Init

Author: reda-alaoui

src/main/java/com/cosium/standard_webhooks_consumer/CompositeVerificationKeyParser.java

@@ -0,0 +1,35 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class CompositeVerificationKeyParser {
+
+  private final List<VerificationKeyParser> parsers;
+
+  CompositeVerificationKeyParser(VerificationKeyParser... parsers) {
+    this.parsers = List.of(parsers);
+  }
+
+  public VerificationKey parse(String serializedVerificationKey) {
+    return parsers.stream()
+        .map(verificationKeyParser -> verificationKeyParser.parse(serializedVerificationKey))
+        .filter(Optional::isPresent)
+        .map(Optional::get)
+        .findFirst()
+        .orElseThrow(
+            () ->
+                new IllegalArgumentException(
+                    "Could not parse verification key <%s>"
+                        .formatted(conceal(serializedVerificationKey))));
+  }
+
+  private String conceal(String serializedVerificationKey) {
+    int halfLength = Math.round(serializedVerificationKey.length() / 2f);
+    return serializedVerificationKey.substring(0, halfLength)
+        + "*".repeat(serializedVerificationKey.length() - halfLength);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/IdentifiedSignature.java

@@ -0,0 +1,72 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.net.http.HttpHeaders;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Stream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record IdentifiedSignature(SignatureSchemeId schemeId, Signature content) {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(IdentifiedSignature.class);
+
+  private static final String MESSAGE_SIGNATURE_HEADER_NAME = "webhook-signature";
+
+  IdentifiedSignature {
+    requireNonNull(schemeId);
+    requireNonNull(content);
+  }
+
+  public static List<IdentifiedSignature> parseAtLeastOne(HttpHeaders headers)
+      throws WebhookSignatureVerificationException {
+    String messageSignatureHeaderValue =
+        headers.firstValue(MESSAGE_SIGNATURE_HEADER_NAME).orElse(null);
+    if (messageSignatureHeaderValue == null || messageSignatureHeaderValue.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_SIGNATURE_HEADER_NAME));
+    }
+
+    List<IdentifiedSignature> signatures =
+        Stream.of(messageSignatureHeaderValue.split(" "))
+            .map(IdentifiedSignature::parse)
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .toList();
+
+    if (signatures.isEmpty()) {
+      throw new WebhookSignatureVerificationException(
+          "No well-formed signature(s) found for signature header value <%s>. A well-formed signature should have the form '$version,$base64encodedContent'."
+              .formatted(messageSignatureHeaderValue));
+    }
+
+    return signatures;
+  }
+
+  private static Optional<IdentifiedSignature> parse(String messageSignature) {
+    if (messageSignature == null || messageSignature.isBlank()) {
+      return Optional.empty();
+    }
+    String[] signatureParts = messageSignature.split(",");
+    if (signatureParts.length != 2) {
+      return Optional.empty();
+    }
+
+    IdentifiedSignature signature;
+    try {
+      signature =
+          new IdentifiedSignature(
+              new SignatureSchemeId(signatureParts[0]), new Signature(signatureParts[1]));
+    } catch (RuntimeException e) {
+      LOGGER.warn(e.getMessage());
+      return Optional.empty();
+    }
+
+    return Optional.of(signature);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/PublicKey.java

@@ -0,0 +1,82 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class PublicKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whpk_";
+  private static final SignatureSchemeId SCHEME_ID = new SignatureSchemeId("v1a");
+  private static final String ALGORITHM = "Ed25519";
+
+  private final byte[] value;
+
+  private PublicKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<PublicKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new PublicKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public boolean supports(SignatureSchemeId signatureSchemeId) {
+    return SCHEME_ID.equals(signatureSchemeId);
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+    try {
+      doVerify(messageId, timestamp, payload, signatureToVerify);
+    } catch (NoSuchAlgorithmException
+        | InvalidKeyException
+        | SignatureException
+        | InvalidKeySpecException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+  }
+
+  private void doVerify(
+      String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws NoSuchAlgorithmException,
+          InvalidKeyException,
+          SignatureException,
+          InvalidKeySpecException,
+          WebhookSignatureVerificationException {
+
+    java.security.Signature signature = java.security.Signature.getInstance(ALGORITHM);
+
+    java.security.PublicKey publicKey =
+        KeyFactory.getInstance(ALGORITHM)
+            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(value), ALGORITHM));
+
+    String signedContent = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    signature.initVerify(publicKey);
+    signature.update(signedContent.getBytes(StandardCharsets.UTF_8));
+
+    if (signature.verify(signatureToVerify.decode())) {
+      return;
+    }
+
+    throw new WebhookSignatureVerificationException("%s is not valid".formatted(signatureToVerify));
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/SecretKey.java

@@ -0,0 +1,73 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.Optional;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class SecretKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whsec_";
+  private static final SignatureSchemeId SCHEME_ID = new SignatureSchemeId("v1");
+  private static final String ALGORITHM = "HmacSHA256";
+
+  private final byte[] value;
+
+  private SecretKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<SecretKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new SecretKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public boolean supports(SignatureSchemeId signatureSchemeId) {
+    return SCHEME_ID.equals(signatureSchemeId);
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+
+    String expectedBase64EncodedSignatureContent;
+    try {
+      expectedBase64EncodedSignatureContent = sign(messageId, timestamp, payload);
+    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+
+    if (expectedBase64EncodedSignatureContent.equals(signatureToVerify.base64EncodedValue())) {
+      return;
+    }
+
+    throw new WebhookSignatureVerificationException(
+        "The provided signature <%s> does not match the expected signature <%s>."
+            .formatted(
+                signatureToVerify.base64EncodedValue(), expectedBase64EncodedSignatureContent));
+  }
+
+  private String sign(String messageId, long timestamp, String payload)
+      throws NoSuchAlgorithmException, InvalidKeyException {
+    String contentToSign = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    Mac sha512Hmac = Mac.getInstance(ALGORITHM);
+    SecretKeySpec keySpec = new SecretKeySpec(value, ALGORITHM);
+    sha512Hmac.init(keySpec);
+    byte[] macData = sha512Hmac.doFinal(contentToSign.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(macData);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/Signature.java

@@ -0,0 +1,19 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Base64;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record Signature(String base64EncodedValue) {
+
+  Signature {
+    if (base64EncodedValue == null || base64EncodedValue.isBlank()) {
+      throw new IllegalArgumentException("base64EncodedValue cannot be blank");
+    }
+  }
+
+  public byte[] decode() {
+    return Base64.getDecoder().decode(base64EncodedValue);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/SignatureSchemeId.java

@@ -0,0 +1,13 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record SignatureSchemeId(String value) {
+
+  SignatureSchemeId {
+    if (value == null || value.isBlank()) {
+      throw new IllegalArgumentException("The value cannot be blank");
+    }
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/VerificationKey.java

@@ -0,0 +1,12 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKey {
+
+  boolean supports(SignatureSchemeId signatureSchemeId);
+
+  void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException;
+}

src/main/java/com/cosium/standard_webhooks_consumer/VerificationKeyParser.java

@@ -0,0 +1,11 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKeyParser {
+
+  Optional<? extends VerificationKey> parse(String serializedVerificationKey);
+}

src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerificationException.java

@@ -0,0 +1,15 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+public final class WebhookSignatureVerificationException extends Exception {
+
+  WebhookSignatureVerificationException(Throwable cause) {
+    super(cause);
+  }
+
+  WebhookSignatureVerificationException(String message) {
+    super(message);
+  }
+}