smart-id-ruby-client 0.1.0

data/lib/smart_id_ruby/validation/certificate_validator.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "net/http"
+require "uri"
+
+module SmartIdRuby
+  module Validation
+    # Validates X.509 certificate validity period and trust chain.
+    class CertificateValidator
+      def initialize(trusted_ca_cert_store: nil, use_system_store: true)
+        @trusted_ca_cert_store = trusted_ca_cert_store
+        @use_system_store = use_system_store
+      end
+
+      def validate(certificate)
+        validate_certificate_is_currently_valid(certificate)
+        validate_certificate_chain(certificate)
+      end
+
+      private
+
+      def validate_certificate_is_currently_valid(certificate)
+        now = Time.now
+        return if certificate.not_before <= now && now <= certificate.not_after
+
+        raise SmartIdRuby::Errors::UnprocessableResponseError, "Certificate is invalid"
+      rescue OpenSSL::X509::CertificateError, NoMethodError => e
+        logger.error("Certificate is expired or not yet valid: #{certificate_subject(certificate)} (#{e.class}: #{e.message})")
+        raise SmartIdRuby::Errors::UnprocessableResponseError, "Certificate is invalid"
+      end
+
+      def validate_certificate_chain(certificate)
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths if @use_system_store
+
+        trusted_chain = []
+        if @trusted_ca_cert_store
+          @trusted_ca_cert_store.trust_anchors.each { |cert| store.add_cert(cert) }
+          @trusted_ca_cert_store.trusted_ca_certificates.each do |cert|
+            store.add_cert(cert)
+            trusted_chain << cert
+          end
+        end
+
+        store_context = OpenSSL::X509::StoreContext.new(store, certificate, trusted_chain)
+        if store_context.verify
+          log_validated_chain(store_context)
+          validate_ocsp_revocation!(certificate, Array(store_context.chain), store)
+          return
+        end
+
+        raise SmartIdRuby::Errors::UnprocessableResponseError, "Certificate chain validation failed"
+      rescue OpenSSL::X509::StoreError
+        raise SmartIdRuby::Errors::UnprocessableResponseError, "Certificate chain validation failed"
+      end
+
+      def log_validated_chain(store_context)
+        return unless logger.respond_to?(:debug?) && logger.debug?
+
+        chain = Array(store_context.chain)
+        leaf = chain[0]
+        intermediate = chain[1]
+        trust_anchor = chain.last
+        logger.debug(
+          "Leaf: #{certificate_common_name(leaf)}, " \
+          "Intermediate: #{certificate_common_name(intermediate)}, " \
+          "Trust anchor: #{certificate_common_name(trust_anchor)}"
+        )
+      rescue StandardError
+        # Keep certificate validation resilient even if debug chain details are unavailable.
+      end
+
+      def certificate_common_name(certificate)
+        return "N/A" unless certificate.respond_to?(:subject) && certificate.subject
+
+        entry = certificate.subject.to_a.find { |name, _value, _type| name == "CN" }
+        entry ? entry[1] : certificate.subject.to_s
+      end
+
+      def certificate_subject(certificate)
+        certificate&.subject&.to_s || "unknown"
+      end
+
+      def validate_ocsp_revocation!(certificate, chain, store)
+        return unless @trusted_ca_cert_store&.ocsp_enabled?
+
+        issuer = find_issuer_certificate(certificate, chain)
+        ocsp_url = extract_ocsp_url(certificate)
+        if issuer.nil? || ocsp_url.nil?
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "OCSP validation failed"
+        end
+
+        cert_id = OpenSSL::OCSP::CertificateId.new(certificate, issuer, OpenSSL::Digest::SHA1.new)
+        request = OpenSSL::OCSP::Request.new
+        request.add_certid(cert_id)
+        request.add_nonce
+
+        response = perform_ocsp_request(ocsp_url, request.to_der)
+        unless response.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "OCSP responder returned non-success status"
+        end
+
+        basic_response = response.basic
+        if basic_response.nil?
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "OCSP response does not contain basic response"
+        end
+
+        verify_ocsp_response_signature!(basic_response, store)
+
+        status_entries = Array(basic_response.status)
+        cert_status = status_entries.first&.[](1)
+        case cert_status
+        when OpenSSL::OCSP::V_CERTSTATUS_GOOD
+          logger.debug("OCSP status for certificate is GOOD") if logger.respond_to?(:debug?) && logger.debug?
+        when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "Certificate is revoked according to OCSP response"
+        else
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "Certificate OCSP status is unknown"
+        end
+      rescue OpenSSL::OCSP::OCSPError, OpenSSL::X509::StoreError, SocketError, SystemCallError, Timeout::Error => e
+        raise SmartIdRuby::Errors::UnprocessableResponseError, "OCSP validation failed: #{e.message}"
+      end
+
+      def find_issuer_certificate(certificate, chain)
+        issuer_subject = certificate&.issuer
+        Array(chain).find { |cert| cert != certificate && cert.subject == issuer_subject }
+      end
+
+      def extract_ocsp_url(certificate)
+        aia_ext = certificate.extensions.find { |ext| ext.oid == "authorityInfoAccess" }
+        return nil if aia_ext.nil?
+
+        match = aia_ext.value.to_s.match(/OCSP\s*-\s*URI:([^\s,]+)/i)
+        match && match[1]
+      rescue OpenSSL::X509::ExtensionError, NoMethodError
+        nil
+      end
+
+      def perform_ocsp_request(url, body)
+        uri = URI.parse(url)
+        request = Net::HTTP::Post.new(uri.request_uri)
+        request["Content-Type"] = "application/ocsp-request"
+        request["Accept"] = "application/ocsp-response"
+        request.body = body
+
+        response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", read_timeout: 10, open_timeout: 10) do |http|
+          http.request(request)
+        end
+        unless response.code.to_i == 200
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "OCSP responder returned HTTP #{response.code}"
+        end
+
+        OpenSSL::OCSP::Response.new(response.body)
+      end
+
+      def verify_ocsp_response_signature!(basic_response, store)
+        responder_chain = Array(basic_response.certs)
+        verified = basic_response.verify(responder_chain, store)
+        return if verified
+
+        raise SmartIdRuby::Errors::UnprocessableResponseError, "OCSP response signature is not valid"
+      end
+
+      def logger
+        SmartIdRuby.logger
+      end
+    end
+  end
+end

data/lib/smart_id_ruby/validation/device_link_authentication_response_validator.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+
+module SmartIdRuby
+  module Validation
+    # Validates device-link authentication session status response and maps it to
+    # a typed authentication identity model.
+    class DeviceLinkAuthenticationResponseValidator < BaseAuthenticationResponseValidator
+      def initialize(signature_value_validator: SignatureValueValidator.new,
+                     signature_payload_builder: SignaturePayloadBuilder.new,
+                     certificate_validator: AuthenticationCertificateValidator.new,
+                     authentication_identity_mapper: AuthenticationIdentityMapper.new)
+        @signature_payload_builder = signature_payload_builder
+        super(
+          signature_value_validator: signature_value_validator,
+          certificate_validator: certificate_validator,
+          authentication_identity_mapper: authentication_identity_mapper
+        )
+      end
+
+      # Validates a completed device-link authentication session status.
+      #
+      # @param session_status [SmartIdRuby::Models::SessionStatus, Hash]
+      #   Session status received from Smart-ID RP API. Hash values are mapped to
+      #   {SmartIdRuby::Models::SessionStatus} before validation.
+      # @param authentication_session_request [Hash]
+      #   Request payload used for initializing the device-link authentication
+      #   session. Used to validate requested certificate level.
+      # @param user_challenge_verifier [String, nil]
+      #   Callback URL verifier value used in same-device flows. Required only
+      #   when flow type is Web2App or App2App.
+      # @param schema_name [String, nil]
+      #   RP schema name used in device link generation. Must be provided.
+      # @param _brokered_rp_name [String, nil]
+      #   The brokered RP name, used in the device link.
+      #
+      # @return [SmartIdRuby::Models::AuthenticationIdentity]
+      #
+      # @raise [SmartIdRuby::Errors::RequestSetupError]
+      #   If required input parameters are missing.
+      # @raise [SmartIdRuby::Errors::SessionNotCompleteError]
+      #   If session status state is not COMPLETE.
+      # @raise [SmartIdRuby::Errors::SessionEndResultError]
+      #   If session end result is not OK.
+      # @raise [SmartIdRuby::Errors::UnprocessableResponseError]
+      #   If response contains invalid or unsupported values.
+      private
+
+      def validate_user_challenge(user_challenge_verifier, signature)
+        flow_type = signature.flow_type
+        return unless %w[Web2App App2App].include?(flow_type)
+
+        if blank?(user_challenge_verifier)
+          raise SmartIdRuby::Errors::RequestSetupError,
+                "Parameter 'userChallengeVerifier' must be provided for 'flowType' - #{flow_type}"
+        end
+        url_user_challenge = Base64.urlsafe_encode64(OpenSSL::Digest::SHA256.digest(user_challenge_verifier), padding: false)
+        return if signature.user_challenge == url_user_challenge
+
+        raise SmartIdRuby::Errors::UnprocessableResponseError,
+              "Device link authentication 'signature.userChallenge' does not validate with 'userChallengeVerifier'"
+      end
+
+      def build_signature_payload(session_status, authentication_session_request, schema_name, brokered_rp_name)
+        @signature_payload_builder.build(
+          session_status: session_status,
+          authentication_session_request: authentication_session_request,
+          schema_name: schema_name,
+          brokered_rp_name: brokered_rp_name
+        )
+      end
+    end
+  end
+end

data/lib/smart_id_ruby/validation/error_result_handler.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module SmartIdRuby
+  module Validation
+    # Handles non-OK session end results and raises mapped exceptions.
+    class ErrorResultHandler
+      def self.handle(result)
+        raise SmartIdRuby::Errors::RequestSetupError, "Parameter 'sessionResult' is not provided" if result.nil?
+
+        end_result = fetch_value(result, :end_result, :endResult)
+        if blank?(end_result)
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "Session result field 'endResult' is empty"
+        end
+
+        case end_result
+        when "USER_REFUSED"
+          raise SmartIdRuby::Errors::UserRefusedError
+        when "TIMEOUT"
+          raise SmartIdRuby::Errors::SessionTimeoutError
+        when "DOCUMENT_UNUSABLE"
+          raise SmartIdRuby::Errors::DocumentUnusableError
+        when "WRONG_VC"
+          raise SmartIdRuby::Errors::UserSelectedWrongVerificationCodeError
+        when "REQUIRED_INTERACTION_NOT_SUPPORTED_BY_APP"
+          raise SmartIdRuby::Errors::RequiredInteractionNotSupportedByAppError
+        when "USER_REFUSED_CERT_CHOICE"
+          raise SmartIdRuby::Errors::UserRefusedCertChoiceError
+        when "USER_REFUSED_INTERACTION"
+          raise_user_refused_interaction_error(result)
+        when "PROTOCOL_FAILURE"
+          raise SmartIdRuby::Errors::ProtocolFailureError
+        when "EXPECTED_LINKED_SESSION"
+          raise SmartIdRuby::Errors::ExpectedLinkedSessionError
+        when "SERVER_ERROR"
+          raise SmartIdRuby::Errors::SmartIdServerError
+        when "ACCOUNT_UNUSABLE"
+          raise SmartIdRuby::Errors::UserAccountUnusableError
+        else
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "Unexpected session result: #{end_result}"
+        end
+      end
+
+      def self.raise_user_refused_interaction_error(result)
+        details = fetch_value(result, :details)
+        interaction = fetch_value(details, :interaction)
+        if blank?(interaction)
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "Details for refused interaction are missing"
+        end
+
+        case interaction
+        when "displayTextAndPIN"
+          raise SmartIdRuby::Errors::UserRefusedDisplayTextAndPinError
+        when "confirmationMessage"
+          raise SmartIdRuby::Errors::UserRefusedConfirmationMessageError
+        when "confirmationMessageAndVerificationCodeChoice"
+          raise SmartIdRuby::Errors::UserRefusedConfirmationMessageWithVerificationChoiceError
+        else
+          raise SmartIdRuby::Errors::UnprocessableResponseError, "Unexpected interaction type: #{interaction}"
+        end
+      end
+
+      def self.fetch_value(container, *keys)
+        return nil if container.nil?
+
+        keys.each do |key|
+          if container.respond_to?(:[])
+            value = container[key]
+            return value unless value.nil?
+
+            value = container[key.to_s]
+            return value unless value.nil?
+          end
+
+          method_name = key.to_s
+          return container.public_send(method_name) if container.respond_to?(method_name)
+        end
+
+        nil
+      end
+      private_class_method :fetch_value
+
+      def self.blank?(value)
+        value.nil? || value.to_s.strip.empty?
+      end
+      private_class_method :blank?
+    end
+  end
+end

data/lib/smart_id_ruby/validation/notification_authentication_response_validator.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+
+module SmartIdRuby
+  module Validation
+    # Validates notification authentication response data and returns authentication identity.
+    class NotificationAuthenticationResponseValidator < BaseAuthenticationResponseValidator
+
+      def validate(session_status, authentication_session_request, schema_name, brokered_rp_name = nil)
+        super(session_status, authentication_session_request, nil, schema_name, brokered_rp_name)
+      end
+    end
+  end
+end

data/lib/smart_id_ruby/validation/signature_payload_builder.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+
+module SmartIdRuby
+  module Validation
+    # Builds ACSP_V2 signature payload used for authentication signature verification.
+    class SignaturePayloadBuilder
+      def build(session_status:, authentication_session_request:, schema_name:, brokered_rp_name: nil)
+        signature_protocol_parameters = fetch_request_value(authentication_session_request, :signatureProtocolParameters)
+        rp_challenge = fetch_hash_value(signature_protocol_parameters, :rpChallenge)
+        relying_party_name = fetch_request_value(authentication_session_request, :relyingPartyName)
+        interactions = fetch_request_value(authentication_session_request, :interactions)
+        initial_callback_url = fetch_request_value(authentication_session_request, :initialCallbackUrl)
+        flow_type = session_status.signature.flow_type
+
+        payload_values = [
+          schema_name,
+          "ACSP_V2",
+          session_status.signature.server_random,
+          rp_challenge,
+          session_status.signature.user_challenge || "",
+          to_base64_utf8(relying_party_name),
+          blank?(brokered_rp_name) ? "" : to_base64_utf8(brokered_rp_name),
+          calculate_interactions_digest(interactions),
+          session_status.interaction_type_used,
+          flow_type == "QR" ? "" : initial_callback_url,
+          flow_type
+        ]
+        payload_values.join("|")
+      end
+
+      private
+
+      def calculate_interactions_digest(interactions)
+        digest = OpenSSL::Digest::SHA256.digest(interactions.to_s)
+        Base64.strict_encode64(digest)
+      end
+
+      def to_base64_utf8(input)
+        Base64.strict_encode64(input.to_s.encode("UTF-8"))
+      end
+
+      def fetch_request_value(payload, key)
+        return nil unless payload.respond_to?(:[])
+
+        payload[key] || payload[key.to_s]
+      end
+
+      def fetch_hash_value(payload, key)
+        return nil unless payload.respond_to?(:[])
+
+        payload[key] || payload[key.to_s]
+      end
+
+      def blank?(value)
+        value.nil? || value.to_s.strip.empty?
+      end
+    end
+  end
+end