NFC-99 Add web-eid-1.1 token support

Signed-off-by: Sander Kondratjev <[email protected]>

Author: SanderKondratjevNortal

src/WebEid.Security.Tests/TestUtils/AbstractTestWithValidator.cs

@@ -34,6 +34,15 @@ public abstract class AbstractTestWithValidator
         "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+0\"," +
         "\"signature\":\"tbMTrZD4CKUj6atjNCHZruIeyPFAEJk2htziQ1t08BSTyA5wKKqmNmzsJ7562hWQ6+tJd6nlidHGE5jVVJRKmPtNv3f9gbT2b7RXcD4t5Pjn8eUCBCA4IX99Af32Z5ln\"," +
         "\"format\":\"web-eid:1\"}";
+
+        protected const string ValidV11AuthTokenStr = "{\"algorithm\":\"ES384\"," +
+        "\"unverifiedCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
+        "\"unverifiedSigningCertificate\":\"MIID6zCCA02gAwIBAgIQT7j6zk6pmVRcyspLo5SqejAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE5MDUwMjEwNDUzMVoXDTI5MDUwMjEwNDUzMVowfzELMAkGA1UEBhMCRUUxFjAUBgNVBCoMDUpBQUstS1JJU1RKQU4xEDAOBgNVBAQMB0rDlUVPUkcxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASkwENR8GmCpEs6OshDWDfIiKvGuyNMOD2rjIQW321AnZD3oIsqD0svBMNEJJj9Dlvq/47TYDObIa12KAU5IuOBfJs2lrFdSXZjaM+a5TWT3O2JTM36YDH2GcMe/eisepejggGrMIIBpzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIGQDBIBgNVHSAEQTA/MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAJBgcEAIvsQAECMB0GA1UdDgQWBBTVX3s48Spy/Es2TcXgkRvwUn2YcjCBigYIKwYBBQUHAQMEfjB8MAgGBgQAjkYBATAIBgYEAI5GAQQwEwYGBACORgEGMAkGBwQAjkYBBgEwUQYGBACORgEFMEcwRRY/aHR0cHM6Ly9zay5lZS9lbi9yZXBvc2l0b3J5L2NvbmRpdGlvbnMtZm9yLXVzZS1vZi1jZXJ0aWZpY2F0ZXMvEwJFTjAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgGBr+Jbo1GeqgWdIwgMo7SA29AP38JxNm2HWq2Qb+kIHpusAK574Co1K5D4+Mk7/ITTuXQaET5WphHoN7tdAciTaQJBAn0zBigYyVPYSTO68HM6hmlwTwi/KlJDdXW/2NsMjSqofFFJXpGvpxk2CTqSRCjcavxLPnkasTbNROYSJcmM8Xc=\"," +
+        "\"supportedSignatureAlgorithms\":[{\"cryptoAlgorithm\":\"RSA\",\"hashFunction\":\"SHA-256\",\"paddingScheme\":\"PKCS1.5\"}]," +
+        "\"appVersion\":\"https://web-eid.eu/web-eid-mobile-app/releases/v1.0.0\"," +
+        "\"signature\":\"0Ov7ME6pTY1K2GXMj8Wxov/o2fGIMEds8OMY5dKdkB0nrqQX7fG1E5mnsbvyHpMDecMUH6Yg+p1HXdgB/lLqOcFZjt/OVXPjAAApC5d1YgRYATDcxsR1zqQwiNcHdmWn\"," +
+        "\"format\":\"web-eid:1.1\"}";
+
         public const string ValidChallengeNonce = "12345678123456781234567812345678912356789123";
 
         private DateTimeProvider dateTimeProvider;
@@ -44,15 +53,22 @@ public abstract class AbstractTestWithValidator
         [SetUp]
         protected void SetUp()
         {
-            this.Validator = AuthTokenValidators.GetAuthTokenValidator();
-            this.ValidAuthToken = this.Validator.Parse(ValidAuthTokenStr);
-            this.dateTimeProvider = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 3, 1));
+            Validator = AuthTokenValidators.GetAuthTokenValidator();
+            ValidAuthToken = Validator.Parse(ValidAuthTokenStr);
+            dateTimeProvider = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 8, 1));
         }
 
         [TearDown]
-        public void TearDown() => this.dateTimeProvider?.Dispose();
+        public void TearDown() => dateTimeProvider?.Dispose();
 
         protected WebEidAuthToken ReplaceTokenField(string token, string field, string value) =>
-            this.Validator.Parse(token.Replace(field, value));
+            Validator.Parse(token.Replace(field, value));
+
+        protected string RemoveJsonField(string json, string fieldName)
+        {
+            var node = Newtonsoft.Json.Linq.JObject.Parse(json);
+            node.Remove(fieldName);
+            return node.ToString(Newtonsoft.Json.Formatting.None);
+        }
     }
 }

src/WebEid.Security.Tests/Validator/AuthTokenAlgorithmTest.cs

@@ -22,33 +22,77 @@
 namespace WebEid.Security.Tests.Validator
 {
     using NUnit.Framework;
-    using WebEid.Security.Exceptions;
-    using WebEid.Security.Tests.TestUtils;
+    using Exceptions;
+    using TestUtils;
 
     public class AuthTokenAlgorithmTest : AbstractTestWithValidator
     {
         [Test]
         public void WhenAlgorithmNoneThenValidationFailsAsync()
         {
-            var authToken = this.ReplaceTokenField(ValidAuthTokenStr, "ES384", "NONE");
-            Assert.ThrowsAsync<AuthTokenParseException>(() => this.Validator.Validate(authToken, ValidChallengeNonce))
+            var authToken = ReplaceTokenField(ValidAuthTokenStr, "ES384", "NONE");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(authToken, ValidChallengeNonce))
                 .WithMessage("Unsupported signature algorithm");
         }
 
         [Test]
         public void WhenAlgorithmEmptyThenParsingFailsAsync()
         {
-            var authToken = this.ReplaceTokenField(ValidAuthTokenStr, "ES384", "");
-            Assert.ThrowsAsync<AuthTokenParseException>(() => this.Validator.Validate(authToken, ValidChallengeNonce))
+            var authToken = ReplaceTokenField(ValidAuthTokenStr, "ES384", "");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(authToken, ValidChallengeNonce))
                 .WithMessage("'algorithm' is null or empty");
         }
 
         [Test]
         public void WhenAlgorithmInvalidThenParsingFailsAsync()
         {
-            var authToken = this.ReplaceTokenField(ValidAuthTokenStr, "ES384", "\u0000\t\ninvalid");
-            Assert.ThrowsAsync<AuthTokenParseException>(() => this.Validator.Validate(authToken, ValidChallengeNonce))
+            var authToken = ReplaceTokenField(ValidAuthTokenStr, "ES384", "\u0000\t\ninvalid");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(authToken, ValidChallengeNonce))
                 .WithMessage("Unsupported signature algorithm");
         }
+
+        [Test]
+        public void WhenV11TokenMissingSupportedAlgorithmsThenValidationFailsAsync()
+        {
+            var tokenJson = RemoveJsonField(ValidV11AuthTokenStr, "supportedSignatureAlgorithms");
+            var token = Validator.Parse(tokenJson);
+
+            var ex = Assert.ThrowsAsync<AuthTokenParseException>(() =>
+                Validator.Validate(token, ValidChallengeNonce));
+
+            Assert.That(ex.Message, Does.Contain("'supportedSignatureAlgorithms' field is missing"));
+        }
+
+        [Test]
+        public void WhenV11TokenHasInvalidCryptoAlgorithmThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField(ValidV11AuthTokenStr, "\"cryptoAlgorithm\":\"RSA\"", "\"cryptoAlgorithm\":\"INVALID\"");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("Unsupported signature algorithm");
+        }
+
+        [Test]
+        public void WhenV11TokenHasInvalidHashFunctionThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField( ValidV11AuthTokenStr, "\"hashFunction\":\"SHA-256\"", "\"hashFunction\":\"NOT_A_HASH\"");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("Unsupported signature algorithm");
+        }
+
+        [Test]
+        public void WhenV11TokenHasInvalidPaddingSchemeThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField( ValidV11AuthTokenStr, "\"paddingScheme\":\"PKCS1.5\"", "\"paddingScheme\":\"BAD_PADDING\"");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("Unsupported signature algorithm");
+        }
+
+        [Test]
+        public void WhenV11TokenHasEmptySupportedAlgorithmsThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField( ValidV11AuthTokenStr, "\"supportedSignatureAlgorithms\":[{\"cryptoAlgorithm\":\"RSA\",\"hashFunction\":\"SHA-256\",\"paddingScheme\":\"PKCS1.5\"}]", "\"supportedSignatureAlgorithms\":[]");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("'supportedSignatureAlgorithms' field is missing");
+        }
     }
 }