Bump com.fasterxml.jackson.core:jackson-core from 2.14.2 to 2.15.0

.github/workflows/check.yaml

@@ -0,0 +1,39 @@
+name: Run dependency and spotbugs checks
+
+on:
+  workflow_run:
+    workflows: ["Run tests"]
+    types:
+      - completed
+
+permissions:
+    contents: read
+
+jobs:
+    run-checks:
+      name: Run dependency and spotbugs checks
+      runs-on: ubuntu-latest
+
+      steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Run dependency check
+        run: |
+          ./mvnw org.owasp:dependency-check-maven:check
+
+      - name: Archive dependency report
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-report
+          path: target/dependency-check-report.html
+
+      - name: Run spotbugs check
+        run: |
+          ./mvnw spotbugs:check    

.github/workflows/publish.yaml

@@ -0,0 +1,53 @@
+name: Publish to maven repository
+
+on:
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+
+jobs:
+  package_and_publish:
+    name: Publish to maven repository
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Setup java SDK 8
+      uses: actions/setup-java@v4
+      with:
+        java-version: '8'
+        distribution: 'temurin'
+        cache: maven
+    -
+      name: Import GPG key
+      uses: crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+        #passphrase: ${{ secrets.PASSPHRASE }}
+
+    - name: Create bundle and upload to oss.sonatype.org (staging)
+      # Fail on first error
+      run: |
+        set -e
+        version=${{ github.event.release.name }}
+        artifact=smart-id-java-client-$version
+        echo "[INFO] Artifact name: $artifact"
+        ./mvnw versions:set -DnewVersion="$version"
+        ./mvnw package -DskipTests
+        gpg -ab pom.xml
+        cd target
+        gpg -ab $artifact.jar
+        gpg -ab $artifact-sources.jar
+        gpg -ab $artifact-javadoc.jar
+        jar -cvf bundle.jar ../pom.xml ../pom.xml.asc $artifact.jar $artifact.jar.asc $artifact-javadoc.jar $artifact-javadoc.jar.asc $artifact-sources.jar $artifact-sources.jar.asc
+        CODE=$(curl -w "%{http_code}" -o curl_response.txt -s -ujorlina2 -u ${{ secrets.SONATYPEUN }}:${{ secrets.SONATYPEPW }} --request POST -F "[email protected]" "https://oss.sonatype.org/service/local/staging/bundle_upload")
+        echo "[INFO] ------------------------------------------------------------------------"
+        echo "[INFO] Upload to oss.sonatype.org ResponseCode: $CODE"
+        cat curl_response.txt
+        echo -e "\n[INFO] Login to oss.sonatype.org for releasing $artifact"
+        echo "[INFO] ------------------------------------------------------------------------"
+        [[ $CODE == 201 ]] && exit 0 || exit 1 
+

.github/workflows/tests.yaml

@@ -0,0 +1,37 @@
+name: Run tests
+
+on:
+    push:
+      branches: [ "master" ]
+    pull_request:
+      branches: [ "master" ]
+
+permissions:
+    contents: read
+
+jobs:
+    run-tests:
+      runs-on: ubuntu-latest
+      strategy:
+        matrix:
+          java-version: ['8', '11', '17']
+      name: Run tests with java SDK ${{ matrix.java-version }}
+
+      steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Check JAVA version (v${{ matrix.java-version }})
+        run: java -version
+
+      - name: Run tests
+        # Fail on first error
+        run: |
+          set -e
+          mvn test

README.md

@@ -1,4 +1,4 @@
-[![Build Status](https://travis-ci.com/SK-EID/smart-id-java-client.svg?branch=master)](https://travis-ci.com/SK-EID/smart-id-java-client)
+[![Tests](https://github.com/SK-EID/smart-id-java-client/actions/workflows/tests.yaml/badge.svg)](https://github.com/SK-EID/smart-id-java-client/actions/workflows/tests.yaml)
 [![Dependencies](https://img.shields.io/librariesio/release/maven/ee.sk.smartid:smart-id-java-client)](https://libraries.io/maven/ee.sk.smartid:smart-id-java-client)
 [![Coverage Status](https://img.shields.io/codecov/c/github/SK-EID/smart-id-java-client.svg)](https://codecov.io/github/SK-EID/smart-id-java-client/)
 [![Maven Central](https://maven-badges.herokuapp.com/maven-central/ee.sk.smartid/smart-id-java-client/badge.svg)](https://maven-badges.herokuapp.com/maven-central/ee.sk.smartid/smart-id-java-client)
@@ -360,6 +360,7 @@ smartIdSignature.getInteractionFlowUsed(); // which interaction was used
 
 The app can support different interaction flows and a Relying Party can demand a particular flow with or without a fallback possibility.
 Different interaction flows can support different amount of data to display information to user.
+By now all devices (app versions) are supporting a larger amount of data (displayText200) to be displayed to the user.
 
 Available interactions:
 * `displayTextAndPIN` with `displayText60`. The simplest interaction with max 60 chars of text and PIN entry on a single screen. Every app has this interaction available.

pom.xml

@@ -45,7 +45,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <jackson.version>2.14.2</jackson.version>
+        <jackson.version>2.15.0</jackson.version>
         <jackson.annotations.version>2.14.2</jackson.annotations.version>
         <jersey.version>3.0.10</jersey.version><!-- NB! 3.1.x does not work with Java 8 -->
         <resteasy.version>6.0.3.Final</resteasy.version><!-- 6.1+ doesn't work with Java 8 -->
@@ -117,7 +117,7 @@
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
-            <version>1.2.11</version>
+            <version>1.2.13</version>
             <scope>test</scope>
         </dependency>
         <dependency>

src/main/java/ee/sk/smartid/AuthenticationResponseValidator.java

@@ -38,6 +38,7 @@
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
+import javax.security.auth.x500.X500Principal;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
@@ -59,7 +60,7 @@ public class AuthenticationResponseValidator {
 
   private static final Logger logger = LoggerFactory.getLogger(AuthenticationResponseValidator.class);
 
-  private List<X509Certificate> trustedCACertificates = new ArrayList<>();
+  private final List<X509Certificate> trustedCACertificates = new ArrayList<>();
   /**
    * Constructs a new {@code AuthenticationResponseValidator}.
    * <p>
@@ -243,8 +244,68 @@ private boolean verifyCertificateExpiry(X509Certificate certificate) {
     return !certificate.getNotAfter().before(new Date());
   }
 
+  private static final class CertDnDetails {
+    private final String country;
+    private final String organization;
+    private final String commonName;
+
+    private CertDnDetails(String country, String organization, String commonName) {
+      this.country = country;
+      this.organization = organization;
+      this.commonName = commonName;
+    }
+
+    private static CertDnDetails from(X500Principal principal) {
+        String country = null;
+        String organization = null;
+        String commonName = null;
+        LdapName ldapName;
+        try {
+            ldapName = new LdapName(principal.getName());
+        } catch (InvalidNameException e) {
+            String errorMessage = "Error getting certificate distinguished name";
+            logger.error(errorMessage, e);
+            throw new SmartIdClientException(errorMessage, e);
+        }
+        for (Rdn rdn : ldapName.getRdns()) {
+            if (rdn.getType().equalsIgnoreCase("C")) {
+                country = rdn.getValue().toString();
+            } else if (rdn.getType().equalsIgnoreCase("O")) {
+                organization = rdn.getValue().toString();
+            } else if (rdn.getType().equalsIgnoreCase("CN")) {
+                commonName = rdn.getValue().toString();
+            }
+        }
+        return new CertDnDetails(country, organization, commonName);
+    }
+
+    private static boolean equal(CertDnDetails first, CertDnDetails second) {
+      return Objects.equals(first.country, second.country)
+          && Objects.equals(first.organization, second.organization)
+          && Objects.equals(first.commonName, second.commonName);
+    }
+  }
+
   private boolean isCertificateTrusted(X509Certificate certificate) {
+    CertDnDetails issuerDN = CertDnDetails.from(certificate.getIssuerX500Principal());
+
     for (X509Certificate trustedCACertificate : trustedCACertificates) {
+      logger.debug(
+        "Verifying signer's certificate '{}' against CA certificate '{}'",
+        certificate.getSubjectDN(),
+        trustedCACertificate.getSubjectDN()
+      );
+
+      CertDnDetails caCertDN = CertDnDetails.from(trustedCACertificate.getSubjectX500Principal());
+      if (!CertDnDetails.equal(issuerDN, caCertDN)) {
+        logger.debug(
+          "Skipped trusted CA certificate '{}', no match with signer's certificate issuer '{}'",
+          trustedCACertificate.getSubjectDN(),
+          certificate.getIssuerX500Principal().toString()
+        );
+        continue;
+      }
+
       try {
         certificate.verify(trustedCACertificate.getPublicKey());
         logger.info("Certificate verification passed for '{}' against CA certificate '{}' ", certificate.getSubjectDN() ,trustedCACertificate.getSubjectDN() );
@@ -254,6 +315,13 @@ private boolean isCertificateTrusted(X509Certificate certificate) {
         logger.debug("Error verifying signer's certificate: " + certificate.getSubjectDN() + " against CA certificate: " + trustedCACertificate.getSubjectDN(), e);
       }
     }
+
+    logger.error(
+      "No suitable trusted CA certificate found: '{}'."
+        + " Ensure that this CA certificate is present in the trusted CA certificate list",
+      certificate.getIssuerX500Principal().toString()
+    );
+
     return false;
   }