web-eid
diff --git a/‎example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java‎
Lines changed: 1 addition & 10 deletions b/‎example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java‎
Lines changed: 1 addition & 10 deletions
diff --git a/‎example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java‎
Lines changed: 20 additions & 28 deletions b/‎example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java‎
Lines changed: 20 additions & 28 deletions
diff --git a/‎example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java‎
Lines changed: 10 additions & 1 deletion b/‎example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎example/src/main/java/eu/webeid/example/service/MobleSigningService.java‎
Lines changed: 130 additions & 0 deletions b/‎example/src/main/java/eu/webeid/example/service/MobleSigningService.java‎
Lines changed: 130 additions & 0 deletions
@@ -31,7 +31,6 @@
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -40,14 +39,12 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
-import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @ConfigurationPropertiesScan
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
-public class ApplicationConfiguration implements WebMvcConfigurer {
+public class ApplicationConfiguration {
 
     @Bean
     public SecurityFilterChain filterChain(
@@ -71,10 +68,4 @@ public SecurityFilterChain filterChain(
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .build();
     }
-
-    @Override
-    public void addViewControllers(ViewControllerRegistry registry) {
-        registry.addViewController("/sign/mobile/certificate").setViewName("welcome");
-        registry.addViewController("/sign/mobile/signature").setViewName("welcome");
-    }
 }
@@ -23,7 +23,6 @@
 package eu.webeid.example.security;
 
 import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
-import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateData;
 import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
@@ -42,39 +41,20 @@ public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken im
     private final transient String signingCertificate;
     private final transient List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms;
 
-    public static Authentication fromCertificate(@Nullable WebEidAuthToken authToken, X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
-        final String principalName = getPrincipalNameFromCertificate(userCertificate);
-        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
-                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
-
-        final String signingCertificate = Optional.ofNullable(authToken)
-            .map(WebEidAuthToken::getUnverifiedSigningCertificate)
-            .orElse(null);
-
-        final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = Optional.ofNullable(authToken)
-            .map(WebEidAuthToken::getSupportedSignatureAlgorithms)
-            .orElse(null);
-
-        return new WebEidAuthentication(principalName, idCode, signingCertificate, supportedSignatureAlgorithms, authorities);
-    }
-
-    public String getIdCode() {
-        return idCode;
-    }
-    public String getSigningCertificate() {
-        return signingCertificate;
-    }
-    public List<SupportedSignatureAlgorithm> getSupportedSignatureAlgorithms() {
-        return supportedSignatureAlgorithms;
-    }
-
     private WebEidAuthentication(String principalName, String idCode, String signingCertificate, List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) {
         super(principalName, idCode, authorities);
         this.idCode = idCode;
         this.signingCertificate = signingCertificate;
         this.supportedSignatureAlgorithms = supportedSignatureAlgorithms;
     }
 
+    public static Authentication fromCertificate(X509Certificate userCertificate, @Nullable String signingCertificate, @Nullable List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) throws CertificateEncodingException {
+        final String principalName = getPrincipalNameFromCertificate(userCertificate);
+        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
+            .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
+        return new WebEidAuthentication(principalName, idCode, signingCertificate, supportedSignatureAlgorithms, authorities);
+    }
+
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
         final Optional<String> givenName = CertificateData.getSubjectGivenName(userCertificate);
         final Optional<String> surname = CertificateData.getSubjectSurname(userCertificate);
@@ -84,10 +64,22 @@ private static String getPrincipalNameFromCertificate(X509Certificate userCertif
         } else {
             // Organization certificates do not have given name and surname fields.
             return CertificateData.getSubjectCN(userCertificate)
-                    .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
+                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
         }
     }
 
+    public String getIdCode() {
+        return idCode;
+    }
+
+    public String getSigningCertificate() {
+        return signingCertificate;
+    }
+
+    public List<SupportedSignatureAlgorithm> getSupportedSignatureAlgorithms() {
+        return supportedSignatureAlgorithms;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (!super.equals(o)) return false;
 
@@ -22,6 +22,7 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.challenge.ChallengeNonceStore;
 import eu.webeid.security.exceptions.AuthTokenException;
@@ -41,6 +42,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 
 /**
  * Parses JWT from token string inside AuthTokenDTO and attempts authentication.
@@ -72,7 +74,14 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
-            return WebEidAuthentication.fromCertificate(authToken, userCertificate, authorities);
+            final String signingCertificate = Optional.ofNullable(authToken)
+                .map(WebEidAuthToken::getUnverifiedSigningCertificate)
+                .orElse(null);
+            final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = Optional.ofNullable(authToken)
+                .map(WebEidAuthToken::getSupportedSignatureAlgorithms)
+                .orElse(null);
+
+            return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, supportedSignatureAlgorithms, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);
         } catch (CertificateEncodingException e) {
 
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.service;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectWriter;
+import eu.webeid.example.config.WebEidMobileProperties;
+import eu.webeid.example.security.WebEidAuthentication;
+import eu.webeid.example.service.dto.CertificateDTO;
+import eu.webeid.example.service.dto.DigestDTO;
+import eu.webeid.example.service.dto.SignatureAlgorithmDTO;
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Base64;
+import java.util.List;
+
+@Component
+public class MobleSigningService {
+    public static final String CERTIFICATE_RESPONSE_PATH = "/sign/mobile/certificate";
+    public static final String SIGNATURE_RESPONSE_PATH = "/sign/mobile/signature";
+    public static final String WEB_EID_MOBILE_SIGN_PATH = "/sign";
+    public static final String WEB_EID_GET_CERT_PATH = "/cert";
+    private static final Logger LOG = LoggerFactory.getLogger(MobleSigningService.class);
+    private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writerFor(RequestObject.class);
+    private final SigningService signingService;
+    private final WebEidMobileProperties webEidMobileProperties;
+
+    public MobleSigningService(SigningService signingService, WebEidMobileProperties webEidMobileProperties) {
+        this.signingService = signingService;
+        this.webEidMobileProperties = webEidMobileProperties;
+    }
+
+    public MobileInitRequest initSigningRequest(WebEidAuthentication authentication) throws IOException, CertificateException, NoSuchAlgorithmException {
+        String signingCertificate = authentication.getSigningCertificate();
+        List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = authentication.getSupportedSignatureAlgorithms();
+        if (signingCertificate == null || supportedSignatureAlgorithms == null) {
+            return initSigningRequest(authentication, null);
+        }
+        CertificateDTO certificateDTO = new CertificateDTO();
+        certificateDTO.setCertificate(signingCertificate);
+        certificateDTO.setSupportedSignatureAlgorithms(mapSupportedAlgorithms(supportedSignatureAlgorithms));
+        return initSigningRequest(authentication, certificateDTO);
+    }
+
+    @SuppressWarnings("javax.annotation.Tainted")
+    public MobileInitRequest initSigningRequest(WebEidAuthentication authentication, CertificateDTO certificateDTO) throws IOException, CertificateException, NoSuchAlgorithmException {
+        if (certificateDTO != null) {
+            LOG.info("Initiating signing request");
+            DigestDTO digest = signingService.prepareContainer(certificateDTO, authentication);
+            String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+                .path(SIGNATURE_RESPONSE_PATH)
+                .build()
+                .toUriString();
+            RequestObject initRequest = new RequestObject(responseUri, certificateDTO.getCertificate(), digest.getHash(), digest.getHashFunction());
+            String payloadJson = OBJECT_WRITER.writeValueAsString(initRequest);
+            String encoded = Base64.getUrlEncoder().withoutPadding().encodeToString(payloadJson.getBytes());
+            UriComponents requestUri = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri())
+                .path(WEB_EID_MOBILE_SIGN_PATH)
+                .fragment(encoded)
+                .build();
+            return new MobileInitRequest(requestUri.toUriString());
+        } else {
+            LOG.info("Initiating get certificate request");
+            String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+                .path(CERTIFICATE_RESPONSE_PATH)
+                .build()
+                .toUriString();
+            RequestObject initRequest = new RequestObject(responseUri, null, null, null);
+            String payloadJson = OBJECT_WRITER.writeValueAsString(initRequest);
+            String encoded = Base64.getUrlEncoder().withoutPadding().encodeToString(payloadJson.getBytes());
+            UriComponents requestUri = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri())
+                .path(WEB_EID_GET_CERT_PATH)
+                .fragment(encoded)
+                .build();
+            return new MobileInitRequest(requestUri.toUriString());
+        }
+    }
+
+    private List<SignatureAlgorithmDTO> mapSupportedAlgorithms(List<SupportedSignatureAlgorithm> algorithms) {
+        return algorithms.stream().map(ssa -> {
+            var dto = new SignatureAlgorithmDTO();
+            dto.setCryptoAlgorithm(ssa.getCryptoAlgorithm());
+            dto.setHashFunction(ssa.getHashFunction());
+            dto.setPaddingScheme(ssa.getPaddingScheme());
+            return dto;
+        }).toList();
+    }
+
+    public record MobileInitRequest(
+        String requestUri) {
+    }
+
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    record RequestObject(
+        String responseUri,
+        String signingCertificate,
+        String hash,
+        String hashFunction) {
+    }
+}