Init

reda-alaoui · reda-alaoui · commit 3ddf448a8585 · 2025-01-27T14:56:35.000+01:00
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/CompositeVerificationKeyParser.java b/src/main/java/com/cosium/standard_webhooks_consumer/CompositeVerificationKeyParser.java
@@ -0,0 +1,35 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class CompositeVerificationKeyParser {
+
+  private final List<VerificationKeyParser> parsers;
+
+  CompositeVerificationKeyParser(VerificationKeyParser... parsers) {
+    this.parsers = List.of(parsers);
+  }
+
+  public VerificationKey parse(String serializedVerificationKey) {
+    return parsers.stream()
+        .map(verificationKeyParser -> verificationKeyParser.parse(serializedVerificationKey))
+        .filter(Optional::isPresent)
+        .map(Optional::get)
+        .findFirst()
+        .orElseThrow(
+            () ->
+                new IllegalArgumentException(
+                    "Could not parse verification key <%s>"
+                        .formatted(conceal(serializedVerificationKey))));
+  }
+
+  private String conceal(String serializedVerificationKey) {
+    int halfLength = Math.round(serializedVerificationKey.length() / 2f);
+    return serializedVerificationKey.substring(0, halfLength)
+        + "*".repeat(serializedVerificationKey.length() - halfLength);
+  }
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/PublicKey.java b/src/main/java/com/cosium/standard_webhooks_consumer/PublicKey.java
@@ -0,0 +1,81 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class PublicKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whpk_";
+  private static final String SCHEME_ID = "v1a";
+  private static final String ALGORITHM = "Ed25519";
+
+  private final byte[] value;
+
+  private PublicKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<PublicKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new PublicKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signature)
+      throws SignatureNotSupportedException, WebhookSignatureVerificationException {
+    try {
+      doVerify(messageId, timestamp, payload, signature);
+    } catch (NoSuchAlgorithmException
+        | InvalidKeyException
+        | SignatureException
+        | InvalidKeySpecException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+  }
+
+  private void doVerify(String messageId, long timestamp, String payload, Signature signature)
+      throws SignatureNotSupportedException,
+          NoSuchAlgorithmException,
+          InvalidKeyException,
+          SignatureException,
+          InvalidKeySpecException {
+
+    if (!SCHEME_ID.equals(signature.schemeId())) {
+      throw new SignatureNotSupportedException(
+          "%s does not support version <%s>".formatted(this, signature.schemeId()));
+    }
+
+    java.security.Signature signatureApi = java.security.Signature.getInstance(ALGORITHM);
+
+    java.security.PublicKey publicKey =
+        KeyFactory.getInstance(ALGORITHM)
+            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(value), ALGORITHM));
+
+    String signedContent = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    signatureApi.initVerify(publicKey);
+    signatureApi.update(signedContent.getBytes(StandardCharsets.UTF_8));
+
+    if (signatureApi.verify(Base64.getDecoder().decode(signature.base64EncodedSignature()))) {
+      return;
+    }
+
+    throw new SignatureNotSupportedException("The signature is not valid");
+  }
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/SecretKey.java b/src/main/java/com/cosium/standard_webhooks_consumer/SecretKey.java
@@ -0,0 +1,71 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.Optional;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class SecretKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whsec_";
+  private static final String SCHEME_ID = "v1";
+  private static final String ALGORITHM = "HmacSHA256";
+
+  private final byte[] value;
+
+  private SecretKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<SecretKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new SecretKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signature)
+      throws SignatureNotSupportedException, WebhookSignatureVerificationException {
+
+    if (!SCHEME_ID.equals(signature.schemeId())) {
+      throw new SignatureNotSupportedException(
+          "%s does not support version <%s>".formatted(this, signature.schemeId()));
+    }
+
+    String expectedBase64EncodedSignatureContent;
+    try {
+      expectedBase64EncodedSignatureContent = sign(messageId, timestamp, payload);
+    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+
+    if (expectedBase64EncodedSignatureContent.equals(signature.base64EncodedSignature())) {
+      return;
+    }
+
+    throw new SignatureNotSupportedException(
+        "The provided signature does not match the expected signature.");
+  }
+
+  private String sign(String messageId, long timestamp, String payload)
+      throws NoSuchAlgorithmException, InvalidKeyException {
+    String contentToSign = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    Mac sha512Hmac = Mac.getInstance(ALGORITHM);
+    SecretKeySpec keySpec = new SecretKeySpec(value, ALGORITHM);
+    sha512Hmac.init(keySpec);
+    byte[] macData = sha512Hmac.doFinal(contentToSign.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(macData);
+  }
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/Signature.java b/src/main/java/com/cosium/standard_webhooks_consumer/Signature.java
@@ -0,0 +1,71 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.net.http.HttpHeaders;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Stream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record Signature(String schemeId, String base64EncodedSignature) {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(Signature.class);
+
+  private static final String MESSAGE_SIGNATURE_HEADER_NAME = "webhook-signature";
+
+  Signature {
+    if (schemeId == null || schemeId.isBlank()) {
+      throw new IllegalArgumentException("Version cannot be null or blank");
+    }
+    if (base64EncodedSignature == null || base64EncodedSignature.isBlank()) {
+      throw new IllegalArgumentException("Base64EncodedSignature cannot be null or blank");
+    }
+  }
+
+  public static List<Signature> parseAtLeastOne(HttpHeaders headers)
+      throws WebhookSignatureVerificationException {
+    String messageSignatureHeaderValue =
+        headers.firstValue(MESSAGE_SIGNATURE_HEADER_NAME).orElse(null);
+    if (messageSignatureHeaderValue == null || messageSignatureHeaderValue.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_SIGNATURE_HEADER_NAME));
+    }
+
+    List<Signature> signatures =
+        Stream.of(messageSignatureHeaderValue.split(" "))
+            .map(Signature::createSignature)
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .toList();
+
+    if (signatures.isEmpty()) {
+      throw new WebhookSignatureVerificationException(
+          "No signature found for header value <%s>".formatted(messageSignatureHeaderValue));
+    }
+
+    return signatures;
+  }
+
+  private static Optional<Signature> createSignature(String messageSignature) {
+    if (messageSignature == null || messageSignature.isBlank()) {
+      return Optional.empty();
+    }
+    String[] signatureParts = messageSignature.split(",");
+    if (signatureParts.length != 2) {
+      return Optional.empty();
+    }
+
+    Signature signature;
+    try {
+      signature = new Signature(signatureParts[0], signatureParts[1]);
+    } catch (RuntimeException e) {
+      LOGGER.warn(e.getMessage());
+      return Optional.empty();
+    }
+
+    return Optional.of(signature);
+  }
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/SignatureNotSupportedException.java b/src/main/java/com/cosium/standard_webhooks_consumer/SignatureNotSupportedException.java
@@ -0,0 +1,11 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class SignatureNotSupportedException extends Exception {
+
+  SignatureNotSupportedException(String message) {
+    super(message);
+  }
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/VerificationKey.java b/src/main/java/com/cosium/standard_webhooks_consumer/VerificationKey.java
@@ -0,0 +1,10 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKey {
+
+  void verify(String messageId, long timestamp, String payload, Signature signature)
+      throws SignatureNotSupportedException, WebhookSignatureVerificationException;
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/VerificationKeyParser.java b/src/main/java/com/cosium/standard_webhooks_consumer/VerificationKeyParser.java
@@ -0,0 +1,11 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKeyParser {
+
+  Optional<? extends VerificationKey> parse(String serializedVerificationKey);
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerificationException.java b/src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerificationException.java
@@ -0,0 +1,15 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+public class WebhookSignatureVerificationException extends Exception {
+
+  WebhookSignatureVerificationException(Throwable cause) {
+    super(cause);
+  }
+
+  WebhookSignatureVerificationException(String message) {
+    super(message);
+  }
+}
diff --git a/src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerifier.java b/src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerifier.java
