
Example 1 with MultiReadHttpServletRequest

Use of com.forgerock.openbanking.aspsp.rs.filter.MultiReadHttpServletRequest in the project openbanking-aspsp by OpenBankingToolkit.

From the class DetachedJwsVerifier, method verifyDetachedJws.

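/**
 * Verifies the detached JWS a TPP sent with this request against the raw request body.
 *
 * <p>The request is wrapped in a {@code MultiReadHttpServletRequest} so that the body can be
 * read here for verification and read again by downstream handlers. The version-specific
 * {@code b64} header rules are applied first, then the TPP's registered JWKS (or JWKS URI)
 * is used to validate the signature against the expected issuer {@code orgId/softwareId}.
 *
 * @param detachedJws     the detached JWS taken from the request header; must be non-empty
 * @param obVersion       the Open Banking API version of the request, or {@code null} for
 *                        versions before 3.1.3 where it is not set
 * @param request         the incoming request whose body is the JWS payload
 * @param oauth2ClientId  the OAuth2 client id used to look up the registered TPP
 * @throws OBErrorException with {@code DETACHED_JWS_INVALID} when the signature is missing,
 *         breaks the {@code b64} rules for the version, cannot be parsed, fails validation,
 *         no TPP is registered for the client id, or the registered JWKS holds no keys;
 *         with {@code DETACHED_JWS_UN_ACCESSIBLE} when the request body cannot be read
 */
public void verifyDetachedJws(String detachedJws, OBVersion obVersion, HttpServletRequest request, String oauth2ClientId) throws OBErrorException {
    if (StringUtils.isEmpty(detachedJws)) {
        log.warn("Detached signature not provided");
        throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "Not provided");
    }
    try {
        // Wrap the request so the body can be consumed here and still be available downstream.
        MultiReadHttpServletRequest multiReadRequest = new MultiReadHttpServletRequest(request);
        String body = multiReadRequest.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
        // NOTE(review): the full request body is written to the debug log; confirm this is
        // acceptable for the payloads these endpoints carry before enabling debug in production.
        log.debug("Verify detached signature {} with payload {}", detachedJws, body);
        // obVersion is only set from 3.1.3 onwards
        if ((obVersion == null || obVersion.isBeforeVersion(v3_1_4)) && isBase64Encoded(detachedJws)) {
            log.warn("Invalid detached signature {}, {}", detachedJws, "b64 claim header not set to false in version: " + obVersion);
            throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "b64 claim header not set to false");
        }
        if (obVersion != null && obVersion.isAfterVersion(v3_1_3) && isB64ClaimHeaderPresent(detachedJws)) {
            log.warn("Invalid detached signature {}, {}", detachedJws, "b64 claim header must not be present in version: " + obVersion);
            throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "b64 claim header must not be present");
        }
        // An unknown client id previously surfaced as an unchecked NoSuchElementException from
        // Optional.get(); report it as an invalid signature instead so the caller gets an OBErrorException.
        Tpp tpp = tppStoreService.findByClientId(oauth2ClientId)
                .orElseThrow(() -> {
                    log.warn("Invalid detached signature {}, no TPP registered for client id {}", detachedJws, oauth2ClientId);
                    return new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "TPP not found for client id " + oauth2ClientId);
                });
        DirectorySoftwareStatement softwareStatement = tpp.getDirectorySoftwareStatement();
        String orgId = softwareStatement.getOrg_id();
        String softwareId = softwareStatement.getSoftware_id();
        // The issuer the signature must carry is derived from the software statement, not from the request.
        String expectedIssuer = orgId + "/" + softwareId;
        if (tpp.getRegistrationResponse().getJwks() != null) {
            if (tpp.getRegistrationResponse().getJwks().getKeys() == null
                    || tpp.getRegistrationResponse().getJwks().getKeys().isEmpty()) {
                log.warn("Invalid detached signature {}, registered JWKS for client id {} contains no keys", detachedJws, oauth2ClientId);
                throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, "Registered JWKS contains no keys");
            }
            // Only the first registered key is used, as before — TODO confirm whether selection by kid is required
            // when a TPP registers more than one key.
            cryptoApiClient.validateDetachedJWSWithJWK(detachedJws, body, null, expectedIssuer, tpp.getRegistrationResponse().getJwks().getKeys().get(0));
        } else {
            // No inline JWKS registered: resolve keys through the registered JWKS URI.
            cryptoApiClient.validateDetachedJWS(detachedJws, body, null, expectedIssuer, tpp.getRegistrationResponse().getJwks_uri());
        }
    } catch (InvalidTokenException e) {
        log.warn("Invalid detached signature {}", detachedJws, e);
        throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, e.getMessage());
    } catch (IOException e) {
        log.error("Can't get the request body", e);
        throw new OBErrorException(OBRIErrorType.DETACHED_JWS_UN_ACCESSIBLE);
    } catch (ParseException e) {
        log.error("Can't parse JWS", e);
        throw new OBErrorException(OBRIErrorType.DETACHED_JWS_INVALID, detachedJws, e.getMessage());
    }
}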
