Skip to content

Commit db82737

Browse files
author
Bogdan Mocanu
committed
Add or update documentation with info related to signature validation
1 parent 3c7bedb commit db82737

3 files changed

Lines changed: 74 additions & 1 deletion

File tree

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,7 @@ To start using the Swisscom Mobile ID service and this client library, follow th
3131
5. Learn about the code and the overall architecture of the client. See the [ARCHITECTURE.md](ARCHITECTURE.md) file
3232

3333
For extra help:
34+
- [How to validate signatures](/docs/validate-signatures.md)
3435
- [How to use an HTTP proxy with or without authentication](/docs/configure-proxy-connection.md)
3536
- [How to solve the most common problems](/docs/troubleshoot-common-problems.md)
3637

docs/validate-signatures.md

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# Validate signature after a successful authentication/authorization process
2+
3+
After successfully performing a mobile signature process, it is a good idea to validate the obtained signature, to ensure it is correct from the
4+
following point of views:
5+
* the signing certificate (user certificate) is still valid
6+
* the signing certificate has a valid certificate path (it roots to a Certification Authority that is trusted in the context of the client)
7+
* the performed signature is correct
8+
* the DTBD/DTBS that was requested is identical to the one that was signed
9+
10+
We start first with the code for performing a mobile signature:
11+
12+
```java
13+
ClientConfiguration config = new ClientConfiguration();
14+
// set all the configuration parameters for the client
15+
16+
// use the config to create a new client; do this only once per application
17+
MIDClient client = new MIDClientImpl(config);
18+
19+
// configure the request and send it to the Mobile ID backend
20+
SignatureRequest request = new SignatureRequest();
21+
request.getDataToBeSigned().setData("Test: Do you want to login?");
22+
request.setUserLanguage(UserLanguage.ENGLISH);
23+
request.getMobileUser().setMsisdn("41790000000");
24+
request.setSignatureProfile(SignatureProfiles.DEFAULT_PROFILE);
25+
26+
SignatureResponse response = client.requestSyncSignature(request);
27+
28+
if (response.getStatus().getStatusCode() == StatusCode.SIGNATURE) {
29+
// at this point, we have successfully acquired a mobile signature
30+
// you can find it in response.getBase64Signature(), as a Base64-encoded CMS content
31+
32+
// let's validate it
33+
34+
// just like the client, the signature validator needs a bit of configuration
35+
SignatureValidationConfiguration svConfig = new SignatureValidationConfiguration();
36+
// you can also set the truststore as a classpath file or as a byte array
37+
svConfig.setTrustStoreFile("signature-validation-truststore.jks");
38+
svConfig.setTrustStoreType("jks")
39+
svConfig.setTrustStorePassword("secret"); // optional
40+
41+
// now, with the config, let's create the signature validator and use it
42+
SignatureValidator validator = new SignatureValidatorImpl(svConfig);
43+
SignatureValidationResult result = validator.validateSignature(response.getBase64Signature(), request.getDataToBeSigned(), null);
44+
45+
if (result.isValidationSuccessful()) {
46+
// all is good, the signature is perfectly valid
47+
// moreover, we can also get some extra data from the signature
48+
System.out.println("Mobile ID serial number = " + result.getMobileIdSerialNumber());
49+
System.out.println("Signed DTBS = " + result.getSignedDtbs());
50+
51+
} else {
52+
// something failed
53+
System.out.println("Signature validation failure = " + result.getValidationFailureReason());
54+
System.out.println("Signing certificate path validation = " + result.isSignerCertificatePathValid());
55+
System.out.println("Signing certificate validation = " + result.isSignerCertificateValid());
56+
System.out.println("Signature validation = " + result.isSignatureValid());
57+
System.out.println("DTBS matching = " + result.isDtbsMatching());
58+
if (result.getValidationException() != null) {
59+
result.getValidationException().printStackTrace();
60+
}
61+
}
62+
63+
}
64+
```

docs/version-history.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,13 @@
11
# Version history
22

3+
# v1.5.0
4+
Add support for signature validation, after a mobile signature is successfully created. Add a new component that can be configured separately
5+
for validating the signing certificate, the certificate path, the actual signature and the DTBD/DTBS that was signed.
6+
7+
# v1.4.0
8+
Add support for HTTP proxy configuration. With this version, the Mobile ID Java client can be configured to use an HTTP proxy, with or
9+
without Basic authentication. This works both for command line and for programmatic mode.
10+
311
# v1.3.0
412
Add optional override of AP ID and AP Password for each request and for the tracking object of a signature operation.
513
This helps with sending requests on behalf of various APs, instead of relying only on the common AP ID + AP password
@@ -17,4 +25,4 @@ The artifacts are now available via Maven Central Repository.
1725
## v1.1.0
1826
First official release of the Mobile ID Java client.
1927
Contains the usage of the Geofencing additional service (instead of the deprecated Subscriber Info).
20-
Provides a new CLI parameter called "req-timeout" to allow for setting the signature request timeout.
28+
Provides a new CLI parameter called "req-timeout" to allow for setting the signature request timeout.

0 commit comments

Comments
 (0)