diff --git a/MobileAuthApp/app/build.gradle b/MobileAuthApp/app/build.gradle
index a65bc6e..bc4a034 100644
--- a/MobileAuthApp/app/build.gradle
+++ b/MobileAuthApp/app/build.gradle
@@ -62,6 +62,13 @@ dependencies {
//SecureDataStoring
implementation("androidx.security:security-crypto:1.0.0")
+ implementation 'io.jsonwebtoken:jjwt-api:0.11.2'
+ runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.2',
+ 'org.bouncycastle:bcprov-jdk15on:1.60',
+ 'io.jsonwebtoken:jjwt-gson:0.11.2'
+
+ implementation 'com.koushikdutta.ion:ion:3.1.0'
+
// Retrofit + Moshi Converter
implementation 'com.squareup.retrofit2:converter-moshi:2.9.0'
implementation 'com.squareup.moshi:moshi-kotlin:1.9.3'
diff --git a/MobileAuthApp/app/src/main/AndroidManifest.xml b/MobileAuthApp/app/src/main/AndroidManifest.xml
index d13134c..e9b29ca 100644
--- a/MobileAuthApp/app/src/main/AndroidManifest.xml
+++ b/MobileAuthApp/app/src/main/AndroidManifest.xml
@@ -3,6 +3,7 @@
package="com.tarkvaraprojekt.mobileauthapp">
+
- timer.cancel()
- requireActivity().runOnUiThread {
- binding!!.timeCounter.text = getString(R.string.card_detected)
- }
- val card = IsoDep.get(tag)
- card.timeout = 32768
- card.use {
- try {
- val comms = Comms(it, viewModel.userCan)
+ adapter.enableReaderMode(activity, { tag ->
+ timer.cancel()
+ requireActivity().runOnUiThread {
+ binding!!.timeCounter.text = getString(R.string.card_detected)
+ }
+ val card = IsoDep.get(tag)
+ card.timeout = 32768
+ card.use {
+ try {
+ val comms = Comms(it, viewModel.userCan)
+ if (args.auth) {
+ val jws = Authenticator(comms).authenticate(
+ intentParameters.challenge,
+ intentParameters.origin,
+ viewModel.userPin
+ )
+ intentParameters.setToken(jws)
+ } else {
val response = comms.readPersonalData(byteArrayOf(1, 2, 6, 3, 4, 8))
viewModel.setUserFirstName(response[1])
viewModel.setUserLastName(response[0])
@@ -92,26 +103,24 @@ class AuthFragment : Fragment() {
viewModel.setGender(response[3])
viewModel.setCitizenship(response[4])
viewModel.setExpiration(response[5])
- requireActivity().runOnUiThread {
- binding!!.timeCounter.text = getString(R.string.data_read)
- }
- } catch (e: Exception) {
- requireActivity().runOnUiThread {
- binding!!.timeCounter.text = getString(R.string.no_success)
- }
- // If the CAN is wrong we will also delete the saved CAN so that the user won't use it again.
- viewModel.deleteCan(requireContext())
- // Gives user some time to read the error message
- Thread.sleep(1000)
- goToTheStart()
- } finally {
- adapter.disableReaderMode(activity)
}
+ requireActivity().runOnUiThread {
+ binding!!.timeCounter.text = getString(R.string.data_read)
+ }
+ } catch (e: Exception) {
+ requireActivity().runOnUiThread {
+ binding!!.timeCounter.text = getString(R.string.no_success)
+ }
+ // If the CAN is wrong we will also delete the saved CAN so that the user won't use it again.
+ viewModel.deleteCan(requireContext())
+ // Gives user some time to read the error message
+ Thread.sleep(1000)
+ goToTheStart()
+ } finally {
+ adapter.disableReaderMode(activity)
}
- }, NfcAdapter.FLAG_READER_NFC_A, null)
- } else { //We want to create a JWT instead of reading the info from the card.
- goToNextFragment()
- }
+ }
+ }, NfcAdapter.FLAG_READER_NFC_A, null)
}
private fun goToNextFragment() {
@@ -132,8 +141,7 @@ class AuthFragment : Fragment() {
} else {
if (!args.mobile) {
//Currently for some reason the activity is not killed entirely. Must be looked into further.
- requireActivity().finish()
- exitProcess(0)
+ requireActivity().finishAndRemoveTask()
} else {
val resultIntent = Intent()
requireActivity().setResult(AppCompatActivity.RESULT_CANCELED, resultIntent)
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/CanFragment.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/CanFragment.kt
index 7ad1207..1b281aa 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/CanFragment.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/CanFragment.kt
@@ -127,10 +127,14 @@ class CanFragment : Fragment() {
// TODO: Needs special handling when the app is launched with intent. Temporary solution at the moment.
if (args.saving) {
findNavController().navigate(R.id.action_canFragment_to_settingsFragment)
- } else if (args.auth) {
- val resultIntent = Intent()
- requireActivity().setResult(AppCompatActivity.RESULT_CANCELED, resultIntent)
- requireActivity().finish()
+ } else if (args.auth || args.mobile) {
+ if (args.mobile) {
+ val resultIntent = Intent()
+ requireActivity().setResult(AppCompatActivity.RESULT_CANCELED, resultIntent)
+ requireActivity().finish()
+ } else {
+ requireActivity().finishAndRemoveTask()
+ }
} else {
findNavController().navigate(R.id.action_canFragment_to_homeFragment)
}
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/HomeFragment.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/HomeFragment.kt
index e79c402..e1888f4 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/HomeFragment.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/HomeFragment.kt
@@ -14,6 +14,7 @@ import com.tarkvaraprojekt.mobileauthapp.databinding.FragmentHomeBinding
import com.tarkvaraprojekt.mobileauthapp.model.ParametersViewModel
import com.tarkvaraprojekt.mobileauthapp.model.SmartCardViewModel
import java.lang.Exception
+import java.net.URLDecoder
/**
* HomeFragment is only shown to the user when then the user launches the application. When the application
@@ -30,6 +31,7 @@ class HomeFragment : Fragment() {
private var binding: FragmentHomeBinding? = null
+
override fun onCreateView(
inflater: LayoutInflater,
container: ViewGroup?,
@@ -56,11 +58,14 @@ class HomeFragment : Fragment() {
// We use !! because we want an exception when something is not right.
intentParams.setChallenge(requireActivity().intent.getStringExtra("challenge")!!)
intentParams.setAuthUrl(requireActivity().intent.getStringExtra("authUrl")!!)
+ intentParams.setOrigin(requireActivity().intent.getStringExtra("originUrl")!!)
} else { //Website
- // Currently the test website won't send the authUrl parameter
- //Log.i("intentDebugging", requireActivity().intent.data.toString())
- intentParams.setChallenge(requireActivity().intent.data!!.getQueryParameter("challenge")!!)
- //intentParams.setAuthUrl(requireActivity().intent.data!!.getQueryParameter("authUrl")!!)
+ var challenge = requireActivity().intent.data!!.getQueryParameter("challenge")!!
+ // TODO: Since due to encoding plus gets converted to space, temporary solution is to replace it back.
+ challenge = challenge.replace(" ", "+")
+ intentParams.setChallenge(challenge)
+ intentParams.setAuthUrl(requireActivity().intent.data!!.getQueryParameter("authUrl")!!)
+ intentParams.setOrigin(requireActivity().intent.data!!.getQueryParameter("originUrl")!!)
}
} catch (e: Exception) {
// There was a problem with parameters, which means that authentication is not possible.
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/NFC/Comms.java b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/NFC/Comms.java
index a4d184b..bccb6ee 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/NFC/Comms.java
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/NFC/Comms.java
@@ -21,6 +21,7 @@ import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
+import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
@@ -30,47 +31,43 @@ import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class Comms {
- private static final byte[] master = { // select Main AID
- 0, -92, 4, 12, 16, -96, 0, 0, 0, 119, 1, 8, 0, 7, 0, 0, -2, 0, 0, 1, 0
- };
- private static final byte[] MSESetAT = { // manage security environment: set authentication template
- 0, 34, -63, -92, 15, -128, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 4, -125, 1, 2, 0
- };
+ private static final byte[] selectMaster = Hex.decode("00a4040c10a000000077010800070000fe00000100");
- private static final byte[] GAGetNonce = { // general authenticate: get nonce
- 16, -122, 0, 0, 2, 124, 0, 0
- };
+ private static final byte[] MSESetAT = Hex.decode("0022c1a40f800a04007f0007020204020483010200");
- private static final byte[] GAMapNonceIncomplete = {
- 16, -122, 0, 0, 69, 124, 67, -127, 65
- };
+ private static final byte[] GAGetNonce = Hex.decode("10860000027c0000");
- private static final byte[] GAKeyAgreementIncomplete = {
- 16, -122, 0, 0, 69, 124, 67, -125, 65
- };
+ private static final byte[] GAMapNonceIncomplete = Hex.decode("10860000457c438141");
- private static final byte[] GAMutualAuthenticationIncomplete = {
- 0, -122, 0, 0, 12, 124, 10, -123, 8
- };
+ private static final byte[] GAKeyAgreementIncomplete = Hex.decode("10860000457c438341");
- private static final byte[] dataForMACIncomplete = {
- 127, 73, 79, 6, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 4, -122, 65
- };
+ private static final byte[] GAMutualAuthenticationIncomplete = Hex.decode("008600000c7c0a8508");
- private static final byte[] masterSec = {
- 12, -92, 4, 12, 45, -121, 33, 1
- };
+ private static final byte[] dataForMACIncomplete = Hex.decode("7f494f060a04007f000702020402048641");
- private static final byte[] personal = { // select personal data DF
- 12, -92, 1, 12, 29, -121, 17, 1
- };
+ private static final byte[] selectFile = Hex.decode("0ca4010c1d871101");
- private static final byte[] read = { // read binary
- 12, -80, 0, 0, 13, -105, 1, 0
- };
+ private static final byte[] readFile = Hex.decode("0cb000000d970100");
- private IsoDep idCard;
+ private static final byte[] verifyPIN1 = Hex.decode("0c2000011d871101");
+
+ private static final byte[] verifyPIN2 = Hex.decode("0c2000851d871101");
+
+ private static final byte[] MSESetEnv = Hex.decode("0c2241A41d871101");
+
+ private static final byte[] Env = Hex.decode("8004FF200800840181");
+
+ private static final byte[] InternalAuthenticate = Hex.decode("0c8800001d871101");
+
+ private static final byte[] IASECCFID = {0x3f, 0x00};
+ private static final byte[] personalDF = {0x50, 0x00};
+ private static final byte[] AWP = {(byte) 0xad, (byte) 0xf1};
+ private static final byte[] QSCD = {(byte) 0xad, (byte) 0xf2};
+ private static final byte[] authCert = {0x34, 0x01};
+ private static final byte[] signCert = {0x34, 0x1f};
+
+ private final IsoDep idCard;
private final byte[] keyEnc;
private final byte[] keyMAC;
private byte ssc; // Send sequence counter.
@@ -84,21 +81,12 @@ public class Comms {
public Comms(IsoDep idCard, String CAN) throws IOException, NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException {
idCard.connect();
-
this.idCard = idCard;
-
- long start = System.currentTimeMillis();
- byte[][] keys = PACE(CAN);
- Log.i("Pace duration", String.valueOf(System.currentTimeMillis() - start));
-
+ byte[][] keys = PACE(CAN.getBytes(StandardCharsets.UTF_8));
keyEnc = keys[0];
keyMAC = keys[1];
}
- public byte[] getAuthenticationCertificate() {
- return new byte[0];
- }
-
/**
* Calculates the message authentication code
*
@@ -151,40 +139,51 @@ public class Comms {
* @param CAN the card access number provided by the user
* @return the decrypted nonce
*/
- private byte[] decryptNonce(byte[] encryptedNonce, String CAN) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException {
- byte[] decryptionKey = createKey(CAN.getBytes(StandardCharsets.UTF_8), (byte) 3);
+ private byte[] decryptNonce(byte[] encryptedNonce, byte[] CAN) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException {
+ byte[] decryptionKey = createKey(CAN, (byte) 3);
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(decryptionKey, "AES"), new IvParameterSpec(new byte[16]));
return cipher.doFinal(encryptedNonce);
}
+ /**
+ * Communicates with the card and logs the response
+ *
+ * @param APDU The command
+ * @param log Information for logging
+ * @return The response
+ */
+ private byte[] getResponse(byte[] APDU, String log) throws IOException {
+ byte[] response = idCard.transceive(APDU);
+ if (response[response.length - 2] != (byte) 0x90 || response[response.length - 1] != 0x00) {
+ throw new RuntimeException(String.format("%s failed.", log));
+ }
+ Log.i(log, Hex.toHexString(response));
+ return response;
+ }
+
/**
* Attempts to use the PACE protocol to create a secure channel with an Estonian ID-card
*
* @param CAN the card access number
*/
- private byte[][] PACE(String CAN) throws IOException, NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException {
+ private byte[][] PACE(byte[] CAN) throws IOException, NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException {
- // select the ECC applet on the chip
- byte[] response = idCard.transceive(master);
- Log.i("Select applet", Hex.toHexString(response));
+ // select the IAS-ECC application on the chip
+ getResponse(selectMaster, "Select the master application");
// initiate PACE
- response = idCard.transceive(MSESetAT);
- Log.i("Authentication template", Hex.toHexString(response));
+ getResponse(MSESetAT, "Set authentication template");
// get nonce
- response = idCard.transceive(GAGetNonce);
- Log.i("Get nonce", Hex.toHexString(response));
+ byte[] response = getResponse(GAGetNonce, "Get nonce");
byte[] decryptedNonce = decryptNonce(Arrays.copyOfRange(response, 4, response.length - 2), CAN);
// generate an EC keypair and exchange public keys with the chip
ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("secp256r1");
BigInteger privateKey = new BigInteger(255, new SecureRandom()).add(BigInteger.ONE); // should be in [1, spec.getN()-1], but this is good enough for this application
ECPoint publicKey = spec.getG().multiply(privateKey).normalize();
- byte[] APDU = createAPDU(GAMapNonceIncomplete, publicKey.getEncoded(false), 66);
- response = idCard.transceive(APDU);
- Log.i("Map nonce", Hex.toHexString(response));
+ response = getResponse(createAPDU(GAMapNonceIncomplete, publicKey.getEncoded(false), 66), "Map nonce");
ECPoint cardPublicKey = spec.getCurve().decodePoint(Arrays.copyOfRange(response, 4, 69));
// calculate the new base point, use it to generate a new keypair, and exchange public keys
@@ -192,35 +191,41 @@ public class Comms {
ECPoint mappedECBasePoint = spec.getG().multiply(new BigInteger(1, decryptedNonce)).add(sharedSecret).normalize();
privateKey = new BigInteger(255, new SecureRandom()).add(BigInteger.ONE);
publicKey = mappedECBasePoint.multiply(privateKey).normalize();
- APDU = createAPDU(GAKeyAgreementIncomplete, publicKey.getEncoded(false), 66);
- response = idCard.transceive(APDU);
- Log.i("Key agreement", Hex.toHexString(response));
+ response = getResponse(createAPDU(GAKeyAgreementIncomplete, publicKey.getEncoded(false), 66), "Key agreement");
cardPublicKey = spec.getCurve().decodePoint(Arrays.copyOfRange(response, 4, 69));
// generate the session keys and exchange MACs to verify them
- sharedSecret = cardPublicKey.multiply(privateKey).normalize();
- byte[] encodedSecret = sharedSecret.getAffineXCoord().getEncoded();
- byte[] keyEnc = createKey(encodedSecret, (byte) 1);
- byte[] keyMAC = createKey(encodedSecret, (byte) 2);
- APDU = createAPDU(dataForMACIncomplete, cardPublicKey.getEncoded(false), 65);
- byte[] MAC = getMAC(APDU, keyMAC);
- APDU = createAPDU(GAMutualAuthenticationIncomplete, MAC, 9);
- response = idCard.transceive(APDU);
- Log.i("Mutual authentication", Hex.toHexString(response));
+ byte[] secret = cardPublicKey.multiply(privateKey).normalize().getAffineXCoord().getEncoded();
+ byte[] keyEnc = createKey(secret, (byte) 1);
+ byte[] keyMAC = createKey(secret, (byte) 2);
+ byte[] MAC = getMAC(createAPDU(dataForMACIncomplete, cardPublicKey.getEncoded(false), 65), keyMAC);
+ response = getResponse(createAPDU(GAMutualAuthenticationIncomplete, MAC, 9), "Mutual authentication");
- // if the chip-side verification fails, crash and burn
- if (response.length == 2) throw new RuntimeException("Invalid CAN.");
-
- // otherwise verify chip's MAC and return session keys
- APDU = createAPDU(dataForMACIncomplete, publicKey.getEncoded(false), 65);
- MAC = getMAC(APDU, keyMAC);
+ // verify chip's MAC and return session keys
+ MAC = getMAC(createAPDU(dataForMACIncomplete, publicKey.getEncoded(false), 65), keyMAC);
if (!Hex.toHexString(response, 4, 8).equals(Hex.toHexString(MAC))) {
- throw new RuntimeException("Could not verify chip's MAC."); // Should never happen.
+ throw new RuntimeException("Could not verify chip's MAC."); // *Should* never happen.
}
return new byte[][]{keyEnc, keyMAC};
}
+ /**
+ * Selects a file and reads its contents
+ *
+ * @param FID file identifier of the required file
+ * @param info string for logging
+ * @return decrypted file contents
+ */
+ private byte[] readFile(byte[] FID, String info) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, IOException {
+ selectFile(FID, info);
+ byte[] response = getResponse(new byte[0], readFile, "Read binary");
+ if (response[response.length - 2] != (byte) 0x90 || response[response.length - 1] != 0x00) {
+ throw new RuntimeException(String.format("Could not read %s", info));
+ }
+ return encryptDecryptData(Arrays.copyOfRange(response, 3, 19), Cipher.DECRYPT_MODE);
+ }
+
/**
* Encrypts or decrypts the APDU data
*
@@ -255,74 +260,182 @@ public class Comms {
byte[] macData = new byte[data.length > 0 ? 48 + length : 48];
macData[15] = ssc; // first block contains the ssc
System.arraycopy(incomplete, 0, macData, 16, 4); // second block has the command
- macData[20] = -128; // elements are terminated by 0x80 and zero-padded to the next block
+ macData[20] = (byte) 0x80; // elements are terminated by 0x80 and zero-padded to the next block
System.arraycopy(incomplete, 5, macData, 32, 3); // third block contains appropriately encapsulated data/Le
if (data.length > 0) { // if the APDU has data, add padding and encrypt it
byte[] paddedData = Arrays.copyOf(data, length);
- paddedData[data.length] = -128;
+ paddedData[data.length] = (byte) 0x80;
encryptedData = encryptDecryptData(paddedData, Cipher.ENCRYPT_MODE);
System.arraycopy(encryptedData, 0, macData, 35, encryptedData.length);
}
- macData[35 + encryptedData.length] = -128;
+ macData[35 + encryptedData.length] = (byte) 0x80;
byte[] MAC = getMAC(macData, keyMAC);
// construct the APDU using the encrypted data and the MAC
- byte[] APDU = new byte[incomplete.length + encryptedData.length + MAC.length + 3];
- System.arraycopy(incomplete, 0, APDU, 0, incomplete.length);
+ byte[] APDU = Arrays.copyOf(incomplete, incomplete.length + encryptedData.length + MAC.length + 3);
if (encryptedData.length > 0) {
System.arraycopy(encryptedData, 0, APDU, incomplete.length, encryptedData.length);
}
- System.arraycopy(new byte[]{-114, 8}, 0, APDU, incomplete.length + encryptedData.length, 2); // MAC is encapsulated using the tag 0x8E
+ System.arraycopy(new byte[]{(byte) 0x8E, 0x08}, 0, APDU, incomplete.length + encryptedData.length, 2); // MAC is encapsulated using the tag 0x8E
System.arraycopy(MAC, 0, APDU, incomplete.length + encryptedData.length + 2, MAC.length);
-
ssc++;
return APDU;
}
/**
- * Gets the contents of the personal data dedicated file
- *
- * @param FID the last bytes of file identifiers being requested
- * @return array containing the data strings
+ * Selects a FILE by its identifier
*
*/
- public String[] readPersonalData(byte[] FID) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, IOException {
+ private void selectFile(byte[] FID, String info) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, IOException {
+ byte[] response = getResponse(FID, selectFile, String.format("Select %s", info));
+ if (response[response.length - 2] != (byte) 0x90 || response[response.length - 1] != 0x00) {
+ throw new RuntimeException(String.format("Could not select %s", info));
+ }
+ }
- String[] personalData = new String[FID.length];
- byte[] data;
- byte[] APDU;
- byte[] response;
+ /**
+ * Gets the contents of the personal data dedicated file
+ *
+ * @param lastBytes the last bytes of the personal data file identifiers (0 < x < 16)
+ * @return array containing the corresponding data strings
+ */
+ public String[] readPersonalData(byte[] lastBytes) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, IOException {
+
+ String[] personalData = new String[lastBytes.length];
+ int stringIndex = 0;
+
+ // select the master application
+ selectFile(IASECCFID, "the master application");
// select the personal data dedicated file
- data = new byte[]{80, 0}; // personal data DF FID
- APDU = createSecureAPDU(data, personal);
- response = idCard.transceive(APDU);
- Log.i("Select personal data DF", Hex.toHexString(response));
+ selectFile(personalDF, "the personal data DF");
- // select and read the first 8 elementary files in the DF
- for (int i = 0; i < FID.length; i++) {
+ byte[] FID = Arrays.copyOf(personalDF, personalDF.length);
+ // select and read the personal data elementary files
+ for (byte index : lastBytes) {
- byte index = FID[i];
if (index > 15 || index < 1) throw new RuntimeException("Invalid personal data FID.");
-
- data[1] = index;
- APDU = createSecureAPDU(data, personal);
- response = idCard.transceive(APDU);
- Log.i(String.format("Select EF 500%d", index), Hex.toHexString(response));
-
- APDU = createSecureAPDU(new byte[0], read);
- response = idCard.transceive(APDU);
- Log.i(String.format("Read binary EF 500%d", index), Hex.toHexString(response));
+ FID[1] = index;
// store the decrypted datum
- byte[] raw = encryptDecryptData(Arrays.copyOfRange(response, 3, 19), Cipher.DECRYPT_MODE);
- int indexOfTerminator = Hex.toHexString(raw).lastIndexOf("80") / 2;
- personalData[i] = new String(Arrays.copyOfRange(raw, 0, indexOfTerminator));
+ byte[] response = readFile(FID, "a personal data EF");
+ int indexOfTerminator = Hex.toHexString(response).lastIndexOf("80") / 2;
+ personalData[stringIndex++] = new String(Arrays.copyOfRange(response, 0, indexOfTerminator));
}
-
return personalData;
}
+
+ /**
+ * Attempts to verify the selected PIN
+ *
+ * @param PIN user-provided PIN
+ * @param oneOrTwo true for PIN1, false for PIN2
+ */
+ private void verifyPIN(byte[] PIN, boolean oneOrTwo) throws NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, IOException {
+
+ selectFile(IASECCFID, "the master application");
+ if (!oneOrTwo) {
+ selectFile(QSCD, "the application");
+ }
+
+ // pad the PIN and use the chip for verification
+ byte[] paddedPIN = Hex.decode("ffffffffffffffffffffffff");
+ System.arraycopy(PIN, 0, paddedPIN, 0, PIN.length);
+ byte[] response = getResponse(paddedPIN, oneOrTwo ? verifyPIN1 : verifyPIN2, "PIN verification");
+
+ if (response[response.length - 2] != (byte) 0x90 || response[response.length - 1] != 0x00) {
+ if (response[response.length - 2] == 0x69 && response[response.length - 1] == (byte) 0x83) {
+ throw new RuntimeException("Invalid PIN. Authentication method blocked.");
+ } else {
+ throw new RuntimeException(String.format("Invalid PIN. Attempts left: %d.", response[response.length - 1] + 64));
+ }
+ }
+ }
+
+ /**
+ * Retrieves the authentication or signature certificate from the chip
+ *
+ * @param authOrSign true for auth, false for sign cert
+ * @return the requested certificate
+ */
+ public byte[] getCertificate(boolean authOrSign) throws NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, IOException {
+
+ selectFile(IASECCFID, "the master application");
+
+ selectFile(authOrSign ? AWP : QSCD, "the application");
+
+ selectFile(authOrSign ? authCert : signCert, "the certificate");
+
+ byte[] certificate = new byte[0];
+ byte[] readCert = Arrays.copyOf(readFile, readFile.length);
+ // Construct the certificate byte array n=indexOfTerminator bytes at a time
+ for (int i = 0; i < 16; i++) {
+
+ // Set the P1/P2 values to incrementally read the certificate
+ readCert[2] = (byte) (certificate.length / 256);
+ readCert[3] = (byte) (certificate.length % 256);
+ byte[] response = getResponse(new byte[0], readCert, "Read the certificate");
+ if (response[response.length - 2] == 0x6b && response[response.length - 1] == 0x00) {
+ throw new RuntimeException("Wrong read parameters.");
+ }
+
+ // Set the range containing a portion of the certificate and decrypt it
+ int start = response[2] == 1 ? 3 : 4;
+ int end = start + (response[start - 2] + 256) % 256 - 1;
+ byte[] decrypted = encryptDecryptData(Arrays.copyOfRange(response, start, end), Cipher.DECRYPT_MODE);
+ int indexOfTerminator = Hex.toHexString(decrypted).lastIndexOf("80") / 2;
+ certificate = Arrays.copyOf(certificate, certificate.length + indexOfTerminator);
+ System.arraycopy(decrypted, 0, certificate, certificate.length - indexOfTerminator, indexOfTerminator);
+
+ if (response[response.length - 2] == (byte) 0x90 && response[response.length - 1] == 0x00) {
+ break;
+ }
+ }
+
+ return certificate;
+
+ }
+
+ /**
+ * Signs the authentication token hash
+ *
+ * @param PIN1 PIN1
+ * @param token the token hash to be signed
+ * @return authentication token hash signature
+ */
+ public byte[] authenticate(String PIN1, byte[] token) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, IOException {
+
+ verifyPIN(PIN1.getBytes(StandardCharsets.UTF_8), true);
+
+ selectFile(AWP, "the AWP application");
+
+ byte[] response = getResponse(Env, MSESetEnv, "Set environment");
+ if (response[response.length - 2] != (byte) 0x90 || response[response.length - 1] != 0x00) {
+ throw new RuntimeException("Setting the environment failed.");
+ }
+
+ InternalAuthenticate[4] = (byte) (0x1d + 16 * (token.length / 16));
+ InternalAuthenticate[6] = (byte) (0x11 + 16 * (token.length / 16));
+ response = getResponse(token, InternalAuthenticate, "Internal Authenticate");
+
+ if (response[response.length - 2] != (byte) 0x90 || response[response.length - 1] != 0x00) {
+ throw new RuntimeException("Signing the token failed.");
+ }
+
+ byte[] signature = encryptDecryptData(Arrays.copyOfRange(response, 3, 115), Cipher.DECRYPT_MODE);
+ int indexOfTerminator = Hex.toHexString(signature).lastIndexOf("80") / 2;
+
+ return Arrays.copyOf(signature, indexOfTerminator);
+ }
+
+
+ private byte[] getResponse(byte[] data, byte[] command, String log) throws NoSuchPaddingException, InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, IOException {
+ byte[] response = idCard.transceive(createSecureAPDU(data, command));
+ Log.i(log, Hex.toHexString(response));
+ return response;
+ }
+
}
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/PinFragment.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/PinFragment.kt
index d6a78a4..86dbbc1 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/PinFragment.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/PinFragment.kt
@@ -128,10 +128,14 @@ class PinFragment : Fragment() {
private fun goToTheStart() {
if (args.saving) {
findNavController().navigate(R.id.action_canFragment_to_settingsFragment)
- } else if (args.auth) {
- val resultIntent = Intent()
- requireActivity().setResult(AppCompatActivity.RESULT_CANCELED, resultIntent)
- requireActivity().finish()
+ } else if (args.auth || args.mobile) {
+ if (args.mobile) {
+ val resultIntent = Intent()
+ requireActivity().setResult(AppCompatActivity.RESULT_CANCELED, resultIntent)
+ requireActivity().finish()
+ } else {
+ requireActivity().finishAndRemoveTask()
+ }
} else {
findNavController().navigate(R.id.action_canFragment_to_homeFragment)
}
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/ResultFragment.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/ResultFragment.kt
index 8c61a02..e658c72 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/ResultFragment.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/ResultFragment.kt
@@ -10,15 +10,10 @@ import androidx.appcompat.app.AppCompatActivity
import androidx.fragment.app.Fragment
import androidx.fragment.app.activityViewModels
import androidx.navigation.fragment.navArgs
+import com.google.gson.JsonObject
+import com.koushikdutta.ion.Ion
import com.tarkvaraprojekt.mobileauthapp.databinding.FragmentResultBinding
import com.tarkvaraprojekt.mobileauthapp.model.ParametersViewModel
-import com.tarkvaraprojekt.mobileauthapp.model.SmartCardViewModel
-import com.tarkvaraprojekt.mobileauthapp.network.TokenApi
-import com.tarkvaraprojekt.mobileauthapp.network.TokenItem
-import kotlinx.coroutines.CoroutineScope
-import kotlinx.coroutines.Dispatchers
-import kotlinx.coroutines.launch
-import kotlin.system.exitProcess
/**
* ResultFragment is used to create a JWT and to send response to the website/application
@@ -44,44 +39,52 @@ class ResultFragment : Fragment() {
override fun onViewCreated(view: View, savedInstanceState: Bundle?) {
super.onViewCreated(view, savedInstanceState)
- binding!!.resultBackButton.setOnClickListener {
- if (args.mobile) {
- createResponse()
- }
- }
+ binding!!.resultBackButton.visibility = View.GONE
+ postToken()
}
/**
* Makes a POST request to the backend server with a tokenItem
*/
fun postToken() {
- val tokenData = TokenItem(
- paramsModel.token,
- paramsModel.challenge
- )
- CoroutineScope(Dispatchers.Default).launch {
- val response = TokenApi.retrofitService.postToken(tokenData)
- if (response.isSuccessful) {
- //Success scenario here
- } else {
- //Failure scenario here
- if (args.mobile) {
- createResponse(false)
- } else {
- //Currently for some reason the activity is not killed entirely. Must be looked into further.
- requireActivity().finish()
- exitProcess(0)
+ val json = JsonObject()
+ json.addProperty("token", paramsModel.token)
+ json.addProperty("challenge", paramsModel.challenge)
+
+ Ion.getDefault(activity).conscryptMiddleware.enable(false)
+ Ion.with(activity)
+ .load(paramsModel.origin + paramsModel.authUrl)
+ .setJsonObjectBody(json)
+ .asJsonObject()
+ .setCallback { e, result ->
+ // do stuff with the result or error
+ if (result == null) {
+ // TODO: Set auth message failed and close the app
+ Log.i("Log thingy fail", "result was null")
+ if (args.mobile) {
+ createResponse(false)
+ } else {
+ requireActivity().finishAndRemoveTask()
+ }
+ } else {
+ Log.i("POST request response", result.toString())
+ if (args.mobile) {
+ createResponse(true, result.toString(), paramsModel.token)
+ } else {
+ requireActivity().finishAndRemoveTask()
+ }
+ }
}
- }
- }
}
/**
* Only used when the MobileAuthApp was launched by an app. Not for website use.
*/
- private fun createResponse(success: Boolean = true) {
+ private fun createResponse(success: Boolean = true, result: String = "noResult", token: String = "noToken") {
val responseCode = if (success) AppCompatActivity.RESULT_OK else AppCompatActivity.RESULT_CANCELED
val resultIntent = Intent()
+ resultIntent.putExtra("result", result)
+ resultIntent.putExtra("token", token)
requireActivity().setResult(responseCode, resultIntent)
requireActivity().finish()
}
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/auth/Authenticator.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/auth/Authenticator.kt
index a92d716..023602b 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/auth/Authenticator.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/auth/Authenticator.kt
@@ -1,22 +1,59 @@
package com.tarkvaraprojekt.mobileauthapp.auth
-import android.nfc.tech.IsoDep
+import android.util.Log
import com.tarkvaraprojekt.mobileauthapp.NFC.Comms
-import java.math.BigInteger
+import io.jsonwebtoken.SignatureAlgorithm
+import java.nio.charset.StandardCharsets
+import java.security.MessageDigest
+import java.time.LocalDateTime
+import java.time.ZoneOffset
-class Authenticator(val comms : Comms) {
+class Authenticator(val comms: Comms) {
- public fun authenticate(nonce: BigInteger, challengeUrl: String, pin1: String) {
+ val type = "JWT"
+ val algorithm = "ES384"
+ var iss = "https://self-issued.me" // Will be specified at a later date.
+ val algorithmUsedForSigning = SignatureAlgorithm.ES384
+
+ fun authenticate(challenge: String, originUrl: String, pin1: String): String {
// Ask PIN 1 from the user and get the authentication certificate from the ID card.
- val authenticationCertificate : ByteArray = comms.getAuthenticationCertificate();
+ val authenticationCertificate: ByteArray = comms.getCertificate(true);
- // Create the authentication token (OpenID X509)
+ // Encode the certificate in base64.
+ val base64cert = java.util.Base64.getEncoder().encodeToString(authenticationCertificate)
- // Hash the authentication token.
+ // Get current epoch time.
+ val epoch = LocalDateTime.now(ZoneOffset.UTC).atZone(ZoneOffset.UTC).toEpochSecond()
+
+ // Get expiration time.
+ val exp = LocalDateTime.now(ZoneOffset.UTC).plusSeconds(5 * 60L).atZone(ZoneOffset.UTC)
+ .toEpochSecond()
+
+ // TODO: Get subject value.
+ val sub = "FAMILYNAME.NAME"
+
+ // Get header and claims.
+ val header = """{"typ":"$type","alg":"$algorithm","x5c":["$base64cert"]}"""
+ val claims =
+ """{"iat":"$epoch","exp":"$exp","aud":["$originUrl"],"iss":"$iss","sub":"$sub","nonce":"$challenge","cnf":{"tbh":""}}"""
+
+ val jwt = base64Encode(header.toByteArray(Charsets.UTF_8)) + "." + base64Encode(
+ claims.toByteArray(Charsets.UTF_8)
+ )
// Send the authentication token hash to the ID card for signing and get signed authentication token as response.
+ val encoded =
+ MessageDigest.getInstance("SHA-384").digest(jwt.toByteArray(StandardCharsets.UTF_8))
+ val signed = comms.authenticate(pin1, encoded)
// Return the signed authentication token.
+ return jwt + "." + base64Encode(signed)
}
+
+ fun base64Encode(bytes: ByteArray): String? {
+ val encoded = java.util.Base64.getUrlEncoder().encodeToString(bytes)
+ return encoded.replace("=", "")
+ }
+
}
\ No newline at end of file
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/model/ParametersViewModel.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/model/ParametersViewModel.kt
index 0a76f1d..dbac034 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/model/ParametersViewModel.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/model/ParametersViewModel.kt
@@ -13,6 +13,9 @@ class ParametersViewModel: ViewModel() {
private var _token: String = ""
val token get() = _token
+ private var _origin: String = ""
+ val origin get() = _origin
+
fun setChallenge(newChallenge: String) {
_challenge = newChallenge
}
@@ -24,4 +27,8 @@ class ParametersViewModel: ViewModel() {
fun setToken(newToken: String) {
_token = newToken
}
+
+ fun setOrigin(newOrigin: String) {
+ _origin = newOrigin
+ }
}
\ No newline at end of file
diff --git a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/network/TokenApiService.kt b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/network/TokenApiService.kt
index 56ad1c1..67b952b 100644
--- a/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/network/TokenApiService.kt
+++ b/MobileAuthApp/app/src/main/java/com/tarkvaraprojekt/mobileauthapp/network/TokenApiService.kt
@@ -14,8 +14,8 @@ import retrofit2.http.POST
* Class for making HTTP requests
* Based on https://developer.android.com/courses/pathways/android-basics-kotlin-unit-4-pathway-2
*/
-private const val BASE_URL =
- "add-endpoint-url-here"
+const val BASE_URL =
+ "https://6bb0-85-253-195-252.ngrok.io"
private val moshi = Moshi.Builder().add(KotlinJsonAdapterFactory()).build()
private val retrofit = Retrofit.Builder().addConverterFactory(MoshiConverterFactory.create(moshi))
@@ -23,8 +23,8 @@ private val retrofit = Retrofit.Builder().addConverterFactory(MoshiConverterFact
interface TokenApiService {
@Headers("Content-Type: application/json")
- @POST("auth/authentication")
- suspend fun postToken(@Body data: TokenItem): Response
+ @POST("/auth/authentication")
+ suspend fun postToken(@Body data: String): Response
}
object TokenApi {
diff --git a/MobileAuthApp/app/src/main/res/values-en/strings.xml b/MobileAuthApp/app/src/main/res/values-en/strings.xml
index 7aa4439..36dce82 100644
--- a/MobileAuthApp/app/src/main/res/values-en/strings.xml
+++ b/MobileAuthApp/app/src/main/res/values-en/strings.xml
@@ -56,8 +56,8 @@
FORGET
- See Fragment vastutab vastuse tagastamise eest.
- Hiljem sulgeb rakendus automaatselt.
+ Controlling the created token
+ Wait for the app to closeSettings
diff --git a/MobileAuthApp/app/src/main/res/values-et/strings.xml b/MobileAuthApp/app/src/main/res/values-et/strings.xml
index 66afcfb..63c0eae 100644
--- a/MobileAuthApp/app/src/main/res/values-et/strings.xml
+++ b/MobileAuthApp/app/src/main/res/values-et/strings.xml
@@ -55,8 +55,8 @@
SUGU
- See Fragment vastutab vastuse tagastamise eest.
- Hiljem sulgeb rakendus automaatselt.
+ Tulemust kontrollitakse
+ Rakendus sulgeb ennast iseSeaded
diff --git a/MobileAuthApp/app/src/main/res/values/strings.xml b/MobileAuthApp/app/src/main/res/values/strings.xml
index 0a39206..9c2d2a7 100644
--- a/MobileAuthApp/app/src/main/res/values/strings.xml
+++ b/MobileAuthApp/app/src/main/res/values/strings.xml
@@ -55,8 +55,8 @@
FORGET
- See Fragment vastutab vastuse tagastamise eest.
- Hiljem sulgeb rakendus automaatselt.
+ Controlling the created token
+ Wait for the app to closeSettings
diff --git a/MobileAuthApp/build.gradle b/MobileAuthApp/build.gradle
index 0e1f251..0367823 100644
--- a/MobileAuthApp/build.gradle
+++ b/MobileAuthApp/build.gradle
@@ -9,7 +9,7 @@ buildscript {
kotlin_version = "1.4.30"
}
dependencies {
- classpath "com.android.tools.build:gradle:7.0.2"
+ classpath 'com.android.tools.build:gradle:7.0.3'
classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:1.5.20"
classpath "androidx.navigation:navigation-safe-args-gradle-plugin:$nav_version"
// NOTE: Do not place your application dependencies here; they belong
diff --git a/README.md b/README.md
index cccf57d..5d091a7 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,9 @@ More info about installing third party applications on the Android phones: https
**NB! Before using the application make sure that the NFC is enabled on the phone, otherwise information can not be read from the ID card.**
+### Testing the application
+The project comes with a test mobile application and a test web application that can be used to try the MobileAuthApp authentication feature even if you don't have any web applications or mobile applications that require user authentication. Both projects come with a README file that help with a setup.
+
### Wiki pages relevant for the "Software project" subject
* [Project Vision](https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC/wiki/Project-Vision) *last updated on 10.10*
* [Release Notes](https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC/wiki/Release-notes) *last updated for iteration3 on 08.11*
diff --git a/TestMobileApp/README.md b/TestMobileApp/README.md
new file mode 100644
index 0000000..e84ab0d
--- /dev/null
+++ b/TestMobileApp/README.md
@@ -0,0 +1,10 @@
+# TestMobileApp overview
+### The purpose
+The TestMobileApp was created in order to demonstrate how a different application on the Android smartphone could use the MobileAuthApp for user authentication purposes.
+### Installing the application
+The application installation process is the same as with the MobileAuthApp. Check the guide in the project's [main readme file](https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC#installing-the-application-on-the-phone).
+### Using the application
+In order to use this application a backend server must be running that can issue challenges and verify the token created by the MobileAuthApp.
+Use demoBackend application that is included in the project. Follow the demoBackend setup guide and once you have a backend running take the https address of the backend
+and add it in the TestMobileApp's MainActivty.kt file as the new value for the constant variable BASE_URL (this is easly noticeable in the class as it is pointed out with a comment).
+Now the app can be used.
diff --git a/TestMobileApp/app/src/main/java/com/example/testmobileapp/MainActivity.kt b/TestMobileApp/app/src/main/java/com/example/testmobileapp/MainActivity.kt
index 4184aad..afc6035 100644
--- a/TestMobileApp/app/src/main/java/com/example/testmobileapp/MainActivity.kt
+++ b/TestMobileApp/app/src/main/java/com/example/testmobileapp/MainActivity.kt
@@ -5,10 +5,18 @@ import android.content.Intent
import androidx.appcompat.app.AppCompatActivity
import android.os.Bundle
import android.util.Log
+import android.view.View
import androidx.activity.result.ActivityResultLauncher
import androidx.activity.result.contract.ActivityResultContracts
import com.example.testmobileapp.databinding.ActivityMainBinding
+import com.google.gson.JsonObject
import com.koushikdutta.ion.Ion
+import org.json.JSONObject
+
+/**
+ * Base url where the requests should be made. Add yours here. It must use https.
+ */
+private const val BASE_URL = "https-base-url-here"
/**
* Test mobile app to demonstrate how other applications can use MobileAuthApp.
@@ -18,9 +26,11 @@ class MainActivity : AppCompatActivity() {
private lateinit var authLauncher: ActivityResultLauncher
+ private lateinit var binding: ActivityMainBinding
+
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
- val binding = ActivityMainBinding.inflate(layoutInflater)
+ binding = ActivityMainBinding.inflate(layoutInflater)
setContentView(binding.root)
authLauncher = registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { response ->
@@ -28,25 +38,45 @@ class MainActivity : AppCompatActivity() {
// Currently we are not actually checking whether we get a valid token.
// For testing purposes only, to make sure that we are able to get a response at all.
binding.loginTextView.text = getString(R.string.auth_success)
+ Log.i("getResult", response.data?.getStringExtra("token").toString())
+ Log.i("getResult", response.data?.getStringExtra("result").toString())
+ var user = ""
+ try {
+ val resultObject = JSONObject(response.data?.getStringExtra("result").toString())
+ user = resultObject.getString("principal")
+ } catch (e: Exception) {
+ Log.i("getResult", "unable to retrieve name from principal")
+ }
+ showResult(user)
+ /*
+ binding.loginOptionNfcButton.text = "Log Out"
+ binding.loginOptionNfcButton.setOnClickListener {
+ binding.loginOptionNfcButton.text = "NFC auth"
+ binding.loginOptionNfcButton.setOnClickListener { getData() }
+ }
+
+ */
}
if (response.resultCode == Activity.RESULT_CANCELED) {
binding.loginTextView.text = getString(R.string.auth_failure)
}
}
- binding.loginOptionNfcButton.setOnClickListener { launchAuth() }
- //binding.loginOptionNfcButton.setOnClickListener { getData() }
+ showLogin()
+
+ binding.loginOptionNfcButton.setOnClickListener { getData() }
}
/**
* Method that creates an intent to launch the MobileAuthApp
*/
- private fun launchAuth(challenge: String = "challenge", authUrl: String = "authUrl") {
+ private fun launchAuth(challenge: String = "challenge", originUrl: String = "baseUrl", authUrl: String = "authUrl") {
val launchIntent = Intent()
launchIntent.setClassName("com.tarkvaraprojekt.mobileauthapp", "com.tarkvaraprojekt.mobileauthapp.MainActivity")
launchIntent.putExtra("action", "auth")
launchIntent.putExtra("challenge", challenge)
+ launchIntent.putExtra("originUrl", originUrl)
launchIntent.putExtra("authUrl", authUrl)
launchIntent.putExtra("mobile", true)
authLauncher.launch(launchIntent)
@@ -58,19 +88,35 @@ class MainActivity : AppCompatActivity() {
*/
private fun getData() {
// Enter the server endpoint address to here
- val baseUrl = "enter-base-url-here"
- val url = "$baseUrl/auth/challenge"
+ val url = "$BASE_URL/auth/challenge"
+ Ion.getDefault(this).conscryptMiddleware.enable(false)
Ion.with(applicationContext)
.load(url)
.asJsonObject()
.setCallback { _, result ->
try {
// Get data from the result and call launchAuth method
- val challenge = result.asJsonObject["nonce"].toString()
- launchAuth(challenge, baseUrl)
+ val challenge = result.asJsonObject["nonce"].toString().replace("\"", "")
+ Log.v("Challenge", challenge)
+ launchAuth(challenge, BASE_URL, "/auth/authentication")
} catch (e: Exception) {
Log.i("GETrequest", "was unsuccessful")
}
}
}
+
+ private fun showLogin() {
+ binding.loginOptions.visibility = View.VISIBLE
+ }
+
+ private fun showResult(user: String) {
+ binding.loginOptions.visibility = View.GONE
+ binding.resultLayout.visibility = View.VISIBLE
+ binding.resultObject.text = getString(R.string.hello, user)
+ binding.buttonForget.setOnClickListener {
+ binding.resultObject.text = ""
+ binding.resultLayout.visibility = View.GONE
+ binding.loginOptions.visibility = View.VISIBLE
+ }
+ }
}
\ No newline at end of file
diff --git a/TestMobileApp/app/src/main/res/layout/activity_main.xml b/TestMobileApp/app/src/main/res/layout/activity_main.xml
index 33cefac..dab6a25 100644
--- a/TestMobileApp/app/src/main/res/layout/activity_main.xml
+++ b/TestMobileApp/app/src/main/res/layout/activity_main.xml
@@ -26,7 +26,8 @@
android:layout_margin="12dp"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/login_text_view"
- app:layout_constraintEnd_toEndOf="parent">
+ app:layout_constraintEnd_toEndOf="parent"
+ android:visibility="gone">
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/TestMobileApp/app/src/main/res/values-en/strings.xml b/TestMobileApp/app/src/main/res/values-en/strings.xml
index 86688c5..ccbc137 100644
--- a/TestMobileApp/app/src/main/res/values-en/strings.xml
+++ b/TestMobileApp/app/src/main/res/values-en/strings.xml
@@ -4,6 +4,8 @@
LoginChoose login methodNFC auth
- Successful response
+ Logged inResponse failed
+ Forget
+ Hello, %s!
\ No newline at end of file
diff --git a/TestMobileApp/app/src/main/res/values-et/strings.xml b/TestMobileApp/app/src/main/res/values-et/strings.xml
index 0daf8b4..d4f3981 100644
--- a/TestMobileApp/app/src/main/res/values-et/strings.xml
+++ b/TestMobileApp/app/src/main/res/values-et/strings.xml
@@ -4,6 +4,8 @@
Logi sisseVali sobiv meetodNFC auth
- Vastus kätte saadud
+ Sisse logimine õnnestusVastust ei õnnestunud kätte saada
+ Unusta
+ Tere, %s!
\ No newline at end of file
diff --git a/TestMobileApp/app/src/main/res/values/strings.xml b/TestMobileApp/app/src/main/res/values/strings.xml
index 2353f0b..b340b7e 100644
--- a/TestMobileApp/app/src/main/res/values/strings.xml
+++ b/TestMobileApp/app/src/main/res/values/strings.xml
@@ -3,6 +3,8 @@
LoginChoose login methodNFC auth
- Successful response
+ Logged inResponse failed
+ Forget
+ Hello, %s!
\ No newline at end of file
diff --git a/demoBackend/.gitignore b/demoBackend/.gitignore
new file mode 100644
index 0000000..549e00a
--- /dev/null
+++ b/demoBackend/.gitignore
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
diff --git a/demoBackend/.mvn/wrapper/MavenWrapperDownloader.java b/demoBackend/.mvn/wrapper/MavenWrapperDownloader.java
new file mode 100644
index 0000000..a45eb6b
--- /dev/null
+++ b/demoBackend/.mvn/wrapper/MavenWrapperDownloader.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2007-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.net.*;
+import java.io.*;
+import java.nio.channels.*;
+import java.util.Properties;
+
+public class MavenWrapperDownloader {
+
+ private static final String WRAPPER_VERSION = "0.5.6";
+ /**
+ * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
+ */
+ private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/"
+ + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar";
+
+ /**
+ * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to
+ * use instead of the default one.
+ */
+ private static final String MAVEN_WRAPPER_PROPERTIES_PATH =
+ ".mvn/wrapper/maven-wrapper.properties";
+
+ /**
+ * Path where the maven-wrapper.jar will be saved to.
+ */
+ private static final String MAVEN_WRAPPER_JAR_PATH =
+ ".mvn/wrapper/maven-wrapper.jar";
+
+ /**
+ * Name of the property which should be used to override the default download url for the wrapper.
+ */
+ private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";
+
+ public static void main(String args[]) {
+ System.out.println("- Downloader started");
+ File baseDirectory = new File(args[0]);
+ System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath());
+
+ // If the maven-wrapper.properties exists, read it and check if it contains a custom
+ // wrapperUrl parameter.
+ File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
+ String url = DEFAULT_DOWNLOAD_URL;
+ if (mavenWrapperPropertyFile.exists()) {
+ FileInputStream mavenWrapperPropertyFileInputStream = null;
+ try {
+ mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile);
+ Properties mavenWrapperProperties = new Properties();
+ mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream);
+ url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url);
+ } catch (IOException e) {
+ System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'");
+ } finally {
+ try {
+ if (mavenWrapperPropertyFileInputStream != null) {
+ mavenWrapperPropertyFileInputStream.close();
+ }
+ } catch (IOException e) {
+ // Ignore ...
+ }
+ }
+ }
+ System.out.println("- Downloading from: " + url);
+
+ File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH);
+ if (!outputFile.getParentFile().exists()) {
+ if (!outputFile.getParentFile().mkdirs()) {
+ System.out.println(
+ "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'");
+ }
+ }
+ System.out.println("- Downloading to: " + outputFile.getAbsolutePath());
+ try {
+ downloadFileFromURL(url, outputFile);
+ System.out.println("Done");
+ System.exit(0);
+ } catch (Throwable e) {
+ System.out.println("- Error downloading");
+ e.printStackTrace();
+ System.exit(1);
+ }
+ }
+
+ private static void downloadFileFromURL(String urlString, File destination) throws Exception {
+ if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) {
+ String username = System.getenv("MVNW_USERNAME");
+ char[] password = System.getenv("MVNW_PASSWORD").toCharArray();
+ Authenticator.setDefault(new Authenticator() {
+ @Override
+ protected PasswordAuthentication getPasswordAuthentication() {
+ return new PasswordAuthentication(username, password);
+ }
+ });
+ }
+ URL website = new URL(urlString);
+ ReadableByteChannel rbc;
+ rbc = Channels.newChannel(website.openStream());
+ FileOutputStream fos = new FileOutputStream(destination);
+ fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);
+ fos.close();
+ rbc.close();
+ }
+
+}
diff --git a/demoBackend/.mvn/wrapper/maven-wrapper.jar b/demoBackend/.mvn/wrapper/maven-wrapper.jar
new file mode 100644
index 0000000..2cc7d4a
Binary files /dev/null and b/demoBackend/.mvn/wrapper/maven-wrapper.jar differ
diff --git a/demoBackend/.mvn/wrapper/maven-wrapper.properties b/demoBackend/.mvn/wrapper/maven-wrapper.properties
new file mode 100644
index 0000000..a9f1ef8
--- /dev/null
+++ b/demoBackend/.mvn/wrapper/maven-wrapper.properties
@@ -0,0 +1,2 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.3/apache-maven-3.8.3-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar
diff --git a/demoBackend/README.md b/demoBackend/README.md
new file mode 100644
index 0000000..73cfe53
--- /dev/null
+++ b/demoBackend/README.md
@@ -0,0 +1,39 @@
+# Demo backend + website for mobile authentication project.
+
+## How to run.
+
+
+### 1. Clone GIT repository
+### 2. Setup HTTPS
+Since Web eID only works over HTTPS connection, you'll need to serve the backend and website with an HTTPS certificate. A suitable tool for that is ngrok (https://ngrok.com/).
+To use ngrok, download it and then run the command (may need administrator rights)
+```ngrok http 8080```
+and you should see something like this:
+```
+ngrok by @inconshreveable (Ctrl+C to quit)
+
+Session Status online
+Account TanelOrumaa (Plan: Free)
+Version 2.3.40
+Region United States (us)
+Web Interface http://127.0.0.1:4040
+Forwarding http://somethinghere.ngrok.io -> http://localhost:8080
+Forwarding https://somethinghere.ngrok.io -> http://localhost:8080
+
+Connections ttl opn rt1 rt5 p50 p90
+ 1508 0 0.00 0.00 2.31 75.59
+
+HTTP Requests
+-------------
+```
+
+Copy the second forwarding link (the one with https) and put it in ```com.tarkvaratehnika.demobackend.config.ApplicationConfiguration.kt``` as ```val WEBSITE_ORIGIN_URL = "https://yourlinkhere.com"```
+
+### 3. Run the project
+Use your favourite IDE or just run it via commandline with ```./mvnw spring-boot:run```
+
+On your Android device browser navigate to the url you copied earlier and you should see the website landing page. If you have the mobile authentication app installed, you should be able to log into the website with your Estonian ID-card.
+
+
+## Credits...
+...go out to creators of https://github.com/web-eid/web-eid-spring-boot-example. That example project was used in some parts as an example (files where inspiration was taken are correctly annotated with the appropriate license text).
\ No newline at end of file
diff --git a/demoBackend/mvnw b/demoBackend/mvnw
new file mode 100644
index 0000000..a16b543
--- /dev/null
+++ b/demoBackend/mvnw
@@ -0,0 +1,310 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Maven Start Up Batch script
+#
+# Required ENV vars:
+# ------------------
+# JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+# M2_HOME - location of maven2's installed home dir
+# MAVEN_OPTS - parameters passed to the Java VM when running Maven
+# e.g. to debug Maven itself, use
+# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+# MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+ if [ -f /etc/mavenrc ] ; then
+ . /etc/mavenrc
+ fi
+
+ if [ -f "$HOME/.mavenrc" ] ; then
+ . "$HOME/.mavenrc"
+ fi
+
+fi
+
+# OS specific support. $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "`uname`" in
+ CYGWIN*) cygwin=true ;;
+ MINGW*) mingw=true;;
+ Darwin*) darwin=true
+ # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+ # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+ if [ -z "$JAVA_HOME" ]; then
+ if [ -x "/usr/libexec/java_home" ]; then
+ export JAVA_HOME="`/usr/libexec/java_home`"
+ else
+ export JAVA_HOME="/Library/Java/Home"
+ fi
+ fi
+ ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+ if [ -r /etc/gentoo-release ] ; then
+ JAVA_HOME=`java-config --jre-home`
+ fi
+fi
+
+if [ -z "$M2_HOME" ] ; then
+ ## resolve links - $0 may be a link to maven's home
+ PRG="$0"
+
+ # need this for relative symlinks
+ while [ -h "$PRG" ] ; do
+ ls=`ls -ld "$PRG"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG="`dirname "$PRG"`/$link"
+ fi
+ done
+
+ saveddir=`pwd`
+
+ M2_HOME=`dirname "$PRG"`/..
+
+ # make it fully qualified
+ M2_HOME=`cd "$M2_HOME" && pwd`
+
+ cd "$saveddir"
+ # echo Using m2 at $M2_HOME
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+ [ -n "$M2_HOME" ] &&
+ M2_HOME=`cygpath --unix "$M2_HOME"`
+ [ -n "$JAVA_HOME" ] &&
+ JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+ [ -n "$CLASSPATH" ] &&
+ CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+ [ -n "$M2_HOME" ] &&
+ M2_HOME="`(cd "$M2_HOME"; pwd)`"
+ [ -n "$JAVA_HOME" ] &&
+ JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+ javaExecutable="`which javac`"
+ if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+ # readlink(1) is not available as standard on Solaris 10.
+ readLink=`which readlink`
+ if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+ if $darwin ; then
+ javaHome="`dirname \"$javaExecutable\"`"
+ javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+ else
+ javaExecutable="`readlink -f \"$javaExecutable\"`"
+ fi
+ javaHome="`dirname \"$javaExecutable\"`"
+ javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+ JAVA_HOME="$javaHome"
+ export JAVA_HOME
+ fi
+ fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+ if [ -n "$JAVA_HOME" ] ; then
+ if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+ # IBM's JDK on AIX uses strange locations for the executables
+ JAVACMD="$JAVA_HOME/jre/sh/java"
+ else
+ JAVACMD="$JAVA_HOME/bin/java"
+ fi
+ else
+ JAVACMD="`which java`"
+ fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+ echo "Error: JAVA_HOME is not defined correctly." >&2
+ echo " We cannot execute $JAVACMD" >&2
+ exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+ echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+
+ if [ -z "$1" ]
+ then
+ echo "Path not specified to find_maven_basedir"
+ return 1
+ fi
+
+ basedir="$1"
+ wdir="$1"
+ while [ "$wdir" != '/' ] ; do
+ if [ -d "$wdir"/.mvn ] ; then
+ basedir=$wdir
+ break
+ fi
+ # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+ if [ -d "${wdir}" ]; then
+ wdir=`cd "$wdir/.."; pwd`
+ fi
+ # end of workaround
+ done
+ echo "${basedir}"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+ if [ -f "$1" ]; then
+ echo "$(tr -s '\n' ' ' < "$1")"
+ fi
+}
+
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+ exit 1;
+fi
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Found .mvn/wrapper/maven-wrapper.jar"
+ fi
+else
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+ fi
+ if [ -n "$MVNW_REPOURL" ]; then
+ jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+ else
+ jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+ fi
+ while IFS="=" read key value; do
+ case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+ esac
+ done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Downloading from: $jarUrl"
+ fi
+ wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+ if $cygwin; then
+ wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+ fi
+
+ if command -v wget > /dev/null; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Found wget ... using wget"
+ fi
+ if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+ wget "$jarUrl" -O "$wrapperJarPath"
+ else
+ wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
+ fi
+ elif command -v curl > /dev/null; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Found curl ... using curl"
+ fi
+ if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+ curl -o "$wrapperJarPath" "$jarUrl" -f
+ else
+ curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+ fi
+
+ else
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo "Falling back to using Java to download"
+ fi
+ javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+ # For Cygwin, switch paths to Windows format before running javac
+ if $cygwin; then
+ javaClass=`cygpath --path --windows "$javaClass"`
+ fi
+ if [ -e "$javaClass" ]; then
+ if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo " - Compiling MavenWrapperDownloader.java ..."
+ fi
+ # Compiling the Java class
+ ("$JAVA_HOME/bin/javac" "$javaClass")
+ fi
+ if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+ # Running the downloader
+ if [ "$MVNW_VERBOSE" = true ]; then
+ echo " - Running MavenWrapperDownloader.java ..."
+ fi
+ ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+ fi
+ fi
+ fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+if [ "$MVNW_VERBOSE" = true ]; then
+ echo $MAVEN_PROJECTBASEDIR
+fi
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+ [ -n "$M2_HOME" ] &&
+ M2_HOME=`cygpath --path --windows "$M2_HOME"`
+ [ -n "$JAVA_HOME" ] &&
+ JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+ [ -n "$CLASSPATH" ] &&
+ CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+ [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+ MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+fi
+
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+export MAVEN_CMD_LINE_ARGS
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+exec "$JAVACMD" \
+ $MAVEN_OPTS \
+ -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+ "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+ ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
diff --git a/demoBackend/mvnw.cmd b/demoBackend/mvnw.cmd
new file mode 100644
index 0000000..c8d4337
--- /dev/null
+++ b/demoBackend/mvnw.cmd
@@ -0,0 +1,182 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements. See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership. The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License. You may obtain a copy of the License at
+@REM
+@REM https://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied. See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Maven Start Up Batch script
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
+if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+
+FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+ IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+ if "%MVNW_VERBOSE%" == "true" (
+ echo Found %WRAPPER_JAR%
+ )
+) else (
+ if not "%MVNW_REPOURL%" == "" (
+ SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+ )
+ if "%MVNW_VERBOSE%" == "true" (
+ echo Couldn't find %WRAPPER_JAR%, downloading it ...
+ echo Downloading from: %DOWNLOAD_URL%
+ )
+
+ powershell -Command "&{"^
+ "$webclient = new-object System.Net.WebClient;"^
+ "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+ "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+ "}"^
+ "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+ "}"
+ if "%MVNW_VERBOSE%" == "true" (
+ echo Finished downloading %WRAPPER_JAR%
+ )
+)
+@REM End of extension
+
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
+%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
+if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%" == "on" pause
+
+if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
+
+exit /B %ERROR_CODE%
diff --git a/demoBackend/pom.xml b/demoBackend/pom.xml
new file mode 100644
index 0000000..8b1f7a3
--- /dev/null
+++ b/demoBackend/pom.xml
@@ -0,0 +1,121 @@
+
+
+ 4.0.0
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.5.6
+
+
+ com.tarkvaratehnika
+ demoBackend
+ 0.0.1-SNAPSHOT
+ demoBackend
+ demoBackend
+
+ 11
+ 1.5.31
+ 2.8.5
+ 1.1.1
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ com.fasterxml.jackson.module
+ jackson-module-kotlin
+
+
+ org.jetbrains.kotlin
+ kotlin-reflect
+
+
+ org.jetbrains.kotlin
+ kotlin-stdlib-jdk8
+
+
+
+ org.springframework.boot
+ spring-boot-starter-test
+ test
+
+
+ com.squareup.okhttp3
+ okhttp
+ 4.9.0
+
+
+ org.webeid.security
+ authtoken-validation
+ 1.2.0
+
+
+ javax.cache
+ cache-api
+ ${javaxcache.version}
+
+
+ com.github.ben-manes.caffeine
+ caffeine
+ ${caffeine.version}
+
+
+ com.github.ben-manes.caffeine
+ jcache
+ ${caffeine.version}
+
+
+ org.springframework.boot
+ spring-boot-starter-thymeleaf
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ org.springframework.security
+ spring-security-config
+
+
+
+
+
+ gitlab
+ https://gitlab.com/api/v4/projects/19948337/packages/maven
+
+
+
+
+ ${project.basedir}/src/main/kotlin
+ ${project.basedir}/src/test/kotlin
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+ org.jetbrains.kotlin
+ kotlin-maven-plugin
+
+
+ -Xjsr305=strict
+
+
+ spring
+
+
+
+
+ org.jetbrains.kotlin
+ kotlin-maven-allopen
+ ${kotlin.version}
+
+
+
+
+
+
+
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/DemoBackendApplication.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/DemoBackendApplication.kt
new file mode 100644
index 0000000..271a50a
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/DemoBackendApplication.kt
@@ -0,0 +1,13 @@
+package com.tarkvaratehnika.demobackend
+
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration
+import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
+import org.springframework.boot.runApplication
+
+@SpringBootApplication(exclude=[SecurityAutoConfiguration::class])
+class DemoBackendApplication
+
+fun main(args: Array) {
+ runApplication(*args)
+}
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/config/ApplicationConfiguration.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/config/ApplicationConfiguration.kt
new file mode 100644
index 0000000..ca49fdb
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/config/ApplicationConfiguration.kt
@@ -0,0 +1,16 @@
+package com.tarkvaratehnika.demobackend.config
+
+class ApplicationConfiguration {
+
+ companion object {
+ // URL for intent, do not edit.
+ val AUTH_APP_LAUNCH_INTENT = "authapp://start/"
+ // Endpoint for challenge.
+ val CHALLENGE_ENDPOINT_URL = "/auth/challenge"
+ // Endpoint for authentication
+ val AUTHENTICATION_ENDPOINT_URL = "/auth/authentication"
+ // URL for application. Use ngrok for HTTPS (or a tool of your own choice) and put the HTTPS link here.
+ val WEBSITE_ORIGIN_URL = "https://5d0c-85-253-195-195.ngrok.io"
+ }
+
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/config/ValidationConfiguration.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/config/ValidationConfiguration.kt
new file mode 100644
index 0000000..3bdefc4
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/config/ValidationConfiguration.kt
@@ -0,0 +1,167 @@
+package com.tarkvaratehnika.demobackend.config
+
+import com.github.benmanes.caffeine.jcache.spi.CaffeineCachingProvider
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.core.io.support.PathMatchingResourcePatternResolver
+import org.webeid.security.exceptions.JceException
+import org.webeid.security.nonce.NonceGenerator
+import org.webeid.security.nonce.NonceGeneratorBuilder
+import org.webeid.security.validator.AuthTokenValidator
+import org.webeid.security.validator.AuthTokenValidatorBuilder
+import java.io.IOException
+import java.net.URI
+import java.security.KeyStore
+import java.security.KeyStoreException
+import java.security.NoSuchAlgorithmException
+import java.security.cert.CertificateException
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+import java.time.ZonedDateTime
+import java.util.concurrent.TimeUnit
+import javax.cache.Cache
+import javax.cache.CacheManager
+import javax.cache.Caching
+import javax.cache.configuration.CompleteConfiguration
+import javax.cache.configuration.FactoryBuilder
+import javax.cache.configuration.MutableConfiguration
+import javax.cache.expiry.CreatedExpiryPolicy
+import javax.cache.expiry.Duration
+
+import javax.cache.configuration.FactoryBuilder.factoryOf
+
+@Configuration
+class ValidationConfiguration {
+
+ private val LOG: Logger = LoggerFactory.getLogger(ValidationConfiguration::class.java)
+
+ private val NONCE_TTL_MINUTES: Long = 5
+ private val CACHE_NAME = "nonceCache"
+ private val CERTS_RESOURCE_PATH = "/certs/"
+ private val TRUSTED_CERTIFICATES_JKS = "trusted_certificates.jks"
+ private val TRUSTSTORE_PASSWORD = "changeit"
+ companion object {
+ const val ROLE_USER : String = "ROLE_USER"
+ }
+
+ init {
+ LOG.warn("Creating new ValidationConfiguration.")
+ }
+
+ @Bean
+ fun cacheManager(): CacheManager {
+ return Caching.getCachingProvider(CaffeineCachingProvider::class.java.name).cacheManager
+ }
+
+ @Bean
+ fun nonceCache(): Cache? {
+ val cacheManager: CacheManager = cacheManager()
+ var cache =
+ cacheManager.getCache(CACHE_NAME)
+
+ if (cache == null) {
+ LOG.warn("Creating new cache.")
+ cache = createNonceCache(cacheManager)
+ }
+ return cache
+ }
+
+ @Bean
+ fun generator(): NonceGenerator? {
+ return NonceGeneratorBuilder()
+ .withNonceTtl(java.time.Duration.ofMinutes(NONCE_TTL_MINUTES))
+ .withNonceCache(nonceCache())
+ .build()
+ }
+
+ private fun createNonceCache(cacheManager: CacheManager): Cache? {
+ val cacheConfig: CompleteConfiguration = MutableConfiguration()
+ .setTypes(String::class.java, ZonedDateTime::class.java)
+ .setExpiryPolicyFactory(
+ factoryOf(
+ CreatedExpiryPolicy(
+ Duration(
+ TimeUnit.MINUTES,
+ NONCE_TTL_MINUTES + 1
+ )
+ )
+ )
+ )
+ return cacheManager.createCache(CACHE_NAME, cacheConfig)
+ }
+
+ @Bean
+ fun loadTrustedCACertificatesFromCerFiles() : Array {
+ val caCertificates = ArrayList()
+
+ try {
+ val certFactory = CertificateFactory.getInstance("X.509")
+ val resolver = PathMatchingResourcePatternResolver()
+ val resources = resolver.getResources("$CERTS_RESOURCE_PATH/*.cer")
+
+ resources.forEach { resource ->
+ val caCertificate = certFactory.generateCertificate(resource.inputStream) as X509Certificate
+ caCertificates.add(caCertificate)
+ }
+ } catch (e : Exception) {
+ when (e){
+ is CertificateException, is IOException -> {
+ throw RuntimeException("Error initializing trusted CA certificates. $e")
+ }
+ }
+ }
+ return caCertificates.toTypedArray()
+ }
+
+ @Bean
+ fun loadTrustedCACertificatesFromTrustStore() : Array {
+ val caCertificates = ArrayList()
+
+ ValidationConfiguration::class.java.getResourceAsStream("$CERTS_RESOURCE_PATH/$TRUSTED_CERTIFICATES_JKS").use { inputStream ->
+ try {
+ if (inputStream == null) {
+ // No truststore files found.
+ return arrayOf()
+ }
+
+ val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
+ keyStore.load(inputStream, TRUSTSTORE_PASSWORD.toCharArray())
+ val aliases = keyStore.aliases()
+
+ while (aliases.hasMoreElements()) {
+ val alias = aliases.nextElement()
+ val certificate = keyStore.getCertificate(alias) as X509Certificate
+ caCertificates.add(certificate)
+ }
+
+
+ } catch (e : Exception) {
+ when (e) {
+ is IOException, is CertificateException, is KeyStoreException, is NoSuchAlgorithmException -> {
+ throw RuntimeException("Error initializing trusted CA certificates from trust store. $e")
+ }
+ }
+ }
+ }
+
+ return caCertificates.toTypedArray()
+ }
+
+ @Bean
+ fun validator() : AuthTokenValidator {
+ try {
+ return AuthTokenValidatorBuilder()
+ .withSiteOrigin(URI.create(ApplicationConfiguration.WEBSITE_ORIGIN_URL))
+ .withNonceCache(nonceCache())
+ .withTrustedCertificateAuthorities(*loadTrustedCACertificatesFromCerFiles())
+ .withTrustedCertificateAuthorities(*loadTrustedCACertificatesFromTrustStore())
+ .build()
+ } catch (e : JceException) {
+ throw RuntimeException("Error building the Web eID auth token validator.", e)
+ }
+ }
+
+
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/dto/ChallengeDto.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/dto/ChallengeDto.kt
new file mode 100644
index 0000000..9703034
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/dto/ChallengeDto.kt
@@ -0,0 +1,3 @@
+package com.tarkvaratehnika.demobackend.dto
+
+data class ChallengeDto(val nonce : String)
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/AuthTokenDTO.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/AuthTokenDTO.kt
new file mode 100644
index 0000000..6b50be8
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/AuthTokenDTO.kt
@@ -0,0 +1,6 @@
+package com.tarkvaratehnika.demobackend.security
+
+import com.fasterxml.jackson.annotation.JsonProperty
+
+class AuthTokenDTO (val token : String, val challenge : String) {
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/AuthTokenDTOAuthenticationProvider.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/AuthTokenDTOAuthenticationProvider.kt
new file mode 100644
index 0000000..122eb1b
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/AuthTokenDTOAuthenticationProvider.kt
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2020, 2021 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tarkvaratehnika.demobackend.security
+
+import com.tarkvaratehnika.demobackend.config.ValidationConfiguration
+import com.tarkvaratehnika.demobackend.config.ValidationConfiguration.Companion.ROLE_USER
+import com.tarkvaratehnika.demobackend.web.rest.AuthenticationController
+import org.slf4j.LoggerFactory
+import org.springframework.security.authentication.AuthenticationServiceException
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.AuthenticationException
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import org.springframework.stereotype.Component
+import org.webeid.security.exceptions.TokenValidationException
+import org.webeid.security.validator.AuthTokenValidator
+import java.security.cert.CertificateEncodingException
+import java.security.cert.X509Certificate
+
+
+@Component
+object AuthTokenDTOAuthenticationProvider {
+
+ private val LOG = LoggerFactory.getLogger(AuthTokenDTOAuthenticationProvider::class.java)
+
+
+ private val USER_ROLE: GrantedAuthority = SimpleGrantedAuthority(ROLE_USER)
+
+
+ val tokenValidator: AuthTokenValidator = ValidationConfiguration().validator()
+
+ @Throws(AuthenticationException::class)
+ fun authenticate(auth : Authentication) : Authentication {
+ val authentication = auth as PreAuthenticatedAuthenticationToken
+ val token = (authentication.credentials as AuthTokenDTO).token
+ val challenge = (authentication.credentials as AuthTokenDTO).challenge
+ val authorities = arrayListOf()
+ authorities.add(USER_ROLE)
+
+ try {
+ val userCertificate: X509Certificate = tokenValidator.validate(token)
+ return WebEidAuthentication.fromCertificate(userCertificate, authorities, challenge)
+ } catch (e : TokenValidationException) {
+ // Validation failed.
+ throw AuthenticationServiceException("Token validation failed. " + e.message)
+ } catch (e : CertificateEncodingException) {
+ // Failed to extract subject fields from the certificate.
+ throw AuthenticationServiceException("Incorrect certificate subject fields: " + e.message)
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/WebEidAuthentication.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/WebEidAuthentication.kt
new file mode 100644
index 0000000..c87ed42
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/security/WebEidAuthentication.kt
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2020, 2021 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tarkvaratehnika.demobackend.security
+
+import org.webeid.security.certificate.CertificateData
+
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import java.security.cert.X509Certificate
+import java.util.*
+import java.util.concurrent.ThreadLocalRandom
+import kotlin.collections.ArrayList
+import kotlin.math.log
+
+class WebEidAuthentication(
+ private val principalName: String,
+ private val idCode: String,
+ private val authorities: ArrayList
+) : PreAuthenticatedAuthenticationToken(principalName, idCode, authorities), Authentication {
+
+ // Companion object is for static functions.
+ companion object {
+
+ private val loggedInUsers = HashMap()
+
+ fun fromCertificate(
+ userCertificate: X509Certificate,
+ authorities: ArrayList,
+ challenge: String
+ ): Authentication {
+ val principalName = getPrincipalNameFromCertificate(userCertificate)
+ val idCode = Objects.requireNonNull(CertificateData.getSubjectIdCode(userCertificate))
+ val authentication = WebEidAuthentication(principalName, idCode, authorities)
+ loggedInUsers[challenge] = authentication
+ return authentication
+ }
+
+ /**
+ * Function for getting a Spring authentication object by supplying a challenge.
+ * TODO: Figure out a more secure solution in the future.
+ */
+ fun fromChallenge(challenge: String): Authentication? {
+// if (ThreadLocalRandom.current().nextFloat() < 0.5f) { // TODO: For testing.
+// return null
+// }
+ val auth = loggedInUsers[challenge]
+ if (auth != null) {
+ // If challenge is valid, delete the authentication object from the map (so this can only be fetched once).
+ loggedInUsers.remove(challenge)
+ } else {
+ return null
+ }
+ return auth
+ }
+
+// // TODO: DELETE
+//
+// const val ROLE_USER: String = "ROLE_USER"
+// private val USER_ROLE: GrantedAuthority = SimpleGrantedAuthority(ROLE_USER)
+//
+// fun addAuth(challenge: String) {
+// val authorities = arrayListOf()
+// authorities.add(USER_ROLE)
+// val auth = WebEidAuthentication("Somename", "11111111111", authorities)
+// loggedInUsers[challenge] = auth
+// }
+//
+//
+// // TODO: DELETE UNTIL
+
+ private fun getPrincipalNameFromCertificate(userCertificate: X509Certificate): String {
+ return Objects.requireNonNull(CertificateData.getSubjectGivenName(userCertificate)) + " " +
+ Objects.requireNonNull(CertificateData.getSubjectSurname(userCertificate))
+ }
+ }
+
+
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/LoginController.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/LoginController.kt
new file mode 100644
index 0000000..e4c6535
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/LoginController.kt
@@ -0,0 +1,20 @@
+package com.tarkvaratehnika.demobackend.web
+
+import com.tarkvaratehnika.demobackend.config.ApplicationConfiguration
+import org.springframework.stereotype.Controller
+import org.springframework.ui.Model
+import org.springframework.web.bind.annotation.GetMapping
+
+@Controller
+class LoginController {
+
+ @GetMapping
+ fun login(model : Model) : String {
+ model.addAttribute("intentUrl", ApplicationConfiguration.AUTH_APP_LAUNCH_INTENT)
+ model.addAttribute("challengeUrl", ApplicationConfiguration.CHALLENGE_ENDPOINT_URL)
+ model.addAttribute("originUrl", ApplicationConfiguration.WEBSITE_ORIGIN_URL)
+ model.addAttribute("loggedInUrl", "/signature")
+ model.addAttribute("authenticationRequestUrl", ApplicationConfiguration.AUTHENTICATION_ENDPOINT_URL)
+ return "index"
+ }
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/SignatureController.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/SignatureController.kt
new file mode 100644
index 0000000..d526fec
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/SignatureController.kt
@@ -0,0 +1,20 @@
+package com.tarkvaratehnika.demobackend.web
+
+import com.tarkvaratehnika.demobackend.config.ValidationConfiguration.Companion.ROLE_USER
+import org.springframework.security.access.prepost.PreAuthorize
+import org.springframework.stereotype.Controller
+import org.springframework.ui.Model
+import org.springframework.web.bind.annotation.GetMapping
+
+@Controller
+class SignatureController {
+
+
+ @PreAuthorize("hasAuthority('$ROLE_USER')")
+ @GetMapping("signature")
+ fun signature(model : Model) : String {
+// model.addAttribute("intentUrl", ApplicationConfiguration.AUTH_APP_LAUNCH_INTENT)
+// model.addAttribute("challengeUrl", ApplicationConfiguration.CHALLENGE_ENDPOINT_URL)
+ return "signature"
+ }
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/AuthenticationController.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/AuthenticationController.kt
new file mode 100644
index 0000000..6414441
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/AuthenticationController.kt
@@ -0,0 +1,40 @@
+package com.tarkvaratehnika.demobackend.web.rest
+
+import com.tarkvaratehnika.demobackend.security.AuthTokenDTO
+import com.tarkvaratehnika.demobackend.security.AuthTokenDTOAuthenticationProvider
+import com.tarkvaratehnika.demobackend.security.WebEidAuthentication
+import org.slf4j.LoggerFactory
+import org.springframework.http.HttpStatus
+import org.springframework.http.MediaType
+import org.springframework.security.core.Authentication
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import org.springframework.web.bind.annotation.*
+import org.springframework.web.server.ResponseStatusException
+
+@RestController
+@RequestMapping("auth")
+class AuthenticationController {
+
+ private val LOG = LoggerFactory.getLogger(AuthenticationController::class.java)
+
+
+ @PostMapping("authentication", consumes = [MediaType.APPLICATION_JSON_VALUE], produces = [MediaType.APPLICATION_JSON_VALUE])
+ fun authenticate(@RequestBody body : String): Authentication {
+ val parts = body.split("\"")
+ val authToken = AuthTokenDTO(parts[3], parts[7])
+ // Create Spring Security Authentication object with supplied token as credentials.
+ val auth = PreAuthenticatedAuthenticationToken(null, authToken)
+
+ // Return authentication object if success.
+ return AuthTokenDTOAuthenticationProvider.authenticate(auth)
+ }
+
+ @GetMapping("authentication", produces = [MediaType.APPLICATION_JSON_VALUE])
+ fun getAuthenticated(@RequestParam challenge: String) : Authentication? {
+ val auth = WebEidAuthentication.fromChallenge(challenge)
+ if (auth == null) {
+ throw ResponseStatusException(HttpStatus.FORBIDDEN, "Not allowed.")
+ }
+ return auth
+ }
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/ChallengeController.kt b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/ChallengeController.kt
new file mode 100644
index 0000000..7333c9d
--- /dev/null
+++ b/demoBackend/src/main/kotlin/com/tarkvaratehnika/demobackend/web/rest/ChallengeController.kt
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2020, 2021 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.tarkvaratehnika.demobackend.web.rest
+
+import com.tarkvaratehnika.demobackend.dto.ChallengeDto
+import com.tarkvaratehnika.demobackend.security.WebEidAuthentication
+import org.slf4j.LoggerFactory
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RestController
+import org.webeid.security.nonce.NonceGenerator
+
+@RestController
+@RequestMapping("auth")
+class ChallengeController (val nonceGenerator: NonceGenerator) {
+
+ private val LOG = LoggerFactory.getLogger(ChallengeController::class.java)
+
+ @GetMapping("challenge")
+ fun challenge(): ChallengeDto {
+ val challengeDto = ChallengeDto(nonceGenerator.generateAndStoreNonce())
+ LOG.warn(challengeDto.nonce)
+// WebEidAuthentication.addAuth(challengeDto.nonce) // For testing.
+ return challengeDto
+ }
+
+}
+
diff --git a/demoBackend/src/main/resources/application.properties b/demoBackend/src/main/resources/application.properties
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/demoBackend/src/main/resources/application.properties
@@ -0,0 +1 @@
+
diff --git a/demoBackend/src/main/resources/certs/ESTEID-SK_2015.cer b/demoBackend/src/main/resources/certs/ESTEID-SK_2015.cer
new file mode 100644
index 0000000..b166955
Binary files /dev/null and b/demoBackend/src/main/resources/certs/ESTEID-SK_2015.cer differ
diff --git a/demoBackend/src/main/resources/certs/ESTEID2018.cer b/demoBackend/src/main/resources/certs/ESTEID2018.cer
new file mode 100644
index 0000000..6200181
Binary files /dev/null and b/demoBackend/src/main/resources/certs/ESTEID2018.cer differ
diff --git a/demoBackend/src/main/resources/certs/trusted_certificates.jks b/demoBackend/src/main/resources/certs/trusted_certificates.jks
new file mode 100644
index 0000000..0276f80
Binary files /dev/null and b/demoBackend/src/main/resources/certs/trusted_certificates.jks differ
diff --git a/demoBackend/src/main/resources/static/css/main.css b/demoBackend/src/main/resources/static/css/main.css
new file mode 100644
index 0000000..1b6bc96
--- /dev/null
+++ b/demoBackend/src/main/resources/static/css/main.css
@@ -0,0 +1,29 @@
+html {
+ font-size: 2vh;
+}
+
+.navbar {
+ padding-left: 1rem;
+ padding-right: 1rem;
+}
+
+.cont {
+ display: grid;
+ width: 80%;
+ padding-top: 10%;
+ margin-left: auto;
+ margin-right: auto;
+ justify-items: center;
+}
+
+h4 {
+ margin: 10%;
+}
+
+#loginButton {
+ width: 40%;
+}
+
+.cont > * {
+ margin: 1rem;
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/resources/static/js/index.js b/demoBackend/src/main/resources/static/js/index.js
new file mode 100644
index 0000000..083655f
--- /dev/null
+++ b/demoBackend/src/main/resources/static/js/index.js
@@ -0,0 +1,14 @@
+window.onload = () => {
+ // Add event listener for login button.
+ let loginButton = document.getElementById("loginButton");
+
+ if (loginButton != null) {
+ loginButton.addEventListener("click", () => {
+ let action = loginButton.getAttribute("data-action");
+ loginButton.setAttribute("disabled", "true");
+ loginButton.textContent = "Logging in";
+ launchAuthApp(action);
+ })
+ }
+}
+
diff --git a/demoBackend/src/main/resources/static/js/main.js b/demoBackend/src/main/resources/static/js/main.js
new file mode 100644
index 0000000..46b607a
--- /dev/null
+++ b/demoBackend/src/main/resources/static/js/main.js
@@ -0,0 +1,71 @@
+const POLLING_INTERVAL = 1000;
+const POLLING_RETRIES = 120;
+
+function launchAuthApp(action) {
+ if (!isAndroid()) {
+ alert("Functionality only available for Android devices.")
+ return null
+ }
+
+ // Fetch challenge.
+ httpGetAsync(originUrl + challengeUrl, (body) => {
+ let data = JSON.parse(body);
+ let challenge = data.nonce;
+ let intent = createParametrizedIntentUrl(challenge, action, originUrl); // TODO: Error handling.
+ console.log(intent);
+ window.location.href = intent;
+ pollForAuth(POLLING_INTERVAL, challenge);
+ })
+}
+
+function pollForAuth(timeout, challenge) {
+ console.log("Polling for auth");
+ let encodedChallenge = encodeURIComponent(challenge);
+ let requestUrl = originUrl + authenticationRequestUrl + "?challenge=" + encodedChallenge;
+ let counter = 0;
+ let timer = setInterval(() => {
+ // Fetch authentication object.
+ httpGetAsync(requestUrl, (body) => {
+ console.log(body);
+ // If this is a successful request, stop the polling.
+ clearInterval(timer);
+ window.location.href = originUrl + loggedInUrl;
+ });
+ counter++;
+ if (counter > POLLING_RETRIES) {
+ clearInterval(timer); // Stop polling after some time.
+ let loginErrorAlert = document.getElementById("loginErrorAlert");
+ loginErrorAlert.classList.remove("d-none")
+ }
+ }, timeout)
+
+}
+
+function createParametrizedIntentUrl(challenge, action) {
+ if (action == null) {
+ console.error("There has to be an action for intent.")
+ }
+ else if (challenge == null) {
+ console.error("Challenge missing, can't authenticate without it.")
+ } else {
+ return intentUrl + "?" + "action=" + action + "&challenge=" + encodeURIComponent(challenge) + "&authUrl=" + authenticationRequestUrl + "&originUrl=" + originUrl;
+ }
+}
+
+function isAndroid() {
+ // Check if using Android device.
+ const ua = navigator.userAgent.toLowerCase();
+ return ua.indexOf("android") > -1;
+}
+
+function httpGetAsync(theUrl, callback) {
+ console.log("Sending a request.")
+ const xmlHttp = new XMLHttpRequest();
+ xmlHttp.onreadystatechange = function () {
+ if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
+ callback(xmlHttp.responseText);
+ }
+ }
+ xmlHttp.open("GET", theUrl, true); // true for asynchronous
+ xmlHttp.send(null);
+}
\ No newline at end of file
diff --git a/demoBackend/src/main/resources/templates/index.html b/demoBackend/src/main/resources/templates/index.html
new file mode 100644
index 0000000..a436fea
--- /dev/null
+++ b/demoBackend/src/main/resources/templates/index.html
@@ -0,0 +1,38 @@
+
+
+
+ Login
+
+
+
+
+
+
+
+
+
+
+
+
+
Welcome to Estonian ID card mobile authentication demo website. When using a mobile phone, you can log in to the
+ website using your ID card by using the button below.
+
Make sure you've installed the authentication app from: GitHub
+
+
+ Login failed. Refresh the page to try again.
+
+
+
+
\ No newline at end of file
diff --git a/demoBackend/src/main/resources/templates/signature.html b/demoBackend/src/main/resources/templates/signature.html
new file mode 100644
index 0000000..5c4bd12
--- /dev/null
+++ b/demoBackend/src/main/resources/templates/signature.html
@@ -0,0 +1,35 @@
+
+
+
+ Login
+
+
+
+
+
+
+
+
+
+
+
+
Congratulations! You have just authenticated yourself using your mobile phone and your ID-card. You can try to
+ give a signature to a file now.
+
This page is still WIP, signing a document feature will be implemented later.
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/demoBackend/src/test/kotlin/com/tarkvaratehnika/demobackend/DemoBackendApplicationTests.kt b/demoBackend/src/test/kotlin/com/tarkvaratehnika/demobackend/DemoBackendApplicationTests.kt
new file mode 100644
index 0000000..9e9ca3a
--- /dev/null
+++ b/demoBackend/src/test/kotlin/com/tarkvaratehnika/demobackend/DemoBackendApplicationTests.kt
@@ -0,0 +1,13 @@
+package com.tarkvaratehnika.demobackend
+
+import org.junit.jupiter.api.Test
+import org.springframework.boot.test.context.SpringBootTest
+
+@SpringBootTest
+class DemoBackendApplicationTests {
+
+ @Test
+ fun contextLoads() {
+ }
+
+}