decryptionKm = getMidDecryptionKeyMaterial(
-                decryptArguments.getMid(), decryptArguments.getMidPhone()
+                decryptArguments.getMid(), decryptArguments.getMidPhone(), cdocFile
             );
         }
 
@@ -127,25 +129,49 @@ public static DecryptionKeyMaterial getDecryptionKeyMaterial(
         return decryptionKm;
     }
 
-    private static DecryptionKeyMaterial getSidDecryptionKeyMaterial(String idCode) {
+    private static DecryptionKeyMaterial getSidDecryptionKeyMaterial(String idCode, File cdocFile) {
         AuthenticationIdentifier authIdentifier = AuthenticationIdentifier.forKeyShares(
             createSemanticsIdentifier(idCode), AuthenticationIdentifier.AuthenticationType.SID
         );
 
-        return DecryptionKeyMaterial.fromAuthMeans(authIdentifier);
+        DecryptionKeyMaterial dkm = DecryptionKeyMaterial.fromAuthMeans(authIdentifier);
+        addInteractionParameters(cdocFile, dkm);
+        return dkm;
+
     }
 
+    /**
+     *
+     * @param idCode estonian national identity code
+     * @param phoneNumber user phone number international format +372...
+     * @param cdocFile cdoc2 file decrypted
+     * @return
+     */
     private static DecryptionKeyMaterial getMidDecryptionKeyMaterial(
         String idCode,
-        String phoneNumber
+        String phoneNumber,
+        File cdocFile
     ) {
 
         AuthenticationIdentifier authIdentifier = AuthenticationIdentifier.forMidDecryption(
             createSemanticsIdentifier(idCode),
             getValidatedPhoneNumber(phoneNumber)
         );
 
-        return DecryptionKeyMaterial.fromAuthMeans(authIdentifier);
+        DecryptionKeyMaterial dkm = DecryptionKeyMaterial.fromAuthMeans(authIdentifier);
+        addInteractionParameters(cdocFile, dkm);
+        return dkm;
+    }
+
+    private static void addInteractionParameters(File cdocFile, DecryptionKeyMaterial dkm) {
+        if (dkm instanceof InteractionParamsConfigurable paramsConfigurable) {
+
+            InteractionParams interactionParams = (cdocFile == null)
+                ? InteractionParams.displayTextAndPin()
+                : InteractionParams.displayTextAndVCCForDocument(cdocFile.toPath().getFileName().toString());
+            interactionParams.addAuthListener(e -> System.out.println("Verification code:" + e.getVerificationCode()));
+            paramsConfigurable.init(interactionParams);
+        }
     }
 
     private static DecryptionKeyMaterial getPasswordDecryptionKeyMaterial(

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/mobileid/MobileIdClient.java

@@ -1,8 +1,11 @@
 package ee.cyber.cdoc2.client.mobileid;
 
+import ee.cyber.cdoc2.crypto.jwt.InteractionParams;
 import ee.sk.mid.MidAuthentication;
 import ee.sk.mid.MidClient;
+import ee.sk.mid.MidDisplayTextFormat;
 import ee.sk.mid.MidHashToSign;
+import ee.sk.mid.MidLanguage;
 import ee.sk.mid.rest.dao.request.MidAuthenticationRequest;
 
 import java.io.IOException;
@@ -12,6 +15,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 
+import jakarta.annotation.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -30,9 +34,11 @@ public class MobileIdClient {
 
     private static final String CERT_NOT_FOUND = "Mobile ID trusted SSL certificates not found";
 
-    private final MobileIdClientWrapper mobileIdClientWrapper;
+    // protected to allow overriding MobileIdClient to allow more control over interaction
+    protected final MobileIdClientWrapper mobileIdClientWrapper;
 
-    private final MobileIdClientConfiguration mobileIdClientConfig;
+    // protected to allow overriding MobileIdClient to allow more control over interaction
+    protected final MobileIdClientConfiguration mobileIdClientConfig;
 
     /**
      * Constructor for Mobile-ID Client
@@ -42,35 +48,94 @@ public MobileIdClient(MobileIdClientConfiguration conf) {
         this.mobileIdClientConfig = conf;
         MidClient midClient = configureMobileIdClient();
         this.mobileIdClientWrapper = new MobileIdClientWrapper(midClient);
+
+    }
+
+    protected MobileIdClient(MobileIdClientConfiguration conf, MobileIdClientWrapper wrapper) {
+        this.mobileIdClientConfig = conf;
+        this.mobileIdClientWrapper = wrapper;
     }
 
     /**
      * Authentication request to Mobile ID client. Returns raw MidAuthentication that contains MidSignature and signing
      * Certificate
      * @param userData user request data
      * @param authenticationHash Base64 encoded hash function output to be signed
+     * @param interactionParams Optional  parameters to drive user interaction and to get verification code.
+     *                          {@code null} when not in use
      * @return MidAuthentication object that contains MidSignature and Certificate
      */
     public MidAuthentication startAuthentication(
         MobileIdUserData userData,
-        MidHashToSign authenticationHash
+        MidHashToSign authenticationHash,
+        @Nullable InteractionParams interactionParams
     ) throws CdocMobileIdClientException {
 
-        // ToDo display verification code and text to the user in RM-4086
-        //String verificationCode = authenticationHash.calculateVerificationCode();
-
         MidAuthenticationRequest request = MidAuthenticationRequest.newBuilder()
             .withPhoneNumber(userData.phoneNumber())
             .withNationalIdentityNumber(userData.identityCode())
             .withHashToSign(authenticationHash)
-            .withLanguage(mobileIdClientConfig.getDisplayTextLanguage())
-            .withDisplayText(mobileIdClientConfig.getDisplayText())
-            .withDisplayTextFormat(mobileIdClientConfig.getDisplayTextFormat())
+            .withLanguage(getLanguage(interactionParams))
+            .withDisplayText(getDisplayText(interactionParams))
+            .withDisplayTextFormat(getEncoding(interactionParams))
             .build();
 
         return mobileIdClientWrapper.authenticate(request, authenticationHash);
     }
 
+    /**
+     * Get MID language from interactionParams if defined, otherwise get default value from configuration
+     */
+    protected MidLanguage getLanguage(@Nullable InteractionParams interactionParams) {
+        MidLanguage lang = mobileIdClientConfig.getDefaultDisplayTextLanguage();
+        if (interactionParams != null) {
+            String iLang = interactionParams.getLanguage();
+            if (iLang != null) {
+                try {
+                    lang = MidLanguage.valueOf(iLang);
+                } catch (IllegalArgumentException e) {
+                    log.warn("Illegal MidLanguage value, using {}", lang, e);
+                }
+            }
+        }
+        return lang;
+    }
+
+    /**
+     * Get MidDisplayTextFormat from interactionParams if defined, otherwise get default value from configuration
+     */
+    protected MidDisplayTextFormat getEncoding(@Nullable InteractionParams interactionParams) {
+        MidDisplayTextFormat enc = mobileIdClientConfig.getDefaultDisplayTextFormat();
+        if (interactionParams != null) {
+            String iEnc = interactionParams.getEncoding();
+            if (iEnc != null) {
+                try {
+                    enc = MidDisplayTextFormat.valueOf(iEnc);
+                } catch (IllegalArgumentException e) {
+                    log.warn("Illegal MidDisplayTextFormat value, using {}", enc, e);
+                }
+            }
+        }
+
+        return enc;
+    }
+
+    /** Get displayText from interactionParams if defined, otherwise get default value from configuration */
+    protected String getDisplayText(@Nullable InteractionParams interactionParams) {
+
+        // Mobile-ID doesn't support interactionType and text length is limited to 100 bytes -
+        // 50 chars for UCS2 and 100 chars for GSM7
+        // https://github.com/SK-EID/MID?tab=readme-ov-file#323-request-parameters
+
+        String textAndPIN = mobileIdClientConfig.getDefaultDisplayText();
+        if (interactionParams != null) {
+                textAndPIN = (getEncoding(interactionParams) == MidDisplayTextFormat.GSM7)
+                    ? interactionParams.getDisplayText(100) // GSM7
+                    : interactionParams.getDisplayText(50); // UCS2
+        }
+        return textAndPIN;
+    }
+
     /**
      * Mobile ID client configuration
      */

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/smartid/SmartIdClient.java

@@ -1,6 +1,7 @@
 package ee.cyber.cdoc2.client.smartid;
 
 import ee.cyber.cdoc2.config.SmartIdClientConfiguration;
+import ee.cyber.cdoc2.crypto.jwt.InteractionParams;
 import ee.sk.smartid.AuthenticationIdentity;
 import ee.sk.smartid.AuthenticationHash;
 import ee.sk.smartid.SmartIdAuthenticationResponse;
@@ -11,13 +12,18 @@
 import ee.sk.smartid.exception.useraction.SessionTimeoutException;
 import ee.sk.smartid.exception.useraction.UserRefusedException;
 import ee.sk.smartid.exception.useraction.UserSelectedWrongVerificationCodeException;
+import ee.sk.smartid.rest.dao.Interaction;
 import ee.sk.smartid.rest.dao.SemanticsIdentifier;
 
+import jakarta.annotation.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import ee.cyber.cdoc2.exceptions.CdocSmartIdClientException;
 
+import java.util.List;
+
+import static ee.cyber.cdoc2.crypto.jwt.InteractionParams.InteractionType.DISPLAY_TEXT_AND_PIN;
 
 /**
  * Client for communicating with the Smart ID client API.
@@ -38,18 +44,22 @@ public SmartIdClient(SmartIdClientConfiguration conf) {
      * @param authenticationHash Base64 encoded hash function output to be signed
      * @param certificationLevel Level of certificate requested, can either be
      *                           {@code QUALIFIED} or {@code ADVANCED}
+     * @param interactionParams Optional  parameters to drive user interaction and to get verification code.
+     *                          {@code null} when not in use
      * @return SmartIdAuthenticationResponse object
      */
     public SmartIdAuthenticationResponse authenticate(
         SemanticsIdentifier semanticsIdentifier,
         AuthenticationHash authenticationHash,
-        String certificationLevel
+        String certificationLevel,
+        @Nullable InteractionParams interactionParams
     ) throws CdocSmartIdClientException {
         String errorMsg = "Failed to authenticate Smart ID client request for " + semanticsIdentifier.getIdentifier();
 
         try {
             return smartIdClientWrapper.authenticate(
-                semanticsIdentifier, authenticationHash, certificationLevel
+                semanticsIdentifier, authenticationHash, certificationLevel,
+                    getSIDInteractions(semanticsIdentifier, authenticationHash, certificationLevel, interactionParams)
             );
         } catch (UserAccountNotFoundException ex) {
             throw logNoUserAccountErrorAndThrow(errorMsg);
@@ -64,6 +74,49 @@ public SmartIdAuthenticationResponse authenticate(
         }
     }
 
+    /**
+     * Convert cdoc2 specific InteractionParams to Smart-ID Interaction list. Has same parameters as authenticate, so
+     * that this method can be overridden
+     * @param semanticsIdentifier ETSI semantics identifier
+     * @param authenticationHash  Base64 encoded hash function output to be signed
+     * @param certificationLevel  Level of certificate requested, can either be
+     *                            {@code QUALIFIED} or {@code ADVANCED}
+     * @param interactionParams generic InteractionParams that is used to create Smart-ID {@code Interaction} list
+     * @return list of SID Interaction objects
+     */
+    protected List<Interaction> getSIDInteractions(SemanticsIdentifier semanticsIdentifier,
+                                                AuthenticationHash authenticationHash,
+                                                String certificationLevel,
+                                                @Nullable InteractionParams interactionParams
+    ) {
+        String displayText200 = (interactionParams == null)
+            ? InteractionParams.DEFAULT_DISPLAY_TEXT
+            : interactionParams.getDisplayText200();
+
+        String displayText60 = (interactionParams == null)
+            ? InteractionParams.DEFAULT_DISPLAY_TEXT
+            : interactionParams.getDisplayText60();
+
+        var interactionType = (interactionParams == null)
+            ? DISPLAY_TEXT_AND_PIN
+            : interactionParams.getInteractionType();
+
+        switch (interactionType) {
+            case DISPLAY_TEXT_AND_PIN:
+                return  List.of(Interaction.displayTextAndPIN(displayText60));
+            case VERIFICATION_CODE_CHOICE:
+                return  List.of(Interaction.verificationCodeChoice(displayText60));
+            case CONFIRMATION_MESSAGE:
+                return List.of(Interaction.confirmationMessage(displayText200));
+            case CONFIRMATION_MESSAGE_AND_VERIFICATION_CODE_CHOICE:
+                return List.of(Interaction.confirmationMessageAndVerificationCodeChoice(displayText200));
+            default:
+                log.error("Unknown interaction type {}", interactionType);
+                return  List.of(Interaction.displayTextAndPIN(displayText60));
+        }
+    }
+
+
     public AuthenticationIdentity validateResponse(SmartIdAuthenticationResponse authResponse)
             throws CdocSmartIdClientException {
         return smartIdClientWrapper.validateResponse(authResponse);

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/smartid/SmartIdClientWrapper.java

@@ -20,7 +20,6 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.Collections;
 import java.util.Enumeration;
 import java.util.LinkedList;
 import java.util.List;
@@ -29,7 +28,8 @@
 import ee.cyber.cdoc2.exceptions.ConfigurationLoadingException;
 import ee.cyber.cdoc2.exceptions.CdocSmartIdClientException;
 import ee.cyber.cdoc2.util.Resources;
-
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Smart-ID Client
@@ -42,6 +42,7 @@ public class SmartIdClientWrapper {
     private final SmartIdClientConfiguration smartIdClientConfig;
     private final AuthenticationResponseValidator authenticationResponseValidator;
 
+    private static final Logger log = LoggerFactory.getLogger(SmartIdClientWrapper.class);
     /**
      * Constructor for Smart-ID Client wrapper
      * @param conf Smart-ID client configuration
@@ -75,12 +76,14 @@ private static SmartIdClient configureSmartIdClient(SmartIdClientConfiguration c
      * @param authenticationHash  Base64 encoded hash function output to be signed
      * @param certificationLevel  Level of certificate requested, can either be
      *                            {@code QUALIFIED} or {@code ADVANCED}
+     * @param interactions interaction parameters used to drive Smart-ID UI
      * @return SmartIdAuthenticationResponse object
      */
     public SmartIdAuthenticationResponse authenticate(
         SemanticsIdentifier semanticsIdentifier,
         AuthenticationHash authenticationHash,
-        String certificationLevel
+        String certificationLevel,
+        List<Interaction> interactions
     ) throws UserAccountNotFoundException,
         UserRefusedException,
         UserSelectedWrongVerificationCodeException,
@@ -94,10 +97,7 @@ public SmartIdAuthenticationResponse authenticate(
             .withSemanticsIdentifier(semanticsIdentifier)
             .withAuthenticationHash(authenticationHash)
             .withCertificateLevel(certificationLevel)
-            // Smart-ID app will display verification code to the user and user must insert PIN1
-            .withAllowedInteractionsOrder(
-                Collections.singletonList(Interaction.displayTextAndPIN("Log in to self-service?"))
-            )
+            .withAllowedInteractionsOrder(interactions)
             // Commented out as EIDPRX fails request parsing when this property is present
             //.withShareMdClientIpAddress(true)
             .authenticate();
@@ -107,6 +107,7 @@ public SmartIdAuthenticationResponse authenticate(
         return authResponse;
     }
 
+
     public AuthenticationIdentity validateResponse(
         SmartIdAuthenticationResponse authResponse
     ) throws CdocSmartIdClientException {