To increase the security of publicly available HTTPS endpoints, data can be signed, and the signature validated when the data is retrieved.
To add a validation, the `SignatureValidator` interface can be implemented. The `validate` method has two parameters:

- `signature`: the signature as a `ByteArray`
- `content`: the content encrypted as an `InputStream`

The validator can throw a `SignatureValidationException` if the validation fails.
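A minimal custom validator against the interface described above, as an added example that is not the module's own code: the interface and exception are declared locally as stand-ins (names from this README, exact signatures assumed), and `PinnedKeySignatureValidator` is a hypothetical name. It verifies a raw SHA256withRSA signature against one pinned public key, a simpler scheme than the CMS validation this module ships.

```kotlin
import java.io.InputStream
import java.security.GeneralSecurityException
import java.security.KeyPairGenerator
import java.security.PublicKey
import java.security.Signature

// Stand-ins for the module's types: names come from the README, exact signatures are assumed.
class SignatureValidationException(message: String, cause: Throwable? = null) : Exception(message, cause)
interface SignatureValidator {
    fun validate(signature: ByteArray, content: InputStream)
}

// Hypothetical validator: checks a raw SHA256withRSA signature against one pinned public key.
class PinnedKeySignatureValidator(private val pinnedKey: PublicKey) : SignatureValidator {
    override fun validate(signature: ByteArray, content: InputStream) {
        val valid = try {
            val verifier = Signature.getInstance("SHA256withRSA")
            verifier.initVerify(pinnedKey)
            // Stream the body so large responses are never held in memory at once.
            val buffer = ByteArray(8192)
            while (true) {
                val read = content.read(buffer)
                if (read < 0) break
                verifier.update(buffer, 0, read)
            }
            verifier.verify(signature)
        } catch (e: GeneralSecurityException) {
            // Malformed signature or unusable key: fail closed instead of accepting the data.
            throw SignatureValidationException("Signature could not be checked", e)
        }
        if (!valid) throw SignatureValidationException("Signature does not match content")
    }
}

fun main() {
    // Constructed sample: a throwaway key pair signs a small JSON body.
    val keyPair = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val body = """{"config":"sample"}""".toByteArray()
    val sig = Signature.getInstance("SHA256withRSA").run { initSign(keyPair.private); update(body); sign() }
    val validator = PinnedKeySignatureValidator(keyPair.public)

    validator.validate(sig, body.inputStream()) // returns normally for the untampered body
    println("untampered body accepted")

    // Flip one byte of the body: validation must now throw.
    val tampered = body.copyOf().also { it[2] = 'X'.code.toByte() }
    val rejected = runCatching { validator.validate(sig, tampered.inputStream()) }
        .exceptionOrNull() is SignatureValidationException
    println("tampered body rejected: $rejected")
}
```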
This module already implements CMS validation, a standard for cryptographically verifying signed data and/or digital documents.
Data can be signed using a CMS signature, created with an X509 certificate.
The CMS implementation can be instantiated using one of the available builder methods in `CMSSignatureValidatorBuilder`:

- `build`:
  - `certificatesPem`: a list of certificates in PEM container format (base64 translation of the x509 ASN.1 keys). An example can be found in the tests.
  - `cnMatchingString`: (optionally) a Common Name (CN) of the certificate to validate against the subject specifying distinguished names (RDNs) of the signing certificate.
  - `clock`: a `Clock` instance used to check if any of the certificates have expired
- `build`:
  - `certificatesPem`: a list of certificates in PEM container format (base64 translation of the x509 ASN.1 keys). An example can be found in the tests.
  - `signingCertificateBytes`: a list of signing certificates as `ByteArray`, which are converted to x509 certificates and take part in the validation.
  - `clock`: a `Clock` instance used to check if any of the certificates have expired
- `build`: Same as previous, using the default UTC `Clock`
Specifically for the CoronaCheck app, the X509 certificate used to sign the data that is provided by the event provider must comply with the following requirements:
- Issued by Staat der Nederlanden Private Root CA - G1 or one of its Sub-CAs. A list is available here.
- Must contain the legal name of the event provider. An extended guide for CoronaCheck requirements is available here.
Released under the EUPL 1.2 license. See LICENSE for details.