NFC-82 NFC signing support for web-eid example

SanderKondratjevNortal · SanderKondratjevNortal · commit d7e085fe48f7 · 2025-10-15T14:17:13.000+03:00
Signed-off-by: Sander Kondratjev &lt;sander.kondratjev@nortal.com&gt;
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -30,6 +30,7 @@
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -38,11 +39,13 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
-public class ApplicationConfiguration {
+public class ApplicationConfiguration implements WebMvcConfigurer {
 
     @Bean
     public SecurityFilterChain filterChain(
@@ -66,4 +69,10 @@ public SecurityFilterChain filterChain(
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
             .build();
     }
+
+    @Override
+    public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addViewController("/sign/mobile/certificate").setViewName("welcome");
+        registry.addViewController("/sign/mobile/signature").setViewName("welcome");
+    }
 }
diff --git a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
@@ -47,6 +47,17 @@ public class YAMLConfig {
     @Value("#{new Boolean('${web-eid-auth-token.validation.use-digidoc4j-prod-configuration}'.trim())}")
     private Boolean useDigiDoc4jProdConfiguration;
 
+    @Value("#{new Boolean('${web-eid-auth-token.request-signing-cert:false}')}")
+    private Boolean requestSigningCert;
+
+    public Boolean getRequestSigningCert() {
+        return requestSigningCert;
+    }
+
+    public void setRequestSigningCert(Boolean requestSigningCert) {
+        this.requestSigningCert = requestSigningCert;
+    }
+
     public String getLocalOrigin() {
         return localOrigin;
     }
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -22,7 +22,10 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
+import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateData;
+import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
@@ -36,21 +39,40 @@
 public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken implements Authentication {
 
     private final String idCode;
+    private final transient String signingCertificate;
+    private final transient List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms;
 
-    public static Authentication fromCertificate(X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
+    public static Authentication fromCertificate(@Nullable WebEidAuthToken authToken, X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
         final String principalName = getPrincipalNameFromCertificate(userCertificate);
         final String idCode = CertificateData.getSubjectIdCode(userCertificate)
                 .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
-        return new WebEidAuthentication(principalName, idCode, authorities);
+
+        final String signingCertificate = Optional.ofNullable(authToken)
+            .map(WebEidAuthToken::getUnverifiedSigningCertificate)
+            .orElse(null);
+
+        final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = Optional.ofNullable(authToken)
+            .map(WebEidAuthToken::getSupportedSignatureAlgorithms)
+            .orElse(null);
+
+        return new WebEidAuthentication(principalName, idCode, signingCertificate, supportedSignatureAlgorithms, authorities);
     }
 
     public String getIdCode() {
         return idCode;
     }
+    public String getSigningCertificate() {
+        return signingCertificate;
+    }
+    public List<SupportedSignatureAlgorithm> getSupportedSignatureAlgorithms() {
+        return supportedSignatureAlgorithms;
+    }
 
-    private WebEidAuthentication(String principalName, String idCode, List<GrantedAuthority> authorities) {
+    private WebEidAuthentication(String principalName, String idCode, String signingCertificate, List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) {
         super(principalName, idCode, authorities);
         this.idCode = idCode;
+        this.signingCertificate = signingCertificate;
+        this.supportedSignatureAlgorithms = supportedSignatureAlgorithms;
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java
@@ -72,7 +72,7 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
-            return WebEidAuthentication.fromCertificate(userCertificate, authorities);
+            return WebEidAuthentication.fromCertificate(authToken, userCertificate, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);
         } catch (CertificateEncodingException e) {
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -22,12 +22,15 @@
 
 package eu.webeid.example.service;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import eu.webeid.example.config.YAMLConfig;
 import eu.webeid.example.security.WebEidAuthentication;
 import eu.webeid.example.service.dto.CertificateDTO;
 import eu.webeid.example.service.dto.DigestDTO;
 import eu.webeid.example.service.dto.FileDTO;
+import eu.webeid.example.service.dto.SignatureAlgorithmDTO;
 import eu.webeid.example.service.dto.SignatureDTO;
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.certificate.CertificateData;
 import jakarta.servlet.http.HttpSession;
 import jakarta.xml.bind.DatatypeConverter;
@@ -48,12 +51,16 @@
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Service;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 
 import static eu.webeid.example.security.WebEidAuthenticationProvider.ROLE_USER;
@@ -65,13 +72,17 @@ public class SigningService {
     private static final String SESSION_ATTR_FILE = "file-to-sign";
     private static final String SESSION_ATTR_CONTAINER = "container-to-sign";
     private static final String SESSION_ATTR_DATA = "data-to-sign";
+    public static final String CERTIFICATE_URI = "/sign/mobile/certificate";
+    public static final String SIGNATURE_URI = "/sign/mobile/signature";
     private static final Logger LOG = LoggerFactory.getLogger(SigningService.class);
     private final Configuration signingConfiguration;
 
     private final ObjectFactory<HttpSession> httpSessionFactory;
+    private final YAMLConfig yamlConfig;
 
     public SigningService(ObjectFactory<HttpSession> httpSessionFactory, YAMLConfig yamlConfig) {
         this.httpSessionFactory = httpSessionFactory;
+        this.yamlConfig = yamlConfig;
         signingConfiguration = Configuration.of(yamlConfig.getUseDigiDoc4jProdConfiguration() ?
                 Configuration.Mode.PROD : Configuration.Mode.TEST);
         // Use automatic AIA OCSP URL selection from certificate for signatures.
@@ -179,6 +190,81 @@ private Container getContainerToSign(FileDTO fileDTO) {
                 .build();
     }
 
+    public Map<String, Object> buildMobileInitResponse(WebEidAuthentication authentication) throws IOException, CertificateException, NoSuchAlgorithmException {
+        String signingCertificate = authentication.getSigningCertificate();
+        var supportedSignatureAlgorithms = authentication.getSupportedSignatureAlgorithms();
+
+        boolean hasCertificateData = signingCertificate != null
+            && supportedSignatureAlgorithms != null
+            && !supportedSignatureAlgorithms.isEmpty();
+
+        boolean requestSigningCert = yamlConfig.getRequestSigningCert();
+        String nextPath = requestSigningCert
+            ? CERTIFICATE_URI
+            : SIGNATURE_URI;
+
+        if (!requestSigningCert && hasCertificateData) {
+            CertificateDTO certificateDTO = new CertificateDTO();
+            certificateDTO.setCertificate(signingCertificate);
+            certificateDTO.setSupportedSignatureAlgorithms(mapSupportedAlgorithms(supportedSignatureAlgorithms));
+            prepareContainer(certificateDTO, authentication);
+        } else {
+            LOG.info("Skipping container preparation — no certificate available.");
+        }
+
+        String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+            .path(nextPath)
+            .build()
+            .toUriString();
+
+        return Map.of("sign_uri", buildDeepLink(Map.of("response_uri", responseUri)));
+    }
+
+    public Map<String, Object> buildMobileCertificateResponse(CertificateDTO certificateDTO, WebEidAuthentication authentication) throws IOException, CertificateException, NoSuchAlgorithmException {
+        certificateDTO.setSupportedSignatureAlgorithms(mapSupportedAlgorithms(certificateDTO.getSupportedSignatureAlgorithms()));
+        DigestDTO digest = prepareContainer(certificateDTO, authentication);
+        String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+            .path(SIGNATURE_URI)
+            .build()
+            .toUriString();
+
+        Map<String, Object> payload = Map.of(
+            "response_uri", responseUri,
+            "sign_certificate", certificateDTO.getCertificate(),
+            "hash", digest.getHash(),
+            "hash_function", digest.getHashFunction()
+        );
+
+        return Map.of(
+            "sign_uri", buildDeepLink(payload),
+            "hash", digest.getHash(),
+            "hashFunction", digest.getHashFunction()
+        );
+    }
+
+    private List<SignatureAlgorithmDTO> mapSupportedAlgorithms(List<?> algorithms) {
+        if (algorithms == null) return List.of();
+        return algorithms.stream().map(item -> {
+            if (item instanceof SignatureAlgorithmDTO dto) {
+                return dto;
+            } else if (item instanceof SupportedSignatureAlgorithm ssa) {
+                var dto = new SignatureAlgorithmDTO();
+                dto.setCryptoAlgorithm(ssa.getCryptoAlgorithm());
+                dto.setHashFunction(ssa.getHashFunction());
+                dto.setPaddingScheme(ssa.getPaddingScheme());
+                return dto;
+            } else {
+                throw new IllegalArgumentException("Unsupported algorithm type: " + item.getClass());
+            }
+        }).toList();
+    }
+
+    private String buildDeepLink(Map<String, Object> payload) throws IOException {
+        String payloadJson = new ObjectMapper().writeValueAsString(payload);
+        String encoded = Base64.getUrlEncoder().withoutPadding().encodeToString(payloadJson.getBytes());
+        return "web-eid-mobile://sign#" + encoded;
+    }
+
     private String generateContainerName(String fileName) {
         return FilenameUtils.removeExtension(fileName) + ".asice";
     }
diff --git a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -38,10 +38,12 @@
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.ModelAndView;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.util.Map;
 
 import static eu.webeid.example.security.WebEidAuthenticationProvider.ROLE_USER;
 
@@ -66,6 +68,26 @@ public FileDTO sign(@RequestBody SignatureDTO data) {
         return signingService.signContainer(data);
     }
 
+    @PostMapping("mobile/init")
+    public ResponseEntity<Map<String, Object>> mobileInit(WebEidAuthentication authentication) throws CertificateException, IOException, NoSuchAlgorithmException {
+        return ResponseEntity.ok(signingService.buildMobileInitResponse(authentication));
+    }
+
+    @PostMapping("mobile/certificate")
+    public ResponseEntity<Map<String, Object>> mobileCertificate(@RequestBody CertificateDTO certDto, WebEidAuthentication authentication) throws CertificateException, IOException, NoSuchAlgorithmException {
+        return ResponseEntity.ok(signingService.buildMobileCertificateResponse(certDto, authentication));
+    }
+
+    @PostMapping("mobile/sign")
+    public ResponseEntity<FileDTO> mobileSign(@RequestBody SignatureDTO signatureDTO) {
+        return ResponseEntity.ok(signingService.signContainer(signatureDTO));
+    }
+
+    @GetMapping("mobile/certificate")
+    public ModelAndView showCertificateStep() {
+        return new ModelAndView("welcome");
+    }
+
     @GetMapping(value = "download", produces = "application/vnd.etsi.asic-e+zip")
     public ResponseEntity<Resource> download() throws IOException {
 
diff --git a/example/src/main/resources/application-dev.yaml b/example/src/main/resources/application-dev.yaml
@@ -2,3 +2,4 @@ web-eid-auth-token:
   validation:
     use-digidoc4j-prod-configuration: false
     local-origin: "https://test.web-eid.eu"
+  request-signing-cert: false
diff --git a/example/src/main/resources/application-prod.yaml b/example/src/main/resources/application-prod.yaml
@@ -3,6 +3,7 @@ web-eid-auth-token:
     use-digidoc4j-prod-configuration: true
     local-origin: "https://web-eid.eu"
     truststore-password: "changeit"
+  request-signing-cert: false
 spring:
   thymeleaf:
     cache: true
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
