Merge pull request #11 from MobileID-Strong-Authentication/dev-validate-sign-rsp

Introduced get-mid-sn operation, exposed getMIDSerialNumber method

Author: thomas4v

docs/use-the-client-programmatically.md

@@ -141,6 +141,38 @@ receiptRequest.addReceiptRequestExtension();
 ReceiptResponse receiptResponse = client.requestSyncReceipt(signatureResponse.getTracking(), receiptRequest);
 System.out.println(receiptResponse.toString());
 ```
+In order to obtain Mobile ID serial number for particular MSISDN one could do as it follows:
+```java
+SignatureRequest request = new SignatureRequest();
+request.setUserLanguage(UserLanguage.ENGLISH);
+request.getDataToBeSigned().setData("Test: Do you want to login?");
+request.getMobileUser().setMsisdn("41790000000");
+request.setSignatureProfile(SignatureProfiles.DEFAULT_PROFILE);
+
+SignatureResponse response = client.requestAsyncSignature(request);
+
+// poll for signature status
+while (response.getStatus().getStatusCode() == StatusCode.REQUEST_OK ||
+    response.getStatus().getStatusCode() == StatusCode.OUTSTANDING_TRANSACTION) {
+    Thread.sleep(5000);
+    System.out.println("Pending: " + response);
+    response = client.pollForSignatureStatus(response.getTracking());
+}
+System.out.println(response.toString());
+
+if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
+    // create validation configuration
+    SignatureValidationConfiguration svConfig = new SignatureValidationConfiguration();
+    svConfig.setTrustStoreFile(properties.getProperty("client.signatureValidation.trustStore.file"));
+    svConfig.setTrustStoreType(properties.getProperty("client.signatureValidation.trustStore.type"));
+    svConfig.setTrustStorePassword(getThisOrNull(properties.getProperty("client.signatureValidation.trustStore.password")));
+    
+    SignatureValidator validator = new SignatureValidatorImpl(svConfig);
+    // invoke getMIDSerialNumber method
+    String midSN = validator.getMIDSerialNumber(response.getBase64Signature(), null);
+    System.out.println("Received Mobile ID serial number=[" + midSN + "]");
+}
+```
 
 ## Custom AP ID and AP password per request
 

docs/use-the-client-via-cli.md

@@ -31,12 +31,17 @@ Arguments:
     -sign                                               - Request a digital signature to the target MSISDN. Arguments such as -lang, -dtbs
                                                           can customize what is displayed to the user and what is the signed content.
                                                           Cannot be used together with -profile-query
+                                                          
+    -get-mid-sn                                         - Request to receive Mobile ID serial number for specified MSISDN from digital signature
+                                                          Cannot be used together with -profile-query or -sign
 
     -sync                                               - For sign operation. Run the signature in synchronous mode (default is async)
 
     -async                                              - For sign operation. Run the signature in asynchronous (polling) mode (this is the default)
 
     -receipt                                            - For sign operation. Send a receipt after the signature is acquired successfully
+    
+    -geofencing                                         - For sign operation. Request additional geofencing data
 
     -validate                                           - For sign operation. Validate the signature once it is successfully acquired
 
@@ -75,10 +80,12 @@ Use cases:
     - ./bin/mid-client.sh -sign -sync -receipt -msisdn=41790000000 -lang=en -dtbs="Do you want to login?" -soap -vv
     - ./bin/mid-client.sh \
            -config=my-config.properties \
-           -sign -sync -receipt \
+           -sign -sync -receipt -geofencing \
            -msisdn=41790000000 \
            -lang=en -dtbs="Do you want to login?" \
            -soap -vv
+    - ./bin/mid-client.sh -get-mid-sn -msisdn=41790000000 -rest
+
 ```
 
 Use the _-init_ parameter to create a set of initial configuration files in the local directory. This files can then be customized/replaced
@@ -105,14 +112,19 @@ Get the same profile information using a particular configuration file and the S
 
 Request a digital signature to a particular phone number (MSISDN), in sync mode:
 ```shell
-./bin/mid-client.sh -sign -msisdn=41790000000 -lang=en -dtbs "Do you want to login?" -sync  
+./bin/mid-client.sh -sign -msisdn=41790000000 -geofencing -lang=en -dtbs "Do you want to login?" -sync  
 ```
 
 Request a digital signature to a particular phone number (MSISDN), in async mode (this is the default mode) and with signature receipt:
 ```shell
 ./bin/mid-client.sh -sign -msisdn=41790000000 -lang=en -dtbs "Do you want to login?" -receipt -req-timeout 120  
 ```
 
+Request a Mobile ID Serial number based on particular phone number (MSISDN), in async mode:
+```shell
+./bin/mid-client.sh -get-mid-sn -msisdn=41790000000 -rest
+```
+
 Note: when working with arguments that have values (such as _-msisdn_) you can pass the value either as the next argument:
 ```shell
 ./bin/mid-client.sh -sign -msisdn 41790000000

docs/version-history.md

@@ -1,5 +1,15 @@
 # Version history
 
+# v1.5.5
+Add support for sslContext configuration for mid-java-client-rest via sslContext property in TlsConfiguration instance.
+Introduced "geofencing" parameter to be used with SignatureRequest via cli. The change ensures geofencing data is returned 
+only when the geofencing parameter in the cli is explicitly set.
+Introduced get-mid-sn query/param for cli interface to retrieve Mobile ID serial number, exposed getMIDSerialNumber method 
+via SignatureValidator interface for programmatically retrieving mentioned property.
+
+# v1.5.4
+Update the httpclient5 to the latest version 5.2.1
+
 # v1.5.3
 Add support for sslContext configuration for mid-java-client-soap via sslContext property in TlsConfiguration instance. 
 

mid-java-client-core/src/main/java/ch/swisscom/mid/client/SignatureValidator.java

@@ -31,4 +31,11 @@ public interface SignatureValidator {
      */
     SignatureValidationResult validateSignature(String base64SignatureContent, String requestedDtbs, Traceable trace);
 
+    /**
+     * Retrieves mobile id serial number from Signature Response base64 SignatureContent element
+     *
+     * @param base64SignatureContent the Base64 encoded digital signature data from signature response
+     * @return mobile id serial number extracted from digital signature data from signature response
+     */
+    String getMIDSerialNumber(String base64SignatureContent, Traceable trace);
 }

mid-java-client-core/src/main/java/ch/swisscom/mid/client/impl/SignatureValidatorImpl.java

@@ -1,5 +1,11 @@
 package ch.swisscom.mid.client.impl;
 
+import ch.swisscom.mid.client.SignatureValidator;
+import ch.swisscom.mid.client.config.ConfigurationException;
+import ch.swisscom.mid.client.config.SignatureValidationConfiguration;
+import ch.swisscom.mid.client.model.SignatureValidationFailureReason;
+import ch.swisscom.mid.client.model.SignatureValidationResult;
+import ch.swisscom.mid.client.model.Traceable;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cms.CMSException;
@@ -18,27 +24,14 @@
 import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
 import java.security.Security;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.PKIXParameters;
-import java.security.cert.X509Certificate;
+import java.security.cert.*;
 import java.util.Base64;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import ch.swisscom.mid.client.SignatureValidator;
-import ch.swisscom.mid.client.config.ConfigurationException;
-import ch.swisscom.mid.client.config.SignatureValidationConfiguration;
-import ch.swisscom.mid.client.model.SignatureValidationFailureReason;
-import ch.swisscom.mid.client.model.SignatureValidationResult;
-import ch.swisscom.mid.client.model.Traceable;
-
-import static ch.swisscom.mid.client.utils.Utils.assertNotEmpty;
-import static ch.swisscom.mid.client.utils.Utils.printTrace;
+import static ch.swisscom.mid.client.utils.Utils.*;
 
 /**
  * Default implementation of {@link SignatureValidator}.
@@ -67,6 +60,7 @@ public SignatureValidationResult validateSignature(String base64SignatureContent
         assertNotEmpty(requestedDtbs, "The requestedDtbs parameter cannot be NULL" + printTrace(trace));
 
         SignatureValidationResult result = new SignatureValidationResult();
+        // 4 criteria to be met in parallel to mark digital signature as valid
         result.setSignatureValid(false);
         result.setSignerCertificateValid(false);
         result.setSignerCertificatePathValid(false);
@@ -107,7 +101,7 @@ public SignatureValidationResult validateSignature(String base64SignatureContent
         }
 
         // extract data from the signature
-        result.setMobileIdSerialNumber(getMIDSerialNumber(signerCert));
+        result.setMobileIdSerialNumber(extractMIDSerialNumber(signerCert));
         result.setSignedDtbs(getSignedDtbs(cmsSignedData));
 
         // check that the certificate is valid. It is if the current date and time are within the validity period
@@ -166,16 +160,48 @@ public SignatureValidationResult validateSignature(String base64SignatureContent
         return result;
     }
 
+    @Override
+    public String getMIDSerialNumber(String base64SignatureContent, Traceable trace) {
+        assertNotEmpty(base64SignatureContent, "The base64SignatureContent parameter cannot be NULL" + printTrace(trace));
+        CMSSignedData cmsSignedData;
+        X509Certificate signerCert = null;
+        List<X509Certificate> signerCertChain;
+        SignerInformation signerInfo;
+        try {
+            final JcaX509CertificateConverter x509CertificateConverter = new JcaX509CertificateConverter();
+            cmsSignedData = new CMSSignedData(Base64.getDecoder().decode(base64SignatureContent));
+
+            // Find the signer certificate and the entire certificate chain from the CMS content
+            final SignerInformationStore signerInfoStore = cmsSignedData.getSignerInfos();
+            signerInfo = signerInfoStore.getSigners().iterator().next();
+            signerCertChain = new LinkedList<>();
+
+            for (final X509CertificateHolder currentCertHolder : cmsSignedData.getCertificates().getMatches(null)) {
+                X509Certificate currentCert = x509CertificateConverter.getCertificate(currentCertHolder);
+                signerCertChain.add(currentCert);
+                if (signerInfo.getSID().match(currentCertHolder)) {
+                    signerCert = currentCert;
+                }
+            }
+        } catch (Exception e) {
+            log.warn("Failed to extract the signing certificate from the Base64 CMS content{}", printTrace(trace), e);
+            return null;
+        }
+        return extractMIDSerialNumber(signerCert);
+
+    }
+
     // ----------------------------------------------------------------------------------------------------
 
     private static final Pattern SERIAL_NUMBER_PATTERN = Pattern.compile(".*SERIALNUMBER=(.{16}).*");
 
     /**
-     * Get the user's unique Mobile ID SerialNumber from the signer certificate's SubjectDN
+     * Get the user's unique Mobile ID serial number from the signer certificate's SubjectDN
      *
      * @return the user's unique Mobile ID serial number.
      */
-    private String getMIDSerialNumber(X509Certificate signerCert) {
+    private String extractMIDSerialNumber(X509Certificate signerCert) {
+        assertNotNull(signerCert, "The signerCert param for Mobile ID serial number extraction cannot be NULL");
         Matcher matcher = SERIAL_NUMBER_PATTERN.matcher(signerCert.getSubjectX500Principal().toString().toUpperCase());
         if (matcher.find()) {
             return matcher.group(1);