From 757d25e9e5e05a25153988bf89fdb50ac9ff92a1 Mon Sep 17 00:00:00 2001
From: Alexandru Ionut Balan <113347266+alexandru-ionut-balan@users.noreply.github.com>
Date: Thu, 4 Apr 2024 16:12:53 +0300
Subject: [PATCH] Showcase API uses RSASSA-PSS (#57)
* Revert "fix: Add missing state parameter to authorization url"
This reverts commit 29e6a90f3eca66a56e712786834c61f70056fe20.
* Revert "Revert "fix: Add missing state parameter to authorization url""
This reverts commit d3f05b295dc8aa94671df7a0f0657a5d20e3a54b.
* fix: Fix showcase API client not working after swagger update
* fix: Add content-type as required header for jws signature
* fix: Showcase API now uses RSASSA-PSS alhorithm for generating signatures
---------
Co-authored-by: Alexandru Ionut Balan 
---
 .../java/com/ing/developer/common/OBSigner.java | 3 +--
 .../Java/libraries/jersey2/ApiClient.mustache | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/java/open-banking-common/src/main/java/com/ing/developer/common/OBSigner.java b/java/open-banking-common/src/main/java/com/ing/developer/common/OBSigner.java
index 5e741bc..85837d0 100644
--- a/java/open-banking-common/src/main/java/com/ing/developer/common/OBSigner.java
+++ b/java/open-banking-common/src/main/java/com/ing/developer/common/OBSigner.java
@@ -61,7 +61,7 @@ public OBSigner(final Key key, final Signature signature, final Provider provide
 if (java.security.Signature.class.equals(algorithm.getType())) {
- this.sign = new Asymmetric(PrivateKey.class.cast(key));
+ this.sign = new Asymmetric((PrivateKey) key);
 } else if (Mac.class.equals(algorithm.getType())) {
@@ -74,7 +74,6 @@ public OBSigner(final Key key, final Signature signature, final Provider provide
 // check that the JVM really knows the algorithm we are going to use
 try {
- sign.sign("validation".getBytes());
 } catch (final RuntimeException e) {
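Review bot: Removing `sign.sign("validation".getBytes());` leaves the `try` under `// check that the JVM really knows the algorithm we are going to use` with no statement that exercises the signer, as far as this hunk shows, so the `catch (final RuntimeException e)` that follows can no longer be reached from it and an unsupported algorithm or missing provider will now surface on the first real request instead of at construction time. If the probe was dropped because the PSS-parameterised signer rejects a bare sign call, the intent is still worth keeping: either re-add a probe that works for the new configuration or delete the now-misleading comment together with the empty try/catch rather than leaving dead error handling behind. The `OBSigner` constructor starts before this hunk and continues after it, so what the catch does is not visible here.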
diff --git a/open-banking-driver-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache b/open-banking-driver-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache
index 7652c33..417d771 100644
--- a/open-banking-driver-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache
+++ b/open-banking-driver-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache
@@ -1,5 +1,8 @@
 package {{invokerPackage}};
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
 import java.util.Base64;
 import java.util.Date;
 import java.util.Locale;
@@ -1224,7 +1227,7 @@ public class ApiClient{{#jsr310}} extends JavaTimeFormatter{{/jsr310}} {
 sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
 String sigT = sdf.format(date);
- String jwsHeader="{\"b64\":false,\"x5t#S256\":\"" + encodedHexB64URL + "\",\"crit\":[ \"sigT\", \"sigD\", \"b64\"],\"sigT\":\"" + sigT + "\",\"sigD\":{ \"pars\":[ \"(request-target)\", \"content-type\", \"digest\" ], \"mId\":\"http://uri.etsi.org/19182/HttpHeaders\"},\"alg\":\"RS256\"}";
+ String jwsHeader="{\"b64\":false,\"x5t#S256\":\"" + encodedHexB64URL + "\",\"crit\":[ \"sigT\", \"sigD\", \"b64\"],\"sigT\":\"" + sigT + "\",\"sigD\":{ \"pars\":[ \"(request-target)\", \"content-type\", \"digest\" ], \"mId\":\"http://uri.etsi.org/19182/HttpHeaders\"},\"alg\":\"PS256\"}";
 String jwsHeaderBase64URL = Base64.getUrlEncoder()
 .withoutPadding()
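Review bot: The `\"alg\":\"PS256\"` literal in the hand-built `jwsHeader` string must now agree with the `PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)` that `signJws` constructs about three hundred lines later (the `@@ -1525` hunk); nothing ties the two together, so a future change to one without the other yields a header that advertises an algorithm the signature was not produced with and verifiers will reject it. A single named constant makes the coupling visible, e.g. `/** JWS "alg" for RSASSA-PSS with SHA-256, MGF1/SHA-256 and a 32-byte salt; keep in step with the PSSParameterSpec built in signJws(). */ private static final String JWS_ALG = "PS256";`, interpolated here in place of the literal. The `java.security.spec.AlgorithmParameterSpec` import added in the first hunk is not referenced by any changed line in this patch; if it is only there for the type of the `Signature` constructor's parameter it can be dropped.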
@@ -1232,7 +1235,7 @@ public class ApiClient{{#jsr310}} extends JavaTimeFormatter{{/jsr310}} {
 String digest = digest("");
 String signingString = "(request-target): get /signed/greetings\ncontent-type: " + contentType + "\ndigest: " + digest;
- String jwsSignatureValue = sign(signer, jwsHeaderBase64URL + "." + signingString).getSignature();
+ String jwsSignatureValue = signJws(token.client_id, signatureKey, jwsHeaderBase64URL + "." + signingString).getSignature();
 String jwsSignature = jwsHeaderBase64URL + ".." + jwsSignatureValue;
 mandatoryHeaders.put("X-JWS-Signature",jwsSignature);
 mandatoryHeaders.put("Digest", digest);
@@ -1525,6 +1528,16 @@ public class ApiClient{{#jsr310}} extends JavaTimeFormatter{{/jsr310}} {
 return new Signature(keyId, "rsa-sha256", null, "(request-target)", "date", "digest");
 }
+ private Signature signJws(String keyId, PrivateKey privateKey, String signingString) {
+ Signature signature = new Signature(keyId, "hs2019", "rsassa-pss", new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1), null, Arrays.asList("(request-target)", "date", "digest"));
+ OBSigner jwsSigner = new OBSigner(privateKey, signature);
+ try {
+ return jwsSigner.sign(signingString);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
 private OBSigner getFeatSigner(String keyId, PrivateKey privateKey) {
 if (featSigner == null) {
 featSigner = new OBSigner(privateKey, getSignature(keyId));
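Review bot: `signJws` passes `Arrays.asList("(request-target)", "date", "digest")` as the header list of the new `Signature`, but the JWS signing string built in the `@@ -1232` hunk, and the `sigD.pars` list in the JWS header, cover `(request-target)`, `content-type` and `digest`; if `OBSigner.sign(String)` only signs the string it is handed the list is dead and misleading, and if the list is consulted anywhere the wrong headers are named, so it should either match `pars` or be documented as unused. `throw new RuntimeException(e)` in the catch would read better as `throw new UncheckedIOException(e)` (java.io), which keeps the cause while telling callers what failed. The `1` trailer-field argument has a named constant, `PSSParameterSpec.TRAILER_FIELD_BC`, and the `32` is the SHA-256 digest length, which a comment such as `// PS256: SHA-256, MGF1/SHA-256, salt = 32-byte digest length, trailer 0xBC` makes explicit next to the values. Unlike `getFeatSigner`, which caches its `OBSigner` in `featSigner`, `signJws` constructs a fresh `OBSigner` on every call; if that constructor performs provider or algorithm lookup the cost is paid per request.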