Issue-1 - Signature response validation

Small updates in the documentation.
Add support for signature validation in the CLI mode

Author: Bogdan Mocanu

.gitignore

@@ -15,7 +15,7 @@ mobileid-client-samples/src/main/java/ch/swisscom/mid/client/samples/TestSoap.ja
 local-*.*
 api-docs
 
-# Local files that might be creating during testing
+# Local files that might be created during testing
 /truststore.jks
 /keystore.jks
 /config.properties

docs/configure-the-client.md

@@ -45,6 +45,14 @@ client.proxy.username=
 # The optional password to use during proxy authentication
 client.proxy.password=
 
+# ---
+# The Java truststore file with the CA certificates used for validating the signer's certificate path
+client.signatureValidation.trustStore.file=signature-validation-truststore.jks
+# The type of the truststore
+client.signatureValidation.trustStore.type=jks
+# The password that protects the truststore (optional)
+client.signatureValidation.trustStore.password=secret
+
 # --
 # The Java truststore file with the server certificates (e.g. CA certificates) to trust
 server.trustStore.file=truststore.jks

docs/use-the-client-via-cli.md

@@ -38,6 +38,8 @@ Arguments:
 
     -receipt                                            - For sign operation. Send a receipt after the signature is acquired successfully
 
+    -validate                                           - For sign operation. Validate the signature once it is successfully acquired
+
     -msisdn=41790000000                                 - The target MSISDN for the chosen operation
 
     -lang=en|de|it|fr                                   - The language to use during the talk with the mobile user. Choose from "en", "de", "it", "fr"

docs/validate-signatures.md

@@ -1,5 +1,7 @@
 # Validate signature after a successful authentication/authorization process
 
+## In code
+
 After successfully performing a mobile signature process, it is a good idea to validate the obtained signature, to ensure it is correct from the 
 following point of views:
 * the signing certificate (user certificate) is still valid
@@ -40,7 +42,7 @@ if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
 
     // now, with the config, let's create the signature validator and use it
     SignatureValidator validator = new SignatureValidatorImpl(svConfig);
-    SignatureValidationResult result = validator.validateSignature(response.getBase64Signature(), request.getDataToBeSigned(), null);
+    SignatureValidationResult result = validator.validateSignature(response.getBase64Signature(), request.getDataToBeSigned().getData(), null);
 
     if (result.isValidationSuccessful()) {
         // all is good, the signature is perfectly valid
@@ -50,7 +52,7 @@ if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
 
     } else {
         // something failed
-        System.out.println("Signature validation failure = " + result.getValidationFailureReason());
+        System.out.println("Validation failure reason = " + result.getValidationFailureReason());
         System.out.println("Signing certificate path validation = " + result.isSignerCertificatePathValid());
         System.out.println("Signing certificate validation = " + result.isSignerCertificateValid());
         System.out.println("Signature validation = " + result.isSignatureValid());
@@ -62,3 +64,22 @@ if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
 
 }
 ```
+
+## In CLI mode
+
+If you are using the Mobile ID Client in CLI mode, you can use the "-validate" flag to ask the client to validate the signature once it is 
+successfully acquired. 
+
+First you need to configure the signature validation truststore in your "config.properties" file:
+
+```properties
+client.signatureValidation.trustStore.file=signature-validation-truststore.jks
+client.signatureValidation.trustStore.type=jks
+client.signatureValidation.trustStore.password=secret
+```
+
+Then request a digital signature and ask for the validation of it at the end:
+
+```shell
+./bin/mid-client.sh -sign -msisdn=41790000000 -lang=en -dtbs "Do you want to login?" -validate  
+```

mid-java-client-core/src/main/java/ch/swisscom/mid/client/utils/Utils.java

@@ -107,6 +107,13 @@ public static String joinListOfStrings(List<String> theList, String separator) {
         return String.join(separator, theList);
     }
 
+    public static String getThisOrNull(String value) {
+        if (value == null || value.trim().length() == 0) {
+            return null;
+        }
+        return value;
+    }
+
     public static void assertNotNull(Object object, String messageForException) {
         if (object == null) {
             throw new IllegalArgumentException(messageForException);

mid-java-client-usage/src/main/java/ch/swisscom/mid/client/cli/Cli.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 
+import org.apache.commons.codec.binary.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -14,17 +15,15 @@
 import ch.qos.logback.classic.LoggerContext;
 import ch.swisscom.mid.client.MIDClient;
 import ch.swisscom.mid.client.MIDClientException;
-import ch.swisscom.mid.client.config.ClientConfiguration;
-import ch.swisscom.mid.client.config.DefaultConfiguration;
-import ch.swisscom.mid.client.config.HttpConfiguration;
-import ch.swisscom.mid.client.config.ProxyConfiguration;
-import ch.swisscom.mid.client.config.TlsConfiguration;
-import ch.swisscom.mid.client.config.UrlsConfiguration;
+import ch.swisscom.mid.client.SignatureValidator;
+import ch.swisscom.mid.client.config.*;
 import ch.swisscom.mid.client.impl.Loggers;
 import ch.swisscom.mid.client.impl.MIDClientImpl;
+import ch.swisscom.mid.client.impl.SignatureValidatorImpl;
 import ch.swisscom.mid.client.model.*;
 
 import static ch.swisscom.mid.client.samples.Utils.prettyPrintTheException;
+import static ch.swisscom.mid.client.utils.Utils.getThisOrNull;
 
 /**
  * Command line interface for the Mobile ID client. Allows the running of the MID Client from the command line, with most of
@@ -55,6 +54,7 @@ public class Cli {
     private static final String PARAM_REQUEST_TIMEOUT = "req-timeout";
     private static final String PARAM_REST = "rest";
     private static final String PARAM_SOAP = "soap";
+    private static final String PARAM_VALIDATE_SIGNATURE = "validate";
     private static final String PARAM_HELP = "help";
 
     private static final String PARAM_VERBOSE1 = "v";
@@ -83,6 +83,7 @@ public class Cli {
     private static final String receiptDtbd = "Login completed successfully";
     private static boolean syncSignature = false;
     private static boolean sendReceipt = false;
+    private static boolean validateSignature = false;
     private static String interfaceType;
     private static int verboseLevel;
 
@@ -183,17 +184,48 @@ public static void main(String[] args) {
                 }
                 System.out.println(response.toString());
 
-                if (sendReceipt && response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
-                    ReceiptRequest receiptRequest = new ReceiptRequest();
-                    receiptRequest.setStatusCode(StatusCode.REQUEST_OK);
-                    receiptRequest.getMessageToBeDisplayed().setData(receiptDtbd);
-                    receiptRequest.getRequestExtension().getReceiptProfile().setLanguage(lang);
-                    receiptRequest.setTrafficObserver(prettyPrinterTrafficObserver);
-
-                    ReceiptResponse receiptResponse = midClient.requestSyncReceipt(response.getTracking(), receiptRequest);
-                    finalResult = "Receipt response:\n" + jacksonMapper.writerWithDefaultPrettyPrinter().writeValueAsString(receiptResponse);
-                } else {
-                    finalResult = "Signature response:\n" + jacksonMapper.writerWithDefaultPrettyPrinter().writeValueAsString(response);
+                if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
+                    boolean signatureIsValid = false;
+                    if (validateSignature) {
+                        SignatureValidationConfiguration svConfig = new SignatureValidationConfiguration();
+                        svConfig.setTrustStoreFile(properties.getProperty("client.signatureValidation.trustStore.file"));
+                        svConfig.setTrustStoreType(properties.getProperty("client.signatureValidation.trustStore.type"));
+                        svConfig.setTrustStorePassword(getThisOrNull(properties.getProperty("client.signatureValidation.trustStore.password")));
+
+                        SignatureValidator validator = new SignatureValidatorImpl(svConfig);
+                        SignatureValidationResult result =
+                            validator.validateSignature(response.getBase64Signature(), request.getDataToBeSigned().getData(), null);
+                        if (result.isValidationSuccessful()) {
+                            signatureIsValid = true;
+                            System.out.println("Signature is valid!");
+                            System.out.println("Mobile ID serial number = " + result.getMobileIdSerialNumber());
+                            System.out.println("Signed DTBS = " + result.getSignedDtbs());
+                        } else {
+                            // something failed
+                            System.out.println("Validation failure reason = " + result.getValidationFailureReason());
+                            System.out.println("Signing certificate path validation = " + result.isSignerCertificatePathValid());
+                            System.out.println("Signing certificate validation = " + result.isSignerCertificateValid());
+                            System.out.println("Signature validation = " + result.isSignatureValid());
+                            System.out.println("DTBS matching = " + result.isDtbsMatching());
+                            if (result.getValidationException() != null) {
+                                result.getValidationException().printStackTrace();
+                            }
+                        }
+                    }
+                    if (sendReceipt) {
+                        if (!validateSignature || signatureIsValid) {
+                            ReceiptRequest receiptRequest = new ReceiptRequest();
+                            receiptRequest.setStatusCode(StatusCode.REQUEST_OK);
+                            receiptRequest.getMessageToBeDisplayed().setData(receiptDtbd);
+                            receiptRequest.getRequestExtension().getReceiptProfile().setLanguage(lang);
+                            receiptRequest.setTrafficObserver(prettyPrinterTrafficObserver);
+
+                            ReceiptResponse receiptResponse = midClient.requestSyncReceipt(response.getTracking(), receiptRequest);
+                            finalResult = "Receipt response:\n" + jacksonMapper.writerWithDefaultPrettyPrinter().writeValueAsString(receiptResponse);
+                        } else {
+                            System.out.println("Signature was NOT valid so sending receipt was skipped");
+                        }
+                    }
                 }
             }
         } catch (Exception e) {
@@ -318,6 +350,10 @@ private static void parseArguments(String[] args) {
                     sendReceipt = true;
                     break;
                 }
+                case PARAM_VALIDATE_SIGNATURE: {
+                    validateSignature = true;
+                    break;
+                }
                 case PARAM_MSISDN: {
                     if (argValue == null) {
                         if (argIndex + 1 < args.length) {
@@ -410,7 +446,8 @@ private static void runInit() {
         String[][] configPairs = new String[][]{
             new String[]{"/cli-files/config-sample.properties", "config.properties"},
             new String[]{"/cli-files/keystore.jks", "keystore.jks"},
-            new String[]{"/cli-files/truststore.jks", "truststore.jks"}
+            new String[]{"/cli-files/truststore.jks", "truststore.jks"},
+            new String[]{"/cli-files/signature-validation-truststore.jks", "signature-validation-truststore.jks"}
         };
         for (String[] configPair : configPairs) {
             String inputFile = configPair[0];

mid-java-client-usage/src/main/resources/cli-files/config-sample.properties

@@ -15,6 +15,10 @@ client.proxy.port=
 client.proxy.username=
 client.proxy.password=
 # --
+client.signatureValidation.trustStore.file=signature-validation-truststore.jks
+client.signatureValidation.trustStore.type=jks
+client.signatureValidation.trustStore.password=secret
+# --
 server.trustStore.file=truststore.jks
 server.trustStore.password=secret
 server.hostnameVerification=true

mid-java-client-usage/src/main/resources/cli-files/signature-validation-truststore.jks

@@ -22,6 +22,8 @@ Arguments:
 
     -receipt                                            - For sign operation. Send a receipt after the signature is acquired successfully
 
+    -validate                                           - For sign operation. Validate the signature once it is successfully acquired
+
     -msisdn=41790000000                                 - The target MSISDN for the chosen operation
 
     -lang=en|de|it|fr                                   - The language to use during the talk with the mobile user. Choose from "en", "de", "it", "fr"