Showcase API uses RSASSA-PSS (#57)

* Revert "fix: Add missing state parameter to authorization url" This reverts commit 29e6a90. * Revert "Revert "fix: Add missing state parameter to authorization url"" This reverts commit d3f05b2. * fix: Fix showcase API client not working after swagger update * fix: Add content-type as required header for jws signature * fix: Showcase API now uses RSASSA-PSS alhorithm for generating signatures --------- Co-authored-by: Alexandru Ionut Balan <[email protected]>
ing-bank · Apr 4, 2024 · 757d25e · 757d25e
1 parent ba97f77
commit 757d25e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/java/open-banking-common/src/main/java/com/ing/developer/common/OBSigner.java b/java/open-banking-common/src/main/java/com/ing/developer/common/OBSigner.java
@@ -61,7 +61,7 @@ public OBSigner(final Key key, final Signature signature, final Provider provide
 
         if (java.security.Signature.class.equals(algorithm.getType())) {
 
-            this.sign = new Asymmetric(PrivateKey.class.cast(key));
+            this.sign = new Asymmetric((PrivateKey) key);
 
         } else if (Mac.class.equals(algorithm.getType())) {
 
@@ -74,7 +74,6 @@ public OBSigner(final Key key, final Signature signature, final Provider provide
 
         // check that the JVM really knows the algorithm we are going to use
         try {
-
             sign.sign("validation".getBytes());
 
         } catch (final RuntimeException e) {

diff --git a/open-banking-driver-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache b/open-banking-driver-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache
@@ -1,5 +1,8 @@
 package {{invokerPackage}};
 
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
 import java.util.Base64;
 import java.util.Date;
 import java.util.Locale;
@@ -1224,15 +1227,15 @@ public class ApiClient{{#jsr310}} extends JavaTimeFormatter{{/jsr310}} {
         sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
         String sigT = sdf.format(date);
 
-        String jwsHeader="{\"b64\":false,\"x5t#S256\":\"" + encodedHexB64URL + "\",\"crit\":[ \"sigT\", \"sigD\", \"b64\"],\"sigT\":\"" + sigT + "\",\"sigD\":{ \"pars\":[ \"(request-target)\", \"content-type\", \"digest\" ], \"mId\":\"http://uri.etsi.org/19182/HttpHeaders\"},\"alg\":\"RS256\"}";
+        String jwsHeader="{\"b64\":false,\"x5t#S256\":\"" + encodedHexB64URL + "\",\"crit\":[ \"sigT\", \"sigD\", \"b64\"],\"sigT\":\"" + sigT + "\",\"sigD\":{ \"pars\":[ \"(request-target)\", \"content-type\", \"digest\" ], \"mId\":\"http://uri.etsi.org/19182/HttpHeaders\"},\"alg\":\"PS256\"}";
 
         String jwsHeaderBase64URL = Base64.getUrlEncoder()
                 .withoutPadding()
                 .encodeToString(jwsHeader.getBytes(StandardCharsets.UTF_8));
         String digest = digest("");
         String signingString = "(request-target): get /signed/greetings\ncontent-type: " + contentType + "\ndigest: " + digest;
 
-        String jwsSignatureValue = sign(signer, jwsHeaderBase64URL + "." + signingString).getSignature();
+        String jwsSignatureValue = signJws(token.client_id, signatureKey, jwsHeaderBase64URL + "." + signingString).getSignature();
         String jwsSignature = jwsHeaderBase64URL + ".." + jwsSignatureValue;
         mandatoryHeaders.put("X-JWS-Signature",jwsSignature);
         mandatoryHeaders.put("Digest", digest);
@@ -1525,6 +1528,16 @@ public class ApiClient{{#jsr310}} extends JavaTimeFormatter{{/jsr310}} {
       return new Signature(keyId, "rsa-sha256", null, "(request-target)", "date", "digest");
   }
 
+    private Signature signJws(String keyId, PrivateKey privateKey, String signingString) {
+        Signature signature = new Signature(keyId, "hs2019", "rsassa-pss", new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1), null, Arrays.asList("(request-target)", "date", "digest"));
+        OBSigner jwsSigner = new OBSigner(privateKey, signature);
+        try {
+            return jwsSigner.sign(signingString);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
   private OBSigner getFeatSigner(String keyId, PrivateKey privateKey) {
       if (featSigner == null) {
           featSigner = new OBSigner(privateKey, getSignature(keyId));