Refactor initSigningRequest()

- Support both web-eid-mobile:// and https://webeid.ee as base uri
- Remove origin from request object

Author: aarmam

example/src/main/java/eu/webeid/example/config/WebEidMobileProperties.java

@@ -23,12 +23,13 @@
 package eu.webeid.example.config;
 
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.validation.annotation.Validated;
 
 @Validated
 @ConfigurationProperties(prefix = "web-eid-mobile")
 public record WebEidMobileProperties(
-    @NotBlank String baseRequestUri,
+    @NotBlank @Pattern(regexp = "^.*(?:[^/]|://)$", message = "Base URI must not have a trailing slash") String baseRequestUri,
     boolean requestSigningCert) {
 }

example/src/main/java/eu/webeid/example/service/MobileSigningService.java

@@ -23,9 +23,10 @@
 package eu.webeid.example.service;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
 import eu.webeid.example.config.WebEidMobileProperties;
 import eu.webeid.example.security.WebEidAuthentication;
 import eu.webeid.example.service.dto.CertificateDTO;
@@ -36,12 +37,14 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Component;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.Base64;
 import java.util.List;
+import java.util.Objects;
 
 @Component
 public class MobileSigningService {
@@ -59,62 +62,63 @@ public MobileSigningService(SigningService signingService, WebEidMobilePropertie
         this.webEidMobileProperties = webEidMobileProperties;
     }
 
-    public MobileInitRequest initSigningRequest(WebEidAuthentication authentication) throws IOException, CertificateException, NoSuchAlgorithmException {
+    public MobileInitRequest initCertificateOrSigningRequest(WebEidAuthentication authentication) throws IOException, CertificateException, NoSuchAlgorithmException {
         String signingCertificate = authentication.getSigningCertificate();
         List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = authentication.getSupportedSignatureAlgorithms();
         if (signingCertificate == null || supportedSignatureAlgorithms == null) {
-            return initSigningRequest(authentication, null);
+            return initCertificateRequest();
         }
         CertificateDTO certificateDTO = new CertificateDTO();
         certificateDTO.setCertificate(signingCertificate);
         certificateDTO.setSupportedSignatureAlgorithms(mapSupportedAlgorithms(supportedSignatureAlgorithms));
         return initSigningRequest(authentication, certificateDTO);
     }
 
-    @SuppressWarnings("javax.annotation.Tainted")
-    public MobileInitRequest initSigningRequest(
-        WebEidAuthentication authentication,
-        CertificateDTO certificateDTO)
-        throws IOException, CertificateException, NoSuchAlgorithmException {
-
-        final boolean isSigningFlow = certificateDTO != null;
-        final String flowLabel = isSigningFlow ? "signing" : "certificate";
-        LOG.info("Initiating {} request", flowLabel);
-
-        DigestDTO digest = null;
-        if (isSigningFlow) {
-            digest = signingService.prepareContainer(certificateDTO, authentication);
-        }
-
+    public MobileInitRequest initSigningRequest(WebEidAuthentication authentication, CertificateDTO certificateDTO) throws IOException, CertificateException, NoSuchAlgorithmException {
+        Objects.requireNonNull(authentication, "authentication must not be null");
+        Objects.requireNonNull(certificateDTO, "certificateDTO must not be null");
         final String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
-            .path(isSigningFlow ? SIGNATURE_RESPONSE_PATH : CERTIFICATE_RESPONSE_PATH)
+            .path(SIGNATURE_RESPONSE_PATH)
             .build()
             .toUriString();
-
-        final String origin = ServletUriComponentsBuilder.fromCurrentContextPath()
-            .build()
-            .toUriString()
-            .replaceAll("/$", "");
-
-        final RequestObject initRequest = isSigningFlow
-            ? new RequestObject(
+        final DigestDTO digest = signingService.prepareContainer(certificateDTO, authentication);
+        final RequestObject initRequest = new RequestObject(
             responseUri,
             certificateDTO.getCertificate(),
             digest.getHash(),
-            digest.getHashFunction(),
-            origin)
-            : new RequestObject(responseUri, null, null, null, origin);
+            digest.getHashFunction());
+        final String payloadJson = OBJECT_WRITER.writeValueAsString(initRequest);
+        final String encoded = Base64.getUrlEncoder()
+            .withoutPadding()
+            .encodeToString(payloadJson.getBytes());
+        final String requestUri = getRequestUri(WEB_EID_MOBILE_SIGN_PATH, encoded);
+
+        return new MobileInitRequest(requestUri);
+    }
 
+    private MobileInitRequest initCertificateRequest() throws IOException {
+        final String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+            .path(CERTIFICATE_RESPONSE_PATH)
+            .build()
+            .toUriString();
+        final RequestObject initRequest = new RequestObject(responseUri, null, null, null);
         final String payloadJson = OBJECT_WRITER.writeValueAsString(initRequest);
         final String encoded = Base64.getUrlEncoder()
             .withoutPadding()
             .encodeToString(payloadJson.getBytes());
+        final String requestUri = getRequestUri(WEB_EID_GET_CERT_PATH, encoded);
 
-        String base = webEidMobileProperties.baseRequestUri();
-        String path = isSigningFlow ? WEB_EID_MOBILE_SIGN_PATH : WEB_EID_GET_CERT_PATH;
-        String deepLink = base + path + "#" + encoded;
+        return new MobileInitRequest(requestUri);
+    }
 
-        return new MobileInitRequest(deepLink);
+    private String getRequestUri(String path, String encodedPayload) {
+        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri());
+        if (webEidMobileProperties.baseRequestUri().startsWith("http")) {
+            builder.pathSegment(path);
+        } else {
+            builder.host(path);
+        }
+        return builder.fragment(encodedPayload).toUriString();
     }
 
     private List<SignatureAlgorithmDTO> mapSupportedAlgorithms(List<SupportedSignatureAlgorithm> algorithms) {
@@ -127,16 +131,19 @@ private List<SignatureAlgorithmDTO> mapSupportedAlgorithms(List<SupportedSignatu
         }).toList();
     }
 
+    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
     public record MobileInitRequest(
-        @JsonProperty("request_uri") String requestUri
-    ) { }
+        String requestUri
+    ) {
+    }
 
+    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
     @JsonInclude(JsonInclude.Include.NON_NULL)
     record RequestObject(
-        @JsonProperty("response_uri") String responseUri,
-        @JsonProperty("signing_certificate") String signingCertificate,
-        @JsonProperty("hash") String hash,
-        @JsonProperty("hash_function") String hashFunction,
-        @JsonProperty("origin") String origin
-    ) { }
+        String responseUri,
+        String signingCertificate,
+        String hash,
+        String hashFunction
+    ) {
+    }
 }

example/src/main/java/eu/webeid/example/web/rest/SigningController.java

@@ -73,15 +73,14 @@ public FileDTO signature(@RequestBody SignatureDTO data) {
 
     @PostMapping("mobile/init")
     public ResponseEntity<MobileInitRequest> mobileInit(WebEidAuthentication authentication) throws CertificateException, IOException, NoSuchAlgorithmException {
-        return ResponseEntity.ok(mobileSigningService.initSigningRequest(authentication));
+        return ResponseEntity.ok(mobileSigningService.initCertificateOrSigningRequest(authentication));
     }
 
     @GetMapping("mobile/certificate")
     public ModelAndView mobileCertificateResponse() {
         return new ModelAndView("webeid-callback");
     }
 
-    @SuppressWarnings("javax.annotation.Tainted")
     @PostMapping("mobile/certificate")
     public ResponseEntity<MobileInitRequest> mobileCertificate(@RequestBody CertificateDTO certificateDTO, WebEidAuthentication authentication) throws CertificateException, IOException, NoSuchAlgorithmException {
         return ResponseEntity.ok(mobileSigningService.initSigningRequest(authentication, certificateDTO));