NFC-83 Use hashFunction from sign request when building sign result

SanderKondratjevNortal · SanderKondratjevNortal · commit 4fb4dad84386 · 2026-02-05T19:10:09.000+02:00
diff --git a/app/src/androidTest/kotlin/ee/ria/DigiDoc/viewmodel/WebEidViewModelTest.kt b/app/src/androidTest/kotlin/ee/ria/DigiDoc/viewmodel/WebEidViewModelTest.kt
@@ -445,18 +445,20 @@ class WebEidViewModelTest {
             val signingCert = "mock-sign-cert"
             val signature = byteArrayOf(1, 2, 3)
             val responseUri = "https://example.com/response"
+            val hashFunction = "SHA-384"
 
-            whenever(signService.buildSignPayload(signingCert, signature))
+            whenever(signService.buildSignPayload(signingCert, signature, hashFunction))
                 .thenReturn(JSONObject().put("signature", "mock-signature"))
 
             val deferred =
                 async {
                     viewModel.relyingPartyResponseEvents.first()
                 }
 
+            viewModel.handleSign(Uri.parse(createSignUri(signingCertBase64)))
             viewModel.handleWebEidSignResult(signingCert, signature, responseUri)
 
-            verify(signService).buildSignPayload(signingCert, signature)
+            verify(signService).buildSignPayload(signingCert, signature, hashFunction)
             val emittedUri = deferred.await()
             assert(emittedUri.toString().startsWith("https://example.com/response#"))
             assert(emittedUri.fragment != null)
@@ -474,18 +476,19 @@ class WebEidViewModelTest {
             val signingCert = "mock-sign-cert"
             val signature = byteArrayOf(1, 2, 3)
             val responseUri = "https://example.com/response"
+            val hashFunction = "SHA-384"
 
-            whenever(signService.buildSignPayload(signingCert, signature))
+            whenever(signService.buildSignPayload(signingCert, signature, hashFunction))
                 .thenThrow(RuntimeException("Test exception"))
 
             val deferred =
                 async {
                     viewModel.relyingPartyResponseEvents.first()
                 }
-
+            viewModel.handleSign(Uri.parse(createSignUri(signingCertBase64)))
             viewModel.handleWebEidSignResult(signingCert, signature, responseUri)
 
-            verify(signService).buildSignPayload(signingCert, signature)
+            verify(signService).buildSignPayload(signingCert, signature, hashFunction)
             val emittedUri = deferred.await()
             assert(emittedUri.toString().startsWith("https://example.com/response#"))
             assert(emittedUri.fragment != null)
@@ -509,7 +512,7 @@ class WebEidViewModelTest {
         }
         sb.append("}")
         val encoded = Base64.getEncoder().encodeToString(sb.toString().toByteArray())
-        return "web-eid://sign#$encoded"
+        return "web-eid-mobile://sign#$encoded"
     }
 
     private fun validSha384Base64(): String {
diff --git a/app/src/main/kotlin/ee/ria/DigiDoc/viewmodel/WebEidViewModel.kt b/app/src/main/kotlin/ee/ria/DigiDoc/viewmodel/WebEidViewModel.kt
@@ -165,7 +165,16 @@ class WebEidViewModel
             responseUri: String,
         ) {
             try {
-                val payload = signService.buildSignPayload(signingCert, signature)
+                val hashFunction =
+                    signRequest.value?.hashFunction
+                        ?: throw IllegalStateException("Missing signRequest")
+
+                val payload =
+                    signService.buildSignPayload(
+                        signingCert,
+                        signature,
+                        hashFunction,
+                    )
                 val response = WebEidResponseUtil.createResponseUri(responseUri, payload)
                 _relyingPartyResponseEvents.emit(response)
             } catch (e: Exception) {
diff --git a/web-eid-lib/src/androidTest/java/ee/ria/DigiDoc/webEid/WebEidSignServiceTest.kt b/web-eid-lib/src/androidTest/java/ee/ria/DigiDoc/webEid/WebEidSignServiceTest.kt
@@ -86,7 +86,8 @@ class WebEidSignServiceTest {
     @Test
     fun buildSignPayload_withValidInputs_returnsExpectedJson() {
         val signatureBytes = byteArrayOf(11, 22, 33, 44, 55)
-        val result = service.buildSignPayload(signingCertBase64, signatureBytes)
+        val hashFunction = "SHA-384"
+        val result = service.buildSignPayload(signingCertBase64, signatureBytes, hashFunction)
 
         assertEquals(
             setOf("signature", "signatureAlgorithm"),
@@ -107,8 +108,9 @@ class WebEidSignServiceTest {
     fun buildSignPayload_differentSignatures_produceDifferentJson() {
         val sig1 = byteArrayOf(1, 2, 3)
         val sig2 = byteArrayOf(4, 5, 6)
-        val result1 = service.buildSignPayload(signingCertBase64, sig1)
-        val result2 = service.buildSignPayload(signingCertBase64, sig2)
+        val hashFunction = "SHA-384"
+        val result1 = service.buildSignPayload(signingCertBase64, sig1, hashFunction)
+        val result2 = service.buildSignPayload(signingCertBase64, sig2, hashFunction)
 
         assertNotEquals(
             result1.getString("signature"),
diff --git a/web-eid-lib/src/androidTest/java/ee/ria/DigiDoc/webEid/utils/WebEidAlgorithmUtilTest.kt b/web-eid-lib/src/androidTest/java/ee/ria/DigiDoc/webEid/utils/WebEidAlgorithmUtilTest.kt
@@ -115,40 +115,22 @@ class WebEidAlgorithmUtilTest {
     }
 
     @Test
-    fun buildSignatureAlgorithm_ec256_returnsCorrectAlgorithmObject() {
+    fun buildSignatureAlgorithm_sha256_returnsCorrectAlgorithmObject() {
         val result =
-            WebEidAlgorithmUtil.buildSignatureAlgorithm(ecPublicKey256)
+            WebEidAlgorithmUtil.buildSignatureAlgorithm("SHA-256")
 
         assertEquals("ECC", result.getString("cryptoAlgorithm"))
         assertEquals("SHA-256", result.getString("hashFunction"))
         assertEquals("NONE", result.getString("paddingScheme"))
     }
 
     @Test
-    fun buildSignatureAlgorithm_ec384_returnsCorrectAlgorithmObject() {
+    fun buildSignatureAlgorithm_sha384_returnsCorrectAlgorithmObject() {
         val result =
-            WebEidAlgorithmUtil.buildSignatureAlgorithm(ecPublicKey384)
+            WebEidAlgorithmUtil.buildSignatureAlgorithm("SHA-384")
 
         assertEquals("ECC", result.getString("cryptoAlgorithm"))
         assertEquals("SHA-384", result.getString("hashFunction"))
         assertEquals("NONE", result.getString("paddingScheme"))
     }
-
-    @Test
-    fun buildSignatureAlgorithm_unsupportedKeyType_throwsException() {
-        val rsaKey =
-            KeyPairGenerator
-                .getInstance("RSA")
-                .apply {
-                    initialize(2048)
-                }.generateKeyPair()
-                .public
-
-        val exception =
-            assertThrows(IllegalArgumentException::class.java) {
-                WebEidAlgorithmUtil.buildSignatureAlgorithm(rsaKey)
-            }
-
-        assertTrue(exception.message!!.contains("Unsupported key type"))
-    }
 }
diff --git a/web-eid-lib/src/main/java/ee/ria/DigiDoc/webEid/WebEidSignService.kt b/web-eid-lib/src/main/java/ee/ria/DigiDoc/webEid/WebEidSignService.kt
@@ -29,5 +29,6 @@ interface WebEidSignService {
     fun buildSignPayload(
         signingCert: String,
         signature: ByteArray,
+        hashFunction: String,
     ): JSONObject
 }
diff --git a/web-eid-lib/src/main/java/ee/ria/DigiDoc/webEid/WebEidSignServiceImpl.kt b/web-eid-lib/src/main/java/ee/ria/DigiDoc/webEid/WebEidSignServiceImpl.kt
@@ -51,19 +51,10 @@ class WebEidSignServiceImpl
         override fun buildSignPayload(
             signingCert: String,
             signature: ByteArray,
-        ): JSONObject {
-            val certBytes = Base64.getDecoder().decode(signingCert)
-            val cert =
-                CertificateFactory
-                    .getInstance("X.509")
-                    .generateCertificate(certBytes.inputStream()) as X509Certificate
-
-            val publicKey = cert.publicKey
-            val signatureAlgorithm = buildSignatureAlgorithm(publicKey)
-
-            return JSONObject().apply {
+            hashFunction: String,
+        ): JSONObject =
+            JSONObject().apply {
                 put("signature", Base64.getEncoder().encodeToString(signature))
-                put("signatureAlgorithm", signatureAlgorithm)
+                put("signatureAlgorithm", buildSignatureAlgorithm(hashFunction))
             }
-        }
     }
diff --git a/web-eid-lib/src/main/java/ee/ria/DigiDoc/webEid/utils/WebEidAlgorithmUtil.kt b/web-eid-lib/src/main/java/ee/ria/DigiDoc/webEid/utils/WebEidAlgorithmUtil.kt
@@ -66,21 +66,12 @@ object WebEidAlgorithmUtil {
             else -> throw IllegalArgumentException("Unsupported EC key length")
         }
 
-    fun buildSignatureAlgorithm(publicKey: PublicKey): JSONObject {
-        val hashFunction =
-            when (getEcKeySize(publicKey)) {
-                256 -> "SHA-256"
-                384 -> "SHA-384"
-                521 -> "SHA-512"
-                else -> throw IllegalArgumentException("Unsupported EC key length")
-            }
-
-        return JSONObject().apply {
+    fun buildSignatureAlgorithm(hashFunction: String): JSONObject =
+        JSONObject().apply {
             put("cryptoAlgorithm", "ECC")
             put("hashFunction", hashFunction)
             put("paddingScheme", "NONE")
         }
-    }
 
     private fun getEcKeySize(publicKey: PublicKey): Int =
         when (publicKey) {

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,6 @@ interface WebEidSignService {`
`29`	`29`	`fun buildSignPayload(`
`30`	`30`	`signingCert: String,`
`31`	`31`	`signature: ByteArray,`
	`32`	`+ hashFunction: String,`
`32`	`33`	`): JSONObject`
`33`	`34`	`}`