Example 1 with MultiReadHttpServletRequest
use of com.forgerock.openbanking.aspsp.rs.filter.MultiReadHttpServletRequest in project openbanking-aspsp by OpenBankingToolkit.
the class DetachedJwsVerifier method verifyDetachedJws.
public void verifyDetachedJws(String detachedJws, OBVersion obVersion, HttpServletRequest request, String oauth2ClientId) throws OBErrorException {
if (StringUtils.isEmpty(detachedJws)) {
log.warn("Detached signature not provided");
throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "Not provided");
}
try {
MultiReadHttpServletRequest multiReadRequest = new MultiReadHttpServletRequest(request);
String body = multiReadRequest.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
log.debug("Verify detached signature {} with payload {}", detachedJws, body);
// obVersion is only set from 3.1.3 onwards
if ((obVersion == null || obVersion.isBeforeVersion(v3_1_4)) && isBase64Encoded(detachedJws)) {
log.warn("Invalid detached signature {}, {}", detachedJws, "b64 claim header not set to false in version: " + obVersion);
throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "b64 claim header not set to false");
}
if (obVersion != null && obVersion.isAfterVersion(v3_1_3) && isB64ClaimHeaderPresent(detachedJws)) {
log.warn("Invalid detached signature {}, {}", detachedJws, "b64 claim header must not be present in version: " + obVersion);
throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "b64 claim header must not be present");
}
Tpp tpp = tppStoreService.findByClientId(oauth2ClientId).get();
DirectorySoftwareStatement softwareStatement = tpp.getDirectorySoftwareStatement();
String orgId = softwareStatement.getOrg_id();
String softwareId = softwareStatement.getSoftware_id();
String expectedIssuer = orgId + "/" + softwareId;
if (tpp.getRegistrationResponse().getJwks() != null) {
cryptoApiClient.validateDetachedJWSWithJWK(detachedJws, body, null, expectedIssuer, tpp.getRegistrationResponse().getJwks().getKeys().get(0));
} else {
cryptoApiClient.validateDetachedJWS(detachedJws, body, null, expectedIssuer, tpp.getRegistrationResponse().getJwks_uri());
}
} catch (InvalidTokenException e) {
log.warn("Invalid detached signature {}", detachedJws, e);
throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, e.getMessage());
} catch (IOException e) {
log.error("Can't get the request body", e);
throw new OBErrorException(OBRIErrorType.DETACHED_JWS_UN_ACCESSIBLE);
} catch (ParseException e) {
log.error("Can't parse JWS", e);
throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, e.getMessage());
}
}
Also used :
InvalidTokenException(com.forgerock.openbanking.jwt.exceptions.InvalidTokenException)
MultiReadHttpServletRequest(com.forgerock.openbanking.aspsp.rs.filter.MultiReadHttpServletRequest)
Tpp(com.forgerock.openbanking.model.Tpp)
DirectorySoftwareStatement(com.forgerock.openbanking.model.DirectorySoftwareStatement)
OBErrorException(com.forgerock.openbanking.exceptions.OBErrorException)
IOException(java.io.IOException)
ParseException(java.text.ParseException)
Aggregations
MultiReadHttpServletRequest (com.forgerock.openbanking.aspsp.rs.filter.MultiReadHttpServletRequest)1
OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException)1
InvalidTokenException (com.forgerock.openbanking.jwt.exceptions.InvalidTokenException)1
DirectorySoftwareStatement (com.forgerock.openbanking.model.DirectorySoftwareStatement)1
Tpp (com.forgerock.openbanking.model.Tpp)1
IOException (java.io.IOException)1
ParseException (java.text.ParseException)1
