itext
diff --git a/‎csc/pom.xml‎
Lines changed: 67 additions & 0 deletions b/‎csc/pom.xml‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎csc/src/main/java/com/itextpdf/signingexamples/csc/LavercaCscSignature.java‎
Lines changed: 102 additions & 0 deletions b/‎csc/src/main/java/com/itextpdf/signingexamples/csc/LavercaCscSignature.java‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎csc/src/main/java/com/itextpdf/signingexamples/csc/digidentity/Authorization.java‎
Lines changed: 226 additions & 0 deletions b/‎csc/src/main/java/com/itextpdf/signingexamples/csc/digidentity/Authorization.java‎
Lines changed: 226 additions & 0 deletions
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<parent>
+<groupId>com.itextpdf.signingexamples</groupId>
+<artifactId>signing-examples-parent</artifactId>
+<version>9.0.0-SNAPSHOT</version>
+</parent>
+<artifactId>signing-examples-csc</artifactId>
+<packaging>bundle</packaging>
+<name>${project.groupId}/${project.artifactId}</name>
+<properties>
+<laverca-csc-client-version>1.2.0</laverca-csc-client-version>
+<maven.compiler.source>1.8</maven.compiler.source>
+<maven.compiler.target>1.8</maven.compiler.target>
+</properties>
+<dependencyManagement>
+<dependencies>
+<dependency>
+<groupId>fi.methics</groupId>
+<artifactId>laverca-csc-client</artifactId>
+<version>${laverca-csc-client-version}</version>
+</dependency>
+</dependencies>
+</dependencyManagement>
+<dependencies>
+<dependency>
+<groupId>com.itextpdf</groupId>
+<artifactId>forms</artifactId>
+</dependency>
+<dependency>
+<groupId>com.itextpdf</groupId>
+<artifactId>io</artifactId>
+</dependency>
+<dependency>
+<groupId>com.itextpdf</groupId>
+<artifactId>kernel</artifactId>
+</dependency>
+<dependency>
+<groupId>com.itextpdf</groupId>
+<artifactId>sign</artifactId>
+</dependency>
+<dependency>
+<groupId>fi.methics</groupId>
+<artifactId>laverca-csc-client</artifactId>
+</dependency>
+<dependency>
+<groupId>org.slf4j</groupId>
+<artifactId>slf4j-api</artifactId>
+</dependency>
+<dependency>
+<groupId>com.itextpdf</groupId>
+<artifactId>bouncy-castle-adapter</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter-api</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.junit.jupiter</groupId>
+<artifactId>junit-jupiter-engine</artifactId>
+<scope>test</scope>
+</dependency>
+</dependencies>
+</project>
@@ -0,0 +1,102 @@
+package com.itextpdf.signingexamples.csc;
+
+import java.io.ByteArrayInputStream;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.util.Collections;
+import java.util.List;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.kernel.crypto.DigestAlgorithms;
+import com.itextpdf.kernel.xmp.impl.Base64;
+import com.itextpdf.signatures.BouncyCastleDigest;
+import com.itextpdf.signatures.IExternalSignature;
+import com.itextpdf.signatures.ISignatureMechanismParams;
+import com.itextpdf.signatures.SignatureMechanisms;
+
+import fi.methics.laverca.csc.CscClient;
+import fi.methics.laverca.csc.json.credentials.CscCredentialsAuthorizeResp;
+import fi.methics.laverca.csc.json.credentials.CscCredentialsInfoResp;
+import fi.methics.laverca.csc.json.signatures.CscSignHashResp;
+
+/**
+ * @author mkl
+ */
+public class LavercaCscSignature implements IExternalSignature {
+ /** The Laverca CSC client. */
+ final CscClient client;
+
+ /** The Laverca CSC client. */
+ final String credentialID;
+
+ /** The certificate chain. */
+ Certificate[] chain;
+
+ /** The signature algorithm OID. */
+ String algorithmOid;
+
+ public LavercaCscSignature(CscClient client, String credentialID, String algorithm) throws GeneralSecurityException {
+ this.client = client;
+ this.credentialID = credentialID;
+
+ CscCredentialsInfoResp credentialInfo = client.getCredentialInfo(credentialID);
+
+ List<String> certificateStrings = credentialInfo.cert.certificates;
+ chain = new Certificate[certificateStrings.size()];
+ CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
+ for (int i = 0; i < certificateStrings.size(); i++) {
+ String certificateString = certificateStrings.get(i);
+ byte[] certificateBytes = Base64.decode(certificateString.getBytes());
+ chain[i] = certificateFactory.generateCertificate(new ByteArrayInputStream(certificateBytes));
+ }
+
+ IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
+ String algorithmOid = BOUNCY_CASTLE_FACTORY.getAlgorithmOid(algorithm);
+ if (algorithmOid == null)
+ algorithmOid = algorithm;
+ if (credentialInfo.key.algo.contains(algorithmOid))
+ this.algorithmOid = algorithmOid;
+ }
+
+ @Override
+ public String getDigestAlgorithmName() {
+ return DigestAlgorithms.getDigest(algorithmOid);
+ }
+
+ @Override
+ public String getSignatureAlgorithmName() {
+ return SignatureMechanisms.getAlgorithm(algorithmOid);
+ }
+
+ @Override
+ public ISignatureMechanismParams getSignatureMechanismParameters() {
+ // TODO Add RSASSA-PSS support
+ return null;
+ }
+
+ @Override
+ public byte[] sign(byte[] message) throws GeneralSecurityException {
+ MessageDigest messageDigest = new BouncyCastleDigest().getMessageDigest(getDigestAlgorithmName());
+ byte[] hash = messageDigest.digest(message);
+ String base64Hash = new String(Base64.encode(hash));
+
+ CscCredentialsInfoResp credentialInfo = client.getCredentialInfo(credentialID);
+ CscCredentialsAuthorizeResp authorize = null;
+ if (credentialInfo.isScal2()) {
+ authorize = client.authorize(credentialID, Collections.singletonList(base64Hash));
+ } else {
+ authorize = client.authorize(credentialID);
+ }
+
+ CscSignHashResp signhash = client.signHash(credentialID, authorize, Collections.singletonList(base64Hash), algorithmOid, null);
+
+ return Base64.decode(signhash.signatures.get(0).getBytes());
+ }
+
+ public Certificate[] getChain() {
+ return chain;
+ }
+}
@@ -0,0 +1,226 @@
+package com.itextpdf.signingexamples.csc.digidentity;
+
+import java.io.IOException;
+import java.lang.reflect.Field;
+
+import com.google.gson.annotations.SerializedName;
+
+import fi.methics.laverca.csc.CscClient;
+import fi.methics.laverca.csc.json.CscErrorResp;
+import fi.methics.laverca.csc.json.GsonMessage;
+import okhttp3.Credentials;
+import okhttp3.MultipartBody;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+
+/**
+ * This class implements Authorization for Digidentity Signing via
+ * their CSC API implementation. It employs their QR code based method
+ * to not depend on the availability of callback routing.
+ */
+public class Authorization {
+ //
+ // Constructors
+ //
+ public Authorization() {
+ this(new OkHttpClient());
+ }
+
+ public Authorization(OkHttpClient okHttpClient) {
+ this.okHttpClient = okHttpClient;
+ }
+
+ //
+ // Credentials
+ //
+ public Authorization withScope(String scope) {
+ this.scope = scope;
+ return this;
+ }
+
+ public Authorization withClient(String client) {
+ this.client = client;
+ return this;
+ }
+
+ public Authorization withSecret(String secret) {
+ this.secret = secret;
+ return this;
+ }
+
+ //
+ // QR code URL retrieval
+ //
+ public String retrieveQrCodeUri() throws IOException {
+ return retrieveQrCodeUri(OAUTH2_AUTHORIZE_URL);
+ }
+
+ public String retrieveQrCodeUri(String oAuth2AuthorizeUrl) throws IOException {
+ Request request = new Request.Builder()
+ .url(oAuth2AuthorizeUrl + "?client_id=" + client + "&scope=" + scope + "&response_type=code")
+ .method("GET", null)
+ .build();
+ Response response = okHttpClient.newCall(request).execute();
+
+ QrCodeUriResp qrCodeUriResp = QrCodeUriResp.fromResponse(response, QrCodeUriResp.class);
+
+ if (qrCodeUriResp.data == null)
+ throw new IOException("OAUTH2 AUTHORIZE Response: Missing or malformed data element");
+ if (qrCodeUriResp.data.id == null)
+ throw new IOException("OAUTH2 AUTHORIZE Response: Missing or malformed data.id element");
+ if (!"passwordless_login_session".equals(qrCodeUriResp.data.type))
+ throw new IOException("OAUTH2 AUTHORIZE Response: Missing or unexpected data.type element: " + qrCodeUriResp.data.type);
+ if (qrCodeUriResp.data.attributes == null)
+ throw new IOException("OAUTH2 AUTHORIZE Response: Missing or malformed data.attributes element");
+ if (!"qr_code".equals(qrCodeUriResp.data.attributes.type))
+ throw new IOException("OAUTH2 AUTHORIZE Response: Missing or unexpected data.attributes.type element: " + qrCodeUriResp.data.attributes.type);
+ if (qrCodeUriResp.data.attributes.qr_code_uri == null)
+ throw new IOException("OAUTH2 AUTHORIZE Response: Missing or malformed data.attributes.qr_code_uri element");
+
+ authorizationCode = qrCodeUriResp.data.id;
+ return qrCodeUriResp.data.attributes.qr_code_uri;
+ }
+
+ //
+ // Polling for the Digidentity authorization token
+ //
+ public void pollAuthorization(long pollInterval) throws IOException {
+ pollAuthorization(OAUTH2_TOKEN_URL, pollInterval);
+ }
+
+ public void pollAuthorization(String oauth2TokenUrl, long pollInterval) throws IOException {
+ if (pollInterval < 0)
+ pollInterval = 5000;
+
+ for (;;) {
+ try {
+ Thread.sleep(pollInterval);
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ }
+
+ RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
+ .addFormDataPart("code", authorizationCode)
+ .addFormDataPart("grant_type", "authorization_code")
+ .build();
+ Request request = new Request.Builder()
+ .url(oauth2TokenUrl)
+ .method("POST", body)
+ .addHeader("Authorization", Credentials.basic(client, secret))
+ .build();
+ Response response = okHttpClient.newCall(request).execute();
+
+ if (response.code() == 200) {
+ TokenResp digidentityToken = TokenResp.fromResponse(response, TokenResp.class);
+ accessToken = digidentityToken.access_token;
+ refreshToken = digidentityToken.refresh_token;
+ break;
+ }
+ if (response.code() == 400) {
+ CscErrorResp errorResp = CscErrorResp.fromResponse(response);
+ if ("session_not_found".equals(errorResp.error_description)) {
+ throw new IOException("OAUTH2 TOKEN Response: Session timeout OR non-existent session");
+ }
+ if (!"login_pending".equals(errorResp.error_description)) {
+ throw new IOException("OAUTH2 TOKEN Response: Unexpected error: " + errorResp.error_description);
+ }
+ } else {
+ throw new IOException("OAUTH2 TOKEN Response: Unexpected response: " + response);
+ }
+ }
+ }
+
+ //
+ // retrieve CSC token
+ //
+ public String retrieveCscToken() throws IOException {
+ return retrieveCscToken(DIGIDENTITY_API_BASE_URL);
+ }
+
+ public String retrieveCscToken(String digidentityApiBaseUrl) throws IOException {
+ RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
+ .addFormDataPart("access_token", accessToken)
+ .build();
+ Request request = new Request.Builder()
+ .url(digidentityApiBaseUrl + "/api/esign/tokens")
+ .method("POST", body)
+ .build();
+ Response response = okHttpClient.newCall(request).execute();
+
+ TokenResp tokenResp = TokenResp.fromResponse(response, TokenResp.class);
+ if (tokenResp.access_token == null)
+ throw new IOException("API ESIGN TOKENS Response: Missing token");
+
+ return tokenResp.access_token;
+ }
+
+ static void injectCscToken(CscClient cscClient, String accessToken) throws IllegalAccessException, NoSuchFieldException {
+ Field accessTokenField = CscClient.class.getDeclaredField("access_token");
+ accessTokenField.setAccessible(true);
+ accessTokenField.set(cscClient, accessToken);
+ }
+
+ //
+ // variables and constants
+ //
+ public final static String OAUTH2_AUTHORIZE_URL = "https://auth.digidentity-preproduction.eu/oauth2/authorize.json";
+ public final static String OAUTH2_TOKEN_URL = "https://auth.digidentity-preproduction.eu/oauth2/token.json";
+ public final static String DIGIDENTITY_API_BASE_URL = "https://esign.digidentity-preproduction.eu";
+ public final static String CSC_API_BASE_URL = "https://esign.digidentity-preproduction.eu";
+
+ final OkHttpClient okHttpClient;
+
+ String scope;
+ String client;
+ String secret;
+
+ String authorizationCode;
+ String accessToken;
+ String refreshToken;
+
+ //
+ // classes for wrapping JSON data objects
+ //
+ static class TokenResp extends GsonMessage {
+ @SerializedName("access_token")
+ public String access_token;
+
+ @SerializedName("refresh_token")
+ public String refresh_token;
+
+ @SerializedName("scope")
+ public String scope;
+ 
+ @SerializedName("token_type")
+ public String token_type;
+
+ @SerializedName("expires_in")
+ public int expires_in;
+ }
+
+ static class QrCodeUriResp extends GsonMessage {
+ @SerializedName("data")
+ public QrCodeUriRespData data;
+ }
+
+ static class QrCodeUriRespData extends GsonMessage {
+ @SerializedName("id")
+ public String id;
+
+ @SerializedName("type")
+ public String type;
+
+ @SerializedName("attributes")
+ public QrCodeUriRespDataAttributes attributes;
+ }
+
+ static class QrCodeUriRespDataAttributes extends GsonMessage {
+ @SerializedName("type")
+ public String type;
+
+ @SerializedName("qr_code_uri")
+ public String qr_code_uri;
+ }
+}