a-sit-plus · n0900 · Sep 16, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 11, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 Release 5.1.0:
  - tbd
+ - New Class `SignatureRequestFrom` to handle signature requests by reference
+ - Rename `AuthenticationRequestParser` to `RequestParser`
+   - `RequestParser` can now handle `SignatureRequestFrom`
 
 Release 5.0.0:
  - Remove `OidcSiopWallet.newDefaultInstance()` and replace it with a constructor

diff --git a/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/InputDescriptor.kt b/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/InputDescriptor.kt
@@ -2,15 +2,12 @@
 
 package at.asitplus.dif
 
-import at.asitplus.dif.rqes.Base64URLTransactionDataSerializer
-import at.asitplus.dif.rqes.TransactionDataEntry
+import at.asitplus.dif.rqes.serializers.Base64URLTransactionDataSerializer
+import at.asitplus.dif.rqes.collection_entries.TransactionData
 import com.benasher44.uuid.uuid4
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.UseSerializers
-import kotlinx.serialization.json.JsonContentPolymorphicSerializer
-import kotlinx.serialization.json.JsonElement
-import kotlinx.serialization.json.jsonObject
 
 @Serializable(with = InputDescriptorSerializer::class)
 sealed interface InputDescriptor {
@@ -63,13 +60,6 @@ data class QesInputDescriptor(
     @SerialName("constraints")
     override val constraints: Constraint? = null,
     @SerialName("transaction_data")
-    val transactionData: List<@Serializable(Base64URLTransactionDataSerializer::class) TransactionDataEntry>,
+    val transactionData: List<@Serializable(Base64URLTransactionDataSerializer::class) TransactionData>,
 ) : InputDescriptor
 
-
-object InputDescriptorSerializer : JsonContentPolymorphicSerializer<InputDescriptor>(InputDescriptor::class) {
-    override fun selectDeserializer(element: JsonElement) = when {
-        "transaction_data" in element.jsonObject -> QesInputDescriptor.serializer()
-        else -> DifInputDescriptor.serializer()
-    }
-}
diff --git a/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/InputDescriptorSerializer.kt b/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/InputDescriptorSerializer.kt
@@ -0,0 +1,13 @@
+package at.asitplus.dif
+
+import kotlinx.serialization.json.JsonContentPolymorphicSerializer
+import kotlinx.serialization.json.JsonElement
+import kotlinx.serialization.json.jsonObject
+
+
+object InputDescriptorSerializer : JsonContentPolymorphicSerializer<InputDescriptor>(InputDescriptor::class) {
+    override fun selectDeserializer(element: JsonElement) = when {
+        "transaction_data" in element.jsonObject -> QesInputDescriptor.serializer()
+        else -> DifInputDescriptor.serializer()
+    }
+}
diff --git a/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/CSCSignatureRequestParameters.kt b/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/CSCSignatureRequestParameters.kt
@@ -0,0 +1,206 @@
+package at.asitplus.dif.rqes
+
+import at.asitplus.dif.rqes.serializers.Asn1EncodableBase64Serializer
+import at.asitplus.dif.rqes.serializers.CSCSignatureRequestParameterSerializer
+import at.asitplus.dif.rqes.collection_entries.Document
+import at.asitplus.dif.rqes.collection_entries.DocumentDigestEntries.CscDocumentDigest
+import at.asitplus.dif.rqes.enums.OperationModeEnum
+import at.asitplus.dif.rqes.enums.SignatureQualifierEnum
+import at.asitplus.signum.indispensable.Digest
+import at.asitplus.signum.indispensable.SignatureAlgorithm
+import at.asitplus.signum.indispensable.asn1.Asn1Element
+import at.asitplus.signum.indispensable.asn1.ObjectIdentifier
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.Transient
+
+@Serializable(with = CSCSignatureRequestParameterSerializer::class)
+sealed interface CSCSignatureRequestParameters {
+    /**
+     * The credentialID as defined in the Input parameter table in `/credentials/info`
+     */
+    val credentialId: String?
+
+    /**
+     * The Signature Activation Data returned by the Credential Authorization
+     * methods. Not needed if the signing application has passed an access token in
+     * the “Authorization” HTTP header with scope “credential”, which is also good for
+     * the credential identified by credentialID.
+     * Note: For backward compatibility, signing applications MAY pass access tokens
+     * with scope “credential” in this parameter.
+     */
+    val sad: String?
+
+    /**
+     * The type of operation mode requested to the remote signing server
+     * The default value is “S”, so if the parameter is omitted then the remote signing
+     * server will manage the request in synchronous operation mode.
+     */
+    val operationMode: OperationModeEnum?
+
+    /**
+     * Maximum period of time, expressed in milliseconds, until which the server
+     * SHALL keep the request outcome(s) available for the client application retrieval.
+     * This parameter MAY be specified only if the parameter operationMode is “A”.
+     */
+    val validityPeriod: Int?
+
+    /**
+     * Value of one location where the server will notify the signature creation
+     * operation completion, as an URI value. This parameter MAY be specified only if
+     * the parameter operationMode is “A”.
+     */
+    val responseUri: String?
+
+    /**
+     * Arbitrary data from the signature application. It can be used to handle a
+     * transaction identifier or other application-spe cific data that may be useful for
+     * debugging purposes
+     */
+    val clientData: String?
+}
+
+@Serializable
+data class SignHashParameters(
+
+    @SerialName("credentialID")
+    override val credentialId: String,
+
+    @SerialName("SAD")
+    override val sad: String? = null,
+
+    @SerialName("operationMode")
+    override val operationMode: OperationModeEnum = OperationModeEnum.SYNCHRONOUS,
+
+    @SerialName("validity_period")
+    override val validityPeriod: Int? = null,
+
+    @SerialName("response_uri")
+    override val responseUri: String? = null,
+
+    @SerialName("clientData")
+    override val clientData: String? = null,
+
+    /**
+     * Input-type is JsonArray - do not use HashesSerializer!
+     * One or more base64-encoded hash values to be signed
+     */
+    @SerialName("hashes")
+    val hashes: Hashes,
+
+    /**
+     * String containing the OID of the hash algorithm used to generate the hashes
+     */
+    @SerialName("hashAlgorithmOID")
+    val hashAlgorithmOid: ObjectIdentifier? = null,
+
+    /**
+     * The OID of the algorithm to use for signing. It SHALL be one of the values
+     * allowed by the credential as returned in keyAlgo as defined in `credentials/info` or as defined
+     * in `credentials/list`
+     */
+    @SerialName("signAlgo")
+    val signAlgoOid: ObjectIdentifier,
+
+    /**
+     * The Base64-encoded DER-encoded ASN.1 signature algorithm parameters if required by
+     * the signature algorithm - Necessary for RSASSA-PSS for example
+     */
+    @SerialName("signAlgoParams")
+    @Serializable(with = Asn1EncodableBase64Serializer::class)
+    val signAlgoParams: Asn1Element? = null,
+
+    ) : CSCSignatureRequestParameters {
+
+    @Transient
+    val signAlgorithm: SignatureAlgorithm? = getSignAlgorithm(signAlgoOid, signAlgoParams)
+
+    @Transient
+    val hashAlgorithm: Digest = getHashAlgorithm(hashAlgorithmOid, signAlgorithm)
+
+    override fun equals(other: Any?): Boolean {
+        if (this === other) return true
+        if (other == null || this::class != other::class) return false
+
+        other as SignHashParameters
+        if (!hashes.contentEquals(other.hashes)) return false
+        if (credentialId != other.credentialId) return false
+        if (sad != other.sad) return false
+        if (operationMode != other.operationMode) return false
+        if (validityPeriod != other.validityPeriod) return false
+        if (responseUri != other.responseUri) return false
+        if (clientData != other.clientData) return false
+        if (hashAlgorithmOid != other.hashAlgorithmOid) return false
+        if (signAlgoOid != other.signAlgoOid) return false
+        if (signAlgoParams != other.signAlgoParams) return false
+        if (signAlgorithm != other.signAlgorithm) return false
+        if (hashAlgorithm != other.hashAlgorithm) return false
+
+        return true
+    }
+
+    override fun hashCode(): Int {
+        var result = hashes.contentHashCode()
+        result = 31 * result + (sad?.hashCode() ?: 0)
+        result = 31 * result + operationMode.hashCode()
+        result = 31 * result + (validityPeriod ?: 0)
+        result = 31 * result + (responseUri?.hashCode() ?: 0)
+        result = 31 * result + (clientData?.hashCode() ?: 0)
+        result = 31 * result + credentialId.hashCode()
+        result = 31 * result + (hashAlgorithmOid?.hashCode() ?: 0)
+        result = 31 * result + signAlgoOid.hashCode()
+        result = 31 * result + (signAlgoParams?.hashCode() ?: 0)
+        result = 31 * result + (signAlgorithm?.hashCode() ?: 0)
+        result = 31 * result + hashAlgorithm.hashCode()
+        return result
+    }
+}
+
+@Serializable
+data class SignDocParameters(
+
+    @SerialName("credentialID")
+    override val credentialId: String? = null,
+
+    @SerialName("SAD")
+    override val sad: String? = null,
+
+    @SerialName("operationMode")
+    override val operationMode: OperationModeEnum = OperationModeEnum.SYNCHRONOUS,
+
+    @SerialName("validity_period")
+    override val validityPeriod: Int? = null,
+
+    @SerialName("response_uri")
+    override val responseUri: String? = null,
+
+    @SerialName("clientData")
+    override val clientData: String? = null,
+
+    /**
+     * Identifier of the signature type to be created, e.g. “eu_eidas_qes” to denote
+     * a Qualified Electronic Signature according to eIDAS
+     */
+    @SerialName("signatureQualifier")
+    val signatureQualifier: SignatureQualifierEnum? = null,
+
+    @SerialName("documentDigests")
+    val documentDigests: Collection<CscDocumentDigest>? = null,
+
+    @SerialName("documents")
+    val documents: Collection<Document>? = null,
+
+    /**
+     * This parameter SHALL be set to “true” to request the service to return the
+     * “validationInfo”. The default value is “false”, i.e. no
+     * “validationInfo” info is provided.
+     */
+    @SerialName("returnValidationInformation")
+    val returnValidationInformation: Boolean = false,
+
+) : CSCSignatureRequestParameters {
+    init {
+        require(credentialId != null || signatureQualifier != null) { "Either credentialId or signatureQualifier must not be null (both can be present)" }
+        require(documentDigests != null || documents != null) { "Either documentDigests or documents must not be null (both can be present)" }
+    }
+}
diff --git a/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/Hashes.kt b/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/Hashes.kt
@@ -0,0 +1,14 @@
+package at.asitplus.dif.rqes
+
+import at.asitplus.signum.indispensable.io.ByteArrayBase64Serializer
+import kotlinx.serialization.Serializable
+
+typealias Hashes = List<@Serializable(ByteArrayBase64Serializer::class) ByteArray>
+
+fun Hashes.contentEquals(other: List<ByteArray>): Boolean {
+    if (size != other.size) return false
+    this.forEachIndexed {i, entry -> if (!entry.contentEquals(other[i])) return false }
+    return true
+}
+
+fun Hashes.contentHashCode(): Int = this.sumOf {  31 * it.contentHashCode() }
diff --git a/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/Misc.kt b/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/Misc.kt
@@ -0,0 +1,35 @@
+package at.asitplus.dif.rqes
+
+import at.asitplus.signum.indispensable.Digest
+import at.asitplus.signum.indispensable.SignatureAlgorithm
+import at.asitplus.signum.indispensable.X509SignatureAlgorithm
+import at.asitplus.signum.indispensable.asn1.Asn1Element
+import at.asitplus.signum.indispensable.asn1.ObjectIdentifier
+import at.asitplus.signum.indispensable.asn1.encoding.Asn1
+import io.github.aakira.napier.Napier
+
+
+internal fun getSignAlgorithm(signAlgoOid: ObjectIdentifier, signAlgoParams: Asn1Element?): SignatureAlgorithm? =
+    kotlin.runCatching {
+        X509SignatureAlgorithm.doDecode(Asn1.Sequence {
+            +signAlgoOid
+            +(signAlgoParams ?: Asn1.Null())
+        }).also {
+            require(it.digest != Digest.SHA1)
+        }.algorithm
+    }.getOrElse {
+        Napier.w { "Could not resolve $signAlgoOid" }
+        null
+    }
+
+@Throws(Exception::class)
+fun getHashAlgorithm(hashAlgorithmOid: ObjectIdentifier?, signatureAlgorithm: SignatureAlgorithm? = null) =
+    hashAlgorithmOid?.let {
+        Digest.entries.find { digest -> digest.oid == it }
+    } ?: when(signatureAlgorithm) {
+        //TODO change as soon as digest is a member of the interface
+        is SignatureAlgorithm.ECDSA -> signatureAlgorithm.digest
+        is SignatureAlgorithm.HMAC -> signatureAlgorithm.digest
+        is SignatureAlgorithm.RSA -> signatureAlgorithm.digest
+        null -> null
+    } ?: throw Exception("Unknown hashing algorithm defined with oid $hashAlgorithmOid or signature algorithm $signatureAlgorithm")
diff --git a/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/RqesConstants.kt b/dif-data-classes/src/commonMain/kotlin/at/asitplus/dif/rqes/RqesConstants.kt
@@ -1,9 +1,5 @@
 package at.asitplus.dif.rqes
 
 object RqesConstants {
-
     const val SCOPE = "credential"
-
-    const val SIGNATURE_QUALIFIER = "eu_eidas_qes"
-
 }