Merge branch 'RM-3893_authtoken-check' into 'master'

RM-3898: authtoken check

* use '/key-shares' OAS 1.0.1-draft
* requires cdoc2-client:SID-1.6.1-SNAPSHOT 
* Check authToken by using rules defined in https://gitlab.ext.cyber.ee/cdoc2/cdoc2-documentation/-/blob/RM-2776-authentication-protocol/cdoc2-system-docs/docs/03_system_architecture/ch05_ID_authentication_protocol.md?ref_type=heads#verifying-sd-jwt-verifying-authentication-ticket
* Clean-up unneeded dependencies and remove shared-crypto submodule that contained single class and name clashed with shared-crypto submodule from capsule-server
* Rename submobules from `cdoc2-server-db` and `cdoc2-server-openapi` to `cdoc2-css-db` and `cdoc2-css-openapi` so that these don't clash with existing modules from cdoc2-capsule-server submodules.

See merge request cdoc2/cdoc2-shares-server!4

README.md

@@ -4,14 +4,14 @@ CDOC2 Key Shares Server for [CDOC2](https://open-eid.github.io/CDOC2/).
 
 Implements `cdoc2-key-shares-openapi` [OpenAPI spec](https://github.com/open-eid/cdoc2-openapi/blob/master/cdoc2-key-shares-openapi.yaml) from [cdoc2-openapi](https://github.com/open-eid/cdoc2-openapi/)
 for Key Shares upload/download. Used by [cdoc2-java-ref-impl](https://github.com/open-eid/cdoc2-java-ref-impl) 
-and [DigiDoc4-Client](https://github.com/open-eid/DigiDoc4-Client) for CDOC2 encryption/decryption server scenarios.
+and [DigiDoc4-Client](https://github.com/open-eid/DigiDoc4-Client) for CDOC2 encryption/decryption Smart-ID/Mobile-ID scenarios.
 
 ## Structure
 
   - server              - Implements `/key-shares` API-s. 
   - server-db           - shared DB code. Liquibase based DB creation
   - server-openapi      - server stub generation from OpenAPI specifications
-  - cdoc2-shared-crypto - some shared crypto functions
+
 
 ## Preconditions for building
 * Java 17
@@ -73,12 +73,7 @@ See [getting-started.md](getting-started.md) and [admin-guide.md](admin-guide.md
 
 ### Running pre-built Docker/OCI images
 
-Download `cdoc2-shares-server` image from [open-eid Container registry](https://github.com/orgs/open-eid/packages?ecosystem=container)
-
-* See [cdoc2-gatling-tests/setup-load-testing](https://github.com/open-eid/cdoc2-gatling-tests/tree/master/setup-load-testing) for `docker run` examples 
-* See [cdoc2-java-ref-impl/test/config/server/docker-compose.yml](https://github.com/open-eid/cdoc2-java-ref-impl/blob/master/test/config/server/docker-compose.yml) for `docker compose` example
-
-To create `cdoc2` database required by `server` see [postgres.README.md](postgres.README.md)
+TODO:
 
 ## Releasing and versioning
 
@@ -90,7 +85,3 @@ See [VERSIONING.md](https://github.com/open-eid/cdoc2-java-ref-impl/blob/master/
 It will trigger `maven-release.yml` workflow that will deploy Maven packages to GitHub Maven package repository
 and build & publish Docker/OCI images.
 
-
-## Related projects
-
-* Gatling tests (load and functional) for cdoc2-shares-server https://github.com/open-eid/cdoc2-gatling-tests 

admin-guide.md

@@ -91,6 +91,14 @@ spring.datasource.driver-class-name=org.postgresql.Driver
 # change to 'debug' if you want to see logs. Run server with -Dlogging.config=target/test-classes/logback.xml
 logging.level.root=info
 logging.level.ee.cyber.cdoc2=trace
+
+# Enable/disable certificate revocation checking for auth ticket certificates, 
+# experimental feature, default value is "false"
+cdoc2.auth-x5c.revocation-checks.enabled=false
+
+# nonce validity time in seconds, default 300
+cdoc2.nonce.expiration.seconds=300
+
 ```
 
 #### Running

pom.xml

@@ -2,9 +2,9 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
-	<artifactId>cdoc2-shares-server</artifactId>
+	<artifactId>cdoc2-shares-server-pom</artifactId>
 	<groupId>ee.cyber.cdoc2</groupId>
-	<version>0.1.0-SNAPSHOT</version>
+	<version>0.2.0-SNAPSHOT</version>
 
 	<description>CDOC2 key shares server pom</description>
 
@@ -14,7 +14,6 @@
 		<module>server-openapi</module>
 		<module>server-db</module>
 		<module>shares-server</module>
-		<module>shared-crypto</module>
 	</modules>
 
 	<properties>

server-db/pom.xml

@@ -4,22 +4,16 @@
 
 	<parent>
 		<groupId>ee.cyber.cdoc2</groupId>
-		<artifactId>cdoc2-shares-server</artifactId>
-		<version>0.1.0-SNAPSHOT</version>
+		<artifactId>cdoc2-shares-server-pom</artifactId>
+		<version>0.2.0-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 
-	<artifactId>cdoc2-server-db</artifactId>
-	<version>0.1.0-SNAPSHOT</version>
+	<artifactId>cdoc2-css-db</artifactId>
+	<version>0.1.1-SNAPSHOT</version>
 	<packaging>jar</packaging>
 
 	<dependencies>
-		<dependency>
-			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-shared-crypto</artifactId>
-			<version>0.1.0-SNAPSHOT</version>
-		</dependency>
-
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-data-jpa</artifactId>

shared-crypto/src/main/java/ee/cyber/cdoc2/shared/crypto/Crypto.java → server-db/src/main/java/ee/cyber/cdoc2/server/model/Crypto.java

@@ -1,4 +1,4 @@
-package ee.cyber.cdoc2.shared.crypto;
+package ee.cyber.cdoc2.server.model;
 
 import java.security.DrbgParameters;
 import java.security.NoSuchAlgorithmException;
@@ -26,7 +26,8 @@ public static synchronized SecureRandom getSecureRandom() throws NoSuchAlgorithm
 
     private static SecureRandom createSecureRandom() throws NoSuchAlgorithmException {
         log.debug("Initializing SecureRandom");
-        SecureRandom sRnd = SecureRandom.getInstance("DRBG", DrbgParameters.instantiation(256, DrbgParameters.Capability.PR_AND_RESEED, "CDOC2".getBytes()));
+        SecureRandom sRnd = SecureRandom.getInstance("DRBG",
+            DrbgParameters.instantiation(256, DrbgParameters.Capability.PR_AND_RESEED, "CDOC2".getBytes()));
         log.info("Initialized SecureRandom.");
         return sRnd;
     }

server-db/src/main/java/ee/cyber/cdoc2/server/model/entity/KeyShareDb.java

@@ -19,7 +19,7 @@
 import org.hibernate.type.SqlTypes;
 import org.springframework.data.jpa.domain.support.AuditingEntityListener;
 
-import ee.cyber.cdoc2.shared.crypto.Crypto;
+import ee.cyber.cdoc2.server.model.Crypto;
 
 
 /**

server-db/src/main/java/ee/cyber/cdoc2/server/model/entity/KeyShareNonceDb.java

@@ -18,7 +18,7 @@
 import org.hibernate.annotations.JdbcTypeCode;
 import org.hibernate.type.SqlTypes;
 
-import ee.cyber.cdoc2.shared.crypto.Crypto;
+import ee.cyber.cdoc2.server.model.Crypto;
 
 
 /**

server-db/src/main/java/ee/cyber/cdoc2/server/model/repository/KeyShareNonceRepository.java

@@ -5,7 +5,10 @@
 
 import ee.cyber.cdoc2.server.model.entity.KeyShareNonceDb;
 
+import java.util.Optional;
+
 
 public interface KeyShareNonceRepository extends JpaRepository<KeyShareNonceDb, Long> {
+    Optional<KeyShareNonceDb> findByShareIdAndNonce(String shareId, byte[] nonce);
 }
 

server-openapi/pom.xml

@@ -6,14 +6,14 @@
 
     <parent>
         <groupId>ee.cyber.cdoc2</groupId>
-        <artifactId>cdoc2-shares-server</artifactId>
-        <version>0.1.0-SNAPSHOT</version>
+        <artifactId>cdoc2-shares-server-pom</artifactId>
+        <version>0.2.0-SNAPSHOT</version>
         <relativePath>..</relativePath>
     </parent>
 
-    <artifactId>cdoc2-server-openapi</artifactId>
-    <version>0.1.0-SNAPSHOT</version>
-    <description>CDOC2 server stub generation from OpenAPI spec</description>
+    <artifactId>cdoc2-css-openapi</artifactId>
+    <version>0.1.1-SNAPSHOT</version>
+    <description>CDOC2 shares server stub generation from OpenAPI spec</description>
 
     <properties>
         <java.version>17</java.version>
@@ -28,7 +28,7 @@
         <spotbugs-annotations.version>4.8.3</spotbugs-annotations.version>
 
         <!--info.version from cdoc2-openapi/cdoc2-key-shares-openapi.yaml -->
-        <cdoc2-key-shares-openapi.version>1.0.0-draft</cdoc2-key-shares-openapi.version>
+        <cdoc2-key-shares-openapi.version>1.0.1-draft</cdoc2-key-shares-openapi.version>
 
     </properties>
 

shares-server/pom.xml

@@ -10,12 +10,16 @@
 	</parent>
 
 	<groupId>ee.cyber.cdoc2</groupId>
-	<artifactId>shares-server</artifactId>
-	<version>0.1.0-SNAPSHOT</version>
+	<artifactId>cdoc2-shares-server</artifactId>
+	<version>0.2.0-SNAPSHOT</version>
 	<packaging>jar</packaging>
 
-	<name>shares-server</name>
-	<description>CDOC2 server for creating and getting key shares capsules</description>
+	<name>cdoc2-shares-server</name>
+	<description>CDOC2 server for storing/retrieving key shares. Key shares are used to
+		split/recreate encryption/decryption key material for auth means (Smart-ID/Mobile-ID).
+		Implements `/key-shares` OAS https://github.com/open-eid/cdoc2-openapi . Full
+		auth means schema description https://open-eid.github.io/CDOC2/
+	</description>
 
 	<properties>
 		<java.version>17</java.version>
@@ -159,45 +163,38 @@
 	</profiles>
 
 	<dependencies>
-		<dependency>
-			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-shared-crypto</artifactId>
-			<version>0.1.0-SNAPSHOT</version>
-		</dependency>
 
 		<dependency>
-			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-server-openapi</artifactId>
-			<version>0.1.0-SNAPSHOT</version>
+			<groupId>ee.cyber.cdoc2.auth</groupId>
+			<artifactId>cdoc2-key-shares-auth</artifactId>
+			<version>0.1.1-SNAPSHOT</version>
 		</dependency>
 
 		<dependency>
 			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-server-db</artifactId>
-			<version>0.1.0-SNAPSHOT</version>
+			<artifactId>cdoc2-css-openapi</artifactId>
+			<version>0.1.1-SNAPSHOT</version>
 		</dependency>
 
 		<dependency>
 			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-lib</artifactId>
-			<version>SID-2.1.0-SNAPSHOT</version>
-			<scope>test</scope>
+			<artifactId>cdoc2-css-db</artifactId>
+			<version>0.1.1-SNAPSHOT</version>
 		</dependency>
 
 		<dependency>
 			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-lib</artifactId>
-<!--			for successful pkcs11 tests version must be at least 1.5.0-SNAPSHOT-->
-			<version>SID-2.1.0-SNAPSHOT</version>
-			<!-- cdoc2-lib src/test compiled classes-->
-			<type>test-jar</type>
+			<artifactId>cdoc2-client</artifactId>
+			<version>SID-1.6.1-SNAPSHOT</version>
 			<scope>test</scope>
 		</dependency>
 
+		<!-- nimbus-jose-jwt JWK.parseFromPEMEncodedObjects() fails run-time with ClassNotFound for
+		 org/bouncycastle/openssl/jcajce/JcaPEMKeyConverter . Fix it -->
 		<dependency>
-			<groupId>ee.cyber.cdoc2</groupId>
-			<artifactId>cdoc2-client</artifactId>
-			<version>SID-1.6.0-SNAPSHOT</version>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk18on</artifactId>
+			<version>1.78</version>
 			<scope>test</scope>
 		</dependency>