NFC-82 NFC signing support for web-eid example

Signed-off-by: Sander Kondratjev <[email protected]>

Author: SanderKondratjevNortal

example/pom.xml

@@ -38,6 +38,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -22,13 +22,13 @@
 
 package eu.webeid.example.config;
 
-import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import eu.webeid.example.security.WebEidAuthenticationProvider;
 import eu.webeid.example.security.WebEidChallengeNonceFilter;
 import eu.webeid.example.security.WebEidMobileAuthInitFilter;
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
@@ -43,6 +43,7 @@
 import org.thymeleaf.web.servlet.JakartaServletWebApplication;
 
 @Configuration
+@ConfigurationPropertiesScan
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
 public class ApplicationConfiguration {

example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java

@@ -79,24 +79,19 @@ public ChallengeNonceGenerator generator(ChallengeNonceStore challengeNonceStore
     }
 
     @Bean
-    public AuthTokenValidator validator(YAMLConfig yamlConfig) {
+    public AuthTokenValidator validator(WebEidAuthTokenProperties authTokenProperties) {
         try {
             return new AuthTokenValidatorBuilder()
-                .withSiteOrigin(URI.create(yamlConfig.getLocalOrigin()))
+                .withSiteOrigin(URI.create(authTokenProperties.validation().localOrigin()))
                 .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromCerFiles())
-                .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore(yamlConfig))
-                .withOcspRequestTimeout(yamlConfig.getOcspRequestTimeout())
+                .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore(authTokenProperties))
+                .withOcspRequestTimeout(authTokenProperties.validation().ocspRequestTimeout())
                 .build();
         } catch (JceException e) {
             throw new RuntimeException("Error building the Web eID auth token validator.", e);
         }
     }
 
-    @Bean
-    public YAMLConfig yamlConfig() {
-        return new YAMLConfig();
-    }
-
     private X509Certificate[] loadTrustedCACertificatesFromCerFiles() {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
@@ -118,7 +113,7 @@ private X509Certificate[] loadTrustedCACertificatesFromCerFiles() {
         return caCertificates.toArray(new X509Certificate[0]);
     }
 
-    private X509Certificate[] loadTrustedCACertificatesFromTrustStore(YAMLConfig yamlConfig) {
+    private X509Certificate[] loadTrustedCACertificatesFromTrustStore(WebEidAuthTokenProperties authTokenProperties) {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
         try (InputStream is = ValidationConfiguration.class.getResourceAsStream(CERTS_RESOURCE_PATH + activeProfile + "/" + TRUSTED_CERTIFICATES_JKS)) {
@@ -127,7 +122,7 @@ private X509Certificate[] loadTrustedCACertificatesFromTrustStore(YAMLConfig yam
                 return new X509Certificate[0];
             }
             KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keystore.load(is, yamlConfig.getTrustStorePassword().toCharArray());
+            keystore.load(is, authTokenProperties.validation().trustStorePassword().toCharArray());
             Enumeration<String> aliases = keystore.aliases();
             while (aliases.hasMoreElements()) {
                 String alias = aliases.nextElement();

example/src/main/java/eu/webeid/example/config/WebEidAuthTokenProperties.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.config;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.bind.DefaultValue;
+import org.springframework.validation.annotation.Validated;
+
+import java.time.Duration;
+
+@Validated
+@ConfigurationProperties(prefix = "web-eid-auth-token")
+public record WebEidAuthTokenProperties(WebEidAuthTokenValidation validation) {
+
+    public record WebEidAuthTokenValidation(
+        @NotBlank String localOrigin,
+        String siteCertHash,
+        @NotBlank String trustStorePassword,
+        @DefaultValue("5s") Duration ocspRequestTimeout,
+        @NotNull Boolean useDigiDoc4jProdConfiguration) {
+    }
+}

example/src/main/java/eu/webeid/example/config/WebEidMobileProperties.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.config;
+
+import jakarta.validation.constraints.NotBlank;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.validation.annotation.Validated;
+
+@Validated
+@ConfigurationProperties(prefix = "web-eid-mobile")
+public record WebEidMobileProperties(
+    @NotBlank String baseRequestUri,
+    boolean requestSigningCert) {
+}

example/src/main/java/eu/webeid/example/config/YAMLConfig.java

@@ -22,7 +22,9 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.certificate.CertificateData;
+import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
@@ -36,21 +38,21 @@
 public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken implements Authentication {
 
     private final String idCode;
+    private final transient String signingCertificate;
+    private final transient List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms;
 
-    public static Authentication fromCertificate(X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
-        final String principalName = getPrincipalNameFromCertificate(userCertificate);
-        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
-                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
-        return new WebEidAuthentication(principalName, idCode, authorities);
-    }
-
-    public String getIdCode() {
-        return idCode;
-    }
-
-    private WebEidAuthentication(String principalName, String idCode, List<GrantedAuthority> authorities) {
+    private WebEidAuthentication(String principalName, String idCode, String signingCertificate, List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) {
         super(principalName, idCode, authorities);
         this.idCode = idCode;
+        this.signingCertificate = signingCertificate;
+        this.supportedSignatureAlgorithms = supportedSignatureAlgorithms;
+    }
+
+    public static Authentication fromCertificate(X509Certificate userCertificate, @Nullable String signingCertificate, @Nullable List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) throws CertificateEncodingException {
+        final String principalName = getPrincipalNameFromCertificate(userCertificate);
+        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
+            .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
+        return new WebEidAuthentication(principalName, idCode, signingCertificate, supportedSignatureAlgorithms, authorities);
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
@@ -62,10 +64,22 @@ private static String getPrincipalNameFromCertificate(X509Certificate userCertif
         } else {
             // Organization certificates do not have given name and surname fields.
             return CertificateData.getSubjectCN(userCertificate)
-                    .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
+                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
         }
     }
 
+    public String getIdCode() {
+        return idCode;
+    }
+
+    public String getSigningCertificate() {
+        return signingCertificate;
+    }
+
+    public List<SupportedSignatureAlgorithm> getSupportedSignatureAlgorithms() {
+        return supportedSignatureAlgorithms;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (!super.equals(o)) return false;

example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java

@@ -22,6 +22,8 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.example.config.WebEidMobileProperties;
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.challenge.ChallengeNonceStore;
 import eu.webeid.security.exceptions.AuthTokenException;
@@ -41,6 +43,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 
 /**
  * Parses JWT from token string inside AuthTokenDTO and attempts authentication.
@@ -54,10 +57,12 @@ public class WebEidAuthenticationProvider implements AuthenticationProvider {
 
     private final AuthTokenValidator tokenValidator;
     private final ChallengeNonceStore challengeNonceStore;
+    private final WebEidMobileProperties webEidMobileProperties;
 
-    public WebEidAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore) {
+    public WebEidAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore, WebEidMobileProperties webEidMobileProperties) {
         this.tokenValidator = tokenValidator;
         this.challengeNonceStore = challengeNonceStore;
+        this.webEidMobileProperties = webEidMobileProperties;
     }
 
     @Override
@@ -72,7 +77,19 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
-            return WebEidAuthentication.fromCertificate(userCertificate, authorities);
+            final String signingCertificate = Optional.ofNullable(authToken)
+                .map(WebEidAuthToken::getUnverifiedSigningCertificate)
+                .orElse(null);
+            final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = Optional.ofNullable(authToken)
+                .map(WebEidAuthToken::getSupportedSignatureAlgorithms)
+                .orElse(null);
+
+            if (webEidMobileProperties.requestSigningCert()) {
+                LOG.info("request-signing-cert=true -> Skipping signing certificate in authentication (demo mode)");
+                return WebEidAuthentication.fromCertificate(userCertificate, null, null, authorities);
+            }
+
+            return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, supportedSignatureAlgorithms, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);
         } catch (CertificateEncodingException e) {