|
| 1 | +# Validate signature after a successful authentication/authorization process |
| 2 | + |
| 3 | +After successfully performing a mobile signature process, it is a good idea to validate the obtained signature, to ensure it is correct from the |
| 4 | +following point of views: |
| 5 | +* the signing certificate (user certificate) is still valid |
| 6 | +* the signing certificate has a valid certificate path (it roots to a Certification Authority that is trusted in the context of the client) |
| 7 | +* the performed signature is correct |
| 8 | +* the DTBD/DTBS that was requested is identical to the one that was signed |
| 9 | + |
| 10 | +We start first with the code for performing a mobile signature: |
| 11 | + |
| 12 | +```java |
| 13 | +ClientConfiguration config = new ClientConfiguration(); |
| 14 | +// set all the configuration parameters for the client |
| 15 | + |
| 16 | +// use the config to create a new client; do this only once per application |
| 17 | +MIDClient client = new MIDClientImpl(config); |
| 18 | + |
| 19 | +// configure the request and send it to the Mobile ID backend |
| 20 | +SignatureRequest request = new SignatureRequest(); |
| 21 | +request.getDataToBeSigned().setData("Test: Do you want to login?"); |
| 22 | +request.setUserLanguage(UserLanguage.ENGLISH); |
| 23 | +request.getMobileUser().setMsisdn("41790000000"); |
| 24 | +request.setSignatureProfile(SignatureProfiles.DEFAULT_PROFILE); |
| 25 | + |
| 26 | +SignatureResponse response = client.requestSyncSignature(request); |
| 27 | + |
| 28 | +if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) { |
| 29 | + // at this point, we have successfully acquired a mobile signature |
| 30 | + // you can find it in response.getBase64Signature(), as a Base64-encoded CMS content |
| 31 | + |
| 32 | + // let's validate it |
| 33 | + |
| 34 | + // just like the client, the signature validator needs a bit of configuration |
| 35 | + SignatureValidationConfiguration svConfig = new SignatureValidationConfiguration(); |
| 36 | + // you can also set the truststore as a classpath file or as a byte array |
| 37 | + svConfig.setTrustStoreFile("signature-validation-truststore.jks"); |
| 38 | + svConfig.setTrustStoreType("jks") |
| 39 | + svConfig.setTrustStorePassword("secret"); // optional |
| 40 | + |
| 41 | + // now, with the config, let's create the signature validator and use it |
| 42 | + SignatureValidator validator = new SignatureValidatorImpl(svConfig); |
| 43 | + SignatureValidationResult result = validator.validateSignature(response.getBase64Signature(), request.getDataToBeSigned(), null); |
| 44 | + |
| 45 | + if (result.isValidationSuccessful()) { |
| 46 | + // all is good, the signature is perfectly valid |
| 47 | + // moreover, we can also get some extra data from the signature |
| 48 | + System.out.println("Mobile ID serial number = " + result.getMobileIdSerialNumber()); |
| 49 | + System.out.println("Signed DTBS = " + result.getSignedDtbs()); |
| 50 | + |
| 51 | + } else { |
| 52 | + // something failed |
| 53 | + System.out.println("Signature validation failure = " + result.getValidationFailureReason()); |
| 54 | + System.out.println("Signing certificate path validation = " + result.isSignerCertificatePathValid()); |
| 55 | + System.out.println("Signing certificate validation = " + result.isSignerCertificateValid()); |
| 56 | + System.out.println("Signature validation = " + result.isSignatureValid()); |
| 57 | + System.out.println("DTBS matching = " + result.isDtbsMatching()); |
| 58 | + if (result.getValidationException() != null) { |
| 59 | + result.getValidationException().printStackTrace(); |
| 60 | + } |
| 61 | + } |
| 62 | + |
| 63 | +} |
| 64 | +``` |
0 commit comments