Add FAPI validations for DCR

components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java

@@ -48,6 +48,7 @@ public class ApplicationDTO  {
   private String subjectType = null;
   private String requestObjectEncryptionAlgorithm = null;
   private String requestObjectEncryptionMethod = null;
+  private String softwareStatement = null;
 
 
   /**
@@ -264,6 +265,16 @@ public void setRequestObjectEncryptionMethod(String requestObjectEncryptionMetho
     this.requestObjectEncryptionMethod = requestObjectEncryptionMethod;
   }
 
+  @ApiModelProperty(value = "")
+  @JsonProperty("software_statement")
+  public String getSoftwareStatement() {
+    return softwareStatement;
+  }
+
+  public void setSoftwareStatement(String softwareStatement) {
+    this.softwareStatement = softwareStatement;
+  }
+
   @Override
   public String toString()  {
     StringBuilder sb = new StringBuilder();

components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java

@@ -159,6 +159,10 @@ public static void handleErrorResponse(DCRMException dcrmException, Log log) thr
                 status = Response.Status.UNAUTHORIZED;
             } else if (errorCode.startsWith(FORBIDDEN_STATUS)) {
                 status = Response.Status.FORBIDDEN;
+            } else if (errorCode.startsWith(DCRMConstants.ErrorCodes.INVALID_CLIENT_METADATA) ||
+                    errorCode.startsWith(DCRMConstants.ErrorCodes.INVALID_SOFTWARE_STATEMENT)) {
+                status = Response.Status.BAD_REQUEST;
+                isStatusOnly = false;
             }
         }
         throw buildDCRMEndpointException(status, errorCode, dcrmException.getMessage(), isStatusOnly);
@@ -229,6 +233,7 @@ public static ApplicationDTO getApplicationDTOFromApplication(Application applic
         applicationDTO.setRequestObjectEncryptionMethod(application.getRequestObjectEncryptionMethod());
         applicationDTO.setRequirePushAuthorizationRequest(application.isRequirePushedAuthorizationRequests());
         applicationDTO.setTlsClientCertificateBoundAccessToken(application.isTlsClientCertificateBoundAccessTokens());
+        applicationDTO.setSoftwareStatement(application.getSoftwareStatement());
         return applicationDTO;
     }
 
@@ -265,6 +270,9 @@ private static DCRMEndpointException buildDCRMEndpointException(Response.Status
             if (code.equals(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_REDIRECT_URI.toString())) {
                 error = DCRMConstants.ErrorCodes.INVALID_REDIRECT_URI;
             }
+            if (code.equals(DCRMConstants.ErrorCodes.INVALID_SOFTWARE_STATEMENT)) {
+                error = DCRMConstants.ErrorCodes.INVALID_SOFTWARE_STATEMENT;
+            }
 
             ErrorDTO errorDTO = new ErrorDTO();
             errorDTO.setError(error);

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -227,8 +227,32 @@ public static SubjectType fromValue(String text) {
     public static final String ORG_ID = "org_id";
     public static final String IS_FAPI_CONFORMANT_APP = "isFAPIConformant";
     public static final String ENABLE_FAPI = "OAuth.OpenIDConnect.FAPI.EnableFAPIValidation";
-    public static final String IS_THIRD_PARTY_APP = "isThirdPartyApp";
+    public static final String ENABLE_DCR_FAPI_ENFORCEMENT = "OAuth.DCRM.EnableFAPIEnforcement";
+    public static final String FAPI_CLIENT_AUTH_METHOD_CONFIGURATION = "OAuth.OpenIDConnect.FAPI." +
+            "AllowedClientAuthenticationMethods.AllowedClientAuthenticationMethod";
+    public static final String FAPI_SIGNATURE_ALGORITHM_CONFIGURATION = "OAuth.OpenIDConnect.FAPI." +
+            "AllowedSignatureAlgorithms.AllowedSignatureAlgorithm";
+    public static final String VALIDATE_SECTOR_IDENTIFIER = "OAuth.DCRM.EnableSectorIdentifierURIValidation";
+    public static final String TOKEN_EP_SIGNATURE_ALG_CONFIGURATION = "OAuth.OpenIDConnect" +
+            ".SupportedTokenEndpointSigningAlgorithms.SupportedTokenEndpointSigningAlgorithm";
+    public static final String ID_TOKEN_SIGNATURE_ALG_CONFIGURATION = "OAuth.OpenIDConnect" +
+            ".SupportedIDTokenSigningAlgorithms.SupportedIDTokenSigningAlgorithm";
+    public static final String REQUEST_OBJECT_SIGNATURE_ALG_CONFIGURATION = "OAuth.OpenIDConnect" +
+            ".SupportedRequestObjectSigningAlgorithms.SupportedRequestObjectSigningAlgorithm";
+    public static final String ID_TOKEN_ENCRYPTION_ALGORITHM = "OAuth.OpenIDConnect." +
+            "SupportedIDTokenEncryptionAlgorithms.SupportedIDTokenEncryptionAlgorithm";
+    public static final String REQUEST_OBJECT_ENCRYPTION_ALGORITHM = "OAuth.OpenIDConnect." +
+            "SupportedRequestObjectEncryptionAlgorithms.SupportedRequestObjectEncryptionAlgorithm";
+    public static final String ID_TOKEN_ENCRYPTION_METHOD = "OAuth.OpenIDConnect.SupportedIDTokenEncryptionMethods." +
+            "SupportedIDTokenEncryptionMethod";
+    public static final String REQUEST_OBJECT_ENCRYPTION_METHOD = "OAuth.OpenIDConnect." +
+            "SupportedRequestObjectEncryptionMethods.SupportedRequestObjectEncryptionMethod";
+
 
+    public static final String IS_THIRD_PARTY_APP = "isThirdPartyApp";
+    public static final String PRIVATE_KEY_JWT = "private_key_jwt";
+    public static final String TLS_CLIENT_AUTH = "tls_client_auth";
+    public static final String RESTRICTED_ENCRYPTION_ALGORITHM = "RSA1_5";
 
     private OAuthConstants() {
 
@@ -600,6 +624,8 @@ public static class SignatureAlgorithms {
         public static final String SHA1 = "SHA-1";
         public static final String KID_HASHING_ALGORITHM = SHA256;
         public static final String PREVIOUS_KID_HASHING_ALGORITHM = SHA1;
+        public static final String PS256 = "PS256";
+        public static final String ES256 = "ES256";
 
         private SignatureAlgorithms() {
 

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -163,6 +163,9 @@
                             org.wso2.carbon.user.api; version="${carbon.user.api.imp.pkg.version.range}",
                             org.wso2.carbon.identity.oauth.*;version="${identity.inbound.auth.oauth.imp.pkg.version.range}",
                             org.wso2.carbon.identity.oauth2.*;version="${identity.inbound.auth.oauth.imp.pkg.version.range}",
+
+                            com.nimbusds.jose.*; version="${nimbusds.osgi.version.range}",
+                            com.nimbusds.jwt; version="${nimbusds.osgi.version.range}",
                         </Import-Package>
                         <Export-Package>
                             !org.wso2.carbon.identity.oauth.dcr.internal,

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/DCRMConstants.java

@@ -54,7 +54,8 @@ public enum ErrorMessages {
         ERROR_CODE_UNEXPECTED("Unexpected error"),
         TENANT_DOMAIN_MISMATCH("NOT_FOUND_60001", "Tenant domain in request does not match with the application " +
                 "tenant domain for consumer key: %s"),
-        FAILED_TO_VALIDATE_TENANT_DOMAIN("Error occurred during validating tenant domain for consumer key: %s");
+        FAILED_TO_VALIDATE_TENANT_DOMAIN("Error occurred during validating tenant domain for consumer key: %s"),
+        SIGNATURE_VALIDATION_FAILED("Signature validation failed for the software statement");
 
         private final String message;
         private final String errorCode;

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java

@@ -48,6 +48,17 @@ public class Application implements Serializable {
     private boolean isRequestObjectSignatureValidationEnabled;
     private String idTokenEncryptionAlgorithm = null;
     private String idTokenEncryptionMethod = null;
+    private String softwareStatement = null;
+
+    public String getSoftwareStatement() {
+
+        return softwareStatement;
+    }
+
+    public void setSoftwareStatement(String softwareStatement) {
+
+        this.softwareStatement = softwareStatement;
+    }
 
     public String getClientName() {
 

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java

@@ -19,6 +19,7 @@
 package org.wso2.carbon.identity.oauth.dcr.service;
 
 import com.google.gson.Gson;
+import com.nimbusds.jwt.SignedJWT;
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
@@ -34,7 +35,9 @@
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
 import org.wso2.carbon.identity.application.mgt.ApplicationMgtUtil;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
+import org.wso2.carbon.identity.oauth.IdentityOAuthClientException;
 import org.wso2.carbon.identity.oauth.OAuthAdminService;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
@@ -52,11 +55,15 @@
 import org.wso2.carbon.identity.oauth.dcr.util.ErrorCodes;
 import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.util.JWTSignatureValidationUtils;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 
+import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.regex.Pattern;
 
 import static org.wso2.carbon.identity.oauth.Error.INVALID_OAUTH_CLIENT;
@@ -74,6 +81,8 @@ public class DCRMService {
     private static final String GRANT_TYPE_SEPARATOR = " ";
     private static final String APP_DISPLAY_NAME = "DisplayName";
     private static Pattern clientIdRegexPattern = null;
+    private static final String SSA_VALIDATION_JWKS = "OAuth.DCRM.SoftwareStatementJWKS";
+
 
     /**
      * Get OAuth2/OIDC application information with client_id.
@@ -292,8 +301,7 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
                 appDTO.setIdTokenEncryptionMethod(updateRequest.getIdTokenEncryptionMethod());
             }
             if (updateRequest.getRequestObjectSignatureAlgorithm() != null) {
-                appDTO.setRequestObjectSignatureValidationEnabled
-                        (updateRequest.isRequireSignedRequestObject());
+                appDTO.setRequestObjectSignatureAlgorithm(updateRequest.getRequestObjectSignatureAlgorithm());
             }
             if (updateRequest.getTlsClientAuthSubjectDN() != null) {
                 appDTO.setTlsClientAuthSubjectDN(updateRequest.getTlsClientAuthSubjectDN());
@@ -315,14 +323,18 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
             appDTO.setPkceSupportPlain(updateRequest.isExtPkceSupportPlain());
             appDTO.setBypassClientCredentials(updateRequest.isExtPublicClient());
             oAuthAdminService.updateConsumerApplication(appDTO);
+        } catch (IdentityOAuthClientException e) {
+            throw new DCRMClientException(DCRMConstants.ErrorCodes.INVALID_CLIENT_METADATA, e.getMessage(), e);
         } catch (IdentityOAuthAdminException e) {
             throw DCRMUtils.generateServerException(
                     DCRMConstants.ErrorMessages.FAILED_TO_UPDATE_APPLICATION, clientId, e);
         }
         OAuthConsumerAppDTO oAuthConsumerAppDTO = getApplicationById(clientId);
         // Setting the jwksURI to be sent in the response.
         oAuthConsumerAppDTO.setJwksURI(updateRequest.getJwksURI());
-        return buildResponse(oAuthConsumerAppDTO);
+        Application application = buildResponse(oAuthConsumerAppDTO);
+        application.setSoftwareStatement(updateRequest.getSoftwareStatement());
+        return application;
     }
 
     /**
@@ -414,6 +426,15 @@ private Application createOAuthApplication(ApplicationRegistrationRequest regist
             throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.CONFLICT_EXISTING_CLIENT_ID,
                     registrationRequest.getConsumerKey());
         }
+        // Validate software statement assertion signature.
+        if (StringUtils.isNotEmpty(registrationRequest.getSoftwareStatement())) {
+            try {
+                validateSSASignature(registrationRequest.getSoftwareStatement());
+            } catch (IdentityOAuth2Exception e) {
+                throw new DCRMClientException(DCRMConstants.ErrorCodes.INVALID_SOFTWARE_STATEMENT,
+                        DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage(), e);
+            }
+        }
 
         // Create a service provider.
         ServiceProvider serviceProvider = createServiceProvider(applicationOwner, tenantDomain, spName, templateName,
@@ -448,7 +469,9 @@ private Application createOAuthApplication(ApplicationRegistrationRequest regist
             deleteApplication(createdApp.getOauthConsumerKey());
             throw ex;
         }
-        return buildResponse(createdApp);
+        Application application = buildResponse(createdApp);
+        application.setSoftwareStatement(registrationRequest.getSoftwareStatement());
+        return application;
     }
 
     private Application buildResponse(OAuthConsumerAppDTO createdApp) {
@@ -603,6 +626,8 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist
         OAuthConsumerAppDTO createdApp;
         try {
             createdApp = oAuthAdminService.registerAndRetrieveOAuthApplicationData(oAuthConsumerApp);
+        } catch (IdentityOAuthClientException e) {
+            throw new DCRMClientException(DCRMConstants.ErrorCodes.INVALID_CLIENT_METADATA, e.getMessage(), e);
         } catch (IdentityOAuthAdminException e) {
             throw DCRMUtils.generateServerException(
                     DCRMConstants.ErrorMessages.FAILED_TO_REGISTER_APPLICATION, spName, e);
@@ -630,6 +655,19 @@ private ServiceProvider createServiceProvider(String applicationOwner, String te
         sp.setDescription("Service Provider for application " + spName);
         sp.setManagementApp(isManagementApp);
 
+        Map<String, Object> spProperties = new HashMap<>();
+        boolean enableFAPI = Boolean.parseBoolean(IdentityUtil.getProperty(OAuthConstants.ENABLE_FAPI));
+        if (enableFAPI) {
+            boolean enableFAPIDCR = Boolean.parseBoolean(IdentityUtil.getProperty(
+                    OAuthConstants.ENABLE_DCR_FAPI_ENFORCEMENT));
+            if (enableFAPIDCR) {
+                // Add FAPI conformant application nad isThirdParty property to the service provider.
+                spProperties.put(OAuthConstants.IS_FAPI_CONFORMANT_APP, true);
+            }
+        }
+        spProperties.put(OAuthConstants.IS_THIRD_PARTY_APP, true);
+        addSPProperties(spProperties, sp);
+
         createServiceProvider(sp, tenantDomain, applicationOwner, templateName);
 
         // Get created service provider.
@@ -925,4 +963,52 @@ private ServiceProvider cloneServiceProvider(ServiceProvider serviceProvider) {
         ServiceProvider clonedServiceProvider = gson.fromJson(gson.toJson(serviceProvider), ServiceProvider.class);
         return clonedServiceProvider;
     }
+
+    /**
+     * Validate SSA signature using jwks_uri.
+     * @param softwareStatement Software Statement
+     * @throws DCRMClientException
+     * @throws IdentityOAuth2Exception
+     */
+    private void validateSSASignature(String softwareStatement) throws DCRMClientException, IdentityOAuth2Exception {
+
+        String jwksURL = IdentityUtil.getProperty(SSA_VALIDATION_JWKS);
+        if (StringUtils.isNotEmpty(jwksURL)) {
+            try {
+                SignedJWT signedJWT = SignedJWT.parse(softwareStatement);
+                if (!JWTSignatureValidationUtils.validateUsingJWKSUri(signedJWT, jwksURL)) {
+                    throw new DCRMClientException(DCRMConstants.ErrorCodes.INVALID_SOFTWARE_STATEMENT,
+                            DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage());
+                }
+            } catch (ParseException e) {
+                throw new DCRMClientException(DCRMConstants.ErrorCodes.INVALID_SOFTWARE_STATEMENT,
+                        DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage(), e);
+            }
+
+        } else {
+            log.debug("Skipping Software Statement signature validation as jwks_uri is not configured.");
+        }
+    }
+
+    /**
+     * Add the properties to the service provider.
+     * @param spProperties Map of property name and values to be added.
+     * @param serviceProvider ServiceProvider object.
+     */
+    private void addSPProperties(Map<String, Object> spProperties, ServiceProvider serviceProvider) {
+
+        ServiceProviderProperty[] serviceProviderProperties = serviceProvider.getSpProperties();
+        for (Map.Entry<String, Object> entry : spProperties.entrySet()) {
+            boolean propertyExists = Arrays.stream(serviceProviderProperties)
+                    .anyMatch(property -> property.getName().equals(entry.getKey()));
+            if (!propertyExists) {
+                ServiceProviderProperty serviceProviderProperty = new ServiceProviderProperty();
+                serviceProviderProperty.setName(entry.getKey());
+                serviceProviderProperty.setValue(entry.getValue().toString());
+                serviceProviderProperties = (ServiceProviderProperty[]) ArrayUtils.add(serviceProviderProperties,
+                        serviceProviderProperty);
+            }
+        }
+        serviceProvider.setSpProperties(serviceProviderProperties);
+    }
 }