Init

Author: reda-alaoui

README.md

@@ -1,3 +1,67 @@
+[![Build Status](https://github.com/Cosium/standard-webhooks-consumer/actions/workflows/ci.yml/badge.svg)](https://github.com/Cosium/standard-webhooks-consumer/actions/workflows/ci.yml)
+![Maven Central Version](https://img.shields.io/maven-central/v/com.cosium.standard_webhooks_consumer/standard-webhooks-consumer)
+
 # standard-webhooks-consumer
 
 https://www.standardwebhooks.com/ consumer side java library.
+
+# Maven dependency
+
+```xml
+<dependency>
+  <groupId>com.cosium.standard_webhooks_consumer</groupId>
+  <artifactId>standard-webhooks-consumer</artifactId>
+  <version>${standard-webhooks-consumer.version}</version>
+</dependency>
+```
+
+# Signature verification
+
+```java
+public class App {
+    
+    public void verifySymmetricSignature() throws WebhookSignatureVerificationException {
+        
+        WebhookSignatureVerifier verifier =
+                WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+                        .build();
+        HttpHeaders httpHeaders =
+                createHttpHeaders(
+                        Map.of(
+                                "webhook-id",
+                                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                                "webhook-timestamp",
+                                String.valueOf(1737987215),
+                                "webhook-signature",
+                                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+        verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}");
+    }
+
+    public void verifyAsymmetricSignature() throws WebhookSignatureVerificationException {
+        
+        WebhookSignatureVerifier verifier =
+                WebhookSignatureVerifier.builder("whpk_MCowBQYDK2VwAyEAkp3dScDPIzT1CwUFUMdzyPbWOAQaCF9z4ucuKuZD7Io=")
+                        .build();
+        
+        HttpHeaders httpHeaders =
+                createHttpHeaders(
+                        Map.of(
+                                "webhook-id",
+                                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                                "webhook-timestamp",
+                                String.valueOf(1737987215),
+                                "webhook-signature",
+                                "v1a,XVbiOe+IzCKsXBuhb52iHLroqxFJofJNMQRL80I2kWO0+kXu2gcqgXAzontxDDgpMDw6SMh4sjzr+67EmUUzDg=="));
+     
+        verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}");
+    }
+    
+    private HttpHeaders createHttpHeaders(Map<String, String> headers) {
+        return HttpHeaders.of(
+                headers.entrySet().stream()
+                        .map(entry -> Map.entry(entry.getKey(), List.of(entry.getValue())))
+                        .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue)),
+                (s, s2) -> true);
+    }
+}
+```

pom.xml

@@ -17,6 +17,8 @@
   <version>1.0-SNAPSHOT</version>
 
   <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
     <slf4j.version>2.0.15</slf4j.version>
     <logback-classic.version>1.4.5</logback-classic.version>
     <junit.version>5.10.2</junit.version>

src/main/java/com/cosium/standard_webhooks_consumer/CompositeVerificationKeyParser.java

@@ -0,0 +1,35 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class CompositeVerificationKeyParser {
+
+  private final List<VerificationKeyParser> parsers;
+
+  CompositeVerificationKeyParser(VerificationKeyParser... parsers) {
+    this.parsers = List.of(parsers);
+  }
+
+  public VerificationKey parse(String serializedVerificationKey) {
+    return parsers.stream()
+        .map(verificationKeyParser -> verificationKeyParser.parse(serializedVerificationKey))
+        .filter(Optional::isPresent)
+        .map(Optional::get)
+        .findFirst()
+        .orElseThrow(
+            () ->
+                new IllegalArgumentException(
+                    "Could not parse verification key <%s>"
+                        .formatted(conceal(serializedVerificationKey))));
+  }
+
+  private String conceal(String serializedVerificationKey) {
+    int halfLength = Math.round(serializedVerificationKey.length() / 2f);
+    return serializedVerificationKey.substring(0, halfLength)
+        + "*".repeat(serializedVerificationKey.length() - halfLength);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/IdentifiedSignature.java

@@ -0,0 +1,72 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.net.http.HttpHeaders;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Stream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record IdentifiedSignature(SignatureSchemeId schemeId, Signature content) {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(IdentifiedSignature.class);
+
+  private static final String MESSAGE_SIGNATURE_HEADER_NAME = "webhook-signature";
+
+  IdentifiedSignature {
+    requireNonNull(schemeId);
+    requireNonNull(content);
+  }
+
+  public static List<IdentifiedSignature> parseAtLeastOne(HttpHeaders headers)
+      throws WebhookSignatureVerificationException {
+    String messageSignatureHeaderValue =
+        headers.firstValue(MESSAGE_SIGNATURE_HEADER_NAME).orElse(null);
+    if (messageSignatureHeaderValue == null || messageSignatureHeaderValue.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_SIGNATURE_HEADER_NAME));
+    }
+
+    List<IdentifiedSignature> signatures =
+        Stream.of(messageSignatureHeaderValue.split(" "))
+            .map(IdentifiedSignature::parse)
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .toList();
+
+    if (signatures.isEmpty()) {
+      throw new WebhookSignatureVerificationException(
+          "No well-formed signature(s) found for signature header value <%s>. A well-formed signature should have the form '$version,$base64encodedContent'."
+              .formatted(messageSignatureHeaderValue));
+    }
+
+    return signatures;
+  }
+
+  private static Optional<IdentifiedSignature> parse(String messageSignature) {
+    if (messageSignature == null || messageSignature.isBlank()) {
+      return Optional.empty();
+    }
+    String[] signatureParts = messageSignature.split(",");
+    if (signatureParts.length != 2) {
+      return Optional.empty();
+    }
+
+    IdentifiedSignature signature;
+    try {
+      signature =
+          new IdentifiedSignature(
+              new SignatureSchemeId(signatureParts[0]), new Signature(signatureParts[1]));
+    } catch (RuntimeException e) {
+      LOGGER.warn(e.getMessage());
+      return Optional.empty();
+    }
+
+    return Optional.of(signature);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/PublicKey.java

@@ -0,0 +1,82 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class PublicKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whpk_";
+  private static final SignatureSchemeId SCHEME_ID = new SignatureSchemeId("v1a");
+  private static final String ALGORITHM = "Ed25519";
+
+  private final byte[] value;
+
+  private PublicKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<PublicKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new PublicKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public boolean supports(SignatureSchemeId signatureSchemeId) {
+    return SCHEME_ID.equals(signatureSchemeId);
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+    try {
+      doVerify(messageId, timestamp, payload, signatureToVerify);
+    } catch (NoSuchAlgorithmException
+        | InvalidKeyException
+        | SignatureException
+        | InvalidKeySpecException
+        | RuntimeException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+  }
+
+  private void doVerify(
+      String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws NoSuchAlgorithmException,
+          InvalidKeyException,
+          SignatureException,
+          InvalidKeySpecException,
+          WebhookSignatureVerificationException {
+
+    java.security.Signature signature = java.security.Signature.getInstance(ALGORITHM);
+
+    java.security.PublicKey publicKey =
+        KeyFactory.getInstance(ALGORITHM).generatePublic(new X509EncodedKeySpec(value, ALGORITHM));
+
+    String signedContent = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    signature.initVerify(publicKey);
+    signature.update(signedContent.getBytes(StandardCharsets.UTF_8));
+
+    if (signature.verify(signatureToVerify.decode())) {
+      return;
+    }
+
+    throw new WebhookSignatureVerificationException("%s is not valid".formatted(signatureToVerify));
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/SecretKey.java

@@ -0,0 +1,80 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.Optional;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class SecretKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whsec_";
+  private static final SignatureSchemeId SCHEME_ID = new SignatureSchemeId("v1");
+  private static final String ALGORITHM = "HmacSHA256";
+
+  private final byte[] value;
+
+  private SecretKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<SecretKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new SecretKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public boolean supports(SignatureSchemeId signatureSchemeId) {
+    return SCHEME_ID.equals(signatureSchemeId);
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+
+    try {
+      doVerify(messageId, timestamp, payload, signatureToVerify);
+    } catch (RuntimeException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+  }
+
+  private void doVerify(
+      String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+    String expectedBase64EncodedSignatureContent;
+    try {
+      expectedBase64EncodedSignatureContent = sign(messageId, timestamp, payload);
+    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+
+    if (expectedBase64EncodedSignatureContent.equals(signatureToVerify.base64EncodedValue())) {
+      return;
+    }
+
+    throw new WebhookSignatureVerificationException("%s is not valid".formatted(signatureToVerify));
+  }
+
+  private String sign(String messageId, long timestamp, String payload)
+      throws NoSuchAlgorithmException, InvalidKeyException {
+    String contentToSign = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    Mac sha512Hmac = Mac.getInstance(ALGORITHM);
+    SecretKeySpec keySpec = new SecretKeySpec(value, ALGORITHM);
+    sha512Hmac.init(keySpec);
+    byte[] macData = sha512Hmac.doFinal(contentToSign.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(macData);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/Signature.java

@@ -0,0 +1,19 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Base64;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record Signature(String base64EncodedValue) {
+
+  Signature {
+    if (base64EncodedValue == null || base64EncodedValue.isBlank()) {
+      throw new IllegalArgumentException("base64EncodedValue cannot be blank");
+    }
+  }
+
+  public byte[] decode() {
+    return Base64.getDecoder().decode(base64EncodedValue);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/SignatureSchemeId.java

@@ -0,0 +1,13 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record SignatureSchemeId(String value) {
+
+  SignatureSchemeId {
+    if (value == null || value.isBlank()) {
+      throw new IllegalArgumentException("The value cannot be blank");
+    }
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/VerificationKey.java

@@ -0,0 +1,12 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKey {
+
+  boolean supports(SignatureSchemeId signatureSchemeId);
+
+  void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException;
+}

src/main/java/com/cosium/standard_webhooks_consumer/VerificationKeyParser.java

@@ -0,0 +1,11 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKeyParser {
+
+  Optional<? extends VerificationKey> parse(String serializedVerificationKey);
+}

src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerificationException.java

@@ -0,0 +1,15 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+public final class WebhookSignatureVerificationException extends Exception {
+
+  WebhookSignatureVerificationException(Throwable cause) {
+    super(cause);
+  }
+
+  WebhookSignatureVerificationException(String message) {
+    super(message);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerifier.java

@@ -0,0 +1,157 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.net.http.HttpHeaders;
+import java.time.Clock;
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+public class WebhookSignatureVerifier {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(WebhookSignatureVerifier.class);
+
+  private static final CompositeVerificationKeyParser VERIFICATION_KEY_PARSER =
+      new CompositeVerificationKeyParser(SecretKey::parseKey, PublicKey::parseKey);
+
+  private static final String MESSAGE_ID_HEADER_NAME = "webhook-id";
+  private static final String MESSAGE_TIMESTAMP_HEADER_NAME = "webhook-timestamp";
+
+  private static final Duration DEFAULT_MESSAGE_TIMESTAMP_ALLOWED_SKEW = Duration.ofMinutes(5);
+
+  private final List<VerificationKey> verificationKeys;
+  private final Clock clock;
+  private final Duration messageTimestampAllowedSkew;
+
+  private WebhookSignatureVerifier(Builder builder) {
+
+    verificationKeys =
+        builder.serializedVerificationKeys.stream().map(VERIFICATION_KEY_PARSER::parse).toList();
+    clock = builder.clock;
+    messageTimestampAllowedSkew = builder.messageTimestampAllowedSkew;
+  }
+
+  /**
+   * @param serializedVerificationKey e.g. "v1,K5oZfzN95Z9UVu1EsfQmfVNQhnkZ2pj9o9NDN/H/pI4="
+   */
+  public static Builder builder(String serializedVerificationKey) {
+    return new Builder(serializedVerificationKey);
+  }
+
+  public void verify(HttpHeaders headers, String payload)
+      throws WebhookSignatureVerificationException {
+
+    String messageId = headers.firstValue(MESSAGE_ID_HEADER_NAME).orElse(null);
+    if (messageId == null || messageId.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_ID_HEADER_NAME));
+    }
+
+    String messageTimestampAsString =
+        headers.firstValue(MESSAGE_TIMESTAMP_HEADER_NAME).orElse(null);
+    if (messageTimestampAsString == null || messageTimestampAsString.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_TIMESTAMP_HEADER_NAME));
+    }
+
+    long timestamp = verifyTimestamp(messageTimestampAsString);
+
+    List<WebhookSignatureVerificationException> verificationExceptions = new ArrayList<>();
+
+    List<IdentifiedSignature> signatures = IdentifiedSignature.parseAtLeastOne(headers);
+    for (IdentifiedSignature signature : signatures) {
+      for (VerificationKey verificationKey : verificationKeys) {
+        SignatureSchemeId signatureSchemeId = signature.schemeId();
+        if (!verificationKey.supports(signatureSchemeId)) {
+          LOGGER.debug("{} does not support {}", verificationKey, signatureSchemeId);
+          continue;
+        }
+        try {
+          verificationKey.verify(messageId, timestamp, payload, signature.content());
+        } catch (WebhookSignatureVerificationException e) {
+          verificationExceptions.add(e);
+          continue;
+        }
+        return;
+      }
+    }
+
+    if (verificationExceptions.isEmpty()) {
+      throw new WebhookSignatureVerificationException(
+          "No supporting verification key found for any signature among %s".formatted(signatures));
+    }
+
+    WebhookSignatureVerificationException collectingException =
+        new WebhookSignatureVerificationException(
+            "No signature among %s is valid".formatted(signatures));
+    verificationExceptions.forEach(collectingException::addSuppressed);
+    throw collectingException;
+  }
+
+  private long verifyTimestamp(String messageTimestamp)
+      throws WebhookSignatureVerificationException {
+    long nowInSeconds = Duration.ofMillis(clock.millis()).toSeconds();
+
+    long timestamp;
+    try {
+      timestamp = Long.parseLong(messageTimestamp);
+    } catch (NumberFormatException e) {
+      throw new WebhookSignatureVerificationException(
+          "Cannot parse timestamp <%s>".formatted(messageTimestamp));
+    }
+
+    if (timestamp < (nowInSeconds - messageTimestampAllowedSkew.toSeconds())) {
+      throw new WebhookSignatureVerificationException(
+          "Message timestamp <%s seconds> is too old compared to the current timestamp <%s seconds>"
+              .formatted(timestamp, nowInSeconds));
+    }
+    if (timestamp > (nowInSeconds + messageTimestampAllowedSkew.toSeconds())) {
+      throw new WebhookSignatureVerificationException(
+          "Message timestamp <%s seconds> is too new compared to the current timestamp <%s seconds>"
+              .formatted(timestamp, nowInSeconds));
+    }
+    return timestamp;
+  }
+
+  public static class Builder {
+    private final List<String> serializedVerificationKeys = new ArrayList<>();
+    private Duration messageTimestampAllowedSkew = DEFAULT_MESSAGE_TIMESTAMP_ALLOWED_SKEW;
+    private Clock clock = Clock.systemDefaultZone();
+
+    private Builder(String serializedVerificationKey) {
+      serializedVerificationKeys.add(requireNonNull(serializedVerificationKey));
+    }
+
+    /**
+     * @param serializedVerificationKey e.g. "v1,K5oZfzN95Z9UVu1EsfQmfVNQhnkZ2pj9o9NDN/H/pI4="
+     */
+    public Builder addSerializedVerificationKey(String serializedVerificationKey) {
+      serializedVerificationKeys.add(requireNonNull(serializedVerificationKey));
+      return this;
+    }
+
+    /**
+     * @param messageTimestampAllowedSkew Allowable tolerance of the current timestamp to prevent
+     *     replay attacks.
+     */
+    public Builder messageTimestampAllowedSkew(Duration messageTimestampAllowedSkew) {
+      this.messageTimestampAllowedSkew = requireNonNull(messageTimestampAllowedSkew);
+      return this;
+    }
+
+    public Builder clock(Clock clock) {
+      this.clock = requireNonNull(clock);
+      return this;
+    }
+
+    public WebhookSignatureVerifier build() {
+      return new WebhookSignatureVerifier(this);
+    }
+  }
+}