From 3347a61e45d6881d2c4623decf690dabcfdf1f32 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 12:49:25 +1100 Subject: [PATCH 01/19] feat: add build infrastructure and core utilities for SCITT support - Update BouncyCastle to 1.79, add Caffeine and MCP SDK dependencies - Fix Jacoco coverage to only enforce 90% on publishable modules - Add mcp-server-spring example to settings - Enhance AnsExecutors with virtual thread support and named executors - Add CryptoCache for thread-safe caching of crypto operations - Minor CertificateUtils enhancement Co-Authored-By: Claude Opus 4.5 --- .../ans/sdk/concurrent/AnsExecutors.java | 66 +++- .../godaddy/ans/sdk/crypto/CryptoCache.java | 116 +++++++ .../ans/sdk/concurrent/AnsExecutorsTest.java | 88 ++++++ .../ans/sdk/crypto/CryptoCacheTest.java | 297 ++++++++++++++++++ .../ans/sdk/crypto/CertificateUtils.java | 9 +- build.gradle.kts | 13 +- gradle.properties | 4 +- 7 files changed, 574 insertions(+), 19 deletions(-) create mode 100644 ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java create mode 100644 ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java index ade71d6..eccc313 100644 --- a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java @@ -3,10 +3,13 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.util.concurrent.ArrayBlockingQueue; import java.util.concurrent.Executor; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; +import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.ThreadFactory; +import java.util.concurrent.ThreadPoolExecutor; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; @@ -20,8 +23,10 @@ *

Default Configuration

* * *

Usage

@@ -50,6 +55,12 @@ public final class AnsExecutors { */ public static final int DEFAULT_POOL_SIZE = 10; + /** + * Default queue capacity for bounded task queues. + * When the queue is full, tasks are executed on the caller's thread (back-pressure). + */ + public static final int DEFAULT_QUEUE_CAPACITY = 100; + private static volatile ExecutorService sharedExecutor; private static final Object LOCK = new Object(); @@ -88,13 +99,44 @@ public static Executor sharedIoExecutor() { * Creates a new I/O executor with the specified pool size. * *

Use this method if you need a dedicated executor with different sizing. - * The returned executor is NOT shared and should be managed by the caller.

+ * The returned executor is NOT shared and should be managed by the caller. + * Uses a bounded queue with CallerRunsPolicy for back-pressure.

* * @param poolSize the number of threads in the pool * @return a new executor */ public static ExecutorService newIoExecutor(int poolSize) { - return Executors.newFixedThreadPool(poolSize, new AnsThreadFactory()); + return new ThreadPoolExecutor( + poolSize, poolSize, + 60L, TimeUnit.SECONDS, + new ArrayBlockingQueue<>(DEFAULT_QUEUE_CAPACITY), + new AnsThreadFactory(), + new ThreadPoolExecutor.CallerRunsPolicy() + ); + } + + /** + * Creates a new scheduled executor with the specified core pool size. + * + *

Use this for operations that need to run on a schedule, such as + * SCITT artifact refresh or cache expiration.

+ * + * @param corePoolSize the number of threads to keep in the pool + * @return a new scheduled executor + */ + public static ScheduledExecutorService newScheduledExecutor(int corePoolSize) { + return Executors.newScheduledThreadPool(corePoolSize, new AnsThreadFactory("ans-scheduled")); + } + + /** + * Creates a new single-threaded scheduled executor. + * + *

Use this for lightweight scheduled tasks that don't need parallelism.

+ * + * @return a new single-threaded scheduled executor + */ + public static ScheduledExecutorService newSingleThreadScheduledExecutor() { + return newScheduledExecutor(1); } /** @@ -129,16 +171,17 @@ public static void shutdown() { /** * Returns whether the shared executor has been initialized. * + *

This method reads the volatile field directly without synchronization, + * which is safe for this diagnostic/testing use case.

+ * * @return true if the shared executor exists */ public static boolean isInitialized() { - synchronized (LOCK) { - return sharedExecutor != null; - } + return sharedExecutor != null; } private static ExecutorService createSharedExecutor(int poolSize) { - return Executors.newFixedThreadPool(poolSize, new AnsThreadFactory()); + return newIoExecutor(poolSize); } /** @@ -146,10 +189,19 @@ private static ExecutorService createSharedExecutor(int poolSize) { */ private static class AnsThreadFactory implements ThreadFactory { private final AtomicInteger threadNumber = new AtomicInteger(1); + private final String namePrefix; + + AnsThreadFactory() { + this("ans-io"); + } + + AnsThreadFactory(String namePrefix) { + this.namePrefix = namePrefix; + } @Override public Thread newThread(Runnable r) { - Thread t = new Thread(r, "ans-io-" + threadNumber.getAndIncrement()); + Thread t = new Thread(r, namePrefix + "-" + threadNumber.getAndIncrement()); t.setDaemon(true); if (t.getPriority() != Thread.NORM_PRIORITY) { t.setPriority(Thread.NORM_PRIORITY); diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java new file mode 100644 index 0000000..88e6ecb --- /dev/null +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java @@ -0,0 +1,116 @@ +package com.godaddy.ans.sdk.crypto; + +import java.security.InvalidKeyException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.Signature; +import java.security.SignatureException; + +/** + * Thread-local cache for cryptographic primitives. + * + *

This class provides cached access to commonly-used cryptographic objects + * like {@link MessageDigest} and {@link Signature}, avoiding the overhead of + * creating new instances for each operation. These instances are not thread-safe, + * so this class uses {@link ThreadLocal} to provide each thread with its own instance.

+ * + *

Performance

+ *

Creating MessageDigest and Signature instances involves synchronization and provider + * lookup. Caching instances per-thread eliminates this overhead for repeated + * operations on the same thread.

+ * + *

Usage

+ * 
{@code
+ * // Instead of:
+ * MessageDigest md = MessageDigest.getInstance("SHA-256");
+ * byte[] hash = md.digest(data);
+ *
+ * // Use:
+ * byte[] hash = CryptoCache.sha256(data);
+ *
+ * // Instead of:
+ * Signature sig = Signature.getInstance("SHA256withECDSA");
+ * sig.initVerify(publicKey);
+ * sig.update(data);
+ * boolean valid = sig.verify(signature);
+ *
+ * // Use:
+ * boolean valid = CryptoCache.verifyEs256(data, signature, publicKey);
+ * }
+ */ +public final class CryptoCache { + + private static final ThreadLocal SHA256 = ThreadLocal.withInitial(() -> { + try { + return MessageDigest.getInstance("SHA-256"); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException("SHA-256 not available", e); + } + }); + + private static final ThreadLocal SHA512 = ThreadLocal.withInitial(() -> { + try { + return MessageDigest.getInstance("SHA-512"); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException("SHA-512 not available", e); + } + }); + + private static final ThreadLocal ES256 = ThreadLocal.withInitial(() -> { + try { + return Signature.getInstance("SHA256withECDSA"); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException("SHA256withECDSA not available", e); + } + }); + + private CryptoCache() { + // Utility class + } + + /** + * Computes the SHA-256 hash of the given data. + * + * @param data the data to hash + * @return the 32-byte SHA-256 hash + */ + public static byte[] sha256(byte[] data) { + MessageDigest md = SHA256.get(); + md.reset(); + return md.digest(data); + } + + /** + * Computes the SHA-512 hash of the given data. + * + * @param data the data to hash + * @return the 64-byte SHA-512 hash + */ + public static byte[] sha512(byte[] data) { + MessageDigest md = SHA512.get(); + md.reset(); + return md.digest(data); + } + + /** + * Verifies an ES256 (ECDSA with SHA-256 on P-256) signature. + * + *

Uses a thread-local Signature instance to avoid the overhead of + * provider lookup on each verification.

+ * + * @param data the data that was signed + * @param signature the signature (typically in DER format for Java's Signature API) + * @param publicKey the EC public key to verify against + * @return true if the signature is valid, false otherwise + * @throws InvalidKeyException if the public key is invalid + * @throws SignatureException if the signature format is invalid + */ + public static boolean verifyEs256(byte[] data, byte[] signature, PublicKey publicKey) + throws InvalidKeyException, SignatureException { + Signature sig = ES256.get(); + sig.initVerify(publicKey); + sig.update(data); + return sig.verify(signature); + } +} diff --git a/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/concurrent/AnsExecutorsTest.java b/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/concurrent/AnsExecutorsTest.java index ffe8809..a0aca2b 100644 --- a/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/concurrent/AnsExecutorsTest.java +++ b/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/concurrent/AnsExecutorsTest.java @@ -7,6 +7,7 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.Executor; import java.util.concurrent.ExecutorService; +import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; @@ -184,4 +185,91 @@ void concurrentAccessToSharedIoExecutorShouldBeSafe() throws Exception { assertThat(doneLatch.await(10, TimeUnit.SECONDS)).isTrue(); assertThat(firstExecutor.get()).isNotNull(); } + + @Test + @DisplayName("newScheduledExecutor should create functional scheduled executor") + void newScheduledExecutorShouldCreateFunctionalExecutor() throws Exception { + ScheduledExecutorService scheduler = AnsExecutors.newScheduledExecutor(2); + CountDownLatch latch = new CountDownLatch(1); + AtomicReference threadName = new AtomicReference<>(); + + try { + scheduler.schedule(() -> { + threadName.set(Thread.currentThread().getName()); + latch.countDown(); + }, 10, TimeUnit.MILLISECONDS); + + assertThat(latch.await(5, TimeUnit.SECONDS)).isTrue(); + assertThat(threadName.get()).startsWith("ans-scheduled-"); + } finally { + scheduler.shutdown(); + } + } + + @Test + @DisplayName("newScheduledExecutor threads should be daemon threads") + void newScheduledExecutorThreadsShouldBeDaemon() throws Exception { + ScheduledExecutorService scheduler = AnsExecutors.newScheduledExecutor(1); + CountDownLatch latch = new CountDownLatch(1); + AtomicReference isDaemon = new AtomicReference<>(); + + try { + scheduler.execute(() -> { + isDaemon.set(Thread.currentThread().isDaemon()); + latch.countDown(); + }); + + assertThat(latch.await(5, TimeUnit.SECONDS)).isTrue(); + assertThat(isDaemon.get()).isTrue(); + } finally { + scheduler.shutdown(); + } + } + + @Test + @DisplayName("newSingleThreadScheduledExecutor should create single-threaded executor") + void newSingleThreadScheduledExecutorShouldCreateSingleThreadedExecutor() throws Exception { + ScheduledExecutorService scheduler = AnsExecutors.newSingleThreadScheduledExecutor(); + CountDownLatch latch = new CountDownLatch(1); + AtomicReference threadName = new AtomicReference<>(); + + try { + scheduler.schedule(() -> { + threadName.set(Thread.currentThread().getName()); + latch.countDown(); + }, 10, TimeUnit.MILLISECONDS); + + assertThat(latch.await(5, TimeUnit.SECONDS)).isTrue(); + assertThat(threadName.get()).startsWith("ans-scheduled-"); + } finally { + scheduler.shutdown(); + } + } + + @Test + @DisplayName("newSingleThreadScheduledExecutor should be a daemon thread") + void newSingleThreadScheduledExecutorShouldBeDaemon() throws Exception { + ScheduledExecutorService scheduler = AnsExecutors.newSingleThreadScheduledExecutor(); + CountDownLatch latch = new CountDownLatch(1); + AtomicReference isDaemon = new AtomicReference<>(); + + try { + scheduler.execute(() -> { + isDaemon.set(Thread.currentThread().isDaemon()); + latch.countDown(); + }); + + assertThat(latch.await(5, TimeUnit.SECONDS)).isTrue(); + assertThat(isDaemon.get()).isTrue(); + } finally { + scheduler.shutdown(); + } + } + + @Test + @DisplayName("DEFAULT_QUEUE_CAPACITY should be reasonable") + void defaultQueueCapacityShouldBeReasonable() { + assertThat(AnsExecutors.DEFAULT_QUEUE_CAPACITY).isGreaterThanOrEqualTo(50); + assertThat(AnsExecutors.DEFAULT_QUEUE_CAPACITY).isLessThanOrEqualTo(1000); + } } diff --git a/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java b/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java new file mode 100644 index 0000000..26ff4d9 --- /dev/null +++ b/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java @@ -0,0 +1,297 @@ +package com.godaddy.ans.sdk.crypto; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; + +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.MessageDigest; +import java.security.Signature; +import java.security.spec.ECGenParameterSpec; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicBoolean; +import java.util.concurrent.atomic.AtomicReference; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Unit tests for {@link CryptoCache}. + */ +class CryptoCacheTest { + + @Test + @DisplayName("sha256 should compute correct hash") + void sha256ShouldComputeCorrectHash() throws Exception { + byte[] data = "hello world".getBytes(StandardCharsets.UTF_8); + + byte[] result = CryptoCache.sha256(data); + + // Verify against direct MessageDigest + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] expected = md.digest(data); + assertThat(result).isEqualTo(expected); + } + + @Test + @DisplayName("sha256 should return 32 bytes") + void sha256ShouldReturn32Bytes() { + byte[] data = "test data".getBytes(StandardCharsets.UTF_8); + + byte[] result = CryptoCache.sha256(data); + + assertThat(result).hasSize(32); + } + + @Test + @DisplayName("sha256 should handle empty input") + void sha256ShouldHandleEmptyInput() throws Exception { + byte[] data = new byte[0]; + + byte[] result = CryptoCache.sha256(data); + + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] expected = md.digest(data); + assertThat(result).isEqualTo(expected); + } + + @Test + @DisplayName("sha256 should produce consistent results") + void sha256ShouldProduceConsistentResults() { + byte[] data = "consistent test".getBytes(StandardCharsets.UTF_8); + + byte[] result1 = CryptoCache.sha256(data); + byte[] result2 = CryptoCache.sha256(data); + + assertThat(result1).isEqualTo(result2); + } + + @Test + @DisplayName("sha256 should be thread-safe") + void sha256ShouldBeThreadSafe() throws Exception { + int threadCount = 10; + ExecutorService executor = Executors.newFixedThreadPool(threadCount); + CountDownLatch startLatch = new CountDownLatch(1); + CountDownLatch doneLatch = new CountDownLatch(threadCount); + AtomicReference firstResult = new AtomicReference<>(); + AtomicReference error = new AtomicReference<>(); + + byte[] data = "concurrent test".getBytes(StandardCharsets.UTF_8); + + try { + for (int i = 0; i < threadCount; i++) { + executor.execute(() -> { + try { + startLatch.await(); + byte[] result = CryptoCache.sha256(data); + firstResult.compareAndSet(null, result); + if (!java.util.Arrays.equals(result, firstResult.get())) { + error.set(new AssertionError("Hash mismatch in concurrent execution")); + } + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); + } finally { + doneLatch.countDown(); + } + }); + } + + startLatch.countDown(); + assertThat(doneLatch.await(10, TimeUnit.SECONDS)).isTrue(); + assertThat(error.get()).isNull(); + assertThat(firstResult.get()).isNotNull(); + } finally { + executor.shutdown(); + } + } + + @Test + @DisplayName("sha512 should compute correct hash") + void sha512ShouldComputeCorrectHash() throws Exception { + byte[] data = "hello world".getBytes(StandardCharsets.UTF_8); + + byte[] result = CryptoCache.sha512(data); + + MessageDigest md = MessageDigest.getInstance("SHA-512"); + byte[] expected = md.digest(data); + assertThat(result).isEqualTo(expected); + } + + @Test + @DisplayName("sha512 should return 64 bytes") + void sha512ShouldReturn64Bytes() { + byte[] data = "test data".getBytes(StandardCharsets.UTF_8); + + byte[] result = CryptoCache.sha512(data); + + assertThat(result).hasSize(64); + } + + @Test + @DisplayName("sha512 should handle empty input") + void sha512ShouldHandleEmptyInput() throws Exception { + byte[] data = new byte[0]; + + byte[] result = CryptoCache.sha512(data); + + MessageDigest md = MessageDigest.getInstance("SHA-512"); + byte[] expected = md.digest(data); + assertThat(result).isEqualTo(expected); + } + + @Test + @DisplayName("sha512 should produce consistent results") + void sha512ShouldProduceConsistentResults() { + byte[] data = "consistent test".getBytes(StandardCharsets.UTF_8); + + byte[] result1 = CryptoCache.sha512(data); + byte[] result2 = CryptoCache.sha512(data); + + assertThat(result1).isEqualTo(result2); + } + + @Test + @DisplayName("sha512 should be thread-safe") + void sha512ShouldBeThreadSafe() throws Exception { + int threadCount = 10; + ExecutorService executor = Executors.newFixedThreadPool(threadCount); + CountDownLatch startLatch = new CountDownLatch(1); + CountDownLatch doneLatch = new CountDownLatch(threadCount); + AtomicReference firstResult = new AtomicReference<>(); + AtomicReference error = new AtomicReference<>(); + + byte[] data = "concurrent test".getBytes(StandardCharsets.UTF_8); + + try { + for (int i = 0; i < threadCount; i++) { + executor.execute(() -> { + try { + startLatch.await(); + byte[] result = CryptoCache.sha512(data); + firstResult.compareAndSet(null, result); + if (!java.util.Arrays.equals(result, firstResult.get())) { + error.set(new AssertionError("Hash mismatch in concurrent execution")); + } + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); + } finally { + doneLatch.countDown(); + } + }); + } + + startLatch.countDown(); + assertThat(doneLatch.await(10, TimeUnit.SECONDS)).isTrue(); + assertThat(error.get()).isNull(); + assertThat(firstResult.get()).isNotNull(); + } finally { + executor.shutdown(); + } + } + + @Test + @DisplayName("sha256 and sha512 should produce different hashes") + void sha256AndSha512ShouldProduceDifferentHashes() { + byte[] data = "same input".getBytes(StandardCharsets.UTF_8); + + byte[] sha256Result = CryptoCache.sha256(data); + byte[] sha512Result = CryptoCache.sha512(data); + + assertThat(sha256Result).isNotEqualTo(sha512Result); + assertThat(sha256Result).hasSize(32); + assertThat(sha512Result).hasSize(64); + } + + @Test + @DisplayName("verifyEs256 should verify valid signature") + void verifyEs256ShouldVerifyValidSignature() throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(new ECGenParameterSpec("secp256r1")); + KeyPair keyPair = keyGen.generateKeyPair(); + + byte[] data = "test data to sign".getBytes(StandardCharsets.UTF_8); + + // Sign with standard Signature API + Signature signer = Signature.getInstance("SHA256withECDSA"); + signer.initSign(keyPair.getPrivate()); + signer.update(data); + byte[] signature = signer.sign(); + + // Verify with CryptoCache + boolean result = CryptoCache.verifyEs256(data, signature, keyPair.getPublic()); + + assertThat(result).isTrue(); + } + + @Test + @DisplayName("verifyEs256 should reject invalid signature") + void verifyEs256ShouldRejectInvalidSignature() throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(new ECGenParameterSpec("secp256r1")); + KeyPair keyPair = keyGen.generateKeyPair(); + + byte[] data = "test data to sign".getBytes(StandardCharsets.UTF_8); + + // Sign with standard Signature API + Signature signer = Signature.getInstance("SHA256withECDSA"); + signer.initSign(keyPair.getPrivate()); + signer.update(data); + byte[] signature = signer.sign(); + + // Verify with different data + byte[] differentData = "different data".getBytes(StandardCharsets.UTF_8); + boolean result = CryptoCache.verifyEs256(differentData, signature, keyPair.getPublic()); + + assertThat(result).isFalse(); + } + + @Test + @DisplayName("verifyEs256 should be thread-safe") + void verifyEs256ShouldBeThreadSafe() throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(new ECGenParameterSpec("secp256r1")); + KeyPair keyPair = keyGen.generateKeyPair(); + + byte[] data = "concurrent test data".getBytes(StandardCharsets.UTF_8); + + Signature signer = Signature.getInstance("SHA256withECDSA"); + signer.initSign(keyPair.getPrivate()); + signer.update(data); + byte[] signature = signer.sign(); + + int threadCount = 10; + ExecutorService executor = Executors.newFixedThreadPool(threadCount); + CountDownLatch startLatch = new CountDownLatch(1); + CountDownLatch doneLatch = new CountDownLatch(threadCount); + AtomicBoolean allValid = new AtomicBoolean(true); + AtomicReference error = new AtomicReference<>(); + + try { + for (int i = 0; i < threadCount; i++) { + executor.execute(() -> { + try { + startLatch.await(); + boolean result = CryptoCache.verifyEs256(data, signature, keyPair.getPublic()); + if (!result) { + allValid.set(false); + } + } catch (Exception e) { + error.set(e); + } finally { + doneLatch.countDown(); + } + }); + } + + startLatch.countDown(); + assertThat(doneLatch.await(10, TimeUnit.SECONDS)).isTrue(); + assertThat(error.get()).isNull(); + assertThat(allValid.get()).isTrue(); + } finally { + executor.shutdown(); + } + } +} diff --git a/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java b/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java index aa36fc3..df5b768 100644 --- a/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java +++ b/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java @@ -13,8 +13,6 @@ import java.io.IOException; import java.io.StringReader; import java.io.StringWriter; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import java.security.Security; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; @@ -209,14 +207,13 @@ public static String computeSha256Fingerprint(X509Certificate certificate) { throw new IllegalArgumentException("Certificate cannot be null"); } try { - MessageDigest md = MessageDigest.getInstance("SHA-256"); - byte[] digest = md.digest(certificate.getEncoded()); + byte[] digest = CryptoCache.sha256(certificate.getEncoded()); StringBuilder hex = new StringBuilder("SHA256:"); for (byte b : digest) { hex.append(String.format("%02x", b)); } return hex.toString(); - } catch (NoSuchAlgorithmException | CertificateEncodingException e) { + } catch (CertificateEncodingException e) { throw new RuntimeException("Failed to compute certificate fingerprint", e); } } @@ -241,7 +238,7 @@ public static boolean fingerprintMatches(String actual, String expected) { return normalizedActual.equals(normalizedExpected); } - private static String normalizeFingerprint(String fingerprint) { + public static String normalizeFingerprint(String fingerprint) { String normalized = fingerprint.toLowerCase().trim(); // Remove common prefixes if (normalized.startsWith("sha256:")) { diff --git a/build.gradle.kts b/build.gradle.kts index bc5c199..3b90b25 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -69,11 +69,14 @@ subprojects { } } - tasks.withType { - violationRules { - rule { - limit { - minimum = "0.90".toBigDecimal() + // Only enforce 90% coverage on publishable modules (not examples) + if (publishableModules.contains(project.name)) { + tasks.withType { + violationRules { + rule { + limit { + minimum = "0.90".toBigDecimal() + } } } } diff --git a/gradle.properties b/gradle.properties index 65ad1b9..0de87d3 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,8 +1,10 @@ # Project versions jacksonVersion=2.16.1 slf4jVersion=2.0.9 -bouncyCastleVersion=1.77 +bouncyCastleVersion=1.79 reactorVersion=3.6.0 +mcpSdkVersion=1.1.0 +caffeineVersion=3.1.8 # Test versions junitVersion=5.10.1 From b08ff23a68d17fb7ce37d1ae325d7294458faeb7 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 12:50:39 +1100 Subject: [PATCH 02/19] feat: implement SCITT verification core in transparency module Add comprehensive SCITT (Supply Chain Integrity, Transparency, and Trust) verification infrastructure: - CoseSign1Parser: Parse COSE_Sign1 structures from receipts and tokens - ScittReceipt: Merkle inclusion proof verification - StatusToken: Time-bounded agent status assertions with fingerprint validation - ScittVerifier/DefaultScittVerifier: Full verification pipeline - MerkleProofVerifier: Consistency proof validation - ScittArtifactManager: Caching and refresh management - ScittHeaderProvider: HTTP header extraction (X-SCITT-Receipt, X-ANS-Status-Token) - TrustedDomainRegistry: Domain-based trust configuration Includes CBOR/COSE dependencies and comprehensive test coverage. Co-Authored-By: Claude Opus 4.5 --- ans-sdk-transparency/build.gradle.kts | 11 + .../scitt/CoseProtectedHeader.java | 84 ++ .../transparency/scitt/CoseSign1Parser.java | 286 +++++ .../ans/sdk/transparency/scitt/CwtClaims.java | 107 ++ .../scitt/DefaultScittHeaderProvider.java | 199 +++ .../scitt/DefaultScittVerifier.java | 429 +++++++ .../scitt/MerkleProofVerifier.java | 287 +++++ .../scitt/MetadataHashVerifier.java | 144 +++ .../transparency/scitt/RefreshDecision.java | 68 ++ .../scitt/ScittArtifactManager.java | 457 +++++++ .../transparency/scitt/ScittExpectation.java | 305 +++++ .../scitt/ScittFetchException.java | 70 ++ .../scitt/ScittHeaderProvider.java | 77 ++ .../sdk/transparency/scitt/ScittHeaders.java | 30 + .../scitt/ScittParseException.java | 26 + .../scitt/ScittPreVerifyResult.java | 57 + .../sdk/transparency/scitt/ScittReceipt.java | 256 ++++ .../sdk/transparency/scitt/ScittVerifier.java | 100 ++ .../sdk/transparency/scitt/StatusToken.java | 411 +++++++ .../scitt/TrustedDomainRegistry.java | 95 ++ .../sdk/transparency/scitt/package-info.java | 38 + .../scitt/CoseSign1ParserTest.java | 386 ++++++ .../scitt/DefaultScittHeaderProviderTest.java | 398 ++++++ .../scitt/DefaultScittVerifierTest.java | 1080 +++++++++++++++++ .../scitt/MerkleProofVerifierTest.java | 453 +++++++ .../scitt/MetadataHashVerifierTest.java | 192 +++ .../scitt/RefreshDecisionTest.java | 62 + .../scitt/ScittArtifactManagerTest.java | 729 +++++++++++ .../scitt/ScittExpectationTest.java | 198 +++ .../scitt/ScittFetchExceptionTest.java | 110 ++ .../scitt/ScittPreVerifyResultTest.java | 117 ++ .../transparency/scitt/ScittReceiptTest.java | 721 +++++++++++ .../transparency/scitt/StatusTokenTest.java | 509 ++++++++ .../scitt/TrustedDomainRegistryTest.java | 163 +++ 34 files changed, 8655 insertions(+) create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifier.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecision.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchException.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaders.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittParseException.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResult.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittVerifier.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistry.java create mode 100644 ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/package-info.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1ParserTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifierTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifierTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecisionTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchExceptionTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistryTest.java diff --git a/ans-sdk-transparency/build.gradle.kts b/ans-sdk-transparency/build.gradle.kts index eb0ddb0..f6a40a3 100644 --- a/ans-sdk-transparency/build.gradle.kts +++ b/ans-sdk-transparency/build.gradle.kts @@ -4,6 +4,8 @@ val junitVersion: String by project val mockitoVersion: String by project val assertjVersion: String by project val wiremockVersion: String by project +val bouncyCastleVersion: String by project +val caffeineVersion: String by project dependencies { // Core module for exceptions and HTTP utilities @@ -12,6 +14,9 @@ dependencies { // Crypto module for certificate utilities (fingerprint, SAN extraction) api(project(":ans-sdk-crypto")) + // BouncyCastle for hex encoding utilities + implementation("org.bouncycastle:bcprov-jdk18on:$bouncyCastleVersion") + // Jackson for JSON serialization implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion") implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$jacksonVersion") @@ -22,6 +27,12 @@ dependencies { // dnsjava for _ra-badge TXT record lookups (JNDI doesn't support all TXT features) implementation("dnsjava:dnsjava:3.6.4") + // CBOR parsing for SCITT COSE_Sign1 structures + implementation("com.upokecenter:cbor:4.5.4") + + // Caffeine for high-performance caching with TTL and automatic eviction + implementation("com.github.ben-manes.caffeine:caffeine:$caffeineVersion") + // Testing testImplementation("org.junit.jupiter:junit-jupiter:$junitVersion") testImplementation("org.mockito:mockito-core:$mockitoVersion") diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java new file mode 100644 index 0000000..0e509d3 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java @@ -0,0 +1,84 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.util.Arrays; + +/** + * Parsed COSE protected header for SCITT receipts and status tokens. + * + * @param algorithm the signing algorithm (must be -7 for ES256) + * @param keyId the key identifier (4-byte truncated SHA-256 of SPKI-DER per C2SP) + * @param vds the Verifiable Data Structure type (1 = RFC9162_SHA256 for Merkle trees) + * @param cwtClaims CWT claims embedded in the protected header (optional) + * @param contentType the content type (optional) + */ +public record CoseProtectedHeader( + int algorithm, + byte[] keyId, + Integer vds, + CwtClaims cwtClaims, + String contentType +) { + + /** + * VDS type for RFC 9162 SHA-256 Merkle trees. + */ + public static final int VDS_RFC9162_SHA256 = 1; + + /** + * Returns true if this header uses the RFC 9162 Merkle tree VDS. + * + * @return true if VDS is RFC9162_SHA256 + */ + public boolean isRfc9162MerkleTree() { + return vds != null && vds == VDS_RFC9162_SHA256; + } + + /** + * Returns the key ID as a hex string for logging/display. + * + * @return the key ID in hex, or null if not present + */ + public String keyIdHex() { + if (keyId == null) { + return null; + } + StringBuilder sb = new StringBuilder(); + for (byte b : keyId) { + sb.append(String.format("%02x", b & 0xFF)); + } + return sb.toString(); + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CoseProtectedHeader that = (CoseProtectedHeader) o; + return algorithm == that.algorithm + && Arrays.equals(keyId, that.keyId) + && java.util.Objects.equals(vds, that.vds) + && java.util.Objects.equals(cwtClaims, that.cwtClaims) + && java.util.Objects.equals(contentType, that.contentType); + } + + @Override + public int hashCode() { + int result = java.util.Objects.hash(algorithm, vds, cwtClaims, contentType); + result = 31 * result + Arrays.hashCode(keyId); + return result; + } + + @Override + public String toString() { + return "CoseProtectedHeader{" + + "algorithm=" + algorithm + + ", keyId=" + keyIdHex() + + ", vds=" + vds + + ", contentType='" + contentType + '\'' + + '}'; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java new file mode 100644 index 0000000..f090769 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java @@ -0,0 +1,286 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.upokecenter.cbor.CBORObject; +import com.upokecenter.cbor.CBORType; + +import java.util.Objects; + +/** + * Parser for COSE_Sign1 structures (CBOR tag 18) as defined in RFC 9052. + * + *

COSE_Sign1 is a CBOR structure containing:

+ *
    + *
  • Protected header (CBOR byte string containing encoded CBOR map)
    • + *
  • Unprotected header (CBOR map, typically empty)
    • + *
  • Payload (CBOR byte string or null for detached)
    • + *
  • Signature (CBOR byte string)
    • + *
+ * + *

Security: This parser enforces ES256 (algorithm -7) as the only + * accepted signing algorithm to prevent algorithm substitution attacks.

+ */ +public final class CoseSign1Parser { + + /** + * CBOR tag for COSE_Sign1 structures. + */ + public static final int COSE_SIGN1_TAG = 18; + + /** + * ES256 algorithm identifier (ECDSA with SHA-256 on P-256 curve). + */ + public static final int ES256_ALGORITHM = -7; + + /** + * Expected signature length for ES256 in IEEE P1363 format (r || s, each 32 bytes). + */ + public static final int ES256_SIGNATURE_LENGTH = 64; + + /** + * MAX_COSE_SIZE - 1MB. + */ + private static final int MAX_COSE_SIZE = 1024 * 1024; + + private CoseSign1Parser() { + // Utility class + } + + /** + * Parses a COSE_Sign1 structure from raw CBOR bytes. + * + * @param coseBytes the raw COSE_Sign1 bytes + * @return the parsed COSE_Sign1 structure + * @throws ScittParseException if parsing fails or security validation fails + */ + public static ParsedCoseSign1 parse(byte[] coseBytes) throws ScittParseException { + Objects.requireNonNull(coseBytes, "coseBytes cannot be null"); + if (coseBytes.length > MAX_COSE_SIZE) { + throw new ScittParseException("COSE payload exceeds maximum size"); + } + try { + CBORObject cborObject = CBORObject.DecodeFromBytes(coseBytes); + return parseFromCbor(cborObject); + } catch (ScittParseException e) { + throw e; + } catch (Exception e) { + throw new ScittParseException("Failed to decode CBOR: " + e.getMessage(), e); + } + } + + /** + * Parses a COSE_Sign1 structure from a decoded CBOR object. + * + * @param cborObject the decoded CBOR object + * @return the parsed COSE_Sign1 structure + * @throws ScittParseException if parsing fails or security validation fails + */ + public static ParsedCoseSign1 parseFromCbor(CBORObject cborObject) throws ScittParseException { + Objects.requireNonNull(cborObject, "cborObject cannot be null"); + + // Verify COSE_Sign1 tag + if (!cborObject.HasMostOuterTag(COSE_SIGN1_TAG)) { + throw new ScittParseException("Expected COSE_Sign1 tag (18), got: " + + (cborObject.getMostOuterTag() != null ? cborObject.getMostOuterTag() : "no tag")); + } + + CBORObject untagged = cborObject.UntagOne(); + + // COSE_Sign1 is an array of 4 elements + if (untagged.getType() != CBORType.Array || untagged.size() != 4) { + throw new ScittParseException("COSE_Sign1 must be an array of 4 elements, got: " + + untagged.getType() + " with " + (untagged.getType() == CBORType.Array ? untagged.size() : 0) + + " elements"); + } + + // Extract components + byte[] protectedHeaderBytes = extractByteString(untagged, 0, "protected header"); + CBORObject unprotectedHeader = untagged.get(1); // Keep as CBORObject, avoid encode/decode round-trip + byte[] payload = extractOptionalByteString(untagged, 2, "payload"); + byte[] signature = extractByteString(untagged, 3, "signature"); + + // Parse protected header + CoseProtectedHeader protectedHeader = parseProtectedHeader(protectedHeaderBytes); + + // Validate signature length for ES256 + if (signature.length != ES256_SIGNATURE_LENGTH) { + throw new ScittParseException( + "Invalid ES256 signature length: expected " + ES256_SIGNATURE_LENGTH + + " bytes (IEEE P1363 format), got " + signature.length); + } + + return new ParsedCoseSign1( + protectedHeaderBytes, + protectedHeader, + unprotectedHeader, + payload, + signature + ); + } + + /** + * Parses the protected header CBOR map. + * + * @param protectedHeaderBytes the encoded protected header + * @return the parsed protected header + * @throws ScittParseException if parsing fails or algorithm is not ES256 + */ + private static CoseProtectedHeader parseProtectedHeader(byte[] protectedHeaderBytes) throws ScittParseException { + if (protectedHeaderBytes == null || protectedHeaderBytes.length == 0) { + throw new ScittParseException("Protected header cannot be empty"); + } + + CBORObject headerMap; + try { + headerMap = CBORObject.DecodeFromBytes(protectedHeaderBytes); + } catch (Exception e) { + throw new ScittParseException("Failed to decode protected header: " + e.getMessage(), e); + } + + if (headerMap.getType() != CBORType.Map) { + throw new ScittParseException("Protected header must be a CBOR map"); + } + + // Extract algorithm (label 1) - REQUIRED + CBORObject algObject = headerMap.get(CBORObject.FromObject(1)); + if (algObject == null) { + throw new ScittParseException("Protected header missing algorithm (label 1)"); + } + + int algorithm = algObject.AsInt32(); + + // SECURITY: Reject non-ES256 algorithms to prevent algorithm substitution attacks + if (algorithm != ES256_ALGORITHM) { + throw new ScittParseException( + "Algorithm substitution attack prevented: only ES256 (alg=-7) is accepted, got alg=" + algorithm); + } + + // Extract key ID (label 4) - Optional but expected for SCITT + byte[] keyId = null; + CBORObject kidObject = headerMap.get(CBORObject.FromObject(4)); + if (kidObject != null && kidObject.getType() == CBORType.ByteString) { + keyId = kidObject.GetByteString(); + } + + // Extract VDS (Verifiable Data Structure) - label 395 per draft-ietf-cose-merkle-tree-proofs + Integer vds = null; + CBORObject vdsObject = headerMap.get(CBORObject.FromObject(395)); + if (vdsObject != null) { + vds = vdsObject.AsInt32(); + } + + // Extract CWT claims if present (label 13 for cwt_claims) + CwtClaims cwtClaims = null; + CBORObject cwtObject = headerMap.get(CBORObject.FromObject(13)); + if (cwtObject != null && cwtObject.getType() == CBORType.Map) { + cwtClaims = parseCwtClaims(cwtObject); + } + + // Extract content type (label 3) if present + String contentType = null; + CBORObject ctObject = headerMap.get(CBORObject.FromObject(3)); + if (ctObject != null) { + if (ctObject.getType() == CBORType.TextString) { + contentType = ctObject.AsString(); + } else if (ctObject.getType() == CBORType.Integer) { + contentType = String.valueOf(ctObject.AsInt32()); + } + } + + return new CoseProtectedHeader(algorithm, keyId, vds, cwtClaims, contentType); + } + + /** + * Parses CWT (CBOR Web Token) claims from a CBOR map. + */ + private static CwtClaims parseCwtClaims(CBORObject cwtMap) { + // CWT claim labels per RFC 8392 + Long iat = extractOptionalLong(cwtMap, 6); // iat (issued at) + Long exp = extractOptionalLong(cwtMap, 4); // exp (expiration) + Long nbf = extractOptionalLong(cwtMap, 5); // nbf (not before) + String iss = extractOptionalString(cwtMap, 1); // iss (issuer) + String sub = extractOptionalString(cwtMap, 2); // sub (subject) + String aud = extractOptionalString(cwtMap, 3); // aud (audience) + + return new CwtClaims(iss, sub, aud, exp, nbf, iat); + } + + private static byte[] extractByteString(CBORObject array, int index, String name) throws ScittParseException { + CBORObject element = array.get(index); + if (element == null || element.getType() != CBORType.ByteString) { + throw new ScittParseException(name + " must be a byte string"); + } + return element.GetByteString(); + } + + private static byte[] extractOptionalByteString(CBORObject array, int index, String name) + throws ScittParseException { + CBORObject element = array.get(index); + if (element == null || element.isNull()) { + return null; // Detached payload + } + if (element.getType() != CBORType.ByteString) { + throw new ScittParseException(name + " must be a byte string or null"); + } + return element.GetByteString(); + } + + private static Long extractOptionalLong(CBORObject map, int label) { + CBORObject value = map.get(CBORObject.FromObject(label)); + if (value != null && value.isNumber()) { + return value.AsInt64(); + } + return null; + } + + private static String extractOptionalString(CBORObject map, int label) { + CBORObject value = map.get(CBORObject.FromObject(label)); + if (value != null && value.getType() == CBORType.TextString) { + return value.AsString(); + } + return null; + } + + /** + * Constructs the Sig_structure for COSE_Sign1 signature verification. + * + *

Per RFC 9052, the Sig_structure is:

+ * 
+     * Sig_structure = [
+     *   context : "Signature1",
+     *   body_protected : empty_or_serialized_map,
+     *   external_aad : bstr,
+     *   payload : bstr
+     * ]
+     *
+ * + * @param protectedHeaderBytes the serialized protected header + * @param externalAad external additional authenticated data (typically empty) + * @param payload the payload bytes + * @return the encoded Sig_structure + */ + public static byte[] buildSigStructure(byte[] protectedHeaderBytes, byte[] externalAad, byte[] payload) { + CBORObject sigStructure = CBORObject.NewArray(); + sigStructure.Add("Signature1"); + sigStructure.Add(protectedHeaderBytes != null ? protectedHeaderBytes : new byte[0]); + sigStructure.Add(externalAad != null ? externalAad : new byte[0]); + sigStructure.Add(payload != null ? payload : new byte[0]); + return sigStructure.EncodeToBytes(); + } + + /** + * Parsed COSE_Sign1 structure. + * + * @param protectedHeaderBytes raw bytes of the protected header (needed for signature verification) + * @param protectedHeader parsed protected header + * @param unprotectedHeader the unprotected header as a CBORObject (avoids encode/decode round-trip) + * @param payload the payload bytes (null if detached) + * @param signature the signature bytes (64 bytes for ES256 in IEEE P1363 format) + */ + public record ParsedCoseSign1( + byte[] protectedHeaderBytes, + CoseProtectedHeader protectedHeader, + CBORObject unprotectedHeader, + byte[] payload, + byte[] signature + ) {} +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java new file mode 100644 index 0000000..7b029ee --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java @@ -0,0 +1,107 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.time.Instant; + +/** + * CWT (CBOR Web Token) claims as defined in RFC 8392. + * + *

These claims are embedded in SCITT status tokens to provide + * time-bounded assertions about agent status.

+ * + * @param iss issuer - identifies the principal that issued the token + * @param sub subject - identifies the principal that is the subject + * @param aud audience - identifies the recipients the token is intended for + * @param exp expiration time - time after which the token must not be accepted (seconds since epoch) + * @param nbf not before - time before which the token must not be accepted (seconds since epoch) + * @param iat issued at - time at which the token was issued (seconds since epoch) + */ +public record CwtClaims( + String iss, + String sub, + String aud, + Long exp, + Long nbf, + Long iat +) { + + /** + * Returns the expiration time as an Instant. + * + * @return the expiration time, or null if not set + */ + public Instant expirationTime() { + return exp != null ? Instant.ofEpochSecond(exp) : null; + } + + /** + * Returns the not-before time as an Instant. + * + * @return the not-before time, or null if not set + */ + public Instant notBeforeTime() { + return nbf != null ? Instant.ofEpochSecond(nbf) : null; + } + + /** + * Returns the issued-at time as an Instant. + * + * @return the issued-at time, or null if not set + */ + public Instant issuedAtTime() { + return iat != null ? Instant.ofEpochSecond(iat) : null; + } + + /** + * Checks if the token is expired at the given time. + * + * @param now the current time + * @return true if the token is expired + */ + public boolean isExpired(Instant now) { + if (exp == null) { + return false; // No expiration set + } + return now.isAfter(expirationTime()); + } + + /** + * Checks if the token is expired at the given time with clock skew tolerance. + * + * @param now the current time + * @param clockSkewSeconds allowed clock skew in seconds + * @return true if the token is expired (accounting for clock skew) + */ + public boolean isExpired(Instant now, long clockSkewSeconds) { + if (exp == null) { + return false; + } + return now.minusSeconds(clockSkewSeconds).isAfter(expirationTime()); + } + + /** + * Checks if the token is not yet valid at the given time. + * + * @param now the current time + * @return true if the token is not yet valid + */ + public boolean isNotYetValid(Instant now) { + if (nbf == null) { + return false; // No not-before set + } + return now.isBefore(notBeforeTime()); + } + + /** + * Checks if the token is not yet valid at the given time with clock skew tolerance. + * + * @param now the current time + * @param clockSkewSeconds allowed clock skew in seconds + * @return true if the token is not yet valid (accounting for clock skew) + */ + public boolean isNotYetValid(Instant now, long clockSkewSeconds) { + if (nbf == null) { + return false; + } + return now.plusSeconds(clockSkewSeconds).isBefore(notBeforeTime()); + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java new file mode 100644 index 0000000..4eab815 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java @@ -0,0 +1,199 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.ArrayList; +import java.util.Base64; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Optional; + +/** + * Default implementation of {@link ScittHeaderProvider}. + * + *

Handles Base64 encoding/decoding of SCITT artifacts for HTTP header transport.

+ */ +public class DefaultScittHeaderProvider implements ScittHeaderProvider { + + private static final Logger LOGGER = LoggerFactory.getLogger(DefaultScittHeaderProvider.class); + + private final byte[] ownReceiptBytes; + private final byte[] ownTokenBytes; + // Pre-computed headers to avoid Base64 encoding on every getOutgoingHeaders() call + private final Map cachedOutgoingHeaders; + + /** + * Creates a provider without own artifacts (client-only mode). + * + *

Use this when only extracting SCITT artifacts from responses, + * not including them in requests.

+ */ + public DefaultScittHeaderProvider() { + this(null, null); + } + + /** + * Creates a provider with own SCITT artifacts. + * + * @param ownReceiptBytes the caller's receipt bytes (may be null) + * @param ownTokenBytes the caller's status token bytes (may be null) + */ + public DefaultScittHeaderProvider(byte[] ownReceiptBytes, byte[] ownTokenBytes) { + this.ownReceiptBytes = ownReceiptBytes != null ? ownReceiptBytes.clone() : null; + this.ownTokenBytes = ownTokenBytes != null ? ownTokenBytes.clone() : null; + this.cachedOutgoingHeaders = buildOutgoingHeaders(); + } + + /** + * Builds and caches the outgoing headers at construction time. + * Base64 encoding happens once, not on every getOutgoingHeaders() call. + */ + private Map buildOutgoingHeaders() { + if (ownReceiptBytes == null && ownTokenBytes == null) { + return Collections.emptyMap(); + } + + Map headers = new HashMap<>(); + + if (ownReceiptBytes != null) { + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, + Base64.getEncoder().encodeToString(ownReceiptBytes)); + } + + if (ownTokenBytes != null) { + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, + Base64.getEncoder().encodeToString(ownTokenBytes)); + } + + return Collections.unmodifiableMap(headers); + } + + @Override + public Map getOutgoingHeaders() { + return cachedOutgoingHeaders; + } + + @Override + public Optional extractArtifacts(Map headers) { + Objects.requireNonNull(headers, "headers cannot be null"); + + String receiptHeader = getHeaderCaseInsensitive(headers, ScittHeaders.SCITT_RECEIPT_HEADER); + String tokenHeader = getHeaderCaseInsensitive(headers, ScittHeaders.STATUS_TOKEN_HEADER); + + if (receiptHeader == null && tokenHeader == null) { + LOGGER.debug("No SCITT headers present in response"); + return Optional.empty(); + } + + byte[] receiptBytes = null; + byte[] tokenBytes = null; + ScittReceipt receipt = null; + StatusToken statusToken = null; + List parseErrors = new ArrayList<>(); + + // Parse receipt + if (receiptHeader != null) { + try { + receiptBytes = Base64.getDecoder().decode(receiptHeader); + receipt = ScittReceipt.parse(receiptBytes); + LOGGER.debug("Parsed SCITT receipt ({} bytes)", receiptBytes.length); + } catch (IllegalArgumentException e) { + String error = "Invalid Base64 in receipt header: " + e.getMessage(); + LOGGER.warn(error); + parseErrors.add(error); + } catch (ScittParseException e) { + String error = "Failed to parse receipt: " + e.getMessage(); + LOGGER.warn(error); + parseErrors.add(error); + } + } + + // Parse status token + if (tokenHeader != null) { + try { + tokenBytes = Base64.getDecoder().decode(tokenHeader); + statusToken = StatusToken.parse(tokenBytes); + LOGGER.debug("Parsed status token for agent {} ({} bytes)", + statusToken.agentId(), tokenBytes.length); + } catch (IllegalArgumentException e) { + String error = "Invalid Base64 in status token header: " + e.getMessage(); + LOGGER.warn(error); + parseErrors.add(error); + } catch (ScittParseException e) { + String error = "Failed to parse status token: " + e.getMessage(); + LOGGER.warn(error); + parseErrors.add(error); + } + } + + if (receipt == null && statusToken == null) { + // Headers were present but BOTH failed to parse + String errorDetail = String.join("; ", parseErrors); + LOGGER.error("SCITT headers present but all artifacts failed to parse: {}", errorDetail); + throw new IllegalStateException( + "SCITT headers present but failed to parse: " + errorDetail); + } + + return Optional.of(new ScittArtifacts(receipt, statusToken, receiptBytes, tokenBytes)); + } + + /** + * Gets a header value with case-insensitive key lookup. + * Headers are expected to have lowercase keys (normalized by caller). + */ + private String getHeaderCaseInsensitive(Map headers, String key) { + return headers.get(key.toLowerCase()); + } + + /** + * Builder for creating DefaultScittHeaderProvider instances. + */ + public static class Builder { + private byte[] receiptBytes; + private byte[] tokenBytes; + + /** + * Sets the caller's SCITT receipt bytes. + * + * @param receiptBytes the receipt bytes + * @return this builder + */ + public Builder receipt(byte[] receiptBytes) { + this.receiptBytes = receiptBytes; + return this; + } + + /** + * Sets the caller's status token bytes. + * + * @param tokenBytes the token bytes + * @return this builder + */ + public Builder statusToken(byte[] tokenBytes) { + this.tokenBytes = tokenBytes; + return this; + } + + /** + * Builds the header provider. + * + * @return the configured provider + */ + public DefaultScittHeaderProvider build() { + return new DefaultScittHeaderProvider(receiptBytes, tokenBytes); + } + } + + /** + * Creates a new builder. + * + * @return a new builder instance + */ + public static Builder builder() { + return new Builder(); + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java new file mode 100644 index 0000000..867beac --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java @@ -0,0 +1,429 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.godaddy.ans.sdk.crypto.CryptoCache; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.MessageDigest; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.time.Instant; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** + * Default implementation of {@link ScittVerifier}. + * + *

This implementation performs:

+ *
    + *
  • COSE_Sign1 signature verification using ES256
    • + *
  • RFC 9162 Merkle inclusion proof verification
    • + *
  • Status token expiry checking with clock skew tolerance
    • + *
  • Constant-time fingerprint comparison
    • + *
+ */ +public class DefaultScittVerifier implements ScittVerifier { + + private static final Logger LOGGER = LoggerFactory.getLogger(DefaultScittVerifier.class); + + private final Duration clockSkewTolerance; + + /** + * Creates a new verifier with default clock skew tolerance (60 seconds). + */ + public DefaultScittVerifier() { + this(StatusToken.DEFAULT_CLOCK_SKEW); + } + + /** + * Creates a new verifier with the specified clock skew tolerance. + * + * @param clockSkewTolerance the clock skew tolerance for token expiry checks + */ + public DefaultScittVerifier(Duration clockSkewTolerance) { + this.clockSkewTolerance = Objects.requireNonNull(clockSkewTolerance, "clockSkewTolerance cannot be null"); + } + + @Override + public ScittExpectation verify( + ScittReceipt receipt, + StatusToken token, + Map rootKeys) { + + Objects.requireNonNull(receipt, "receipt cannot be null"); + Objects.requireNonNull(token, "token cannot be null"); + Objects.requireNonNull(rootKeys, "rootKeys cannot be null"); + + if (rootKeys.isEmpty()) { + return ScittExpectation.invalidReceipt("No root keys available for verification"); + } + + LOGGER.debug("Verifying SCITT artifacts for agent {} (have {} root keys)", + token.agentId(), rootKeys.size()); + + try { + // 1. Look up receipt key by key ID (O(1) map lookup) + String receiptKeyId = receipt.protectedHeader().keyIdHex(); + PublicKey receiptKey = rootKeys.get(receiptKeyId); + if (receiptKey == null) { + LOGGER.warn("Receipt key ID {} not in trust store (have {} keys)", + receiptKeyId, rootKeys.size()); + return ScittExpectation.invalidReceipt( + "Key ID " + receiptKeyId + " not in trust store (have " + rootKeys.size() + " keys)"); + } + LOGGER.debug("Found receipt key with ID {}", receiptKeyId); + + // 2. Verify receipt signature + if (!verifyReceiptSignature(receipt, receiptKey)) { + LOGGER.warn("Receipt signature verification failed for agent {}", token.agentId()); + return ScittExpectation.invalidReceipt("Receipt signature verification failed"); + } + LOGGER.debug("Receipt signature verified for agent {}", token.agentId()); + + // 3. Verify Merkle inclusion proof + if (!verifyMerkleProof(receipt)) { + LOGGER.warn("Merkle proof verification failed for agent {}", token.agentId()); + return ScittExpectation.invalidReceipt("Merkle proof verification failed"); + } + LOGGER.debug("Merkle proof verified for agent {}", token.agentId()); + + // 4. Look up token key by key ID (O(1) map lookup) + String tokenKeyId = token.protectedHeader().keyIdHex(); + PublicKey tokenKey = rootKeys.get(tokenKeyId); + if (tokenKey == null) { + LOGGER.warn("Token key ID {} not in trust store (have {} keys)", + tokenKeyId, rootKeys.size()); + return ScittExpectation.invalidToken( + "Key ID " + tokenKeyId + " not in trust store (have " + rootKeys.size() + " keys)"); + } + LOGGER.debug("Found token key with ID {}", tokenKeyId); + + // 5. Verify status token signature + if (!verifyTokenSignature(token, tokenKey)) { + LOGGER.warn("Status token signature verification failed for agent {}", token.agentId()); + return ScittExpectation.invalidToken("Status token signature verification failed"); + } + LOGGER.debug("Status token signature verified for agent {}", token.agentId()); + + // 6. Check status token expiry + Instant now = Instant.now(); + if (token.isExpired(now, clockSkewTolerance)) { + LOGGER.warn("Status token expired for agent {} (expired at {})", + token.agentId(), token.expiresAt()); + return ScittExpectation.expired(); + } + + // 7. Check agent status + if (token.status() == StatusToken.Status.REVOKED) { + LOGGER.warn("Agent {} is revoked", token.agentId()); + return ScittExpectation.revoked(token.ansName()); + } + + if (token.status() != StatusToken.Status.ACTIVE && + token.status() != StatusToken.Status.WARNING) { + LOGGER.warn("Agent {} has status {}", token.agentId(), token.status()); + return ScittExpectation.inactive(token.status(), token.ansName()); + } + + // 8. Extract expectations + LOGGER.debug("SCITT verification successful for agent {}", token.agentId()); + return ScittExpectation.verified( + token.serverCertFingerprints(), + token.identityCertFingerprints(), + token.agentHost(), + token.ansName(), + token.metadataHashes(), + token + ); + + } catch (Exception e) { + LOGGER.error("SCITT verification error for agent {}: {}", token.agentId(), e.getMessage()); + return ScittExpectation.parseError("Verification error: " + e.getMessage()); + } + } + + @Override + public ScittVerificationResult postVerify( + String hostname, + X509Certificate serverCert, + ScittExpectation expectation) { + + Objects.requireNonNull(hostname, "hostname cannot be null"); + Objects.requireNonNull(serverCert, "serverCert cannot be null"); + Objects.requireNonNull(expectation, "expectation cannot be null"); + + // If expectation indicates failure, return error + if (!expectation.isVerified()) { + return ScittVerificationResult.error( + "SCITT pre-verification failed: " + expectation.failureReason()); + } + + List expectedFingerprints = expectation.validServerCertFingerprints(); + if (expectedFingerprints.isEmpty()) { + return ScittVerificationResult.error("No server certificate fingerprints in expectation"); + } + + try { + // Compute actual fingerprint + String actualFingerprint = computeCertificateFingerprint(serverCert); + + LOGGER.debug("Comparing certificate fingerprint {} against {} expected fingerprints", + truncateFingerprint(actualFingerprint), expectedFingerprints.size()); + + // SECURITY: Use constant-time comparison for fingerprints + for (String expectedFingerprint : expectedFingerprints) { + if (fingerprintMatches(actualFingerprint, expectedFingerprint)) { + LOGGER.debug("Certificate fingerprint matches for {}", hostname); + return ScittVerificationResult.success(actualFingerprint); + } + } + + // No match found + LOGGER.warn("Certificate fingerprint mismatch for {}: got {}, expected one of {}", + hostname, truncateFingerprint(actualFingerprint), expectedFingerprints.size()); + return ScittVerificationResult.mismatch( + actualFingerprint, + "Certificate fingerprint does not match any expected fingerprint"); + + } catch (Exception e) { + LOGGER.error("Error computing certificate fingerprint: {}", e.getMessage()); + return ScittVerificationResult.error("Error computing fingerprint: " + e.getMessage()); + } + } + + /** + * Verifies the receipt's COSE_Sign1 signature using the TL public key. + * + *

Note: Key ID validation is performed before this method is called + * via the rootKeys map lookup.

+ */ + private boolean verifyReceiptSignature(ScittReceipt receipt, PublicKey tlPublicKey) { + try { + // Build Sig_structure for verification + byte[] sigStructure = CoseSign1Parser.buildSigStructure( + receipt.protectedHeaderBytes(), + null, // No external AAD + receipt.eventPayload() + ); + + // Verify ES256 signature + return verifyEs256Signature(sigStructure, receipt.signature(), tlPublicKey); + + } catch (Exception e) { + LOGGER.error("Receipt signature verification error: {}", e.getMessage()); + return false; + } + } + + /** + * Verifies the Merkle inclusion proof in the receipt. + */ + private boolean verifyMerkleProof(ScittReceipt receipt) { + try { + ScittReceipt.InclusionProof proof = receipt.inclusionProof(); + + if (proof == null) { + LOGGER.error("Receipt missing inclusion proof"); + return false; + } + + // If we have all the components, verify the proof + if (proof.treeSize() > 0 && proof.rootHash() != null && receipt.eventPayload() != null) { + return MerkleProofVerifier.verifyInclusion( + receipt.eventPayload(), + proof.leafIndex(), + proof.treeSize(), + proof.hashPath(), + proof.rootHash() + ); + } + + // Incomplete Merkle proof data - fail verification + // All components are required to prove the entry exists in the append-only log + LOGGER.error("Incomplete Merkle proof data (treeSize={}, hasRootHash={}, hasPayload={}), " + + "cannot verify log inclusion", + proof.treeSize(), + proof.rootHash() != null, + receipt.eventPayload() != null); + return false; + + } catch (Exception e) { + LOGGER.error("Merkle proof verification error: {}", e.getMessage()); + return false; + } + } + + /** + * Verifies the status token's COSE_Sign1 signature using the RA public key. + * + *

Note: Key ID validation is performed before this method is called + * via the rootKeys map lookup.

+ */ + private boolean verifyTokenSignature(StatusToken token, PublicKey raPublicKey) { + try { + // Build Sig_structure for verification + byte[] sigStructure = CoseSign1Parser.buildSigStructure( + token.protectedHeaderBytes(), + null, // No external AAD + token.payload() + ); + + // Verify ES256 signature + return verifyEs256Signature(sigStructure, token.signature(), raPublicKey); + + } catch (Exception e) { + LOGGER.error("Token signature verification error: {}", e.getMessage()); + return false; + } + } + + /** + * Verifies an ES256 (ECDSA with SHA-256 on P-256) signature. + * + * @param data the data that was signed + * @param signature the signature in IEEE P1363 format (64 bytes: r || s) + * @param publicKey the EC public key + * @return true if signature is valid + */ + private boolean verifyEs256Signature(byte[] data, byte[] signature, PublicKey publicKey) throws Exception { + // Convert IEEE P1363 format to DER format for Java's Signature API + byte[] derSignature = convertP1363ToDer(signature); + + return CryptoCache.verifyEs256(data, derSignature, publicKey); + } + + /** + * Converts an ECDSA signature from IEEE P1363 format (r || s) to DER format. + * + *

Java's Signature API expects DER-encoded signatures, but COSE uses + * the IEEE P1363 format (fixed-size concatenation of r and s).

+ */ + private byte[] convertP1363ToDer(byte[] p1363Signature) { + if (p1363Signature.length != 64) { + throw new IllegalArgumentException("Expected 64-byte P1363 signature, got " + p1363Signature.length); + } + + // Split into r and s (each 32 bytes for P-256) + byte[] r = new byte[32]; + byte[] s = new byte[32]; + System.arraycopy(p1363Signature, 0, r, 0, 32); + System.arraycopy(p1363Signature, 32, s, 0, 32); + + // Convert to DER format + return toDerSignature(r, s); + } + + /** + * Encodes r and s as a DER SEQUENCE of two INTEGERs. + */ + private byte[] toDerSignature(byte[] r, byte[] s) { + byte[] rDer = toDerInteger(r); + byte[] sDer = toDerInteger(s); + + // SEQUENCE { r INTEGER, s INTEGER } + int totalLen = rDer.length + sDer.length; + byte[] der; + + if (totalLen < 128) { + der = new byte[2 + totalLen]; + der[0] = 0x30; // SEQUENCE + der[1] = (byte) totalLen; + System.arraycopy(rDer, 0, der, 2, rDer.length); + System.arraycopy(sDer, 0, der, 2 + rDer.length, sDer.length); + } else { + der = new byte[3 + totalLen]; + der[0] = 0x30; // SEQUENCE + der[1] = (byte) 0x81; // Long form length + der[2] = (byte) totalLen; + System.arraycopy(rDer, 0, der, 3, rDer.length); + System.arraycopy(sDer, 0, der, 3 + rDer.length, sDer.length); + } + + return der; + } + + /** + * Encodes a big integer value as a DER INTEGER. + */ + private byte[] toDerInteger(byte[] value) { + // Skip leading zeros but ensure at least one byte + int start = 0; + while (start < value.length - 1 && value[start] == 0) { + start++; + } + + // Check if we need a leading zero (if high bit is set) + boolean needLeadingZero = (value[start] & 0x80) != 0; + + int length = value.length - start; + if (needLeadingZero) { + length++; + } + + byte[] der = new byte[2 + length]; + der[0] = 0x02; // INTEGER + der[1] = (byte) length; + + if (needLeadingZero) { + der[2] = 0x00; + System.arraycopy(value, start, der, 3, value.length - start); + } else { + System.arraycopy(value, start, der, 2, value.length - start); + } + + return der; + } + + /** + * Computes the SHA-256 fingerprint of an X.509 certificate. + */ + private String computeCertificateFingerprint(X509Certificate cert) throws Exception { + byte[] digest = CryptoCache.sha256(cert.getEncoded()); + return bytesToHex(digest); + } + + /** + * Compares two fingerprints using constant-time comparison. + * + *

Normalizes fingerprints to lowercase hex without colons before comparison.

+ */ + private boolean fingerprintMatches(String actual, String expected) { + if (actual == null || expected == null) { + return false; + } + + // Normalize: lowercase, remove colons and "SHA256:" prefix + String normalizedActual = normalizeFingerprint(actual); + String normalizedExpected = normalizeFingerprint(expected); + + if (normalizedActual.length() != normalizedExpected.length()) { + return false; + } + + // SECURITY: Constant-time comparison + byte[] actualBytes = normalizedActual.getBytes(); + byte[] expectedBytes = normalizedExpected.getBytes(); + return MessageDigest.isEqual(actualBytes, expectedBytes); + } + + private String normalizeFingerprint(String fingerprint) { + String normalized = fingerprint.toLowerCase() + .replace("sha256:", "") // Remove prefix first + .replace(":", ""); // Then remove colons + return normalized; + } + + private static String bytesToHex(byte[] bytes) { + return Hex.toHexString(bytes); + } + + private static String truncateFingerprint(String fingerprint) { + if (fingerprint == null || fingerprint.length() <= 16) { + return fingerprint; + } + return fingerprint.substring(0, 16) + "..."; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifier.java new file mode 100644 index 0000000..594f96e --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifier.java @@ -0,0 +1,287 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.godaddy.ans.sdk.crypto.CryptoCache; +import org.bouncycastle.util.encoders.Hex; + +import java.security.MessageDigest; +import java.util.List; +import java.util.Objects; + +/** + * Verifies RFC 9162 Merkle tree inclusion proofs. + * + *

This implementation follows RFC 9162 Section 2.1 for computing + * Merkle tree hashes and verifying inclusion proofs.

+ * + *

Security considerations:

+ *
    + *
  • Uses unsigned arithmetic for tree_size and leaf_index comparisons
    • + *
  • Validates hash path length against tree size
    • + *
  • Uses constant-time comparison for root hash verification
    • + *
+ */ +public final class MerkleProofVerifier { + + /** + * Domain separation byte for leaf nodes (RFC 9162). + */ + private static final byte LEAF_PREFIX = 0x00; + + /** + * Domain separation byte for interior nodes (RFC 9162). + */ + private static final byte NODE_PREFIX = 0x01; + + /** + * SHA-256 hash output size in bytes. + */ + private static final int HASH_SIZE = 32; + + private MerkleProofVerifier() { + // Utility class + } + + /** + * Verifies a Merkle inclusion proof. + * + * @param leafData the leaf data (will be hashed with leaf prefix) + * @param leafIndex the 0-based index of the leaf in the tree + * @param treeSize the total number of leaves in the tree + * @param hashPath the proof path (sibling hashes from leaf to root) + * @param expectedRootHash the expected root hash + * @return true if the proof is valid + * @throws ScittParseException if verification fails due to invalid parameters + */ + public static boolean verifyInclusion( + byte[] leafData, + long leafIndex, + long treeSize, + List hashPath, + byte[] expectedRootHash) throws ScittParseException { + + Objects.requireNonNull(leafData, "leafData cannot be null"); + Objects.requireNonNull(hashPath, "hashPath cannot be null"); + Objects.requireNonNull(expectedRootHash, "expectedRootHash cannot be null"); + + // Validate parameters using unsigned comparison + if (Long.compareUnsigned(leafIndex, treeSize) >= 0) { + throw new ScittParseException( + "Invalid leaf index: " + Long.toUnsignedString(leafIndex) + + " >= tree size " + Long.toUnsignedString(treeSize)); + } + + if (treeSize == 0) { + throw new ScittParseException("Tree size cannot be zero"); + } + + // Validate hash path length + int expectedPathLength = calculatePathLength(treeSize); + if (hashPath.size() > expectedPathLength) { + throw new ScittParseException( + "Hash path too long: " + hashPath.size() + + " > expected max " + expectedPathLength + " for tree size " + treeSize); + } + + // Validate all hashes in path are correct size + for (int i = 0; i < hashPath.size(); i++) { + if (hashPath.get(i) == null || hashPath.get(i).length != HASH_SIZE) { + throw new ScittParseException( + "Invalid hash at path index " + i + ": expected " + HASH_SIZE + " bytes"); + } + } + + if (expectedRootHash.length != HASH_SIZE) { + throw new ScittParseException( + "Invalid expected root hash length: " + expectedRootHash.length); + } + + // Compute leaf hash + byte[] computedHash = hashLeaf(leafData); + + // Walk up the tree using the inclusion proof + computedHash = computeRootFromPath(computedHash, leafIndex, treeSize, hashPath); + + // SECURITY: Use constant-time comparison + return MessageDigest.isEqual(computedHash, expectedRootHash); + } + + /** + * Verifies a Merkle inclusion proof where the leaf hash is already computed. + * + * @param leafHash the pre-computed leaf hash + * @param leafIndex the 0-based index of the leaf in the tree + * @param treeSize the total number of leaves in the tree + * @param hashPath the proof path (sibling hashes from leaf to root) + * @param expectedRootHash the expected root hash + * @return true if the proof is valid + * @throws ScittParseException if verification fails + */ + public static boolean verifyInclusionWithHash( + byte[] leafHash, + long leafIndex, + long treeSize, + List hashPath, + byte[] expectedRootHash) throws ScittParseException { + + Objects.requireNonNull(leafHash, "leafHash cannot be null"); + Objects.requireNonNull(hashPath, "hashPath cannot be null"); + Objects.requireNonNull(expectedRootHash, "expectedRootHash cannot be null"); + + if (leafHash.length != HASH_SIZE) { + throw new ScittParseException("Invalid leaf hash length: " + leafHash.length); + } + + if (Long.compareUnsigned(leafIndex, treeSize) >= 0) { + throw new ScittParseException( + "Invalid leaf index: " + Long.toUnsignedString(leafIndex) + + " >= tree size " + Long.toUnsignedString(treeSize)); + } + + if (treeSize == 0) { + throw new ScittParseException("Tree size cannot be zero"); + } + + if (expectedRootHash.length != HASH_SIZE) { + throw new ScittParseException( + "Invalid expected root hash length: " + expectedRootHash.length); + } + + // Walk up the tree + byte[] computedHash = computeRootFromPath(leafHash, leafIndex, treeSize, hashPath); + + // SECURITY: Use constant-time comparison + return MessageDigest.isEqual(computedHash, expectedRootHash); + } + + /** + * Computes the root hash from a leaf and inclusion proof path. + * + *

Implements the RFC 9162 algorithm for computing the root from + * an inclusion proof (Section 2.1.3.2):

+ * + * 
+     * fn = leaf_index
+     * sn = tree_size - 1
+     * r  = leaf_hash
+     * for each p[i] in path:
+     *     if LSB(fn) == 1 OR fn == sn:
+     *         r = SHA-256(0x01 || p[i] || r)
+     *         while fn is not zero and LSB(fn) == 0:
+     *             fn = fn >> 1
+     *             sn = sn >> 1
+     *     else:
+     *         r = SHA-256(0x01 || r || p[i])
+     *     fn = fn >> 1
+     *     sn = sn >> 1
+     * verify fn == 0
+     *
+ */ + private static byte[] computeRootFromPath( + byte[] leafHash, + long leafIndex, + long treeSize, + List hashPath) throws ScittParseException { + + byte[] r = leafHash.clone(); + long fn = leafIndex; + long sn = treeSize - 1; + + for (byte[] p : hashPath) { + if ((fn & 1) == 1 || fn == sn) { + // Left sibling: r = H(0x01 || p || r) + r = hashNode(p, r); + // Remove consecutive right-side path bits + while (fn != 0 && (fn & 1) == 0) { + fn >>>= 1; + sn >>>= 1; + } + } else { + // Right sibling: r = H(0x01 || r || p) + r = hashNode(r, p); + } + fn >>>= 1; + sn >>>= 1; + } + + if (fn != 0) { + throw new ScittParseException( + "Proof path too short: fn=" + fn + " after consuming all path elements"); + } + + return r; + } + + /** + * Computes the hash of a leaf node. + * + *

Per RFC 9162: MTH({d(0)}) = SHA-256(0x00 || d(0))

+ * + * @param data the leaf data + * @return the leaf hash + */ + public static byte[] hashLeaf(byte[] data) { + byte[] prefixed = new byte[1 + data.length]; + prefixed[0] = LEAF_PREFIX; + System.arraycopy(data, 0, prefixed, 1, data.length); + return CryptoCache.sha256(prefixed); + } + + /** + * Computes the hash of an interior node. + * + *

Per RFC 9162: MTH(D[n]) = SHA-256(0x01 || MTH(D[0:k]) || MTH(D[k:n]))

+ * + * @param left the left child hash + * @param right the right child hash + * @return the node hash + */ + public static byte[] hashNode(byte[] left, byte[] right) { + byte[] combined = new byte[1 + HASH_SIZE + HASH_SIZE]; + combined[0] = NODE_PREFIX; + System.arraycopy(left, 0, combined, 1, HASH_SIZE); + System.arraycopy(right, 0, combined, 1 + HASH_SIZE, HASH_SIZE); + return CryptoCache.sha256(combined); + } + + /** + * Calculates the expected maximum path length for a tree of the given size. + * + *

For a tree with n leaves, the path length is ceil(log2(n)).

+ * + * @param treeSize the number of leaves + * @return the maximum path length + */ + public static int calculatePathLength(long treeSize) { + if (treeSize <= 1) { + return 0; + } + // Use bit manipulation for ceiling of log2 + return 64 - Long.numberOfLeadingZeros(treeSize - 1); + } + + /** + * Converts a hex string to bytes. + * + * @param hex the hex string + * @return the byte array + * @throws IllegalArgumentException if hex is null or has odd length + */ + public static byte[] hexToBytes(String hex) { + Objects.requireNonNull(hex, "hex cannot be null"); + if (hex.length() % 2 != 0) { + throw new IllegalArgumentException("Hex string must have even length"); + } + return Hex.decode(hex); + } + + /** + * Converts bytes to a hex string. + * + * @param bytes the byte array + * @return the hex string (lowercase) + */ + public static String bytesToHex(byte[] bytes) { + Objects.requireNonNull(bytes, "bytes cannot be null"); + return Hex.toHexString(bytes); + } +} \ No newline at end of file diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java new file mode 100644 index 0000000..d29bc25 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java @@ -0,0 +1,144 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.MessageDigest; +import java.util.Objects; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * Verifies that fetched metadata matches expected hashes from SCITT status tokens. + * + *

When an agent endpoint includes a metadataUrl, the status token contains + * a hash of that metadata. After fetching the metadata, this verifier confirms + * it hasn't been tampered with.

+ * + *

Hash Format

+ *

Hashes are formatted as {@code SHA256:<64-hex-chars>}

+ * + *

Usage

+ * 
{@code
+ * byte[] metadataBytes = fetchMetadata(metadataUrl);
+ * String expectedHash = statusToken.metadataHashes().get("a2a");
+ *
+ * if (!MetadataHashVerifier.verify(metadataBytes, expectedHash)) {
+ *     throw new SecurityException("Metadata hash mismatch");
+ * }
+ * }
+ */ +public final class MetadataHashVerifier { + + private static final Logger LOGGER = LoggerFactory.getLogger(MetadataHashVerifier.class); + + /** + * Pattern for metadata hash format: SHA256:<64 hex chars> + */ + private static final Pattern HASH_PATTERN = Pattern.compile("^SHA256:([a-f0-9]{64})$", Pattern.CASE_INSENSITIVE); + + private MetadataHashVerifier() { + // Utility class + } + + /** + * Verifies that the metadata bytes match the expected hash. + * + * @param metadataBytes the fetched metadata content + * @param expectedHash the expected hash in format {@code SHA256:} + * @return true if the hash matches + */ + public static boolean verify(byte[] metadataBytes, String expectedHash) { + Objects.requireNonNull(metadataBytes, "metadataBytes cannot be null"); + Objects.requireNonNull(expectedHash, "expectedHash cannot be null"); + + // Parse expected hash + Matcher matcher = HASH_PATTERN.matcher(expectedHash); + if (!matcher.matches()) { + LOGGER.warn("Invalid hash format: {}", expectedHash); + return false; + } + + String expectedHex = matcher.group(1).toLowerCase(); + + try { + // Compute actual hash + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] actualHash = md.digest(metadataBytes); + String actualHex = bytesToHex(actualHash); + + // SECURITY: Use constant-time comparison + boolean matches = MessageDigest.isEqual( + actualHex.getBytes(), + expectedHex.getBytes() + ); + + if (!matches) { + LOGGER.warn("Metadata hash mismatch: expected {}, got SHA256:{}", + expectedHash, actualHex); + } + + return matches; + + } catch (Exception e) { + LOGGER.error("Error computing metadata hash: {}", e.getMessage()); + return false; + } + } + + /** + * Computes the hash of metadata bytes in the expected format. + * + * @param metadataBytes the metadata content + * @return the hash in format {@code SHA256:} + */ + public static String computeHash(byte[] metadataBytes) { + Objects.requireNonNull(metadataBytes, "metadataBytes cannot be null"); + + try { + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] hash = md.digest(metadataBytes); + return "SHA256:" + bytesToHex(hash); + } catch (Exception e) { + throw new RuntimeException("SHA-256 not available", e); + } + } + + /** + * Validates that a hash string is in the expected format. + * + * @param hash the hash string to validate + * @return true if the format is valid + */ + public static boolean isValidHashFormat(String hash) { + if (hash == null) { + return false; + } + return HASH_PATTERN.matcher(hash).matches(); + } + + /** + * Extracts the hex portion from a hash string. + * + * @param hash the hash string in format {@code SHA256:} + * @return the hex portion, or null if format is invalid + */ + public static String extractHex(String hash) { + if (hash == null) { + return null; + } + Matcher matcher = HASH_PATTERN.matcher(hash); + if (matcher.matches()) { + return matcher.group(1).toLowerCase(); + } + return null; + } + + private static String bytesToHex(byte[] bytes) { + StringBuilder sb = new StringBuilder(); + for (byte b : bytes) { + sb.append(String.format("%02x", b & 0xFF)); + } + return sb.toString(); + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecision.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecision.java new file mode 100644 index 0000000..2cd084d --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecision.java @@ -0,0 +1,68 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.security.PublicKey; +import java.util.Map; + +/** + * Result of a root key cache refresh decision. + * + *

Used by the SCITT verification flow to determine whether a cache refresh + * should be attempted when a key is not found in the trust store.

+ * + * @param action the action to take + * @param reason human-readable explanation (for logging/debugging) + * @param keys the refreshed keys (only present if action is REFRESHED) + */ +public record RefreshDecision(RefreshAction action, String reason, Map keys) { + + /** + * Actions that can be taken when a key is not found in cache. + */ + public enum RefreshAction { + /** Refresh not allowed - artifact is invalid (too old or from future) */ + REJECT, + /** Refresh not allowed now - try again later (cooldown in effect) */ + DEFER, + /** Cache was refreshed - use the new keys for retry */ + REFRESHED + } + + /** + * Creates a REJECT decision indicating the artifact is invalid. + * + * @param reason explanation of why the artifact is invalid + * @return a REJECT decision + */ + public static RefreshDecision reject(String reason) { + return new RefreshDecision(RefreshAction.REJECT, reason, null); + } + + /** + * Creates a DEFER decision indicating refresh should be retried later. + * + * @param reason explanation of why refresh was deferred + * @return a DEFER decision + */ + public static RefreshDecision defer(String reason) { + return new RefreshDecision(RefreshAction.DEFER, reason, null); + } + + /** + * Creates a REFRESHED decision with the new keys. + * + * @param keys the refreshed root keys + * @return a REFRESHED decision + */ + public static RefreshDecision refreshed(Map keys) { + return new RefreshDecision(RefreshAction.REFRESHED, null, keys); + } + + /** + * Returns true if the cache was successfully refreshed. + * + * @return true if action is REFRESHED + */ + public boolean isRefreshed() { + return action == RefreshAction.REFRESHED; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java new file mode 100644 index 0000000..b6d9085 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java @@ -0,0 +1,457 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.github.benmanes.caffeine.cache.AsyncLoadingCache; +import com.github.benmanes.caffeine.cache.Caffeine; +import com.github.benmanes.caffeine.cache.Expiry; +import com.godaddy.ans.sdk.concurrent.AnsExecutors; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.time.Duration; +import java.time.Instant; +import java.util.Base64; +import java.util.Map; +import java.util.Objects; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.Executor; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.ScheduledFuture; +import java.util.concurrent.TimeUnit; + +/** + * Manages SCITT artifact lifecycle including fetching, caching, and background refresh. + * + *

Intended use case: This class is designed for server-side or + * proactive-fetch scenarios where an agent needs to pre-fetch and cache its + * own SCITT artifacts to include in outgoing HTTP response headers. It is not + * used in the client verification flow, which extracts artifacts from incoming HTTP headers + * via {@link ScittHeaderProvider}.

+ * + *

This manager handles:

+ *
    + *
  • Fetching receipts and status tokens from the transparency log
    • + *
  • Caching artifacts to avoid redundant network calls
    • + *
  • Background refresh of status tokens before expiry
    • + *
  • Graceful shutdown of background tasks
    • + *
+ * + *

Server-Side Usage

+ * 
{@code
+ * // On agent startup
+ * ScittArtifactManager manager = ScittArtifactManager.builder()
+ *     .transparencyClient(client)
+ *     .build();
+ *
+ * // Start background refresh to keep token fresh
+ * manager.startBackgroundRefresh(myAgentId);
+ *
+ * // When handling requests, get pre-computed Base64 strings for response headers
+ * String receiptBase64 = manager.getReceiptBase64(myAgentId).join();
+ * String tokenBase64 = manager.getStatusTokenBase64(myAgentId).join();
+ * response.addHeader("X-SCITT-Receipt", receiptBase64);
+ * response.addHeader("X-ANS-Status-Token", tokenBase64);
+ *
+ * // On shutdown
+ * manager.close();
+ * }
+ * + * @see ScittHeaderProvider#getOutgoingHeaders() + * @see TransparencyClient#getReceiptAsync(String) + * @see TransparencyClient#getStatusTokenAsync(String) + * @see ScittVerifierAdapter for client-side verification + */ +public class ScittArtifactManager implements AutoCloseable { + + private static final Logger LOGGER = LoggerFactory.getLogger(ScittArtifactManager.class); + + private static final int DEFAULT_CACHE_SIZE = 1000; + + private final TransparencyClient transparencyClient; + private final ScheduledExecutorService scheduler; + private final Executor ioExecutor; + private final boolean ownsScheduler; + + // Caffeine caches with automatic stampede prevention + private final AsyncLoadingCache receiptCache; + private final AsyncLoadingCache tokenCache; + + // Background refresh tracking + private final Map> refreshTasks; + + private volatile boolean closed = false; + + private ScittArtifactManager(Builder builder) { + this.transparencyClient = Objects.requireNonNull(builder.transparencyClient, + "transparencyClient cannot be null"); + + if (builder.scheduler != null) { + this.scheduler = builder.scheduler; + this.ownsScheduler = false; + } else { + this.scheduler = AnsExecutors.newSingleThreadScheduledExecutor(); + this.ownsScheduler = true; + } + + // Use shared I/O executor for blocking HTTP work - keeps scheduler thread free for timing + this.ioExecutor = AnsExecutors.sharedIoExecutor(); + + // Receipts are immutable Merkle proofs - cache indefinitely, evict only by LRU + this.receiptCache = Caffeine.newBuilder() + .maximumSize(DEFAULT_CACHE_SIZE) + .executor(ioExecutor) + .buildAsync(this::loadReceipt); + + // Build token cache with dynamic expiry based on token's expiresAt() + this.tokenCache = Caffeine.newBuilder() + .maximumSize(DEFAULT_CACHE_SIZE) + .expireAfter(new StatusTokenExpiry()) + .executor(ioExecutor) + .buildAsync(this::loadToken); + + this.refreshTasks = new ConcurrentHashMap<>(); + } + + /** + * Creates a new builder. + * + * @return a new builder instance + */ + public static Builder builder() { + return new Builder(); + } + + /** + * Fetches the SCITT receipt for an agent. + * + *

Receipts are cached indefinitely since they are immutable Merkle inclusion proofs. + * Concurrent callers share a single in-flight fetch to prevent stampedes.

+ * + * @param agentId the agent's unique identifier + * @return future containing the receipt + */ + public CompletableFuture getReceipt(String agentId) { + Objects.requireNonNull(agentId, "agentId cannot be null"); + + if (closed) { + return CompletableFuture.failedFuture( + new IllegalStateException("ScittArtifactManager is closed")); + } + + return receiptCache.get(agentId).thenApply(CachedReceipt::receipt); + } + + /** + * Fetches the Base64-encoded SCITT receipt for an agent. + * + *

This method returns the pre-computed Base64 string ready for use in + * HTTP headers. The Base64 encoding is computed once at cache-fill time, + * avoiding byte array allocation on each call.

+ * + * @param agentId the agent's unique identifier + * @return future containing the Base64-encoded receipt + */ + public CompletableFuture getReceiptBase64(String agentId) { + Objects.requireNonNull(agentId, "agentId cannot be null"); + + if (closed) { + return CompletableFuture.failedFuture( + new IllegalStateException("ScittArtifactManager is closed")); + } + + return receiptCache.get(agentId).thenApply(CachedReceipt::base64); + } + + /** + * Fetches the status token for an agent. + * + *

Tokens are cached but have shorter TTL based on their expiry time.

+ * + * @param agentId the agent's unique identifier + * @return future containing the status token + */ + public CompletableFuture getStatusToken(String agentId) { + Objects.requireNonNull(agentId, "agentId cannot be null"); + + if (closed) { + return CompletableFuture.failedFuture( + new IllegalStateException("ScittArtifactManager is closed")); + } + + return tokenCache.get(agentId).thenApply(CachedToken::token); + } + + /** + * Fetches the Base64-encoded status token for an agent. + * + *

This method returns the pre-computed Base64 string ready for use in + * HTTP headers. The Base64 encoding is computed once at cache-fill time, + * avoiding byte array allocation on each call.

+ * + * @param agentId the agent's unique identifier + * @return future containing the Base64-encoded status token + */ + public CompletableFuture getStatusTokenBase64(String agentId) { + Objects.requireNonNull(agentId, "agentId cannot be null"); + + if (closed) { + return CompletableFuture.failedFuture( + new IllegalStateException("ScittArtifactManager is closed")); + } + + return tokenCache.get(agentId).thenApply(CachedToken::base64); + } + + /** + * Starts background refresh for an agent's status token. + * + *

The refresh interval is computed as (exp - iat) / 2 from the token, + * ensuring the token is refreshed before expiry.

+ * + * @param agentId the agent's unique identifier + */ + public void startBackgroundRefresh(String agentId) { + Objects.requireNonNull(agentId, "agentId cannot be null"); + + if (closed) { + LOGGER.warn("Cannot start background refresh - manager is closed"); + return; + } + + // Get current token to compute refresh interval + CachedToken cached = tokenCache.synchronous().getIfPresent(agentId); + Duration refreshInterval = cached != null + ? cached.token().computeRefreshInterval() + : Duration.ofMinutes(5); + + scheduleRefresh(agentId, refreshInterval); + } + + /** + * Stops background refresh for an agent. + * + * @param agentId the agent's unique identifier + */ + public void stopBackgroundRefresh(String agentId) { + ScheduledFuture task = refreshTasks.remove(agentId); + if (task != null) { + task.cancel(false); + LOGGER.debug("Stopped background refresh for agent {}", agentId); + } + } + + /** + * Clears all cached artifacts for an agent. + * + * @param agentId the agent's unique identifier + */ + public void clearCache(String agentId) { + receiptCache.synchronous().invalidate(agentId); + tokenCache.synchronous().invalidate(agentId); + LOGGER.debug("Cleared cache for agent {}", agentId); + } + + /** + * Clears all cached artifacts. + */ + public void clearAllCaches() { + receiptCache.synchronous().invalidateAll(); + tokenCache.synchronous().invalidateAll(); + LOGGER.info("Cleared all SCITT artifact caches"); + } + + @Override + public void close() { + if (closed) { + return; + } + + closed = true; + LOGGER.info("Shutting down ScittArtifactManager"); + + // Cancel all refresh tasks + refreshTasks.values().forEach(task -> task.cancel(false)); + refreshTasks.clear(); + + // Shutdown scheduler if we own it + if (ownsScheduler) { + scheduler.shutdown(); + try { + if (!scheduler.awaitTermination(5, TimeUnit.SECONDS)) { + scheduler.shutdownNow(); + } + } catch (InterruptedException e) { + scheduler.shutdownNow(); + Thread.currentThread().interrupt(); + } + } + + clearAllCaches(); + } + + // ==================== Cache Loaders ==================== + + private CachedReceipt loadReceipt(String agentId) { + LOGGER.info("Fetching receipt for agent from TL {}", agentId); + try { + byte[] receiptBytes = transparencyClient.getReceipt(agentId); + ScittReceipt receipt = ScittReceipt.parse(receiptBytes); + LOGGER.info("Fetched and cached receipt for agent {} from TL", agentId); + return new CachedReceipt(receipt, receiptBytes); + } catch (Exception e) { + LOGGER.error("Failed to fetch receipt for agent {}: {}", agentId, e.getMessage()); + throw new ScittFetchException( + "Failed to fetch receipt: " + e.getMessage(), e, + ScittFetchException.ArtifactType.RECEIPT, agentId); + } + } + + private CachedToken loadToken(String agentId) { + LOGGER.info("Fetching status token for agent {}", agentId); + try { + byte[] tokenBytes = transparencyClient.getStatusToken(agentId); + StatusToken token = StatusToken.parse(tokenBytes); + LOGGER.info("Fetched and cached status token for agent {} (expires {})", + agentId, token.expiresAt()); + return new CachedToken(token, tokenBytes); + } catch (Exception e) { + LOGGER.error("Failed to fetch status token for agent {}: {}", agentId, e.getMessage()); + throw new ScittFetchException( + "Failed to fetch status token: " + e.getMessage(), e, + ScittFetchException.ArtifactType.STATUS_TOKEN, agentId); + } + } + + // ==================== Background Refresh ==================== + + private void scheduleRefresh(String agentId, Duration interval) { + // Cancel existing task if any + stopBackgroundRefresh(agentId); + + if (closed) { + return; + } + + LOGGER.debug("Scheduling status token refresh for agent {} in {}", agentId, interval); + + // Use schedule() instead of scheduleAtFixedRate() so we can adjust interval after each refresh + ScheduledFuture task = scheduler.schedule( + () -> refreshToken(agentId), + interval.toMillis(), + TimeUnit.MILLISECONDS + ); + + refreshTasks.put(agentId, task); + } + + private void refreshToken(String agentId) { + if (closed) { + return; + } + + LOGGER.debug("Background refresh triggered for agent {}", agentId); + + // Use Caffeine's refresh which handles stampede prevention + tokenCache.synchronous().refresh(agentId); + + // Reschedule with new interval based on refreshed token + CachedToken refreshed = tokenCache.synchronous().getIfPresent(agentId); + if (refreshed != null && !closed) { + Duration newInterval = refreshed.token().computeRefreshInterval(); + scheduleRefresh(agentId, newInterval); + } + } + + // ==================== Caffeine Expiry for Status Tokens ==================== + + /** + * Custom expiry that uses the token's own expiration time. + */ + private static class StatusTokenExpiry implements Expiry { + @Override + public long expireAfterCreate(String key, CachedToken value, long currentTime) { + if (value.token().isExpired()) { + return 0; // Already expired + } + Duration remaining = Duration.between(Instant.now(), value.token().expiresAt()); + return Math.max(0, remaining.toNanos()); + } + + @Override + public long expireAfterUpdate(String key, CachedToken value, + long currentTime, long currentDuration) { + return expireAfterCreate(key, value, currentTime); + } + + @Override + public long expireAfterRead(String key, CachedToken value, + long currentTime, long currentDuration) { + return currentDuration; // No change on read + } + } + + // ==================== Cache Entry Records ==================== + + /** + * Cached receipt with pre-computed Base64 for header encoding. + */ + private record CachedReceipt(ScittReceipt receipt, String base64) { + CachedReceipt(ScittReceipt receipt, byte[] rawBytes) { + this(receipt, Base64.getEncoder().encodeToString(rawBytes)); + } + } + + /** + * Cached status token with pre-computed Base64 for header encoding. + */ + private record CachedToken(StatusToken token, String base64) { + CachedToken(StatusToken token, byte[] rawBytes) { + this(token, Base64.getEncoder().encodeToString(rawBytes)); + } + } + + // ==================== Builder ==================== + + /** + * Builder for ScittArtifactManager. + */ + public static class Builder { + private TransparencyClient transparencyClient; + private ScheduledExecutorService scheduler; + + /** + * Sets the transparency client for fetching artifacts. + * + * @param client the transparency client + * @return this builder + */ + public Builder transparencyClient(TransparencyClient client) { + this.transparencyClient = client; + return this; + } + + /** + * Sets a custom scheduler for background refresh. + * + *

If not set, a single-threaded scheduler will be created + * and managed by this manager.

+ * + * @param scheduler the scheduler + * @return this builder + */ + public Builder scheduler(ScheduledExecutorService scheduler) { + this.scheduler = scheduler; + return this; + } + + /** + * Builds the ScittArtifactManager. + * + * @return the configured manager + */ + public ScittArtifactManager build() { + return new ScittArtifactManager(this); + } + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java new file mode 100644 index 0000000..81645c8 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java @@ -0,0 +1,305 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** + * Expected verification state from SCITT artifacts (receipt + status token). + * + *

This class uses factory methods to ensure valid state combinations + * and prevent construction of invalid expectations.

+ */ +public final class ScittExpectation { + + /** + * Verification status from SCITT artifacts. + */ + public enum Status { + /** Both receipt and status token verified successfully */ + VERIFIED, + /** Receipt signature or Merkle proof invalid */ + INVALID_RECEIPT, + /** Status token signature invalid or malformed */ + INVALID_TOKEN, + /** Status token has expired */ + TOKEN_EXPIRED, + /** Agent status is REVOKED */ + AGENT_REVOKED, + /** Agent status is not ACTIVE (WARNING, DEPRECATED, EXPIRED) */ + AGENT_INACTIVE, + /** Required public key not found */ + KEY_NOT_FOUND, + /** SCITT artifacts not present (no headers) */ + NOT_PRESENT, + /** Parse error in SCITT artifacts */ + PARSE_ERROR + } + + private final Status status; + private final List validServerCertFingerprints; + private final List validIdentityCertFingerprints; + private final String agentHost; + private final String ansName; + private final Map metadataHashes; + private final String failureReason; + private final StatusToken statusToken; + + private ScittExpectation( + Status status, + List validServerCertFingerprints, + List validIdentityCertFingerprints, + String agentHost, + String ansName, + Map metadataHashes, + String failureReason, + StatusToken statusToken) { + this.status = Objects.requireNonNull(status, "status cannot be null"); + this.validServerCertFingerprints = validServerCertFingerprints != null + ? List.copyOf(validServerCertFingerprints) : List.of(); + this.validIdentityCertFingerprints = validIdentityCertFingerprints != null + ? List.copyOf(validIdentityCertFingerprints) : List.of(); + this.agentHost = agentHost; + this.ansName = ansName; + this.metadataHashes = metadataHashes != null ? Map.copyOf(metadataHashes) : Map.of(); + this.failureReason = failureReason; + this.statusToken = statusToken; + } + + // ==================== Factory Methods ==================== + + /** + * Creates a verified expectation with all valid data. + * + * @param serverCertFingerprints valid server certificate fingerprints + * @param identityCertFingerprints valid identity certificate fingerprints + * @param agentHost the agent's host + * @param ansName the agent's ANS name + * @param metadataHashes the metadata hashes + * @param statusToken the verified status token + * @return verified expectation + */ + public static ScittExpectation verified( + List serverCertFingerprints, + List identityCertFingerprints, + String agentHost, + String ansName, + Map metadataHashes, + StatusToken statusToken) { + return new ScittExpectation( + Status.VERIFIED, + serverCertFingerprints, + identityCertFingerprints, + agentHost, + ansName, + metadataHashes, + null, + statusToken + ); + } + + /** + * Creates an expectation indicating invalid receipt. + * + * @param reason the failure reason + * @return invalid receipt expectation + */ + public static ScittExpectation invalidReceipt(String reason) { + return new ScittExpectation( + Status.INVALID_RECEIPT, + null, null, null, null, null, + reason, + null + ); + } + + /** + * Creates an expectation indicating invalid status token. + * + * @param reason the failure reason + * @return invalid token expectation + */ + public static ScittExpectation invalidToken(String reason) { + return new ScittExpectation( + Status.INVALID_TOKEN, + null, null, null, null, null, + reason, + null + ); + } + + /** + * Creates an expectation indicating expired status token. + * + * @return expired token expectation + */ + public static ScittExpectation expired() { + return new ScittExpectation( + Status.TOKEN_EXPIRED, + null, null, null, null, null, + "Status token has expired", + null + ); + } + + /** + * Creates an expectation indicating agent is revoked. + * + * @param ansName the revoked agent's ANS name + * @return revoked agent expectation + */ + public static ScittExpectation revoked(String ansName) { + return new ScittExpectation( + Status.AGENT_REVOKED, + null, null, null, ansName, null, + "Agent registration has been revoked", + null + ); + } + + /** + * Creates an expectation indicating agent is not active. + * + * @param status the agent's actual status + * @param ansName the agent's ANS name + * @return inactive agent expectation + */ + public static ScittExpectation inactive(StatusToken.Status status, String ansName) { + return new ScittExpectation( + Status.AGENT_INACTIVE, + null, null, null, ansName, null, + "Agent status is " + status, + null + ); + } + + /** + * Creates an expectation indicating required key not found. + * + * @param reason the failure reason + * @return key not found expectation + */ + public static ScittExpectation keyNotFound(String reason) { + return new ScittExpectation( + Status.KEY_NOT_FOUND, + null, null, null, null, null, + reason, + null + ); + } + + /** + * Creates an expectation indicating SCITT artifacts not present. + * + * @return not present expectation + */ + public static ScittExpectation notPresent() { + return new ScittExpectation( + Status.NOT_PRESENT, + null, null, null, null, null, + "SCITT headers not present in response", + null + ); + } + + /** + * Creates an expectation indicating parse error. + * + * @param reason the parse error reason + * @return parse error expectation + */ + public static ScittExpectation parseError(String reason) { + return new ScittExpectation( + Status.PARSE_ERROR, + null, null, null, null, null, + reason, + null + ); + } + + // ==================== Accessors ==================== + + public Status status() { + return status; + } + + public List validServerCertFingerprints() { + return validServerCertFingerprints; + } + + public List validIdentityCertFingerprints() { + return validIdentityCertFingerprints; + } + + public String agentHost() { + return agentHost; + } + + public String ansName() { + return ansName; + } + + public Map metadataHashes() { + return metadataHashes; + } + + public String failureReason() { + return failureReason; + } + + public StatusToken statusToken() { + return statusToken; + } + + /** + * Returns true if SCITT verification was successful. + * + * @return true if verified + */ + public boolean isVerified() { + return status == Status.VERIFIED; + } + + /** + * Returns true if SCITT satus NOT_FOUND. + * + * @return true if verified + */ + public boolean isKeyNotFound() { + return status == Status.KEY_NOT_FOUND; + } + + /** + * Returns true if this expectation represents a failure that should block the connection. + * + * @return true if this is a blocking failure + */ + public boolean shouldFail() { + return switch (status) { + case VERIFIED -> false; + case NOT_PRESENT -> false; // Not a failure, just means fallback to badge + case INVALID_RECEIPT, INVALID_TOKEN, TOKEN_EXPIRED, + AGENT_REVOKED, AGENT_INACTIVE, KEY_NOT_FOUND, PARSE_ERROR -> true; + }; + } + + /** + * Returns true if SCITT artifacts were not present (should fall back to badge). + * + * @return true if not present + */ + public boolean isNotPresent() { + return status == Status.NOT_PRESENT; + } + + @Override + public String toString() { + if (status == Status.VERIFIED) { + return "ScittExpectation{status=VERIFIED, ansName='" + ansName + + "', serverCerts=" + validServerCertFingerprints.size() + + ", identityCerts=" + validIdentityCertFingerprints.size() + "}"; + } + return "ScittExpectation{status=" + status + + ", reason='" + failureReason + "'}"; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchException.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchException.java new file mode 100644 index 0000000..ee2d950 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchException.java @@ -0,0 +1,70 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +/** + * Exception thrown when fetching SCITT artifacts fails. + * + *

This exception is thrown when operations like fetching receipts or + * status tokens from the transparency log encounter errors.

+ */ +public class ScittFetchException extends RuntimeException { + + /** + * The type of artifact that failed to fetch. + */ + public enum ArtifactType { + /** SCITT receipt (Merkle inclusion proof) */ + RECEIPT, + /** Status token (time-bounded status assertion) */ + STATUS_TOKEN, + /** Public key from TL or RA */ + PUBLIC_KEY + } + + private final ArtifactType artifactType; + private final String agentId; + + /** + * Creates a new ScittFetchException. + * + * @param message the error message + * @param artifactType the type of artifact that failed to fetch + * @param agentId the agent ID (may be null for public key fetches) + */ + public ScittFetchException(String message, ArtifactType artifactType, String agentId) { + super(message); + this.artifactType = artifactType; + this.agentId = agentId; + } + + /** + * Creates a new ScittFetchException with a cause. + * + * @param message the error message + * @param cause the underlying cause + * @param artifactType the type of artifact that failed to fetch + * @param agentId the agent ID (may be null for public key fetches) + */ + public ScittFetchException(String message, Throwable cause, ArtifactType artifactType, String agentId) { + super(message, cause); + this.artifactType = artifactType; + this.agentId = agentId; + } + + /** + * Returns the type of artifact that failed to fetch. + * + * @return the artifact type + */ + public ArtifactType getArtifactType() { + return artifactType; + } + + /** + * Returns the agent ID for which the fetch failed. + * + * @return the agent ID, or null for public key fetches + */ + public String getAgentId() { + return agentId; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java new file mode 100644 index 0000000..49a0fa3 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java @@ -0,0 +1,77 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.util.Map; +import java.util.Optional; + +/** + * Provider for SCITT HTTP headers. + * + *

This interface is used by HTTP clients to:

+ *
    + *
  • Include SCITT artifacts in outgoing requests (for servers to verify callers)
    • + *
  • Extract SCITT artifacts from incoming responses (for clients to verify servers)
    • + *
+ * + *

Usage in HTTP Client

+ * 
{@code
+ * // Before sending request
+ * Map headers = scittProvider.getOutgoingHeaders();
+ * request.headers().putAll(headers);
+ *
+ * // After receiving response
+ * ScittArtifacts artifacts = scittProvider.extractArtifacts(response.headers());
+ * if (artifacts.isPresent()) {
+ *     ScittExpectation expectation = verifier.verify(
+ *         artifacts.receipt(), artifacts.statusToken(), tlKey, raKey);
+ * }
+ * }
+ */ +public interface ScittHeaderProvider { + + /** + * Returns headers to include in outgoing requests. + * + *

These headers contain the caller's own SCITT artifacts for + * the server to verify the caller's identity.

+ * + * @return map of header names to Base64-encoded values + */ + Map getOutgoingHeaders(); + + /** + * Extracts SCITT artifacts from incoming response headers. + * + * @param headers the response headers + * @return the extracted artifacts, or empty if not present + */ + Optional extractArtifacts(Map headers); + + /** + * Extracted SCITT artifacts from HTTP headers. + * + * @param receipt the parsed SCITT receipt (null if not present) + * @param statusToken the parsed status token (null if not present) + * @param receiptBytes raw receipt bytes for caching + * @param tokenBytes raw token bytes for caching + */ + record ScittArtifacts( + ScittReceipt receipt, + StatusToken statusToken, + byte[] receiptBytes, + byte[] tokenBytes + ) { + /** + * Returns true if both receipt and status token are present. + */ + public boolean isComplete() { + return receipt != null && statusToken != null; + } + + /** + * Returns true if at least one artifact is present. + */ + public boolean isPresent() { + return receipt != null || statusToken != null; + } + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaders.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaders.java new file mode 100644 index 0000000..f34c3b4 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaders.java @@ -0,0 +1,30 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +/** + * HTTP header constants for SCITT artifact delivery. + * + *

SCITT artifacts (receipts and status tokens) are delivered via HTTP headers + * to eliminate live Transparency Log queries during connection establishment.

+ */ +public final class ScittHeaders { + + /** + * HTTP header for SCITT receipt (Base64-encoded COSE_Sign1). + * + *

Contains the cryptographic proof that the agent's registration + * was included in the Transparency Log.

+ */ + public static final String SCITT_RECEIPT_HEADER = "x-scitt-receipt"; + + /** + * HTTP header for ANS status token (Base64-encoded COSE_Sign1). + * + *

Contains a time-bounded assertion of the agent's current status, + * including valid certificate fingerprints.

+ */ + public static final String STATUS_TOKEN_HEADER = "x-ans-status-token"; + + private ScittHeaders() { + // Constants class + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittParseException.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittParseException.java new file mode 100644 index 0000000..88e4ff4 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittParseException.java @@ -0,0 +1,26 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +/** + * Exception thrown when parsing SCITT artifacts (receipts, status tokens) fails. + */ +public class ScittParseException extends Exception { + + /** + * Creates a new parse exception with the specified message. + * + * @param message the error message + */ + public ScittParseException(String message) { + super(message); + } + + /** + * Creates a new parse exception with the specified message and cause. + * + * @param message the error message + * @param cause the underlying cause + */ + public ScittParseException(String message, Throwable cause) { + super(message, cause); + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResult.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResult.java new file mode 100644 index 0000000..2edc659 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResult.java @@ -0,0 +1,57 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +/** + * Result of SCITT pre-verification from HTTP response headers. + * + *

This record captures the outcome of extracting and verifying SCITT artifacts + * (receipts and status tokens) from HTTP headers before post-verification of + * the TLS certificate.

+ * + * @param expectation the SCITT expectation containing valid fingerprints and status + * @param receipt the parsed SCITT receipt (may be null if not present or parsing failed) + * @param statusToken the parsed status token (may be null if not present or parsing failed) + * @param isPresent true if SCITT headers were present in the response + */ +public record ScittPreVerifyResult( + ScittExpectation expectation, + ScittReceipt receipt, + StatusToken statusToken, + boolean isPresent +) { + + /** + * Creates a result indicating SCITT headers were not present in the response. + * + * @return a result with isPresent=false and a NOT_PRESENT expectation + */ + public static ScittPreVerifyResult notPresent() { + return new ScittPreVerifyResult(ScittExpectation.notPresent(), null, null, false); + } + + /** + * Creates a result indicating a parse error occurred. + * + * @param errorMessage the error message + * @return a result with isPresent=true but a PARSE_ERROR expectation + */ + public static ScittPreVerifyResult parseError(String errorMessage) { + return new ScittPreVerifyResult( + ScittExpectation.parseError(errorMessage), + null, null, true); + } + + /** + * Creates a successful pre-verification result. + * + * @param expectation the verified expectation + * @param receipt the parsed receipt + * @param statusToken the parsed status token + * @return a result with isPresent=true and the verified expectation + */ + public static ScittPreVerifyResult verified( + ScittExpectation expectation, + ScittReceipt receipt, + StatusToken statusToken) { + return new ScittPreVerifyResult(expectation, receipt, statusToken, true); + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java new file mode 100644 index 0000000..284c70f --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java @@ -0,0 +1,256 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.upokecenter.cbor.CBORObject; +import com.upokecenter.cbor.CBORType; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Objects; + +/** + * SCITT Receipt - a COSE_Sign1 structure containing a Merkle inclusion proof. + * + *

A SCITT receipt proves that a specific event was included in the + * transparency log at a specific tree version. The receipt contains:

+ *
    + *
  • Protected header with TL public key ID and VDS type
    • + *
  • Inclusion proof (tree size, leaf index, hash path)
    • + *
  • The event payload (JCS-canonicalized)
    • + *
  • TL signature over the Sig_structure
    • + *
+ * + * @param protectedHeader the parsed COSE protected header + * @param protectedHeaderBytes raw protected header bytes (for signature verification) + * @param inclusionProof the Merkle tree inclusion proof + * @param eventPayload the JCS-canonicalized event data + * @param signature the TL signature (64 bytes ES256 in IEEE P1363 format) + */ +public record ScittReceipt( + CoseProtectedHeader protectedHeader, + byte[] protectedHeaderBytes, + InclusionProof inclusionProof, + byte[] eventPayload, + byte[] signature +) { + + /** + * Merkle tree inclusion proof extracted from the receipt. + * + * @param treeSize the total number of leaves when this leaf was added + * @param leafIndex the 0-based index of the leaf + * @param rootHash the root hash at the time of inclusion + * @param hashPath the sibling hashes from leaf to root + */ + public record InclusionProof( + long treeSize, + long leafIndex, + byte[] rootHash, + List hashPath + ) { + public InclusionProof { + hashPath = hashPath != null ? List.copyOf(hashPath) : List.of(); + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + InclusionProof that = (InclusionProof) o; + if (treeSize != that.treeSize || leafIndex != that.leafIndex) { + return false; + } + if (!Arrays.equals(rootHash, that.rootHash)) { + return false; + } + if (hashPath.size() != that.hashPath.size()) { + return false; + } + for (int i = 0; i < hashPath.size(); i++) { + if (!Arrays.equals(hashPath.get(i), that.hashPath.get(i))) { + return false; + } + } + return true; + } + + @Override + public int hashCode() { + int result = Long.hashCode(treeSize); + result = 31 * result + Long.hashCode(leafIndex); + result = 31 * result + Arrays.hashCode(rootHash); + for (byte[] hash : hashPath) { + result = 31 * result + Arrays.hashCode(hash); + } + return result; + } + } + + /** + * Parses a SCITT receipt from raw COSE_Sign1 bytes. + * + * @param coseBytes the raw COSE_Sign1 bytes + * @return the parsed receipt + * @throws ScittParseException if parsing fails + */ + public static ScittReceipt parse(byte[] coseBytes) throws ScittParseException { + Objects.requireNonNull(coseBytes, "coseBytes cannot be null"); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(coseBytes); + return fromParsedCose(parsed); + } + + /** + * Creates a ScittReceipt from an already-parsed COSE_Sign1 structure. + * + * @param parsed the parsed COSE_Sign1 + * @return the ScittReceipt + * @throws ScittParseException if the structure doesn't contain valid receipt data + */ + public static ScittReceipt fromParsedCose(CoseSign1Parser.ParsedCoseSign1 parsed) throws ScittParseException { + Objects.requireNonNull(parsed, "parsed cannot be null"); + + // Verify VDS indicates RFC 9162 Merkle tree + CoseProtectedHeader header = parsed.protectedHeader(); + if (!header.isRfc9162MerkleTree()) { + throw new ScittParseException( + "Receipt must use VDS=1 (RFC9162_SHA256), got: " + header.vds()); + } + + // Parse inclusion proof from unprotected header (CBORObject passed directly, no round-trip) + InclusionProof inclusionProof = parseInclusionProof(parsed.unprotectedHeader()); + + return new ScittReceipt( + header, + parsed.protectedHeaderBytes(), + inclusionProof, + parsed.payload(), + parsed.signature() + ); + } + + /** + * Parses the inclusion proof from the unprotected header. + * + *

The inclusion proof is stored in the unprotected header with label 396 + * per draft-ietf-cose-merkle-tree-proofs. The format is a map with negative + * integer keys:

+ *
    + *
  • -1: tree_size (required)
    • + *
  • -2: leaf_index (required)
    • + *
  • -3: hash_path (array of 32-byte hashes, optional)
    • + *
  • -4: root_hash (32 bytes, optional)
    • + *
+ */ + private static InclusionProof parseInclusionProof(CBORObject unprotectedHeader) throws ScittParseException { + if (unprotectedHeader == null || unprotectedHeader.isNull() + || unprotectedHeader.getType() != CBORType.Map) { + throw new ScittParseException("Receipt must have an unprotected header map"); + } + + // Label 396 contains the inclusion proof map + CBORObject proofObject = unprotectedHeader.get(CBORObject.FromObject(396)); + if (proofObject == null) { + throw new ScittParseException("Receipt missing inclusion proofs (label 396)"); + } + + // Proof must be a map with negative integer keys + if (proofObject.getType() != CBORType.Map) { + throw new ScittParseException("Inclusion proof at label 396 must be a map"); + } + + return parseMapFormatProof(proofObject); + } + + /** + * Parses inclusion proof from MAP format with negative integer keys. + * + *

Expected keys:

+ *
    + *
  • -1: tree_size (required)
    • + *
  • -2: leaf_index (required)
    • + *
  • -3: hash_path (array of 32-byte hashes, optional)
    • + *
  • -4: root_hash (32 bytes, optional)
    • + *
+ */ + private static InclusionProof parseMapFormatProof(CBORObject proofMap) throws ScittParseException { + // Extract tree_size (-1) - required + CBORObject treeSizeObj = proofMap.get(CBORObject.FromObject(-1)); + if (treeSizeObj == null || !treeSizeObj.isNumber()) { + throw new ScittParseException("Inclusion proof missing required tree_size (key -1)"); + } + long treeSize = treeSizeObj.AsInt64Value(); + + // Extract leaf_index (-2) - required + CBORObject leafIndexObj = proofMap.get(CBORObject.FromObject(-2)); + if (leafIndexObj == null || !leafIndexObj.isNumber()) { + throw new ScittParseException("Inclusion proof missing required leaf_index (key -2)"); + } + long leafIndex = leafIndexObj.AsInt64Value(); + + // Extract hash_path (-3) - optional array of 32-byte hashes + List hashPath = new ArrayList<>(); + CBORObject hashPathObj = proofMap.get(CBORObject.FromObject(-3)); + if (hashPathObj != null && hashPathObj.getType() == CBORType.Array) { + for (int i = 0; i < hashPathObj.size(); i++) { + CBORObject element = hashPathObj.get(i); + if (element.getType() == CBORType.ByteString) { + byte[] hash = element.GetByteString(); + if (hash.length == 32) { + hashPath.add(hash); + } + } + } + } + + // Extract root_hash (-4) - optional 32-byte hash + byte[] rootHash = null; + CBORObject rootHashObj = proofMap.get(CBORObject.FromObject(-4)); + if (rootHashObj != null && rootHashObj.getType() == CBORType.ByteString) { + byte[] hash = rootHashObj.GetByteString(); + if (hash.length == 32) { + rootHash = hash; + } + } + + return new InclusionProof(treeSize, leafIndex, rootHash, hashPath); + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + ScittReceipt that = (ScittReceipt) o; + return Objects.equals(protectedHeader, that.protectedHeader) + && Arrays.equals(protectedHeaderBytes, that.protectedHeaderBytes) + && Objects.equals(inclusionProof, that.inclusionProof) + && Arrays.equals(eventPayload, that.eventPayload) + && Arrays.equals(signature, that.signature); + } + + @Override + public int hashCode() { + int result = Objects.hash(protectedHeader, inclusionProof); + result = 31 * result + Arrays.hashCode(protectedHeaderBytes); + result = 31 * result + Arrays.hashCode(eventPayload); + result = 31 * result + Arrays.hashCode(signature); + return result; + } + + @Override + public String toString() { + return "ScittReceipt{" + + "protectedHeader=" + protectedHeader + + ", inclusionProof=" + inclusionProof + + ", payloadSize=" + (eventPayload != null ? eventPayload.length : 0) + + '}'; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittVerifier.java new file mode 100644 index 0000000..c68dccc --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittVerifier.java @@ -0,0 +1,100 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.util.Map; + +/** + * Interface for SCITT (Supply Chain Integrity, Transparency, and Trust) verification. + * + *

SCITT verification replaces live transparency log queries with cryptographic + * proof verification. Artifacts (receipt + status token) are delivered via HTTP + * headers and verified locally using cached public keys.

+ * + *

Verification Flow

+ *
    + *
  1. Parse receipt and status token from HTTP headers
    2. + *
  2. Verify receipt signature using TL public key
    3. + *
  3. Verify Merkle inclusion proof in receipt
    4. + *
  4. Verify status token signature using RA public key
    5. + *
  5. Check status token expiry (with clock skew tolerance)
    6. + *
  6. Extract expected certificate fingerprints
    7. + *
+ * + *

Post-Verification

+ *

After TLS handshake, compare actual server certificate against + * the expected fingerprints from the status token.

+ */ +public interface ScittVerifier { + + /** + * Verifies SCITT artifacts and extracts expectations. + * + *

Both the receipt and status token are signed by the same transparency log key. + * The correct key is selected from the map by matching the key ID in the artifact + * header.

+ * + * @param receipt the parsed SCITT receipt + * @param token the parsed status token + * @param rootKeys the root public keys, keyed by hex key ID (4-byte SHA-256 of SPKI-DER) + * @return the verification expectation with expected certificate fingerprints + */ + ScittExpectation verify( + ScittReceipt receipt, + StatusToken token, + Map rootKeys + ); + + /** + * Verifies that the server certificate matches the SCITT expectation. + * + *

This should be called after the TLS handshake completes to compare + * the actual server certificate against the expected fingerprints.

+ * + * @param hostname the hostname that was connected to + * @param serverCert the server certificate from TLS handshake + * @param expectation the expectation from {@link #verify} + * @return the verification result + */ + ScittVerificationResult postVerify( + String hostname, + X509Certificate serverCert, + ScittExpectation expectation + ); + + /** + * Result of SCITT post-verification. + * + * @param success true if server certificate matches expectations + * @param actualFingerprint the fingerprint of the server certificate + * @param matchedFingerprint the expected fingerprint that matched (null if no match) + * @param failureReason reason for failure (null if successful) + */ + record ScittVerificationResult( + boolean success, + String actualFingerprint, + String matchedFingerprint, + String failureReason + ) { + /** + * Creates a successful result. + */ + public static ScittVerificationResult success(String fingerprint) { + return new ScittVerificationResult(true, fingerprint, fingerprint, null); + } + + /** + * Creates a mismatch result. + */ + public static ScittVerificationResult mismatch(String actual, String reason) { + return new ScittVerificationResult(false, actual, null, reason); + } + + /** + * Creates an error result. + */ + public static ScittVerificationResult error(String reason) { + return new ScittVerificationResult(false, null, null, reason); + } + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java new file mode 100644 index 0000000..1b71f3e --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java @@ -0,0 +1,411 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.godaddy.ans.sdk.transparency.model.CertificateInfo; +import com.godaddy.ans.sdk.transparency.model.CertType; +import com.upokecenter.cbor.CBORObject; +import com.upokecenter.cbor.CBORType; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.time.Duration; +import java.time.Instant; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** + * SCITT Status Token - a time-bounded assertion about an agent's status. + * + *

Status tokens are COSE_Sign1 structures signed by the RA (Registration Authority) + * that assert the current status of an agent. They include:

+ *
    + *
  • Agent ID and ANS name
    • + *
  • Current status (ACTIVE, WARNING, DEPRECATED, EXPIRED, REVOKED)
    • + *
  • Validity window (issued at, expires at)
    • + *
  • Valid certificate fingerprints (identity and server)
    • + *
  • Metadata hashes for endpoint protocols
    • + *
+ * + * @param agentId the agent's unique identifier + * @param status the agent's current status + * @param issuedAt when the token was issued + * @param expiresAt when the token expires + * @param ansName the agent's ANS name + * @param agentHost the agent's host (FQDN) + * @param validIdentityCerts valid identity certificate fingerprints + * @param validServerCerts valid server certificate fingerprints + * @param metadataHashes map of protocol to metadata hash (SHA256:...) + * @param protectedHeader the COSE protected header + * @param signature the RA signature + */ +public record StatusToken( + String agentId, + Status status, + Instant issuedAt, + Instant expiresAt, + String ansName, + String agentHost, + List validIdentityCerts, + List validServerCerts, + Map metadataHashes, + CoseProtectedHeader protectedHeader, + byte[] protectedHeaderBytes, + byte[] payload, + byte[] signature +) { + + private static final Logger LOGGER = LoggerFactory.getLogger(StatusToken.class); + + /** + * Default clock skew tolerance for expiry checks. + */ + public static final Duration DEFAULT_CLOCK_SKEW = Duration.ofSeconds(60); + + /** + * Agent status values. + */ + public enum Status { + /** Agent is active and in good standing */ + ACTIVE, + /** Agent is active but has warnings (e.g., certificate expiring soon) */ + WARNING, + /** Agent is deprecated and should not be used for new connections */ + DEPRECATED, + /** Agent registration has expired */ + EXPIRED, + /** Agent registration has been revoked */ + REVOKED, + /** Unknown status */ + UNKNOWN + } + + /** + * Compact constructor for defensive copying. + */ + public StatusToken { + validIdentityCerts = validIdentityCerts != null ? List.copyOf(validIdentityCerts) : List.of(); + validServerCerts = validServerCerts != null ? List.copyOf(validServerCerts) : List.of(); + metadataHashes = metadataHashes != null ? Map.copyOf(metadataHashes) : Map.of(); + } + + /** + * Parses a status token from raw COSE_Sign1 bytes. + * + * @param coseBytes the raw COSE_Sign1 bytes + * @return the parsed status token + * @throws ScittParseException if parsing fails + */ + public static StatusToken parse(byte[] coseBytes) throws ScittParseException { + Objects.requireNonNull(coseBytes, "coseBytes cannot be null"); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(coseBytes); + return fromParsedCose(parsed); + } + + /** + * Creates a StatusToken from an already-parsed COSE_Sign1 structure. + * + * @param parsed the parsed COSE_Sign1 + * @return the StatusToken + * @throws ScittParseException if the payload doesn't contain valid status token data + */ + public static StatusToken fromParsedCose(CoseSign1Parser.ParsedCoseSign1 parsed) throws ScittParseException { + Objects.requireNonNull(parsed, "parsed cannot be null"); + + CoseProtectedHeader header = parsed.protectedHeader(); + byte[] payload = parsed.payload(); + + if (payload == null || payload.length == 0) { + throw new ScittParseException("Status token payload cannot be empty"); + } + + // Parse the payload as CBOR + CBORObject payloadCbor; + try { + payloadCbor = CBORObject.DecodeFromBytes(payload); + } catch (Exception e) { + throw new ScittParseException("Failed to decode status token payload: " + e.getMessage(), e); + } + + if (payloadCbor.getType() != CBORType.Map) { + throw new ScittParseException("Status token payload must be a CBOR map"); + } + + // Extract fields from payload using integer keys + // Key mapping: 1=agent_id, 2=status, 3=iat, 4=exp, 5=ans_name, 6=identity_certs, 7=server_certs, 8=metadata + String agentId = extractRequiredString(payloadCbor, 1); + String statusStr = extractRequiredString(payloadCbor, 2); + Status status = parseStatus(statusStr); + + String ansName = extractOptionalString(payloadCbor, 5); + String agentHost = null; // Not used in TL format + + // Extract timestamps from CWT claims in header or payload + Instant issuedAt = null; + Instant expiresAt = null; + + if (header.cwtClaims() != null) { + issuedAt = header.cwtClaims().issuedAtTime(); + expiresAt = header.cwtClaims().expirationTime(); + } + + // Payload might override header claims + Long iatSeconds = extractOptionalLong(payloadCbor, 3); + Long expSeconds = extractOptionalLong(payloadCbor, 4); + + if (iatSeconds != null) { + issuedAt = Instant.ofEpochSecond(iatSeconds); + } + if (expSeconds != null) { + expiresAt = Instant.ofEpochSecond(expSeconds); + } + + // SECURITY: Tokens must have an expiration time - no infinite validity allowed + if (expiresAt == null) { + throw new ScittParseException("Status token missing required expiration time (exp claim)"); + } + + // Extract certificate lists + List identityCerts = extractCertificateList(payloadCbor, 6); + List serverCerts = extractCertificateList(payloadCbor, 7); + + // Extract metadata hashes + Map metadataHashes = extractMetadataHashes(payloadCbor, 8); + + return new StatusToken( + agentId, + status, + issuedAt, + expiresAt, + ansName, + agentHost, + identityCerts, + serverCerts, + metadataHashes, + header, + parsed.protectedHeaderBytes(), + payload, + parsed.signature() + ); + } + + /** + * Checks if this token is expired. + * + * @return true if the token is expired + */ + public boolean isExpired() { + return isExpired(Instant.now(), DEFAULT_CLOCK_SKEW); + } + + /** + * Checks if this token is expired with the specified clock skew tolerance. + * + * @param clockSkew the clock skew tolerance + * @return true if the token is expired + */ + public boolean isExpired(Duration clockSkew) { + return isExpired(Instant.now(), clockSkew); + } + + /** + * Checks if this token is expired at the given time with clock skew tolerance. + * + *

SECURITY: Tokens without an expiration time are considered expired. + * This is a defensive check - parsing should reject such tokens.

+ * + * @param now the current time + * @param clockSkew the clock skew tolerance + * @return true if the token is expired or has no expiration time + */ + public boolean isExpired(Instant now, Duration clockSkew) { + if (expiresAt == null) { + return true; // No expiration set - treat as expired (defensive) + } + return now.minus(clockSkew).isAfter(expiresAt); + } + + /** + * Returns the server certificate fingerprints as a list of strings. + * + * @return list of fingerprints + */ + public List serverCertFingerprints() { + return validServerCerts.stream() + .map(CertificateInfo::getFingerprint) + .filter(Objects::nonNull) + .toList(); + } + + /** + * Returns the identity certificate fingerprints as a list of strings. + * + * @return list of fingerprints + */ + public List identityCertFingerprints() { + return validIdentityCerts.stream() + .map(CertificateInfo::getFingerprint) + .filter(Objects::nonNull) + .toList(); + } + + /** + * Computes the recommended refresh interval based on token lifetime. + * + *

Returns half of (exp - iat) to refresh before expiry.

+ * + * @return the recommended refresh interval, or 5 minutes if cannot be computed + */ + public Duration computeRefreshInterval() { + if (issuedAt == null || expiresAt == null) { + return Duration.ofMinutes(5); // Default + } + Duration lifetime = Duration.between(issuedAt, expiresAt); + Duration halfLife = lifetime.dividedBy(2); + // Minimum 1 minute, maximum 1 hour + if (halfLife.compareTo(Duration.ofMinutes(1)) < 0) { + return Duration.ofMinutes(1); + } + if (halfLife.compareTo(Duration.ofHours(1)) > 0) { + return Duration.ofHours(1); + } + return halfLife; + } + + private static Status parseStatus(String statusStr) { + if (statusStr == null) { + return Status.UNKNOWN; + } + try { + return Status.valueOf(statusStr.toUpperCase()); + } catch (IllegalArgumentException e) { + LOGGER.warn("Unrecognized status value '{}', treating as UNKNOWN", statusStr); + return Status.UNKNOWN; + } + } + + private static String extractRequiredString(CBORObject map, int key) throws ScittParseException { + CBORObject value = map.get(CBORObject.FromObject(key)); + if (value == null || value.isNull()) { + throw new ScittParseException("Missing required field at key " + key); + } + if (value.getType() != CBORType.TextString) { + throw new ScittParseException("Field at key " + key + " must be a string"); + } + return value.AsString(); + } + + private static String extractOptionalString(CBORObject map, int key) { + CBORObject value = map.get(CBORObject.FromObject(key)); + if (value != null && value.getType() == CBORType.TextString) { + return value.AsString(); + } + return null; + } + + private static Long extractOptionalLong(CBORObject map, int key) { + CBORObject value = map.get(CBORObject.FromObject(key)); + if (value != null && value.isNumber()) { + return value.AsInt64(); + } + return null; + } + + private static List extractCertificateList(CBORObject map, int key) { + CBORObject value = map.get(CBORObject.FromObject(key)); + if (value == null || value.getType() != CBORType.Array) { + return Collections.emptyList(); + } + + List certs = new ArrayList<>(); + for (int i = 0; i < value.size(); i++) { + CBORObject certObj = value.get(i); + if (certObj.getType() == CBORType.Map) { + // Integer keys: 1=fingerprint, 2=type + CBORObject fingerprintObj = certObj.get(CBORObject.FromObject(1)); + if (fingerprintObj != null && fingerprintObj.getType() == CBORType.TextString) { + CertificateInfo cert = new CertificateInfo(); + cert.setFingerprint(fingerprintObj.AsString()); + + CBORObject typeObj = certObj.get(CBORObject.FromObject(2)); + if (typeObj != null && typeObj.getType() == CBORType.TextString) { + CertType certType = CertType.fromString(typeObj.AsString()); + if (certType != null) { + cert.setType(certType); + } + } + certs.add(cert); + } + } else if (certObj.getType() == CBORType.TextString) { + // Simple string fingerprint + CertificateInfo cert = new CertificateInfo(); + cert.setFingerprint(certObj.AsString()); + certs.add(cert); + } + } + return certs; + } + + private static Map extractMetadataHashes(CBORObject map, int key) { + CBORObject value = map.get(CBORObject.FromObject(key)); + if (value == null || value.getType() != CBORType.Map) { + return Collections.emptyMap(); + } + + Map hashes = new HashMap<>(); + for (CBORObject hashKey : value.getKeys()) { + if (hashKey.getType() == CBORType.TextString) { + CBORObject hashValue = value.get(hashKey); + if (hashValue != null && hashValue.getType() == CBORType.TextString) { + hashes.put(hashKey.AsString(), hashValue.AsString()); + } + } + } + return hashes; + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + StatusToken that = (StatusToken) o; + return Objects.equals(agentId, that.agentId) + && status == that.status + && Objects.equals(issuedAt, that.issuedAt) + && Objects.equals(expiresAt, that.expiresAt) + && Objects.equals(ansName, that.ansName) + && Objects.equals(agentHost, that.agentHost) + && Objects.equals(validIdentityCerts, that.validIdentityCerts) + && Objects.equals(validServerCerts, that.validServerCerts) + && Objects.equals(metadataHashes, that.metadataHashes) + && Arrays.equals(signature, that.signature); + } + + @Override + public int hashCode() { + int result = Objects.hash(agentId, status, issuedAt, expiresAt, ansName, agentHost, + validIdentityCerts, validServerCerts, metadataHashes); + result = 31 * result + Arrays.hashCode(signature); + return result; + } + + @Override + public String toString() { + return "StatusToken{" + + "agentId='" + agentId + '\'' + + ", status=" + status + + ", ansName='" + ansName + '\'' + + ", expiresAt=" + expiresAt + + ", serverCerts=" + validServerCerts.size() + + ", identityCerts=" + validIdentityCerts.size() + + '}'; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistry.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistry.java new file mode 100644 index 0000000..5c67772 --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistry.java @@ -0,0 +1,95 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import java.util.Arrays; +import java.util.Set; +import java.util.stream.Collectors; + +/** + * Registry of trusted SCITT domains for the ANS transparency infrastructure. + * + *

Trusted domains can be configured via the system property + * {@value #TRUSTED_DOMAINS_PROPERTY}. If not set, defaults to the production + * ANS transparency log domains.

+ * + *

Security note: Only domains in this registry will be trusted for + * fetching SCITT root keys. This prevents root key substitution attacks.

+ * + *

Immutability: The trusted domain set is captured once at class + * initialization and cannot be changed afterward. This prevents runtime + * modification attacks via system property manipulation.

+ * + *

Configuration

+ * 
{@code
+ * # Use default production domains (no property set)
+ *
+ * # Or specify custom domains (comma-separated) - must be set BEFORE first use
+ * -Dans.transparency.trusted.domains=transparency.ans.godaddy.com,localhost
+ * }
+ */ +public final class TrustedDomainRegistry { + + /** + * System property to specify trusted domains (comma-separated). + * If not set, defaults to production ANS transparency log domains. + *

Note: This property is read only once at class initialization. + * Changes after that point have no effect.

+ */ + public static final String TRUSTED_DOMAINS_PROPERTY = "ans.transparency.trusted.domains"; + + /** + * Default trusted SCITT domains used when no system property is set. + */ + public static final Set DEFAULT_TRUSTED_DOMAINS = Set.of( + "transparency.ans.godaddy.com", + "transparency.ans.ote-godaddy.com" + ); + + /** + * Immutable set of trusted domains, captured once at class initialization. + * This ensures the trusted domain set cannot be modified at runtime via + * system property manipulation - a security requirement for trust anchors. + */ + private static final Set TRUSTED_DOMAINS; + + static { + String property = System.getProperty(TRUSTED_DOMAINS_PROPERTY); + if (property == null || property.isBlank()) { + TRUSTED_DOMAINS = DEFAULT_TRUSTED_DOMAINS; + } else { + TRUSTED_DOMAINS = Arrays.stream(property.split(",")) + .map(String::trim) + .filter(s -> !s.isEmpty()) + .map(String::toLowerCase) + .collect(Collectors.toUnmodifiableSet()); + } + } + + private TrustedDomainRegistry() { + // Utility class + } + + /** + * Checks if a domain is trusted. + * + * @param domain the domain to check + * @return true if the domain is trusted + */ + public static boolean isTrustedDomain(String domain) { + if (domain == null) { + return false; + } + return TRUSTED_DOMAINS.contains(domain.toLowerCase()); + } + + /** + * Returns the set of trusted domains. + * + *

The returned set is immutable and was captured at class initialization. + * Subsequent changes to the system property have no effect.

+ * + * @return trusted domains (immutable) + */ + public static Set getTrustedDomains() { + return TRUSTED_DOMAINS; + } +} diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/package-info.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/package-info.java new file mode 100644 index 0000000..f0def8e --- /dev/null +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/package-info.java @@ -0,0 +1,38 @@ +/** + * SCITT (Supply Chain Integrity, Transparency, and Trust) verification support. + * + *

This package provides cryptographic verification of agent registrations using + * SCITT artifacts delivered via HTTP headers, eliminating the need for live + * Transparency Log queries during connection establishment.

+ * + *

Key Components

+ *
    + *
  • {@link com.godaddy.ans.sdk.transparency.scitt.ScittReceipt} - COSE_Sign1 receipt with Merkle proof
    • + *
  • {@link com.godaddy.ans.sdk.transparency.scitt.StatusToken} - Time-bounded status assertion
    • + *
  • {@link com.godaddy.ans.sdk.transparency.scitt.ScittVerifier} - Receipt and token verification
    • + *
  • {@link com.godaddy.ans.sdk.transparency.TransparencyClient} - Public key fetching via getRootKeyAsync()
    • + *
+ * + *

Verification Flow

+ *
    + *
  1. Extract SCITT headers from HTTP response
    2. + *
  2. Parse receipt (COSE_Sign1) and verify TL signature
    3. + *
  3. Verify Merkle inclusion proof in receipt
    4. + *
  4. Parse status token (COSE_Sign1) and verify RA signature
    5. + *
  5. Check token expiry with clock skew tolerance
    6. + *
  6. Extract expected certificate fingerprints
    7. + *
  7. Compare actual certificate against expectations
    8. + *
+ * + *

Security Considerations

+ *
    + *
  • Only ES256 (ECDSA P-256) signatures are accepted
    • + *
  • Key pinning prevents first-use attacks
    • + *
  • Constant-time comparison for fingerprints
    • + *
  • Trusted RA registry prevents rogue TL acceptance
    • + *
+ * + * @see com.godaddy.ans.sdk.transparency.scitt.ScittVerifier + * @see com.godaddy.ans.sdk.transparency.scitt.StatusToken + */ +package com.godaddy.ans.sdk.transparency.scitt; diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1ParserTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1ParserTest.java new file mode 100644 index 0000000..f69f7cc --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1ParserTest.java @@ -0,0 +1,386 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.upokecenter.cbor.CBORObject; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.nio.charset.StandardCharsets; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +class CoseSign1ParserTest { + + @Nested + @DisplayName("parse() tests") + class ParseTests { + + @Test + @DisplayName("Should reject null input") + void shouldRejectNullInput() { + assertThatThrownBy(() -> CoseSign1Parser.parse(null)) + .isInstanceOf(NullPointerException.class) + .hasMessage("coseBytes cannot be null"); + } + + @Test + @DisplayName("Should reject empty input") + void shouldRejectEmptyInput() { + assertThatThrownBy(() -> CoseSign1Parser.parse(new byte[0])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Failed to decode CBOR"); + } + + @Test + @DisplayName("Should reject invalid CBOR") + void shouldRejectInvalidCbor() { + byte[] invalidCbor = {0x01, 0x02, 0x03}; + assertThatThrownBy(() -> CoseSign1Parser.parse(invalidCbor)) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Failed to decode CBOR"); + } + + @Test + @DisplayName("Should reject CBOR without COSE_Sign1 tag") + void shouldRejectCborWithoutTag() { + // Array without tag + CBORObject array = CBORObject.NewArray(); + array.Add(new byte[0]); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + + assertThatThrownBy(() -> CoseSign1Parser.parse(array.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Expected COSE_Sign1 tag (18)"); + } + + @Test + @DisplayName("Should reject COSE_Sign1 with wrong number of elements") + void shouldRejectWrongElementCount() { + // Tag 18 but only 3 elements + CBORObject array = CBORObject.NewArray(); + array.Add(new byte[0]); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("must be an array of 4 elements"); + } + + @Test + @DisplayName("Should reject non-ES256 algorithm") + void shouldRejectNonEs256Algorithm() throws Exception { + // Build COSE_Sign1 with RS256 (alg = -257) + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -257); // alg = RS256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); // payload + array.Add(new byte[64]); // signature + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Algorithm substitution attack prevented") + .hasMessageContaining("only ES256 (alg=-7) is accepted"); + } + + @Test + @DisplayName("Should reject invalid signature length") + void shouldRejectInvalidSignatureLength() throws Exception { + // Build valid COSE_Sign1 with ES256 but wrong signature length + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); // payload + array.Add(new byte[32]); // Wrong! Should be 64 bytes + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid ES256 signature length") + .hasMessageContaining("expected 64 bytes"); + } + + @Test + @DisplayName("Should parse valid COSE_Sign1 with ES256") + void shouldParseValidCoseSign1() throws Exception { + // Build valid COSE_Sign1 + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(4, new byte[]{0x01, 0x02, 0x03, 0x04}); // kid + protectedHeader.Add(395, 1); // vds = RFC9162_SHA256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + byte[] payload = "test payload".getBytes(StandardCharsets.UTF_8); + byte[] signature = new byte[64]; // 64-byte placeholder + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(payload); + array.Add(signature); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(tagged.EncodeToBytes()); + + assertThat(parsed.protectedHeader().algorithm()).isEqualTo(-7); + assertThat(parsed.protectedHeader().keyId()).containsExactly(0x01, 0x02, 0x03, 0x04); + assertThat(parsed.protectedHeader().vds()).isEqualTo(1); + assertThat(parsed.payload()).isEqualTo(payload); + assertThat(parsed.signature()).hasSize(64); + } + + @Test + @DisplayName("Should reject empty protected header bytes") + void shouldRejectEmptyProtectedHeaderBytes() { + // Build COSE_Sign1 with empty protected header + CBORObject array = CBORObject.NewArray(); + array.Add(new byte[0]); // Empty protected header + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Protected header cannot be empty"); + } + + @Test + @DisplayName("Should reject protected header that is not a CBOR map") + void shouldRejectNonMapProtectedHeader() { + // Protected header encoded as array instead of map + CBORObject protectedArray = CBORObject.NewArray(); + protectedArray.Add(-7); + byte[] protectedBytes = protectedArray.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Protected header must be a CBOR map"); + } + + @Test + @DisplayName("Should reject protected header missing algorithm") + void shouldRejectMissingAlgorithm() { + // Protected header without alg field + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(4, new byte[]{0x01, 0x02, 0x03, 0x04}); // Only kid, no alg + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Protected header missing algorithm"); + } + + @Test + @DisplayName("Should parse COSE_Sign1 with detached (null) payload") + void shouldParseDetachedPayload() throws Exception { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(CBORObject.Null); // Null payload (detached) + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(tagged.EncodeToBytes()); + + assertThat(parsed.payload()).isNull(); + } + + @Test + @DisplayName("Should reject non-byte-string protected header element") + void shouldRejectNonByteStringProtectedHeader() { + CBORObject array = CBORObject.NewArray(); + array.Add("not bytes"); // String instead of byte string + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> CoseSign1Parser.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("must be a byte string"); + } + + @Test + @DisplayName("Should parse protected header with integer content type") + void shouldParseIntegerContentType() throws Exception { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(3, 60); // content type as integer (application/cbor) + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(tagged.EncodeToBytes()); + + assertThat(parsed.protectedHeader().contentType()).isEqualTo("60"); + } + + @Test + @DisplayName("Should parse protected header with string content type") + void shouldParseStringContentType() throws Exception { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(3, "application/json"); // content type as string + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(tagged.EncodeToBytes()); + + assertThat(parsed.protectedHeader().contentType()).isEqualTo("application/json"); + } + + @Test + @DisplayName("Should handle null unprotected header") + void shouldHandleNullUnprotectedHeader() throws Exception { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.Null); // Null unprotected header + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(tagged.EncodeToBytes()); + + assertThat(parsed.unprotectedHeader().isNull()).isTrue(); + } + + @Test + @DisplayName("Should parse COSE_Sign1 with CWT claims") + void shouldParseCwtClaims() throws Exception { + // Build COSE_Sign1 with CWT claims in protected header + CBORObject cwtClaims = CBORObject.NewMap(); + cwtClaims.Add(1, "issuer"); // iss + cwtClaims.Add(2, "subject"); // sub + cwtClaims.Add(4, 1700000000L); // exp + cwtClaims.Add(6, 1600000000L); // iat + + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(13, cwtClaims); // cwt_claims + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(new byte[0]); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + CoseSign1Parser.ParsedCoseSign1 parsed = CoseSign1Parser.parse(tagged.EncodeToBytes()); + + CwtClaims claims = parsed.protectedHeader().cwtClaims(); + assertThat(claims).isNotNull(); + assertThat(claims.iss()).isEqualTo("issuer"); + assertThat(claims.sub()).isEqualTo("subject"); + assertThat(claims.exp()).isEqualTo(1700000000L); + assertThat(claims.iat()).isEqualTo(1600000000L); + } + } + + @Nested + @DisplayName("buildSigStructure() tests") + class BuildSigStructureTests { + + @Test + @DisplayName("Should build correct Sig_structure") + void shouldBuildCorrectSigStructure() { + byte[] protectedHeader = new byte[]{0x01, 0x02}; + byte[] externalAad = new byte[]{0x03, 0x04}; + byte[] payload = "payload".getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeader, externalAad, payload); + + // Decode and verify structure + CBORObject decoded = CBORObject.DecodeFromBytes(sigStructure); + assertThat(decoded.size()).isEqualTo(4); + assertThat(decoded.get(0).AsString()).isEqualTo("Signature1"); + assertThat(decoded.get(1).GetByteString()).isEqualTo(protectedHeader); + assertThat(decoded.get(2).GetByteString()).isEqualTo(externalAad); + assertThat(decoded.get(3).GetByteString()).isEqualTo(payload); + } + + @Test + @DisplayName("Should handle null values") + void shouldHandleNullValues() { + byte[] sigStructure = CoseSign1Parser.buildSigStructure(null, null, null); + + CBORObject decoded = CBORObject.DecodeFromBytes(sigStructure); + assertThat(decoded.get(1).GetByteString()).isEmpty(); + assertThat(decoded.get(2).GetByteString()).isEmpty(); + assertThat(decoded.get(3).GetByteString()).isEmpty(); + } + } + + @Nested + @DisplayName("CoseProtectedHeader tests") + class CoseProtectedHeaderTests { + + @Test + @DisplayName("Should detect RFC 9162 Merkle tree VDS") + void shouldDetectRfc9162MerkleTree() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, null, 1, null, null); + assertThat(header.isRfc9162MerkleTree()).isTrue(); + + CoseProtectedHeader headerOther = new CoseProtectedHeader(-7, null, 2, null, null); + assertThat(headerOther.isRfc9162MerkleTree()).isFalse(); + + CoseProtectedHeader headerNull = new CoseProtectedHeader(-7, null, null, null, null); + assertThat(headerNull.isRfc9162MerkleTree()).isFalse(); + } + + @Test + @DisplayName("Should format key ID as hex") + void shouldFormatKeyIdAsHex() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, + new byte[]{(byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF}, null, null, null); + assertThat(header.keyIdHex()).isEqualTo("deadbeef"); + } + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java new file mode 100644 index 0000000..5e4ddfb --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java @@ -0,0 +1,398 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.upokecenter.cbor.CBORObject; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.time.Instant; +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +class DefaultScittHeaderProviderTest { + + @Nested + @DisplayName("Constructor tests") + class ConstructorTests { + + @Test + @DisplayName("Should create provider with no arguments") + void shouldCreateWithNoArguments() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + assertThat(provider).isNotNull(); + } + + @Test + @DisplayName("Should create provider with receipt and token bytes") + void shouldCreateWithReceiptAndToken() { + byte[] receipt = {0x01, 0x02, 0x03}; + byte[] token = {0x04, 0x05, 0x06}; + + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(receipt, token); + assertThat(provider).isNotNull(); + } + + @Test + @DisplayName("Should create provider with null values") + void shouldCreateWithNullValues() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(null, null); + assertThat(provider).isNotNull(); + } + } + + @Nested + @DisplayName("Builder tests") + class BuilderTests { + + @Test + @DisplayName("Should build empty provider") + void shouldBuildEmptyProvider() { + DefaultScittHeaderProvider provider = DefaultScittHeaderProvider.builder().build(); + assertThat(provider).isNotNull(); + assertThat(provider.getOutgoingHeaders()).isEmpty(); + } + + @Test + @DisplayName("Should build provider with receipt") + void shouldBuildProviderWithReceipt() { + byte[] receipt = {0x01, 0x02, 0x03}; + + DefaultScittHeaderProvider provider = DefaultScittHeaderProvider.builder() + .receipt(receipt) + .build(); + + Map headers = provider.getOutgoingHeaders(); + assertThat(headers).containsKey(ScittHeaders.SCITT_RECEIPT_HEADER); + } + + @Test + @DisplayName("Should build provider with status token") + void shouldBuildProviderWithStatusToken() { + byte[] token = {0x01, 0x02, 0x03}; + + DefaultScittHeaderProvider provider = DefaultScittHeaderProvider.builder() + .statusToken(token) + .build(); + + Map headers = provider.getOutgoingHeaders(); + assertThat(headers).containsKey(ScittHeaders.STATUS_TOKEN_HEADER); + } + + @Test + @DisplayName("Should build provider with both artifacts") + void shouldBuildProviderWithBoth() { + byte[] receipt = {0x01, 0x02, 0x03}; + byte[] token = {0x04, 0x05, 0x06}; + + DefaultScittHeaderProvider provider = DefaultScittHeaderProvider.builder() + .receipt(receipt) + .statusToken(token) + .build(); + + Map headers = provider.getOutgoingHeaders(); + assertThat(headers).hasSize(2); + assertThat(headers).containsKey(ScittHeaders.SCITT_RECEIPT_HEADER); + assertThat(headers).containsKey(ScittHeaders.STATUS_TOKEN_HEADER); + } + } + + @Nested + @DisplayName("getOutgoingHeaders() tests") + class GetOutgoingHeadersTests { + + @Test + @DisplayName("Should return empty map when no artifacts") + void shouldReturnEmptyMapWhenNoArtifacts() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + + Map headers = provider.getOutgoingHeaders(); + + assertThat(headers).isEmpty(); + } + + @Test + @DisplayName("Should Base64 encode receipt") + void shouldBase64EncodeReceipt() { + byte[] receipt = {0x01, 0x02, 0x03}; + String expectedBase64 = Base64.getEncoder().encodeToString(receipt); + + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(receipt, null); + + Map headers = provider.getOutgoingHeaders(); + + assertThat(headers.get(ScittHeaders.SCITT_RECEIPT_HEADER)).isEqualTo(expectedBase64); + } + + @Test + @DisplayName("Should Base64 encode status token") + void shouldBase64EncodeStatusToken() { + byte[] token = {0x04, 0x05, 0x06}; + String expectedBase64 = Base64.getEncoder().encodeToString(token); + + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(null, token); + + Map headers = provider.getOutgoingHeaders(); + + assertThat(headers.get(ScittHeaders.STATUS_TOKEN_HEADER)).isEqualTo(expectedBase64); + } + + @Test + @DisplayName("Should return immutable map") + void shouldReturnImmutableMap() { + byte[] receipt = {0x01, 0x02, 0x03}; + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(receipt, null); + + Map headers = provider.getOutgoingHeaders(); + + assertThatThrownBy(() -> headers.put("new-key", "value")) + .isInstanceOf(UnsupportedOperationException.class); + } + } + + @Nested + @DisplayName("extractArtifacts() tests") + class ExtractArtifactsTests { + + @Test + @DisplayName("Should reject null headers") + void shouldRejectNullHeaders() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + + assertThatThrownBy(() -> provider.extractArtifacts(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("headers cannot be null"); + } + + @Test + @DisplayName("Should return empty when no SCITT headers") + void shouldReturnEmptyWhenNoScittHeaders() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + + Optional result = + provider.extractArtifacts(Map.of("Content-Type", "application/json")); + + assertThat(result).isEmpty(); + } + + @Test + @DisplayName("Should extract valid status token") + void shouldExtractValidStatusToken() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + byte[] tokenBytes = createValidStatusTokenBytes(); + String base64Token = Base64.getEncoder().encodeToString(tokenBytes); + + Map headers = Map.of(ScittHeaders.STATUS_TOKEN_HEADER, base64Token); + + Optional result = provider.extractArtifacts(headers); + + assertThat(result).isPresent(); + assertThat(result.get().statusToken()).isNotNull(); + assertThat(result.get().statusToken().agentId()).isEqualTo("test-agent"); + } + + @Test + @DisplayName("Should extract valid receipt") + void shouldExtractValidReceipt() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + byte[] receiptBytes = createValidReceiptBytes(); + String base64Receipt = Base64.getEncoder().encodeToString(receiptBytes); + + Map headers = Map.of(ScittHeaders.SCITT_RECEIPT_HEADER, base64Receipt); + + Optional result = provider.extractArtifacts(headers); + + assertThat(result).isPresent(); + assertThat(result.get().receipt()).isNotNull(); + } + + @Test + @DisplayName("Should extract both receipt and token") + void shouldExtractBothArtifacts() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + byte[] receiptBytes = createValidReceiptBytes(); + byte[] tokenBytes = createValidStatusTokenBytes(); + + Map headers = new HashMap<>(); + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, Base64.getEncoder().encodeToString(receiptBytes)); + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, Base64.getEncoder().encodeToString(tokenBytes)); + + Optional result = provider.extractArtifacts(headers); + + assertThat(result).isPresent(); + assertThat(result.get().receipt()).isNotNull(); + assertThat(result.get().statusToken()).isNotNull(); + assertThat(result.get().isComplete()).isTrue(); + assertThat(result.get().isPresent()).isTrue(); + } + + @Test + @DisplayName("Should throw when headers present but invalid Base64") + void shouldThrowOnInvalidBase64() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + + Map headers = Map.of(ScittHeaders.STATUS_TOKEN_HEADER, "not-valid-base64!!!"); + + // Headers present but parse failed should throw, not return empty + // This allows callers to distinguish "no headers" from "headers present but malformed" + assertThatThrownBy(() -> provider.extractArtifacts(headers)) + .isInstanceOf(IllegalStateException.class) + .hasMessageContaining("SCITT headers present but failed to parse") + .hasMessageContaining("Invalid Base64"); + } + + @Test + @DisplayName("Should throw when headers present but invalid CBOR") + void shouldThrowOnInvalidCbor() { + DefaultScittHeaderProvider provider = new DefaultScittHeaderProvider(); + byte[] invalidCbor = {0x01, 0x02, 0x03}; + + Map headers = Map.of( + ScittHeaders.STATUS_TOKEN_HEADER, Base64.getEncoder().encodeToString(invalidCbor)); + + // Headers present but parse failed should throw, not return empty + assertThatThrownBy(() -> provider.extractArtifacts(headers)) + .isInstanceOf(IllegalStateException.class) + .hasMessageContaining("SCITT headers present but failed to parse"); + } + } + + @Nested + @DisplayName("ScittArtifacts tests") + class ScittArtifactsTests { + + @Test + @DisplayName("isComplete should return true when both present") + void isCompleteShouldReturnTrueWhenBothPresent() { + ScittReceipt receipt = createMockReceipt(); + StatusToken token = createMockToken(); + + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[0], new byte[0]); + + assertThat(artifacts.isComplete()).isTrue(); + } + + @Test + @DisplayName("isComplete should return false when receipt missing") + void isCompleteShouldReturnFalseWhenReceiptMissing() { + StatusToken token = createMockToken(); + + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(null, token, null, new byte[0]); + + assertThat(artifacts.isComplete()).isFalse(); + } + + @Test + @DisplayName("isComplete should return false when token missing") + void isCompleteShouldReturnFalseWhenTokenMissing() { + ScittReceipt receipt = createMockReceipt(); + + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, null, new byte[0], null); + + assertThat(artifacts.isComplete()).isFalse(); + } + + @Test + @DisplayName("isPresent should return true when at least one present") + void isPresentShouldReturnTrueWhenAtLeastOnePresent() { + ScittReceipt receipt = createMockReceipt(); + + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, null, new byte[0], null); + + assertThat(artifacts.isPresent()).isTrue(); + } + + @Test + @DisplayName("isPresent should return false when both null") + void isPresentShouldReturnFalseWhenBothNull() { + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(null, null, null, null); + + assertThat(artifacts.isPresent()).isFalse(); + } + } + + // Helper methods + + private byte[] createValidStatusTokenBytes() { + long now = Instant.now().getEpochSecond(); + + // Use integer keys: 1=agent_id, 2=status, 3=iat, 4=exp + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id + payload.Add(2, "ACTIVE"); // status + payload.Add(3, now); // iat + payload.Add(4, now + 3600); // exp + + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(payload.EncodeToBytes()); + array.Add(new byte[64]); // signature + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + private byte[] createValidReceiptBytes() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(395, 1); // vds = RFC9162_SHA256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Create unprotected header with inclusion proof (MAP format) + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 1L); // tree_size + inclusionProofMap.Add(-2, 0L); // leaf_index + inclusionProofMap.Add(-3, CBORObject.NewArray()); // empty hash_path + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("test-payload".getBytes()); + array.Add(new byte[64]); // signature + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + private ScittReceipt createMockReceipt() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], java.util.List.of()); + return new ScittReceipt(header, new byte[10], proof, "payload".getBytes(), new byte[64]); + } + + private StatusToken createMockToken() { + return new StatusToken( + "test-agent", + StatusToken.Status.ACTIVE, + Instant.now(), + Instant.now().plusSeconds(3600), + "test.ans", + "agent.example.com", + java.util.List.of(), + java.util.List.of(), + java.util.Map.of(), + null, + null, + null, + null + ); + } +} \ No newline at end of file diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java new file mode 100644 index 0000000..d181611 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java @@ -0,0 +1,1080 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import com.godaddy.ans.sdk.crypto.CryptoCache; + +import org.bouncycastle.util.encoders.Hex; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.MessageDigest; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Signature; +import java.security.cert.X509Certificate; +import java.security.spec.ECGenParameterSpec; +import java.time.Duration; +import java.time.Instant; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +class DefaultScittVerifierTest { + + private DefaultScittVerifier verifier; + private KeyPair keyPair; + + @BeforeEach + void setUp() throws Exception { + verifier = new DefaultScittVerifier(); + + // Generate test EC key pair (P-256) + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(new ECGenParameterSpec("secp256r1")); + keyPair = keyGen.generateKeyPair(); + } + + /** + * Helper to convert a PublicKey to a Map keyed by hex key ID. + */ + private Map toRootKeys(PublicKey publicKey) { + // Compute hex key ID: SHA-256(SPKI-DER)[0:4] as hex + byte[] hash = CryptoCache.sha256(publicKey.getEncoded()); + String hexKeyId = Hex.toHexString(Arrays.copyOf(hash, 4)); + Map map = new HashMap<>(); + map.put(hexKeyId, publicKey); + return map; + } + + @Nested + @DisplayName("Constructor tests") + class ConstructorTests { + + @Test + @DisplayName("Should create verifier with default clock skew") + void shouldCreateWithDefaultClockSkew() { + DefaultScittVerifier v = new DefaultScittVerifier(); + assertThat(v).isNotNull(); + } + + @Test + @DisplayName("Should create verifier with custom clock skew") + void shouldCreateWithCustomClockSkew() { + DefaultScittVerifier v = new DefaultScittVerifier(Duration.ofMinutes(5)); + assertThat(v).isNotNull(); + } + + @Test + @DisplayName("Should reject null clock skew tolerance") + void shouldRejectNullClockSkew() { + assertThatThrownBy(() -> new DefaultScittVerifier(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("clockSkewTolerance cannot be null"); + } + } + + @Nested + @DisplayName("verify() tests") + class VerifyTests { + + @Test + @DisplayName("Should reject null receipt") + void shouldRejectNullReceipt() { + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + assertThatThrownBy(() -> verifier.verify(null, token, toRootKeys(keyPair.getPublic()))) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("receipt cannot be null"); + } + + @Test + @DisplayName("Should reject null token") + void shouldRejectNullToken() { + ScittReceipt receipt = createMockReceipt(); + + assertThatThrownBy(() -> verifier.verify(receipt, null, toRootKeys(keyPair.getPublic()))) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("token cannot be null"); + } + + @Test + @DisplayName("Should reject null root keys map") + void shouldRejectNullRootKeys() { + ScittReceipt receipt = createMockReceipt(); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + assertThatThrownBy(() -> verifier.verify(receipt, token, null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("rootKeys cannot be null"); + } + + @Test + @DisplayName("Should return error for empty root keys map") + void shouldReturnErrorForEmptyRootKeys() { + ScittReceipt receipt = createMockReceipt(); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, new HashMap<>()); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.failureReason()).contains("No root keys available"); + } + + @Test + @DisplayName("Should return invalid receipt for bad receipt signature") + void shouldReturnInvalidReceiptForBadSignature() throws Exception { + ScittReceipt receipt = createReceiptWithSignature(new byte[64]); // Bad signature + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.failureReason()).contains("signature verification failed"); + } + + @Test + @DisplayName("Should return invalid token for revoked agent") + void shouldReturnInvalidTokenForRevokedAgent() throws Exception { + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.REVOKED); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.AGENT_REVOKED); + } + + @Test + @DisplayName("Should return inactive for deprecated agent") + void shouldReturnInactiveForDeprecatedAgent() throws Exception { + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.DEPRECATED); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.AGENT_INACTIVE); + } + + @Test + @DisplayName("Should allow WARNING status as valid") + void shouldAllowWarningStatus() throws Exception { + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.WARNING); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // WARNING should be allowed (verified), not rejected + assertThat(result.status()).isIn(ScittExpectation.Status.VERIFIED, ScittExpectation.Status.INVALID_RECEIPT); + } + } + + @Nested + @DisplayName("postVerify() tests") + class PostVerifyTests { + + @Test + @DisplayName("Should reject null hostname") + void shouldRejectNullHostname() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.verified( + List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + + assertThatThrownBy(() -> verifier.postVerify(null, cert, expectation)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("hostname cannot be null"); + } + + @Test + @DisplayName("Should reject null server certificate") + void shouldRejectNullServerCert() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + + assertThatThrownBy(() -> verifier.postVerify("test.example.com", null, expectation)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("serverCert cannot be null"); + } + + @Test + @DisplayName("Should reject null expectation") + void shouldRejectNullExpectation() { + X509Certificate cert = mock(X509Certificate.class); + + assertThatThrownBy(() -> verifier.postVerify("test.example.com", cert, null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("expectation cannot be null"); + } + + @Test + @DisplayName("Should return error for unverified expectation") + void shouldReturnErrorForUnverifiedExpectation() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.invalidReceipt("Test failure"); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isFalse(); + assertThat(result.failureReason()).contains("pre-verification failed"); + } + + @Test + @DisplayName("Should return error when no expected fingerprints") + void shouldReturnErrorWhenNoFingerprints() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.verified( + List.of(), List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isFalse(); + assertThat(result.failureReason()).contains("No server certificate fingerprints"); + } + + @Test + @DisplayName("Should return success when fingerprint matches") + void shouldReturnSuccessWhenFingerprintMatches() throws Exception { + // Create a real-ish mock certificate + X509Certificate cert = mock(X509Certificate.class); + byte[] certBytes = new byte[100]; + when(cert.getEncoded()).thenReturn(certBytes); + + // Compute expected fingerprint + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] digest = md.digest(certBytes); + String expectedFingerprint = bytesToHex(digest); + + ScittExpectation expectation = ScittExpectation.verified( + List.of(expectedFingerprint), List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isTrue(); + assertThat(result.actualFingerprint()).isEqualTo(expectedFingerprint); + } + + @Test + @DisplayName("Should return mismatch when fingerprint does not match") + void shouldReturnMismatchWhenFingerprintDoesNotMatch() throws Exception { + X509Certificate cert = mock(X509Certificate.class); + when(cert.getEncoded()).thenReturn(new byte[100]); + + ScittExpectation expectation = ScittExpectation.verified( + List.of("deadbeef00000000000000000000000000000000000000000000000000000000"), + List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isFalse(); + assertThat(result.failureReason()).contains("does not match"); + } + + @Test + @DisplayName("Should normalize fingerprints with colons") + void shouldNormalizeFingerprintsWithColons() throws Exception { + X509Certificate cert = mock(X509Certificate.class); + byte[] certBytes = new byte[100]; + when(cert.getEncoded()).thenReturn(certBytes); + + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] digest = md.digest(certBytes); + String hexFingerprint = bytesToHex(digest); + + // Format with colons (every 2 chars) and SHA256: prefix + StringBuilder colonFormatted = new StringBuilder("SHA256:"); + for (int i = 0; i < hexFingerprint.length(); i += 2) { + if (i > 0) { + colonFormatted.append(":"); + } + colonFormatted.append(hexFingerprint.substring(i, i + 2)); + } + + ScittExpectation expectation = ScittExpectation.verified( + List.of(colonFormatted.toString()), List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isTrue(); + } + + @Test + @DisplayName("Should match any of multiple expected fingerprints") + void shouldMatchAnyOfMultipleFingerprints() throws Exception { + X509Certificate cert = mock(X509Certificate.class); + byte[] certBytes = new byte[100]; + when(cert.getEncoded()).thenReturn(certBytes); + + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] digest = md.digest(certBytes); + String expectedFingerprint = bytesToHex(digest); + + ScittExpectation expectation = ScittExpectation.verified( + List.of( + "wrong1000000000000000000000000000000000000000000000000000000000", + expectedFingerprint, + "wrong2000000000000000000000000000000000000000000000000000000000" + ), + List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isTrue(); + } + } + + @Nested + @DisplayName("Clock skew handling tests") + class ClockSkewTests { + + @Test + @DisplayName("Should accept token within clock skew tolerance") + void shouldAcceptTokenWithinClockSkew() throws Exception { + // Create verifier with 60 second clock skew + DefaultScittVerifier v = new DefaultScittVerifier(Duration.ofSeconds(60)); + + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + // Token expired 30 seconds ago (within 60 second tolerance) + StatusToken token = createExpiredToken(keyPair.getPrivate(), Duration.ofSeconds(30)); + + ScittExpectation result = v.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // Should not be marked as expired + assertThat(result.status()).isNotEqualTo(ScittExpectation.Status.TOKEN_EXPIRED); + } + + @Test + @DisplayName("Should reject token beyond clock skew tolerance") + void shouldRejectTokenBeyondClockSkew() throws Exception { + DefaultScittVerifier v = new DefaultScittVerifier(Duration.ofSeconds(60)); + + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + // Token expired 120 seconds ago (beyond 60 second tolerance) + StatusToken token = createExpiredToken(keyPair.getPrivate(), Duration.ofSeconds(120)); + + ScittExpectation result = v.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // May be TOKEN_EXPIRED or INVALID_TOKEN/INVALID_RECEIPT depending on verification order + assertThat(result.status()).isIn( + ScittExpectation.Status.TOKEN_EXPIRED, + ScittExpectation.Status.INVALID_RECEIPT, + ScittExpectation.Status.INVALID_TOKEN + ); + } + } + + @Nested + @DisplayName("Merkle proof verification tests") + class MerkleProofTests { + + @Test + @DisplayName("Should handle receipt with null inclusion proof") + void shouldHandleReceiptWithNullInclusionProof() throws Exception { + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + ScittReceipt receipt = new ScittReceipt( + header, + new byte[10], + null, // null inclusion proof + "test-payload".getBytes(), + new byte[64] + ); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // Should fail at receipt signature verification first, or merkle proof verification + assertThat(result.status()).isIn( + ScittExpectation.Status.INVALID_RECEIPT, + ScittExpectation.Status.INVALID_TOKEN + ); + } + + @Test + @DisplayName("Should reject receipt with incomplete Merkle proof (no root hash)") + void shouldRejectIncompleteProof() throws Exception { + // Create a properly signed receipt but with incomplete Merkle proof + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "test-payload".getBytes(); + + // Sign the receipt properly + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(keyPair.getPrivate()); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + + // Proof without root hash (treeSize > 0 but rootHash = null) - INCOMPLETE + ScittReceipt.InclusionProof incompleteProof = new ScittReceipt.InclusionProof( + 10, 5, null, List.of()); + + ScittReceipt receipt = new ScittReceipt(header, protectedHeaderBytes, incompleteProof, payload, + p1363Signature); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // Incomplete Merkle proof must fail - cannot verify log inclusion without all components + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.failureReason()).contains("Merkle proof"); + } + } + + @Nested + @DisplayName("Signature validation tests") + class SignatureValidationTests { + + @Test + @DisplayName("Should fail verification with wrong signature length (not 64 bytes)") + void shouldFailWithWrongSignatureLength() throws Exception { + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + byte[] payload = "test-payload".getBytes(); + byte[] leafHash = MerkleProofVerifier.hashLeaf(payload); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 1, 0, leafHash, List.of()); + + // Wrong signature length - 32 bytes instead of 64 + byte[] wrongLengthSignature = new byte[32]; + ScittReceipt receipt = new ScittReceipt( + header, + new byte[10], + proof, + payload, + wrongLengthSignature + ); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + } + + @Test + @DisplayName("Should fail verification with wrong key") + void shouldFailWithWrongKey() throws Exception { + // Sign receipt with one key + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + // But provide a different key for verification + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(new ECGenParameterSpec("secp256r1")); + KeyPair wrongKeyPair = keyGen.generateKeyPair(); + + // Verify with wrong key + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(wrongKeyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + } + } + + @Nested + @DisplayName("Merkle proof validation tests") + class MerkleProofValidationTests { + + @Test + @DisplayName("Should fail verification with wrong root hash") + void shouldFailWithWrongRootHash() throws Exception { + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + byte[] payload = "test-payload".getBytes(); + + // Create proof with correct leaf but wrong root hash + byte[] wrongRootHash = new byte[32]; + Arrays.fill(wrongRootHash, (byte) 0xFF); + + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 1, 0, wrongRootHash, List.of()); + + ScittReceipt receipt = new ScittReceipt( + header, + new byte[10], + proof, + payload, + new byte[64] + ); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // Should fail at receipt signature verification first (invalid signature bytes) + // or at Merkle proof verification + assertThat(result.status()).isIn( + ScittExpectation.Status.INVALID_RECEIPT, + ScittExpectation.Status.INVALID_TOKEN + ); + } + + @Test + @DisplayName("Should fail verification with incorrect hash path") + void shouldFailWithIncorrectHashPath() throws Exception { + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + byte[] payload = "test-payload".getBytes(); + + // Build a tree with 2 elements but provide wrong sibling hash + byte[] leafHash = MerkleProofVerifier.hashLeaf(payload); + byte[] siblingHash = new byte[32]; + Arrays.fill(siblingHash, (byte) 0xAA); + + // Calculate root with wrong sibling + byte[] wrongRoot = MerkleProofVerifier.hashNode(leafHash, siblingHash); + + // But use a different (incorrect) sibling in the path + byte[] incorrectSibling = new byte[32]; + Arrays.fill(incorrectSibling, (byte) 0xBB); + + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 2, 0, wrongRoot, List.of(incorrectSibling)); + + ScittReceipt receipt = new ScittReceipt( + header, + new byte[10], + proof, + payload, + new byte[64] + ); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isIn( + ScittExpectation.Status.INVALID_RECEIPT, + ScittExpectation.Status.INVALID_TOKEN + ); + } + + @Test + @DisplayName("Should handle empty hash path for single element tree") + void shouldHandleEmptyHashPathForSingleElement() throws Exception { + // Sign receipt properly + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "test-payload".getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(keyPair.getPrivate()); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + + // Single element tree: root == leaf hash + byte[] leafHash = MerkleProofVerifier.hashLeaf(payload); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 1, 0, leafHash, List.of()); // Empty path for single element + + ScittReceipt receipt = new ScittReceipt(header, protectedHeaderBytes, proof, payload, p1363Signature); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // Should succeed - valid receipt and token + assertThat(result.status()).isEqualTo(ScittExpectation.Status.VERIFIED); + } + } + + @Nested + @DisplayName("postVerify error handling tests") + class PostVerifyErrorHandlingTests { + + @Test + @DisplayName("Should handle certificate encoding exception") + void shouldHandleCertificateEncodingException() throws Exception { + X509Certificate cert = mock(X509Certificate.class); + when(cert.getEncoded()).thenThrow(new java.security.cert.CertificateEncodingException("Test error")); + + ScittExpectation expectation = ScittExpectation.verified( + List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isFalse(); + assertThat(result.failureReason()).contains("Error computing fingerprint"); + } + + @Test + @DisplayName("Should return error for expired expectation") + void shouldReturnErrorForExpiredExpectation() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.expired(); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isFalse(); + assertThat(result.failureReason()).contains("pre-verification failed"); + } + + @Test + @DisplayName("Should return error for revoked expectation") + void shouldReturnErrorForRevokedExpectation() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.revoked("test.ans"); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isFalse(); + assertThat(result.failureReason()).contains("pre-verification failed"); + } + } + + @Nested + @DisplayName("Fingerprint normalization tests") + class FingerprintNormalizationTests { + + @Test + @DisplayName("Should normalize uppercase fingerprint") + void shouldNormalizeUppercaseFingerprint() throws Exception { + X509Certificate cert = mock(X509Certificate.class); + byte[] certBytes = new byte[100]; + when(cert.getEncoded()).thenReturn(certBytes); + + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] digest = md.digest(certBytes); + String expectedFingerprint = bytesToHex(digest).toUpperCase(); + + ScittExpectation expectation = ScittExpectation.verified( + List.of(expectedFingerprint), List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isTrue(); + } + + @Test + @DisplayName("Should handle mixed case SHA256 prefix") + void shouldHandleMixedCaseSha256Prefix() throws Exception { + X509Certificate cert = mock(X509Certificate.class); + byte[] certBytes = new byte[100]; + when(cert.getEncoded()).thenReturn(certBytes); + + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] digest = md.digest(certBytes); + String hexFingerprint = bytesToHex(digest); + String fingerprintWithPrefix = "SHA256:" + hexFingerprint; + + ScittExpectation expectation = ScittExpectation.verified( + List.of(fingerprintWithPrefix), List.of(), "host", "ans.test", Map.of(), null); + + ScittVerifier.ScittVerificationResult result = + verifier.postVerify("test.example.com", cert, expectation); + + assertThat(result.success()).isTrue(); + } + } + + @Nested + @DisplayName("Key ID validation tests") + class KeyIdValidationTests { + + @Test + @DisplayName("Should reject receipt with mismatched key ID") + void shouldRejectReceiptWithMismatchedKeyId() throws Exception { + // Create receipt with wrong key ID (not matching the public key) + byte[] wrongKeyId = new byte[] { + 0x00, 0x00, 0x00, 0x00 + }; + CoseProtectedHeader header = new CoseProtectedHeader(-7, wrongKeyId, 1, null, null); + + byte[] payload = "test-payload".getBytes(); + byte[] leafHash = MerkleProofVerifier.hashLeaf(payload); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, leafHash, List.of()); + + ScittReceipt receipt = new ScittReceipt(header, new byte[10], proof, payload, new byte[64]); + StatusToken token = createMockStatusToken(StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.failureReason()).contains("not in trust store"); + } + + @Test + @DisplayName("Should reject token with mismatched key ID") + void shouldRejectTokenWithMismatchedKeyId() throws Exception { + // Create valid receipt with correct key ID + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + + // Create token with wrong key ID + byte[] wrongKeyId = new byte[] { + 0x00, 0x00, 0x00, 0x00 + }; + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "agent_id:test-agent,status:ACTIVE".getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(keyPair.getPrivate()); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + CoseProtectedHeader tokenHeader = new CoseProtectedHeader(-7, wrongKeyId, null, null, null); + StatusToken token = new StatusToken( + "test-agent-id", + StatusToken.Status.ACTIVE, + Instant.now().minusSeconds(60), + Instant.now().plusSeconds(3600), + "test.ans", + "test.example.com", + List.of(), + List.of(), + Map.of(), + tokenHeader, + protectedHeaderBytes, + payload, + p1363Signature + ); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_TOKEN); + assertThat(result.failureReason()).contains("not in trust store"); + } + + @Test + @DisplayName("Should reject receipt with missing key ID") + void shouldRejectReceiptWithMissingKeyId() throws Exception { + // Create receipt with null key ID + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "test-payload".getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(keyPair.getPrivate()); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + // null key ID should be rejected + CoseProtectedHeader header = new CoseProtectedHeader(-7, null, 1, null, null); + + byte[] leafHash = MerkleProofVerifier.hashLeaf(payload); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, leafHash, List.of()); + + ScittReceipt receipt = new ScittReceipt(header, protectedHeaderBytes, proof, payload, p1363Signature); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.failureReason()).contains("not in trust store"); + } + + @Test + @DisplayName("Should reject token with missing key ID") + void shouldRejectTokenWithMissingKeyId() throws Exception { + // Create valid receipt with correct key ID + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + + // Create token with null key ID + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "agent_id:test-agent,status:ACTIVE".getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(keyPair.getPrivate()); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + // null key ID should be rejected + CoseProtectedHeader tokenHeader = new CoseProtectedHeader(-7, null, null, null, null); + StatusToken token = new StatusToken( + "test-agent-id", + StatusToken.Status.ACTIVE, + Instant.now().minusSeconds(60), + Instant.now().plusSeconds(3600), + "test.ans", + "test.example.com", + List.of(), + List.of(), + Map.of(), + tokenHeader, + protectedHeaderBytes, + payload, + p1363Signature + ); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_TOKEN); + assertThat(result.failureReason()).contains("not in trust store"); + } + + @Test + @DisplayName("Should accept artifact with correct key ID") + void shouldAcceptArtifactWithCorrectKeyId() throws Exception { + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.ACTIVE); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isEqualTo(ScittExpectation.Status.VERIFIED); + } + } + + @Nested + @DisplayName("Verification with different status tests") + class VerificationStatusTests { + + @Test + @DisplayName("Should return inactive for UNKNOWN status") + void shouldReturnInactiveForUnknownStatus() throws Exception { + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.UNKNOWN); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + // May be AGENT_INACTIVE or INVALID_RECEIPT depending on signature verification + assertThat(result.status()).isIn( + ScittExpectation.Status.AGENT_INACTIVE, + ScittExpectation.Status.INVALID_RECEIPT, + ScittExpectation.Status.INVALID_TOKEN + ); + } + + @Test + @DisplayName("Should return inactive for EXPIRED status") + void shouldReturnInactiveForExpiredStatus() throws Exception { + ScittReceipt receipt = createValidSignedReceipt(keyPair.getPrivate()); + StatusToken token = createValidSignedToken(keyPair.getPrivate(), StatusToken.Status.EXPIRED); + + ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); + + assertThat(result.status()).isIn( + ScittExpectation.Status.AGENT_INACTIVE, + ScittExpectation.Status.INVALID_RECEIPT, + ScittExpectation.Status.INVALID_TOKEN + ); + } + } + + // Helper methods + + private ScittReceipt createMockReceipt() { + try { + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 1, 0, new byte[32], List.of()); + return new ScittReceipt( + header, + new byte[10], + proof, + "test-payload".getBytes(), + new byte[64] + ); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + private ScittReceipt createReceiptWithSignature(byte[] signature) { + try { + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 1, 0, new byte[32], List.of()); + return new ScittReceipt( + header, + new byte[10], + proof, + "test-payload".getBytes(), + signature + ); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + private ScittReceipt createValidSignedReceipt(PrivateKey privateKey) throws Exception { + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "test-payload".getBytes(); + + // Build sig structure + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + + // Sign + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(privateKey); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, 1, null, null); + + // Create valid Merkle proof + byte[] leafHash = MerkleProofVerifier.hashLeaf(payload); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 1, 0, leafHash, List.of()); + + return new ScittReceipt(header, protectedHeaderBytes, proof, payload, p1363Signature); + } + + private StatusToken createMockStatusToken(StatusToken.Status status) { + try { + byte[] keyId = computeKeyId(keyPair.getPublic()); + return new StatusToken( + "test-agent-id", + status, + Instant.now().minusSeconds(60), + Instant.now().plusSeconds(3600), + "test.ans", + "test.example.com", + List.of(), + List.of(), + Map.of(), + new CoseProtectedHeader(-7, keyId, null, null, null), + new byte[10], + "test-payload".getBytes(), + new byte[64] + ); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + private StatusToken createValidSignedToken(PrivateKey privateKey, StatusToken.Status status) throws Exception { + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = ("agent_id:test-agent,status:" + status.name()).getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(privateKey); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, null, null, null); + + return new StatusToken( + "test-agent-id", + status, + Instant.now().minusSeconds(60), + Instant.now().plusSeconds(3600), + "test.ans", + "test.example.com", + List.of(), + List.of(), + Map.of(), + header, + protectedHeaderBytes, + payload, + p1363Signature + ); + } + + private StatusToken createExpiredToken(PrivateKey privateKey, Duration expiredAgo) throws Exception { + byte[] protectedHeaderBytes = new byte[10]; + byte[] payload = "agent_id:test-agent,status:ACTIVE".getBytes(); + + byte[] sigStructure = CoseSign1Parser.buildSigStructure(protectedHeaderBytes, null, payload); + + Signature sig = Signature.getInstance("SHA256withECDSA"); + sig.initSign(privateKey); + sig.update(sigStructure); + byte[] derSignature = sig.sign(); + byte[] p1363Signature = convertDerToP1363(derSignature); + + byte[] keyId = computeKeyId(keyPair.getPublic()); + CoseProtectedHeader header = new CoseProtectedHeader(-7, keyId, null, null, null); + + return new StatusToken( + "test-agent-id", + StatusToken.Status.ACTIVE, + Instant.now().minusSeconds(7200), + Instant.now().minus(expiredAgo), // Expired + "test.ans", + "test.example.com", + List.of(), + List.of(), + Map.of(), + header, + protectedHeaderBytes, + payload, + p1363Signature + ); + } + + private byte[] convertDerToP1363(byte[] derSignature) { + // DER format: SEQUENCE { INTEGER r, INTEGER s } + // P1363 format: r || s (each 32 bytes for P-256) + byte[] p1363 = new byte[64]; + + int offset = 2; // Skip SEQUENCE tag and length + if (derSignature[1] == (byte) 0x81) { + offset++; + } + + // Parse r + offset++; // Skip INTEGER tag + int rLen = derSignature[offset++] & 0xFF; + int rOffset = offset; + if (rLen == 33 && derSignature[rOffset] == 0) { + rOffset++; + rLen--; + } + System.arraycopy(derSignature, rOffset, p1363, 32 - rLen, rLen); + offset += (derSignature[offset - 1] & 0xFF); + + // Parse s + offset++; // Skip INTEGER tag + int sLen = derSignature[offset++] & 0xFF; + int sOffset = offset; + if (sLen == 33 && derSignature[sOffset] == 0) { + sOffset++; + sLen--; + } + System.arraycopy(derSignature, sOffset, p1363, 64 - sLen, sLen); + + return p1363; + } + + private static String bytesToHex(byte[] bytes) { + StringBuilder sb = new StringBuilder(); + for (byte b : bytes) { + sb.append(String.format("%02x", b)); + } + return sb.toString(); + } + + /** + * Computes the key ID for a public key per C2SP specification. + * The key ID is the first 4 bytes of SHA-256(SPKI-DER). + */ + private byte[] computeKeyId(java.security.PublicKey publicKey) throws Exception { + byte[] spkiDer = publicKey.getEncoded(); + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] hash = md.digest(spkiDer); + return Arrays.copyOf(hash, 4); + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifierTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifierTest.java new file mode 100644 index 0000000..11703c2 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MerkleProofVerifierTest.java @@ -0,0 +1,453 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.nio.charset.StandardCharsets; +import java.util.Arrays; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +class MerkleProofVerifierTest { + + @Nested + @DisplayName("hashLeaf() tests") + class HashLeafTests { + + @Test + @DisplayName("Should compute correct leaf hash with domain separation") + void shouldComputeCorrectLeafHash() { + byte[] data = "test".getBytes(StandardCharsets.UTF_8); + byte[] hash = MerkleProofVerifier.hashLeaf(data); + + // Should be 32 bytes (SHA-256) + assertThat(hash).hasSize(32); + + // Different data should produce different hash + byte[] data2 = "test2".getBytes(StandardCharsets.UTF_8); + byte[] hash2 = MerkleProofVerifier.hashLeaf(data2); + assertThat(hash).isNotEqualTo(hash2); + } + + @Test + @DisplayName("Should produce consistent hashes") + void shouldProduceConsistentHashes() { + byte[] data = "consistent".getBytes(StandardCharsets.UTF_8); + byte[] hash1 = MerkleProofVerifier.hashLeaf(data); + byte[] hash2 = MerkleProofVerifier.hashLeaf(data); + assertThat(hash1).isEqualTo(hash2); + } + + @Test + @DisplayName("Leaf hash should differ from raw SHA-256 (domain separation)") + void leafHashShouldDifferFromRawSha256() throws Exception { + byte[] data = "test".getBytes(StandardCharsets.UTF_8); + byte[] leafHash = MerkleProofVerifier.hashLeaf(data); + + // Raw SHA-256 without domain separation prefix + java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256"); + byte[] rawHash = md.digest(data); + + // Should be different due to 0x00 prefix in leaf hash + assertThat(leafHash).isNotEqualTo(rawHash); + } + } + + @Nested + @DisplayName("hashNode() tests") + class HashNodeTests { + + @Test + @DisplayName("Should compute correct node hash with domain separation") + void shouldComputeCorrectNodeHash() { + byte[] left = new byte[32]; + byte[] right = new byte[32]; + Arrays.fill(left, (byte) 0x01); + Arrays.fill(right, (byte) 0x02); + + byte[] hash = MerkleProofVerifier.hashNode(left, right); + assertThat(hash).hasSize(32); + + // Different order should produce different hash + byte[] hashReversed = MerkleProofVerifier.hashNode(right, left); + assertThat(hash).isNotEqualTo(hashReversed); + } + } + + @Nested + @DisplayName("calculatePathLength() tests") + class CalculatePathLengthTests { + + @Test + @DisplayName("Should return 0 for tree size 1") + void shouldReturn0ForSize1() { + assertThat(MerkleProofVerifier.calculatePathLength(1)).isEqualTo(0); + } + + @Test + @DisplayName("Should return 1 for tree size 2") + void shouldReturn1ForSize2() { + assertThat(MerkleProofVerifier.calculatePathLength(2)).isEqualTo(1); + } + + @Test + @DisplayName("Should return correct length for power-of-two sizes") + void shouldReturnCorrectLengthForPowerOfTwo() { + assertThat(MerkleProofVerifier.calculatePathLength(4)).isEqualTo(2); + assertThat(MerkleProofVerifier.calculatePathLength(8)).isEqualTo(3); + assertThat(MerkleProofVerifier.calculatePathLength(16)).isEqualTo(4); + assertThat(MerkleProofVerifier.calculatePathLength(1024)).isEqualTo(10); + } + + @Test + @DisplayName("Should return correct length for non-power-of-two sizes") + void shouldReturnCorrectLengthForNonPowerOfTwo() { + assertThat(MerkleProofVerifier.calculatePathLength(3)).isEqualTo(2); + assertThat(MerkleProofVerifier.calculatePathLength(5)).isEqualTo(3); + assertThat(MerkleProofVerifier.calculatePathLength(7)).isEqualTo(3); + assertThat(MerkleProofVerifier.calculatePathLength(100)).isEqualTo(7); + } + } + + @Nested + @DisplayName("verifyInclusion() tests") + class VerifyInclusionTests { + + @Test + @DisplayName("Should reject null leaf data") + void shouldRejectNullLeafData() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(null, 0, 1, List.of(), new byte[32])) + .isInstanceOf(NullPointerException.class) + .hasMessage("leafData cannot be null"); + } + + @Test + @DisplayName("Should reject leaf index >= tree size") + void shouldRejectInvalidLeafIndex() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(new byte[10], 5, 5, List.of(), new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid leaf index"); + } + + @Test + @DisplayName("Should reject zero tree size") + void shouldRejectZeroTreeSize() { + // Note: leaf index validation happens before tree size validation + // when leaf index >= tree size, so we expect the leaf index error first + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(new byte[10], 0, 0, List.of(), new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid leaf index"); + } + + @Test + @DisplayName("Should reject invalid root hash length") + void shouldRejectInvalidRootHashLength() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(new byte[10], 0, 1, List.of(), new byte[16])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid expected root hash length"); + } + + @Test + @DisplayName("Should verify single-element tree") + void shouldVerifySingleElementTree() throws ScittParseException { + byte[] leafData = "single leaf".getBytes(StandardCharsets.UTF_8); + byte[] leafHash = MerkleProofVerifier.hashLeaf(leafData); + + // For a single-element tree, the root hash IS the leaf hash + boolean valid = MerkleProofVerifier.verifyInclusion( + leafData, 0, 1, List.of(), leafHash); + + assertThat(valid).isTrue(); + } + + @Test + @DisplayName("Should reject mismatched root hash") + void shouldRejectMismatchedRootHash() throws ScittParseException { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + byte[] wrongRoot = new byte[32]; + Arrays.fill(wrongRoot, (byte) 0xFF); + + boolean valid = MerkleProofVerifier.verifyInclusion( + leafData, 0, 1, List.of(), wrongRoot); + + assertThat(valid).isFalse(); + } + + @Test + @DisplayName("Should verify two-element tree") + void shouldVerifyTwoElementTree() throws ScittParseException { + // Build a 2-element tree manually + byte[] leaf0Data = "leaf0".getBytes(StandardCharsets.UTF_8); + byte[] leaf1Data = "leaf1".getBytes(StandardCharsets.UTF_8); + + byte[] leaf0Hash = MerkleProofVerifier.hashLeaf(leaf0Data); + byte[] leaf1Hash = MerkleProofVerifier.hashLeaf(leaf1Data); + + // Root = hash(leaf0Hash || leaf1Hash) + byte[] rootHash = MerkleProofVerifier.hashNode(leaf0Hash, leaf1Hash); + + // Verify leaf0 with leaf1Hash as sibling + boolean valid0 = MerkleProofVerifier.verifyInclusion( + leaf0Data, 0, 2, List.of(leaf1Hash), rootHash); + assertThat(valid0).isTrue(); + + // Verify leaf1 with leaf0Hash as sibling + boolean valid1 = MerkleProofVerifier.verifyInclusion( + leaf1Data, 1, 2, List.of(leaf0Hash), rootHash); + assertThat(valid1).isTrue(); + } + } + + @Nested + @DisplayName("verifyInclusionWithHash() tests") + class VerifyInclusionWithHashTests { + + @Test + @DisplayName("Should reject invalid leaf hash length") + void shouldRejectInvalidLeafHashLength() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(new byte[16], 0, 1, List.of(), new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid leaf hash length"); + } + + @Test + @DisplayName("Should verify with pre-computed hash") + void shouldVerifyWithPreComputedHash() throws ScittParseException { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + byte[] leafHash = MerkleProofVerifier.hashLeaf(leafData); + + boolean valid = MerkleProofVerifier.verifyInclusionWithHash( + leafHash, 0, 1, List.of(), leafHash); + + assertThat(valid).isTrue(); + } + + @Test + @DisplayName("Should reject null leaf hash") + void shouldRejectNullLeafHash() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(null, 0, 1, List.of(), new byte[32])) + .isInstanceOf(NullPointerException.class) + .hasMessage("leafHash cannot be null"); + } + + @Test + @DisplayName("Should reject null hash path") + void shouldRejectNullHashPath() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(new byte[32], 0, 1, null, new byte[32])) + .isInstanceOf(NullPointerException.class) + .hasMessage("hashPath cannot be null"); + } + + @Test + @DisplayName("Should reject null expected root hash") + void shouldRejectNullExpectedRootHash() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(new byte[32], 0, 1, List.of(), null)) + .isInstanceOf(NullPointerException.class) + .hasMessage("expectedRootHash cannot be null"); + } + + @Test + @DisplayName("Should reject leaf index >= tree size") + void shouldRejectInvalidLeafIndex() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(new byte[32], 5, 5, List.of(), new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid leaf index"); + } + + @Test + @DisplayName("Should reject zero tree size") + void shouldRejectZeroTreeSize() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(new byte[32], 0, 0, List.of(), new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid leaf index"); + } + + @Test + @DisplayName("Should reject invalid expected root hash length") + void shouldRejectInvalidExpectedRootHashLength() { + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusionWithHash(new byte[32], 0, 1, List.of(), new byte[16])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid expected root hash length"); + } + + @Test + @DisplayName("Should verify two-element tree with pre-computed hash") + void shouldVerifyTwoElementTreeWithPreComputedHash() throws ScittParseException { + byte[] leaf0Hash = MerkleProofVerifier.hashLeaf("leaf0".getBytes(StandardCharsets.UTF_8)); + byte[] leaf1Hash = MerkleProofVerifier.hashLeaf("leaf1".getBytes(StandardCharsets.UTF_8)); + byte[] rootHash = MerkleProofVerifier.hashNode(leaf0Hash, leaf1Hash); + + boolean valid = MerkleProofVerifier.verifyInclusionWithHash( + leaf0Hash, 0, 2, List.of(leaf1Hash), rootHash); + + assertThat(valid).isTrue(); + } + } + + @Nested + @DisplayName("Hash path validation tests") + class HashPathValidationTests { + + @Test + @DisplayName("Should reject hash path too long for tree size") + void shouldRejectHashPathTooLong() { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + // For tree size 2, max path length is 1 + List tooLongPath = List.of(new byte[32], new byte[32], new byte[32]); + + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(leafData, 0, 2, tooLongPath, new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Hash path too long"); + } + + @Test + @DisplayName("Should reject null hash in path") + void shouldRejectNullHashInPath() { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + List pathWithNull = Arrays.asList(new byte[32], null); + + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(leafData, 0, 4, pathWithNull, new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid hash at path index 1"); + } + + @Test + @DisplayName("Should reject wrong-sized hash in path") + void shouldRejectWrongSizedHashInPath() { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + List pathWithWrongSize = List.of(new byte[32], new byte[16]); + + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(leafData, 0, 4, pathWithWrongSize, new byte[32])) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid hash at path index 1"); + } + + @Test + @DisplayName("Should reject null hashPath") + void shouldRejectNullHashPath() { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(leafData, 0, 1, null, new byte[32])) + .isInstanceOf(NullPointerException.class) + .hasMessage("hashPath cannot be null"); + } + + @Test + @DisplayName("Should reject null expectedRootHash") + void shouldRejectNullExpectedRootHash() { + byte[] leafData = "leaf".getBytes(StandardCharsets.UTF_8); + + assertThatThrownBy(() -> + MerkleProofVerifier.verifyInclusion(leafData, 0, 1, List.of(), null)) + .isInstanceOf(NullPointerException.class) + .hasMessage("expectedRootHash cannot be null"); + } + } + + @Nested + @DisplayName("Tree structure tests") + class TreeStructureTests { + + @Test + @DisplayName("Should verify four-element tree (balanced)") + void shouldVerifyFourElementTree() throws ScittParseException { + // Tree structure for 4 leaves: + // root + // / \ + // node01 node23 + // / \ / \ + // L0 L1 L2 L3 + + byte[] leaf0Hash = MerkleProofVerifier.hashLeaf("leaf0".getBytes(StandardCharsets.UTF_8)); + byte[] leaf1Hash = MerkleProofVerifier.hashLeaf("leaf1".getBytes(StandardCharsets.UTF_8)); + byte[] leaf2Hash = MerkleProofVerifier.hashLeaf("leaf2".getBytes(StandardCharsets.UTF_8)); + byte[] leaf3Hash = MerkleProofVerifier.hashLeaf("leaf3".getBytes(StandardCharsets.UTF_8)); + + byte[] node01Hash = MerkleProofVerifier.hashNode(leaf0Hash, leaf1Hash); + byte[] node23Hash = MerkleProofVerifier.hashNode(leaf2Hash, leaf3Hash); + byte[] rootHash = MerkleProofVerifier.hashNode(node01Hash, node23Hash); + + // Verify leaf0 (index=0) + boolean valid0 = MerkleProofVerifier.verifyInclusionWithHash( + leaf0Hash, 0, 4, List.of(leaf1Hash, node23Hash), rootHash); + assertThat(valid0).isTrue(); + + // Verify leaf3 (index=3) + boolean valid3 = MerkleProofVerifier.verifyInclusionWithHash( + leaf3Hash, 3, 4, List.of(leaf2Hash, node01Hash), rootHash); + assertThat(valid3).isTrue(); + } + } + + @Nested + @DisplayName("calculatePathLength edge cases") + class CalculatePathLengthEdgeCaseTests { + + @Test + @DisplayName("Should return 0 for tree size 0") + void shouldReturn0ForSize0() { + assertThat(MerkleProofVerifier.calculatePathLength(0)).isEqualTo(0); + } + + @Test + @DisplayName("Should handle large tree sizes") + void shouldHandleLargeTreeSizes() { + assertThat(MerkleProofVerifier.calculatePathLength(1_000_000)).isEqualTo(20); + assertThat(MerkleProofVerifier.calculatePathLength(1L << 30)).isEqualTo(30); + } + + @Test + @DisplayName("Should handle max practical tree size (2^62)") + void shouldHandleMaxPracticalTreeSize() { + // Test a very large but practical tree size (2^62) + // Path length should be 62 + long largeTreeSize = 1L << 62; + assertThat(MerkleProofVerifier.calculatePathLength(largeTreeSize)).isEqualTo(62); + } + } + + @Nested + @DisplayName("Utility methods tests") + class UtilityMethodsTests { + + @Test + @DisplayName("Should convert hex to bytes") + void shouldConvertHexToBytes() { + byte[] bytes = MerkleProofVerifier.hexToBytes("deadbeef"); + assertThat(bytes).containsExactly((byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF); + } + + @Test + @DisplayName("Should convert bytes to hex") + void shouldConvertBytesToHex() { + byte[] bytes = {(byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF}; + assertThat(MerkleProofVerifier.bytesToHex(bytes)).isEqualTo("deadbeef"); + } + + @Test + @DisplayName("Should reject odd-length hex string") + void shouldRejectOddLengthHex() { + assertThatThrownBy(() -> MerkleProofVerifier.hexToBytes("abc")) + .isInstanceOf(IllegalArgumentException.class) + .hasMessage("Hex string must have even length"); + } + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifierTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifierTest.java new file mode 100644 index 0000000..eafef7c --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifierTest.java @@ -0,0 +1,192 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.nio.charset.StandardCharsets; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +class MetadataHashVerifierTest { + + @Nested + @DisplayName("verify() tests") + class VerifyTests { + + @Test + @DisplayName("Should reject null metadata bytes") + void shouldRejectNullMetadataBytes() { + assertThatThrownBy(() -> MetadataHashVerifier.verify(null, "SHA256:abc")) + .isInstanceOf(NullPointerException.class) + .hasMessage("metadataBytes cannot be null"); + } + + @Test + @DisplayName("Should reject null expected hash") + void shouldRejectNullExpectedHash() { + assertThatThrownBy(() -> MetadataHashVerifier.verify(new byte[10], null)) + .isInstanceOf(NullPointerException.class) + .hasMessage("expectedHash cannot be null"); + } + + @Test + @DisplayName("Should reject invalid hash format") + void shouldRejectInvalidHashFormat() { + byte[] data = "test".getBytes(StandardCharsets.UTF_8); + + assertThat(MetadataHashVerifier.verify(data, "invalid")).isFalse(); + assertThat(MetadataHashVerifier.verify(data, "SHA256:abc")).isFalse(); // Too short + assertThat(MetadataHashVerifier.verify(data, "MD5:0123456789abcdef0123456789abcdef")).isFalse(); + } + + @Test + @DisplayName("Should verify matching hash") + void shouldVerifyMatchingHash() { + byte[] data = "test metadata content".getBytes(StandardCharsets.UTF_8); + String hash = MetadataHashVerifier.computeHash(data); + + assertThat(MetadataHashVerifier.verify(data, hash)).isTrue(); + } + + @Test + @DisplayName("Should reject mismatched hash") + void shouldRejectMismatchedHash() { + byte[] data = "test metadata".getBytes(StandardCharsets.UTF_8); + String wrongHash = "SHA256:0000000000000000000000000000000000000000000000000000000000000000"; + + assertThat(MetadataHashVerifier.verify(data, wrongHash)).isFalse(); + } + + @Test + @DisplayName("Should be case insensitive for hash prefix") + void shouldBeCaseInsensitiveForPrefix() { + byte[] data = "test".getBytes(StandardCharsets.UTF_8); + String hash = MetadataHashVerifier.computeHash(data); + String lowerHash = hash.toLowerCase(); + String upperHash = hash.toUpperCase(); + + assertThat(MetadataHashVerifier.verify(data, lowerHash)).isTrue(); + assertThat(MetadataHashVerifier.verify(data, upperHash)).isTrue(); + } + } + + @Nested + @DisplayName("computeHash() tests") + class ComputeHashTests { + + @Test + @DisplayName("Should reject null input") + void shouldRejectNullInput() { + assertThatThrownBy(() -> MetadataHashVerifier.computeHash(null)) + .isInstanceOf(NullPointerException.class) + .hasMessage("metadataBytes cannot be null"); + } + + @Test + @DisplayName("Should compute hash with correct format") + void shouldComputeHashWithCorrectFormat() { + byte[] data = "test".getBytes(StandardCharsets.UTF_8); + String hash = MetadataHashVerifier.computeHash(data); + + assertThat(hash).startsWith("SHA256:"); + assertThat(hash).hasSize(7 + 64); // "SHA256:" + 64 hex chars + } + + @Test + @DisplayName("Should produce consistent hashes") + void shouldProduceConsistentHashes() { + byte[] data = "consistent data".getBytes(StandardCharsets.UTF_8); + + assertThat(MetadataHashVerifier.computeHash(data)) + .isEqualTo(MetadataHashVerifier.computeHash(data)); + } + + @Test + @DisplayName("Should produce different hashes for different data") + void shouldProduceDifferentHashes() { + String hash1 = MetadataHashVerifier.computeHash("data1".getBytes()); + String hash2 = MetadataHashVerifier.computeHash("data2".getBytes()); + + assertThat(hash1).isNotEqualTo(hash2); + } + } + + @Nested + @DisplayName("isValidHashFormat() tests") + class IsValidHashFormatTests { + + @Test + @DisplayName("Should accept valid hash format") + void shouldAcceptValidFormat() { + String validHash = "SHA256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"; + assertThat(MetadataHashVerifier.isValidHashFormat(validHash)).isTrue(); + } + + @Test + @DisplayName("Should accept uppercase hex") + void shouldAcceptUppercaseHex() { + String validHash = "SHA256:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"; + assertThat(MetadataHashVerifier.isValidHashFormat(validHash)).isTrue(); + } + + @Test + @DisplayName("Should reject null") + void shouldRejectNull() { + assertThat(MetadataHashVerifier.isValidHashFormat(null)).isFalse(); + } + + @Test + @DisplayName("Should reject wrong prefix") + void shouldRejectWrongPrefix() { + assertThat(MetadataHashVerifier.isValidHashFormat("MD5:abc")).isFalse(); + assertThat(MetadataHashVerifier.isValidHashFormat("sha256:abc")).isFalse(); + } + + @Test + @DisplayName("Should reject wrong length") + void shouldRejectWrongLength() { + assertThat(MetadataHashVerifier.isValidHashFormat("SHA256:abc")).isFalse(); + assertThat(MetadataHashVerifier.isValidHashFormat("SHA256:")).isFalse(); + } + + @Test + @DisplayName("Should reject non-hex characters") + void shouldRejectNonHexCharacters() { + String invalidHash = "SHA256:ghijklmnopqrstuvwxyz0123456789abcdef0123456789abcdef01234567"; + assertThat(MetadataHashVerifier.isValidHashFormat(invalidHash)).isFalse(); + } + } + + @Nested + @DisplayName("extractHex() tests") + class ExtractHexTests { + + @Test + @DisplayName("Should extract hex portion") + void shouldExtractHexPortion() { + String hash = "SHA256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"; + String hex = MetadataHashVerifier.extractHex(hash); + + assertThat(hex).isEqualTo("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"); + } + + @Test + @DisplayName("Should return lowercase hex") + void shouldReturnLowercaseHex() { + String hash = "SHA256:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"; + String hex = MetadataHashVerifier.extractHex(hash); + + assertThat(hex).isEqualTo("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"); + } + + @Test + @DisplayName("Should return null for invalid format") + void shouldReturnNullForInvalidFormat() { + assertThat(MetadataHashVerifier.extractHex(null)).isNull(); + assertThat(MetadataHashVerifier.extractHex("invalid")).isNull(); + assertThat(MetadataHashVerifier.extractHex("SHA256:abc")).isNull(); + } + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecisionTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecisionTest.java new file mode 100644 index 0000000..1a8c3f4 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecisionTest.java @@ -0,0 +1,62 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PublicKey; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; + +@DisplayName("RefreshDecision tests") +class RefreshDecisionTest { + + @Test + @DisplayName("reject() should create REJECT decision with reason") + void rejectShouldCreateRejectDecision() { + RefreshDecision decision = RefreshDecision.reject("test reason"); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REJECT); + assertThat(decision.reason()).isEqualTo("test reason"); + assertThat(decision.keys()).isNull(); + assertThat(decision.isRefreshed()).isFalse(); + } + + @Test + @DisplayName("defer() should create DEFER decision with reason") + void deferShouldCreateDeferDecision() { + RefreshDecision decision = RefreshDecision.defer("cooldown active"); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.DEFER); + assertThat(decision.reason()).isEqualTo("cooldown active"); + assertThat(decision.keys()).isNull(); + assertThat(decision.isRefreshed()).isFalse(); + } + + @Test + @DisplayName("refreshed() should create REFRESHED decision with keys") + void refreshedShouldCreateRefreshedDecision() throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(256); + KeyPair keyPair = keyGen.generateKeyPair(); + PublicKey publicKey = keyPair.getPublic(); + + Map keys = Map.of("test-key-id", publicKey); + RefreshDecision decision = RefreshDecision.refreshed(keys); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); + assertThat(decision.reason()).isNull(); + assertThat(decision.keys()).isEqualTo(keys); + assertThat(decision.isRefreshed()).isTrue(); + } + + @Test + @DisplayName("isRefreshed() should return true only for REFRESHED action") + void isRefreshedShouldReturnTrueOnlyForRefreshed() { + assertThat(RefreshDecision.reject("reason").isRefreshed()).isFalse(); + assertThat(RefreshDecision.defer("reason").isRefreshed()).isFalse(); + assertThat(RefreshDecision.refreshed(Map.of()).isRefreshed()).isTrue(); + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java new file mode 100644 index 0000000..c12c32d --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java @@ -0,0 +1,729 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.upokecenter.cbor.CBORObject; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.time.Instant; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.TimeUnit; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +class ScittArtifactManagerTest { + + private TransparencyClient mockClient; + private ScittArtifactManager manager; + + @BeforeEach + void setUp() { + mockClient = mock(TransparencyClient.class); + } + + @AfterEach + void tearDown() { + if (manager != null) { + manager.close(); + } + } + + @Nested + @DisplayName("Builder tests") + class BuilderTests { + + @Test + @DisplayName("Should require transparency client") + void shouldRequireTransparencyClient() { + assertThatThrownBy(() -> ScittArtifactManager.builder().build()) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("transparencyClient cannot be null"); + } + + @Test + @DisplayName("Should build with minimum configuration") + void shouldBuildWithMinimumConfiguration() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + assertThat(manager).isNotNull(); + } + + @Test + @DisplayName("Should build with custom scheduler") + void shouldBuildWithCustomScheduler() { + ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(); + try { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .scheduler(scheduler) + .build(); + + assertThat(manager).isNotNull(); + } finally { + scheduler.shutdown(); + } + } + + } + + @Nested + @DisplayName("getReceipt() tests") + class GetReceiptTests { + + @Test + @DisplayName("Should reject null agentId") + void shouldRejectNullAgentId() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + assertThatThrownBy(() -> manager.getReceipt(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("agentId cannot be null"); + } + + @Test + @DisplayName("Should return failed future when manager is closed") + void shouldReturnFailedFutureWhenClosed() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + + CompletableFuture future = manager.getReceipt("test-agent"); + assertThat(future).isCompletedExceptionally(); + } + + @Test + @DisplayName("Should fetch receipt from transparency client") + void shouldFetchReceiptFromClient() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getReceipt("test-agent"); + ScittReceipt receipt = future.get(5, TimeUnit.SECONDS); + + assertThat(receipt).isNotNull(); + verify(mockClient).getReceipt("test-agent"); + } + + @Test + @DisplayName("Should cache receipt on subsequent calls") + void shouldCacheReceipt() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // First call + manager.getReceipt("test-agent").get(5, TimeUnit.SECONDS); + // Second call should use cache + manager.getReceipt("test-agent").get(5, TimeUnit.SECONDS); + + // Client should only be called once + verify(mockClient, times(1)).getReceipt("test-agent"); + } + + @Test + @DisplayName("Should wrap client exception in ScittFetchException") + void shouldWrapClientException() { + when(mockClient.getReceipt(anyString())).thenThrow(new RuntimeException("Network error")); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getReceipt("test-agent"); + + assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) + .hasCauseInstanceOf(ScittFetchException.class) + .hasMessageContaining("Failed to fetch receipt"); + } + } + + @Nested + @DisplayName("getStatusToken() tests") + class GetStatusTokenTests { + + @Test + @DisplayName("Should reject null agentId") + void shouldRejectNullAgentId() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + assertThatThrownBy(() -> manager.getStatusToken(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("agentId cannot be null"); + } + + @Test + @DisplayName("Should return failed future when manager is closed") + void shouldReturnFailedFutureWhenClosed() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + + CompletableFuture future = manager.getStatusToken("test-agent"); + assertThat(future).isCompletedExceptionally(); + } + + @Test + @DisplayName("Should fetch status token from transparency client") + void shouldFetchTokenFromClient() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getStatusToken("test-agent"); + StatusToken token = future.get(5, TimeUnit.SECONDS); + + assertThat(token).isNotNull(); + verify(mockClient).getStatusToken("test-agent"); + } + + @Test + @DisplayName("Should cache status token on subsequent calls") + void shouldCacheToken() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // First call + manager.getStatusToken("test-agent").get(5, TimeUnit.SECONDS); + // Second call should use cache + manager.getStatusToken("test-agent").get(5, TimeUnit.SECONDS); + + verify(mockClient, times(1)).getStatusToken("test-agent"); + } + + @Test + @DisplayName("Should wrap client exception in ScittFetchException") + void shouldWrapClientException() { + when(mockClient.getStatusToken(anyString())).thenThrow(new RuntimeException("Network error")); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getStatusToken("test-agent"); + + assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) + .hasCauseInstanceOf(ScittFetchException.class) + .hasMessageContaining("Failed to fetch status token"); + } + + @Test + @DisplayName("Should coalesce concurrent status token requests") + void shouldCoalesceConcurrentRequests() throws Exception { + // Delay the response to simulate slow network + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenAnswer(invocation -> { + Thread.sleep(200); // Simulate network delay + return tokenBytes; + }); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Start two concurrent requests + CompletableFuture future1 = manager.getStatusToken("test-agent"); + CompletableFuture future2 = manager.getStatusToken("test-agent"); + + // Both should complete + StatusToken token1 = future1.get(5, TimeUnit.SECONDS); + StatusToken token2 = future2.get(5, TimeUnit.SECONDS); + + // Both should get the same token + assertThat(token1).isNotNull(); + assertThat(token2).isNotNull(); + + // Client should only be called once due to pending request coalescing + // (or twice if the second request started after first completed) + verify(mockClient, times(1)).getStatusToken("test-agent"); + } + } + + @Nested + @DisplayName("getReceiptBase64() tests") + class GetReceiptBytesTests { + + @Test + @DisplayName("Should reject null agentId") + void shouldRejectNullAgentId() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + assertThatThrownBy(() -> manager.getReceiptBase64(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("agentId cannot be null"); + } + + @Test + @DisplayName("Should return failed future when manager is closed") + void shouldReturnFailedFutureWhenClosed() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + + CompletableFuture future = manager.getReceiptBase64("test-agent"); + assertThat(future).isCompletedExceptionally(); + } + + @Test + @DisplayName("Should fetch receipt Base64 from transparency client") + void shouldFetchReceiptBase64FromClient() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getReceiptBase64("test-agent"); + String result = future.get(5, TimeUnit.SECONDS); + + assertThat(result).isNotNull(); + assertThat(result).isNotEmpty(); + // Verify it's valid Base64 that decodes to the original bytes + assertThat(java.util.Base64.getDecoder().decode(result)).isEqualTo(receiptBytes); + verify(mockClient).getReceipt("test-agent"); + } + + @Test + @DisplayName("Should cache receipt Base64 on subsequent calls") + void shouldCacheReceiptBase64() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // First call + String first = manager.getReceiptBase64("test-agent").get(5, TimeUnit.SECONDS); + // Second call should use cache and return same String instance + String second = manager.getReceiptBase64("test-agent").get(5, TimeUnit.SECONDS); + + assertThat(first).isSameAs(second); + // Client should only be called once + verify(mockClient, times(1)).getReceipt("test-agent"); + } + + @Test + @DisplayName("Should wrap client exception in ScittFetchException") + void shouldWrapClientException() { + when(mockClient.getReceipt(anyString())).thenThrow(new RuntimeException("Network error")); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getReceiptBase64("test-agent"); + + assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) + .hasCauseInstanceOf(ScittFetchException.class) + .hasMessageContaining("Failed to fetch receipt"); + } + } + + @Nested + @DisplayName("getStatusTokenBase64() tests") + class GetStatusTokenBytesTests { + + @Test + @DisplayName("Should reject null agentId") + void shouldRejectNullAgentId() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + assertThatThrownBy(() -> manager.getStatusTokenBase64(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("agentId cannot be null"); + } + + @Test + @DisplayName("Should return failed future when manager is closed") + void shouldReturnFailedFutureWhenClosed() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + + CompletableFuture future = manager.getStatusTokenBase64("test-agent"); + assertThat(future).isCompletedExceptionally(); + } + + @Test + @DisplayName("Should fetch status token Base64 from transparency client") + void shouldFetchTokenBase64FromClient() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getStatusTokenBase64("test-agent"); + String result = future.get(5, TimeUnit.SECONDS); + + assertThat(result).isNotNull(); + assertThat(result).isNotEmpty(); + // Verify it's valid Base64 that decodes to the original bytes + assertThat(java.util.Base64.getDecoder().decode(result)).isEqualTo(tokenBytes); + verify(mockClient).getStatusToken("test-agent"); + } + + @Test + @DisplayName("Should cache status token Base64 on subsequent calls") + void shouldCacheTokenBase64() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // First call + String first = manager.getStatusTokenBase64("test-agent").get(5, TimeUnit.SECONDS); + // Second call should use cache and return same String instance + String second = manager.getStatusTokenBase64("test-agent").get(5, TimeUnit.SECONDS); + + assertThat(first).isSameAs(second); + verify(mockClient, times(1)).getStatusToken("test-agent"); + } + + @Test + @DisplayName("Should wrap client exception in ScittFetchException") + void shouldWrapClientException() { + when(mockClient.getStatusToken(anyString())).thenThrow(new RuntimeException("Network error")); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + CompletableFuture future = manager.getStatusTokenBase64("test-agent"); + + assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) + .hasCauseInstanceOf(ScittFetchException.class) + .hasMessageContaining("Failed to fetch status token"); + } + } + + @Nested + @DisplayName("Background refresh tests") + class BackgroundRefreshTests { + + @Test + @DisplayName("Should not start refresh when manager is closed") + void shouldNotStartWhenClosed() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + + // Should not throw + manager.startBackgroundRefresh("test-agent"); + } + + @Test + @DisplayName("Should stop background refresh") + void shouldStopBackgroundRefresh() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Fetch initial token + manager.getStatusToken("test-agent").get(5, TimeUnit.SECONDS); + + // Start refresh + manager.startBackgroundRefresh("test-agent"); + + // Stop refresh + manager.stopBackgroundRefresh("test-agent"); + + // Should not throw + } + + @Test + @DisplayName("Should handle stopping non-existent refresh") + void shouldHandleStoppingNonExistentRefresh() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Should not throw + manager.stopBackgroundRefresh("non-existent-agent"); + } + + @Test + @DisplayName("Should start refresh without cached token using default interval") + void shouldStartRefreshWithoutCachedToken() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Start refresh without fetching token first + manager.startBackgroundRefresh("test-agent"); + + // Should not throw - uses default 5 minute interval + Thread.sleep(100); // Give scheduler time to initialize + + manager.stopBackgroundRefresh("test-agent"); + } + + @Test + @DisplayName("Should replace existing refresh task when starting again") + void shouldReplaceExistingRefreshTask() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Fetch token + manager.getStatusToken("test-agent").get(5, TimeUnit.SECONDS); + + // Start refresh twice + manager.startBackgroundRefresh("test-agent"); + manager.startBackgroundRefresh("test-agent"); + + // Should not throw, second call should replace first + manager.stopBackgroundRefresh("test-agent"); + } + } + + @Nested + @DisplayName("Cache management tests") + class CacheManagementTests { + + @Test + @DisplayName("Should clear cache for specific agent") + void shouldClearCacheForAgent() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Populate cache + manager.getReceipt("test-agent").get(5, TimeUnit.SECONDS); + manager.getStatusToken("test-agent").get(5, TimeUnit.SECONDS); + + // Clear cache + manager.clearCache("test-agent"); + + // Fetch again - should hit client + manager.getReceipt("test-agent").get(5, TimeUnit.SECONDS); + + verify(mockClient, times(2)).getReceipt("test-agent"); + } + + @Test + @DisplayName("Should clear all caches") + void shouldClearAllCaches() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getReceipt(anyString())).thenReturn(receiptBytes); + when(mockClient.getStatusToken(anyString())).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + // Populate caches for multiple agents + manager.getReceipt("agent1").get(5, TimeUnit.SECONDS); + manager.getReceipt("agent2").get(5, TimeUnit.SECONDS); + + // Clear all + manager.clearAllCaches(); + + // Fetch again - should hit client + manager.getReceipt("agent1").get(5, TimeUnit.SECONDS); + manager.getReceipt("agent2").get(5, TimeUnit.SECONDS); + + verify(mockClient, times(2)).getReceipt("agent1"); + verify(mockClient, times(2)).getReceipt("agent2"); + } + } + + @Nested + @DisplayName("AutoCloseable tests") + class AutoCloseableTests { + + @Test + @DisplayName("Should shutdown scheduler on close") + void shouldShutdownSchedulerOnClose() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + + // Verify manager is closed by checking subsequent operations fail + assertThat(manager.getReceipt("test")).isCompletedExceptionally(); + } + + @Test + @DisplayName("Should be idempotent when closing multiple times") + void shouldBeIdempotentOnClose() { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.close(); + manager.close(); + manager.close(); + + // Should not throw + } + + @Test + @DisplayName("Should cancel refresh tasks on close") + void shouldCancelRefreshTasksOnClose() throws Exception { + byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .build(); + + manager.getStatusToken("test-agent").get(5, TimeUnit.SECONDS); + manager.startBackgroundRefresh("test-agent"); + + manager.close(); + + // Should not throw + } + + @Test + @DisplayName("Should not shutdown external scheduler") + void shouldNotShutdownExternalScheduler() throws Exception { + ScheduledExecutorService externalScheduler = Executors.newSingleThreadScheduledExecutor(); + + try { + manager = ScittArtifactManager.builder() + .transparencyClient(mockClient) + .scheduler(externalScheduler) + .build(); + + manager.close(); + + // External scheduler should still be running + assertThat(externalScheduler.isShutdown()).isFalse(); + } finally { + externalScheduler.shutdown(); + } + } + } + + // Helper methods + + private byte[] createValidReceiptBytes() { + // Create a minimal valid COSE_Sign1 for receipt + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(395, 1); // vds = RFC9162_SHA256 (required for receipts) + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + byte[] payload = "test-payload".getBytes(); + byte[] signature = new byte[64]; + + // Create unprotected header with inclusion proof (MAP format) + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 1L); // tree_size + inclusionProofMap.Add(-2, 0L); // leaf_index + inclusionProofMap.Add(-3, CBORObject.NewArray()); // empty hash_path + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); // proofs label + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add(payload); + array.Add(signature); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + private byte[] createReceiptPayload() { + return "test-payload".getBytes(); + } + + private byte[] createValidStatusTokenBytes() { + // Create a minimal valid COSE_Sign1 for status token + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + byte[] payload = createStatusTokenPayload(); + byte[] signature = new byte[64]; + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(payload); + array.Add(signature); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + private byte[] createStatusTokenPayload() { + // Use integer keys: 1=agent_id, 2=status, 3=iat, 4=exp + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id + payload.Add(2, "ACTIVE"); // status + payload.Add(3, Instant.now().minusSeconds(60).getEpochSecond()); // iat + payload.Add(4, Instant.now().plusSeconds(3600).getEpochSecond()); // exp + return payload.EncodeToBytes(); + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java new file mode 100644 index 0000000..19dd52a --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java @@ -0,0 +1,198 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.util.List; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; + +class ScittExpectationTest { + + @Nested + @DisplayName("Factory method tests") + class FactoryMethodTests { + + @Test + @DisplayName("verified() should create expectation with all data") + void verifiedShouldCreateExpectationWithAllData() { + List serverCerts = List.of("SHA256:server1", "SHA256:server2"); + List identityCerts = List.of("SHA256:identity1"); + Map metadataHashes = Map.of("a2a", "SHA256:metadata1"); + + ScittExpectation expectation = ScittExpectation.verified( + serverCerts, identityCerts, "agent.example.com", "ans://test", + metadataHashes, null); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.VERIFIED); + assertThat(expectation.validServerCertFingerprints()).containsExactlyElementsOf(serverCerts); + assertThat(expectation.validIdentityCertFingerprints()).containsExactlyElementsOf(identityCerts); + assertThat(expectation.agentHost()).isEqualTo("agent.example.com"); + assertThat(expectation.ansName()).isEqualTo("ans://test"); + assertThat(expectation.metadataHashes()).isEqualTo(metadataHashes); + assertThat(expectation.failureReason()).isNull(); + assertThat(expectation.isVerified()).isTrue(); + assertThat(expectation.shouldFail()).isFalse(); + } + + @Test + @DisplayName("invalidReceipt() should create failure expectation") + void invalidReceiptShouldCreateFailureExpectation() { + ScittExpectation expectation = ScittExpectation.invalidReceipt("Bad signature"); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(expectation.failureReason()).isEqualTo("Bad signature"); + assertThat(expectation.isVerified()).isFalse(); + assertThat(expectation.shouldFail()).isTrue(); + assertThat(expectation.validServerCertFingerprints()).isEmpty(); + } + + @Test + @DisplayName("invalidToken() should create failure expectation") + void invalidTokenShouldCreateFailureExpectation() { + ScittExpectation expectation = ScittExpectation.invalidToken("Malformed token"); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.INVALID_TOKEN); + assertThat(expectation.failureReason()).isEqualTo("Malformed token"); + assertThat(expectation.shouldFail()).isTrue(); + } + + @Test + @DisplayName("expired() should create expiry expectation") + void expiredShouldCreateExpiryExpectation() { + ScittExpectation expectation = ScittExpectation.expired(); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.TOKEN_EXPIRED); + assertThat(expectation.failureReason()).isEqualTo("Status token has expired"); + assertThat(expectation.shouldFail()).isTrue(); + } + + @Test + @DisplayName("revoked() should create revoked expectation") + void revokedShouldCreateRevokedExpectation() { + ScittExpectation expectation = ScittExpectation.revoked("ans://revoked.agent"); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.AGENT_REVOKED); + assertThat(expectation.ansName()).isEqualTo("ans://revoked.agent"); + assertThat(expectation.shouldFail()).isTrue(); + } + + @Test + @DisplayName("inactive() should create inactive expectation") + void inactiveShouldCreateInactiveExpectation() { + ScittExpectation expectation = ScittExpectation.inactive( + StatusToken.Status.DEPRECATED, "ans://deprecated.agent"); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.AGENT_INACTIVE); + assertThat(expectation.failureReason()).isEqualTo("Agent status is DEPRECATED"); + assertThat(expectation.shouldFail()).isTrue(); + } + + @Test + @DisplayName("keyNotFound() should create key not found expectation") + void keyNotFoundShouldCreateExpectation() { + ScittExpectation expectation = ScittExpectation.keyNotFound("TL key not found"); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); + assertThat(expectation.failureReason()).isEqualTo("TL key not found"); + assertThat(expectation.shouldFail()).isTrue(); + } + + @Test + @DisplayName("notPresent() should create not present expectation") + void notPresentShouldCreateExpectation() { + ScittExpectation expectation = ScittExpectation.notPresent(); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.NOT_PRESENT); + assertThat(expectation.isNotPresent()).isTrue(); + assertThat(expectation.shouldFail()).isFalse(); // Not a failure, just fallback needed + } + + @Test + @DisplayName("parseError() should create parse error expectation") + void parseErrorShouldCreateExpectation() { + ScittExpectation expectation = ScittExpectation.parseError("Invalid CBOR"); + + assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); + assertThat(expectation.failureReason()).isEqualTo("Invalid CBOR"); + assertThat(expectation.shouldFail()).isTrue(); + } + } + + @Nested + @DisplayName("Status behavior tests") + class StatusBehaviorTests { + + @Test + @DisplayName("shouldFail() should return correct values for each status") + void shouldFailShouldReturnCorrectValues() { + assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null, null) + .shouldFail()).isFalse(); + assertThat(ScittExpectation.notPresent().shouldFail()).isFalse(); + + assertThat(ScittExpectation.invalidReceipt("").shouldFail()).isTrue(); + assertThat(ScittExpectation.invalidToken("").shouldFail()).isTrue(); + assertThat(ScittExpectation.expired().shouldFail()).isTrue(); + assertThat(ScittExpectation.revoked("").shouldFail()).isTrue(); + assertThat(ScittExpectation.inactive(StatusToken.Status.EXPIRED, "").shouldFail()).isTrue(); + assertThat(ScittExpectation.keyNotFound("").shouldFail()).isTrue(); + assertThat(ScittExpectation.parseError("").shouldFail()).isTrue(); + } + + @Test + @DisplayName("isVerified() should only return true for VERIFIED status") + void isVerifiedShouldOnlyBeTrueForVerifiedStatus() { + assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null, null) + .isVerified()).isTrue(); + + assertThat(ScittExpectation.notPresent().isVerified()).isFalse(); + assertThat(ScittExpectation.invalidReceipt("").isVerified()).isFalse(); + assertThat(ScittExpectation.expired().isVerified()).isFalse(); + } + + @Test + @DisplayName("isNotPresent() should only return true for NOT_PRESENT status") + void isNotPresentShouldOnlyBeTrueForNotPresentStatus() { + assertThat(ScittExpectation.notPresent().isNotPresent()).isTrue(); + + assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null, null) + .isNotPresent()).isFalse(); + assertThat(ScittExpectation.invalidReceipt("").isNotPresent()).isFalse(); + } + } + + @Nested + @DisplayName("Defensive copying tests") + class DefensiveCopyingTests { + + @Test + @DisplayName("Should defensively copy server cert fingerprints") + void shouldDefensivelyCopyServerCerts() { + List mutableList = new java.util.ArrayList<>(); + mutableList.add("cert1"); + + ScittExpectation expectation = ScittExpectation.verified( + mutableList, List.of(), null, null, null, null); + + mutableList.add("cert2"); + + assertThat(expectation.validServerCertFingerprints()).containsExactly("cert1"); + } + + @Test + @DisplayName("Should defensively copy metadata hashes") + void shouldDefensivelyCopyMetadataHashes() { + Map mutableMap = new java.util.HashMap<>(); + mutableMap.put("key1", "value1"); + + ScittExpectation expectation = ScittExpectation.verified( + List.of(), List.of(), null, null, mutableMap, null); + + mutableMap.put("key2", "value2"); + + assertThat(expectation.metadataHashes()).containsOnlyKeys("key1"); + } + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchExceptionTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchExceptionTest.java new file mode 100644 index 0000000..d977b98 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchExceptionTest.java @@ -0,0 +1,110 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +class ScittFetchExceptionTest { + + @Nested + @DisplayName("Constructor tests") + class ConstructorTests { + + @Test + @DisplayName("Should create exception with message and artifact type") + void shouldCreateExceptionWithMessageAndArtifactType() { + ScittFetchException exception = new ScittFetchException( + "Failed to fetch", ScittFetchException.ArtifactType.RECEIPT, "test-agent"); + + assertThat(exception.getMessage()).isEqualTo("Failed to fetch"); + assertThat(exception.getArtifactType()).isEqualTo(ScittFetchException.ArtifactType.RECEIPT); + assertThat(exception.getAgentId()).isEqualTo("test-agent"); + assertThat(exception.getCause()).isNull(); + } + + @Test + @DisplayName("Should create exception with message, cause, and artifact type") + void shouldCreateExceptionWithCause() { + RuntimeException cause = new RuntimeException("Network error"); + ScittFetchException exception = new ScittFetchException( + "Failed to fetch", cause, ScittFetchException.ArtifactType.STATUS_TOKEN, "agent-123"); + + assertThat(exception.getMessage()).isEqualTo("Failed to fetch"); + assertThat(exception.getCause()).isEqualTo(cause); + assertThat(exception.getArtifactType()).isEqualTo(ScittFetchException.ArtifactType.STATUS_TOKEN); + assertThat(exception.getAgentId()).isEqualTo("agent-123"); + } + + @Test + @DisplayName("Should allow null agent ID for public key fetches") + void shouldAllowNullAgentId() { + ScittFetchException exception = new ScittFetchException( + "Key fetch failed", ScittFetchException.ArtifactType.PUBLIC_KEY, null); + + assertThat(exception.getAgentId()).isNull(); + assertThat(exception.getArtifactType()).isEqualTo(ScittFetchException.ArtifactType.PUBLIC_KEY); + } + } + + @Nested + @DisplayName("ArtifactType enum tests") + class ArtifactTypeTests { + + @Test + @DisplayName("Should have RECEIPT artifact type") + void shouldHaveReceiptType() { + assertThat(ScittFetchException.ArtifactType.RECEIPT).isNotNull(); + assertThat(ScittFetchException.ArtifactType.valueOf("RECEIPT")) + .isEqualTo(ScittFetchException.ArtifactType.RECEIPT); + } + + @Test + @DisplayName("Should have STATUS_TOKEN artifact type") + void shouldHaveStatusTokenType() { + assertThat(ScittFetchException.ArtifactType.STATUS_TOKEN).isNotNull(); + assertThat(ScittFetchException.ArtifactType.valueOf("STATUS_TOKEN")) + .isEqualTo(ScittFetchException.ArtifactType.STATUS_TOKEN); + } + + @Test + @DisplayName("Should have PUBLIC_KEY artifact type") + void shouldHavePublicKeyType() { + assertThat(ScittFetchException.ArtifactType.PUBLIC_KEY).isNotNull(); + assertThat(ScittFetchException.ArtifactType.valueOf("PUBLIC_KEY")) + .isEqualTo(ScittFetchException.ArtifactType.PUBLIC_KEY); + } + + @Test + @DisplayName("Should have exactly 3 artifact types") + void shouldHaveThreeArtifactTypes() { + assertThat(ScittFetchException.ArtifactType.values()).hasSize(3); + } + } + + @Nested + @DisplayName("Exception behavior tests") + class ExceptionBehaviorTests { + + @Test + @DisplayName("Should be throwable as RuntimeException") + void shouldBeThrowableAsRuntimeException() { + ScittFetchException exception = new ScittFetchException( + "Test", ScittFetchException.ArtifactType.RECEIPT, "agent"); + + assertThat(exception).isInstanceOf(RuntimeException.class); + } + + @Test + @DisplayName("Should preserve stack trace") + void shouldPreserveStackTrace() { + RuntimeException cause = new RuntimeException("Original"); + ScittFetchException exception = new ScittFetchException( + "Wrapped", cause, ScittFetchException.ArtifactType.RECEIPT, "agent"); + + assertThat(exception.getStackTrace()).isNotEmpty(); + assertThat(exception.getCause().getMessage()).isEqualTo("Original"); + } + } +} \ No newline at end of file diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java new file mode 100644 index 0000000..e69e825 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java @@ -0,0 +1,117 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.time.Instant; +import java.util.List; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; + +class ScittPreVerifyResultTest { + + @Nested + @DisplayName("Factory methods tests") + class FactoryMethodsTests { + + @Test + @DisplayName("notPresent() should create result with isPresent=false") + void notPresentShouldCreateResultWithIsPresentFalse() { + ScittPreVerifyResult result = ScittPreVerifyResult.notPresent(); + + assertThat(result.isPresent()).isFalse(); + assertThat(result.expectation()).isNotNull(); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.NOT_PRESENT); + assertThat(result.receipt()).isNull(); + assertThat(result.statusToken()).isNull(); + } + + @Test + @DisplayName("parseError() should create result with isPresent=true") + void parseErrorShouldCreateResultWithIsPresentTrue() { + ScittPreVerifyResult result = ScittPreVerifyResult.parseError("Test error"); + + assertThat(result.isPresent()).isTrue(); + assertThat(result.expectation()).isNotNull(); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); + assertThat(result.expectation().failureReason()).contains("Test error"); + assertThat(result.receipt()).isNull(); + assertThat(result.statusToken()).isNull(); + } + + @Test + @DisplayName("verified() should create result with all components") + void verifiedShouldCreateResultWithAllComponents() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp1"), List.of("fp2"), "host", "ans.test", Map.of(), null); + ScittReceipt receipt = createMockReceipt(); + StatusToken token = createMockToken(); + + ScittPreVerifyResult result = ScittPreVerifyResult.verified(expectation, receipt, token); + + assertThat(result.isPresent()).isTrue(); + assertThat(result.expectation()).isEqualTo(expectation); + assertThat(result.expectation().isVerified()).isTrue(); + assertThat(result.receipt()).isEqualTo(receipt); + assertThat(result.statusToken()).isEqualTo(token); + } + } + + @Nested + @DisplayName("Record accessor tests") + class RecordAccessorTests { + + @Test + @DisplayName("Should access all record components") + void shouldAccessAllRecordComponents() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp1"), List.of(), "host", "ans.test", Map.of(), null); + ScittReceipt receipt = createMockReceipt(); + StatusToken token = createMockToken(); + + ScittPreVerifyResult result = new ScittPreVerifyResult(expectation, receipt, token, true); + + assertThat(result.expectation()).isEqualTo(expectation); + assertThat(result.receipt()).isEqualTo(receipt); + assertThat(result.statusToken()).isEqualTo(token); + assertThat(result.isPresent()).isTrue(); + } + + @Test + @DisplayName("Should handle null components") + void shouldHandleNullComponents() { + ScittPreVerifyResult result = new ScittPreVerifyResult(null, null, null, false); + + assertThat(result.expectation()).isNull(); + assertThat(result.receipt()).isNull(); + assertThat(result.statusToken()).isNull(); + assertThat(result.isPresent()).isFalse(); + } + } + + private ScittReceipt createMockReceipt() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], List.of()); + return new ScittReceipt(header, new byte[10], proof, "payload".getBytes(), new byte[64]); + } + + private StatusToken createMockToken() { + return new StatusToken( + "test-agent", + StatusToken.Status.ACTIVE, + Instant.now(), + Instant.now().plusSeconds(3600), + "test.ans", + "agent.example.com", + List.of(), + List.of(), + Map.of(), + null, + null, + null, + null + ); + } +} \ No newline at end of file diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java new file mode 100644 index 0000000..6f2a1f7 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java @@ -0,0 +1,721 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.upokecenter.cbor.CBORObject; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +class ScittReceiptTest { + + @Nested + @DisplayName("parse() tests") + class ParseTests { + + @Test + @DisplayName("Should reject null input") + void shouldRejectNullInput() { + assertThatThrownBy(() -> ScittReceipt.parse(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("coseBytes cannot be null"); + } + + @Test + @DisplayName("Should reject receipt without VDS") + void shouldRejectReceiptWithoutVds() { + // Create COSE_Sign1 without VDS (395) in protected header + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256, but no VDS + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject unprotectedHeader = createValidUnprotectedHeader(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("VDS=1"); + } + + @Test + @DisplayName("Should reject receipt with wrong VDS value") + void shouldRejectReceiptWithWrongVds() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(395, 2); // Wrong VDS value + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject unprotectedHeader = createValidUnprotectedHeader(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("VDS=1"); + } + + @Test + @DisplayName("Should reject receipt without proofs") + void shouldRejectReceiptWithoutProofs() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Empty unprotected header (no proofs) + CBORObject emptyUnprotected = CBORObject.NewMap(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(emptyUnprotected); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("inclusion proofs"); + } + + @Test + @DisplayName("Should parse valid receipt with RFC 9162 proof format") + void shouldParseValidReceiptWithRfc9162Format() throws ScittParseException { + byte[] receiptBytes = createValidReceiptWithRfc9162Proof(); + + ScittReceipt receipt = ScittReceipt.parse(receiptBytes); + + assertThat(receipt).isNotNull(); + assertThat(receipt.protectedHeader()).isNotNull(); + assertThat(receipt.protectedHeader().algorithm()).isEqualTo(-7); + assertThat(receipt.inclusionProof()).isNotNull(); + assertThat(receipt.eventPayload()).isNotNull(); + assertThat(receipt.signature()).hasSize(64); + } + + @Test + @DisplayName("Should parse receipt with tree size and leaf index") + void shouldParseReceiptWithTreeSizeAndLeafIndex() throws ScittParseException { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Create proof with tree_size=100, leaf_index=42 using MAP format + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 100L); // tree_size + inclusionProofMap.Add(-2, 42L); // leaf_index + inclusionProofMap.Add(-3, CBORObject.NewArray()); // empty hash_path + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); + + assertThat(receipt.inclusionProof().treeSize()).isEqualTo(100); + assertThat(receipt.inclusionProof().leafIndex()).isEqualTo(42); + } + + @Test + @DisplayName("Should parse receipt with hash path") + void shouldParseReceiptWithHashPath() throws ScittParseException { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + byte[] hash1 = new byte[32]; + byte[] hash2 = new byte[32]; + hash1[0] = 0x01; + hash2[0] = 0x02; + + // MAP format with hash path array at key -3 + CBORObject hashPathArray = CBORObject.NewArray(); + hashPathArray.Add(CBORObject.FromObject(hash1)); + hashPathArray.Add(CBORObject.FromObject(hash2)); + + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 4L); // tree_size + inclusionProofMap.Add(-2, 2L); // leaf_index + inclusionProofMap.Add(-3, hashPathArray); // hash_path array + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); + + assertThat(receipt.inclusionProof().hashPath()).hasSize(2); + } + } + + @Nested + @DisplayName("InclusionProof tests") + class InclusionProofTests { + + @Test + @DisplayName("Should create inclusion proof with null hashPath") + void shouldCreateInclusionProofWithNullHashPath() { + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], null); + + assertThat(proof.hashPath()).isEmpty(); + } + + @Test + @DisplayName("Should defensively copy hashPath") + void shouldDefensivelyCopyHashPath() { + List originalPath = new java.util.ArrayList<>(); + originalPath.add(new byte[32]); + + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], originalPath); + + // Original list modification should not affect proof + originalPath.add(new byte[32]); + + assertThat(proof.hashPath()).hasSize(1); + } + } + + @Nested + @DisplayName("equals() and hashCode() tests") + class EqualsHashCodeTests { + + @Test + @DisplayName("Should be equal for same values") + void shouldBeEqualForSameValues() { + ScittReceipt receipt1 = createBasicReceipt(); + ScittReceipt receipt2 = createBasicReceipt(); + + assertThat(receipt1).isEqualTo(receipt2); + assertThat(receipt1.hashCode()).isEqualTo(receipt2.hashCode()); + } + + @Test + @DisplayName("Should not be equal to null") + void shouldNotBeEqualToNull() { + ScittReceipt receipt = createBasicReceipt(); + assertThat(receipt).isNotEqualTo(null); + } + + @Test + @DisplayName("Should be equal to itself") + void shouldBeEqualToItself() { + ScittReceipt receipt = createBasicReceipt(); + assertThat(receipt).isEqualTo(receipt); + } + + @Test + @DisplayName("toString should contain useful info") + void toStringShouldContainUsefulInfo() { + ScittReceipt receipt = createBasicReceipt(); + String str = receipt.toString(); + + assertThat(str).contains("ScittReceipt"); + } + + @Test + @DisplayName("Should not be equal when protected header differs") + void shouldNotBeEqualWhenProtectedHeaderDiffers() { + CoseProtectedHeader header1 = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + CoseProtectedHeader header2 = new CoseProtectedHeader(-35, new byte[4], 1, null, null); // Different alg + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], List.of()); + + ScittReceipt receipt1 = new ScittReceipt(header1, new byte[10], proof, "payload".getBytes(), new byte[64]); + ScittReceipt receipt2 = new ScittReceipt(header2, new byte[10], proof, "payload".getBytes(), new byte[64]); + + assertThat(receipt1).isNotEqualTo(receipt2); + } + + @Test + @DisplayName("Should not be equal when signature differs") + void shouldNotBeEqualWhenSignatureDiffers() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], List.of()); + + byte[] sig1 = new byte[64]; + byte[] sig2 = new byte[64]; + sig2[0] = 1; // Different signature + + ScittReceipt receipt1 = new ScittReceipt(header, new byte[10], proof, "payload".getBytes(), sig1); + ScittReceipt receipt2 = new ScittReceipt(header, new byte[10], proof, "payload".getBytes(), sig2); + + assertThat(receipt1).isNotEqualTo(receipt2); + } + + @Test + @DisplayName("Should not be equal when payload differs") + void shouldNotBeEqualWhenPayloadDiffers() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], List.of()); + + ScittReceipt receipt1 = new ScittReceipt(header, new byte[10], proof, "payload1".getBytes(), new byte[64]); + ScittReceipt receipt2 = new ScittReceipt(header, new byte[10], proof, "payload2".getBytes(), new byte[64]); + + assertThat(receipt1).isNotEqualTo(receipt2); + } + } + + @Nested + @DisplayName("InclusionProof equals tests") + class InclusionProofEqualsTests { + + @Test + @DisplayName("Should not be equal when tree size differs") + void shouldNotBeEqualWhenTreeSizeDiffers() { + ScittReceipt.InclusionProof proof1 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], List.of()); + ScittReceipt.InclusionProof proof2 = new ScittReceipt.InclusionProof( + 20, 5, new byte[32], List.of()); + + assertThat(proof1).isNotEqualTo(proof2); + } + + @Test + @DisplayName("Should not be equal when leaf index differs") + void shouldNotBeEqualWhenLeafIndexDiffers() { + ScittReceipt.InclusionProof proof1 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], List.of()); + ScittReceipt.InclusionProof proof2 = new ScittReceipt.InclusionProof( + 10, 7, new byte[32], List.of()); + + assertThat(proof1).isNotEqualTo(proof2); + } + + @Test + @DisplayName("Should not be equal when root hash differs") + void shouldNotBeEqualWhenRootHashDiffers() { + byte[] hash1 = new byte[32]; + byte[] hash2 = new byte[32]; + hash2[0] = 1; + + ScittReceipt.InclusionProof proof1 = new ScittReceipt.InclusionProof( + 10, 5, hash1, List.of()); + ScittReceipt.InclusionProof proof2 = new ScittReceipt.InclusionProof( + 10, 5, hash2, List.of()); + + assertThat(proof1).isNotEqualTo(proof2); + } + + @Test + @DisplayName("Should not be equal when hash path length differs") + void shouldNotBeEqualWhenHashPathLengthDiffers() { + List path1 = List.of(new byte[32]); + List path2 = List.of(new byte[32], new byte[32]); + + ScittReceipt.InclusionProof proof1 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], path1); + ScittReceipt.InclusionProof proof2 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], path2); + + assertThat(proof1).isNotEqualTo(proof2); + } + + @Test + @DisplayName("Should not be equal when hash path content differs") + void shouldNotBeEqualWhenHashPathContentDiffers() { + byte[] pathHash1 = new byte[32]; + byte[] pathHash2 = new byte[32]; + pathHash2[0] = 1; + + ScittReceipt.InclusionProof proof1 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], List.of(pathHash1)); + ScittReceipt.InclusionProof proof2 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], List.of(pathHash2)); + + assertThat(proof1).isNotEqualTo(proof2); + } + + @Test + @DisplayName("Should have different hash codes for different proofs") + void shouldHaveDifferentHashCodesForDifferentProofs() { + ScittReceipt.InclusionProof proof1 = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], List.of()); + ScittReceipt.InclusionProof proof2 = new ScittReceipt.InclusionProof( + 20, 5, new byte[32], List.of()); + + assertThat(proof1.hashCode()).isNotEqualTo(proof2.hashCode()); + } + + @Test + @DisplayName("Should not be equal to different type") + void shouldNotBeEqualToDifferentType() { + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof( + 10, 5, new byte[32], List.of()); + + assertThat(proof).isNotEqualTo("string"); + } + } + + @Nested + @DisplayName("Parsing edge cases") + class ParsingEdgeCaseTests { + + @Test + @DisplayName("Should reject receipt with empty inclusion proof map") + void shouldRejectReceiptWithEmptyInclusionProofMap() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Empty inclusion proof map (missing required keys) + CBORObject emptyProofMap = CBORObject.NewMap(); + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, emptyProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("tree_size"); + } + + @Test + @DisplayName("Should reject receipt with non-map at label 396") + void shouldRejectReceiptWithNonMapAtLabel396() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Label 396 with string instead of map + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, "not a map"); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("must be a map"); + } + + @Test + @DisplayName("Should reject receipt with missing leaf_index key") + void shouldRejectReceiptWithMissingLeafIndex() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Inclusion proof map with only tree_size (missing leaf_index) + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 1L); // tree_size only + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("leaf_index"); + } + + @Test + @DisplayName("Should parse receipt with root hash at key -4") + void shouldParseReceiptWithRootHash() throws ScittParseException { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + byte[] rootHash = new byte[32]; + rootHash[0] = 0x01; + + // MAP format with root hash at key -4 + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 100L); // tree_size + inclusionProofMap.Add(-2, 42L); // leaf_index + inclusionProofMap.Add(-3, CBORObject.NewArray()); // empty hash_path + inclusionProofMap.Add(-4, CBORObject.FromObject(rootHash)); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); + + assertThat(receipt.inclusionProof().treeSize()).isEqualTo(100); + assertThat(receipt.inclusionProof().leafIndex()).isEqualTo(42); + assertThat(receipt.inclusionProof().rootHash()).isEqualTo(rootHash); + } + + @Test + @DisplayName("Should parse receipt with multiple hashes in path") + void shouldParseReceiptWithMultipleHashesInPath() throws ScittParseException { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + byte[] hash1 = new byte[32]; + byte[] hash2 = new byte[32]; + hash1[0] = 0x11; + hash2[0] = 0x22; + + // Hash path array at key -3 + CBORObject hashPathArray = CBORObject.NewArray(); + hashPathArray.Add(CBORObject.FromObject(hash1)); + hashPathArray.Add(CBORObject.FromObject(hash2)); + + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 8L); // tree_size + inclusionProofMap.Add(-2, 3L); // leaf_index + inclusionProofMap.Add(-3, hashPathArray); // hash_path array + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); + + assertThat(receipt.inclusionProof().hashPath()).hasSize(2); + } + + @Test + @DisplayName("Should parse receipt with minimal required fields") + void shouldParseReceiptWithMinimalRequiredFields() throws ScittParseException { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Minimal map with just tree_size and leaf_index + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 10L); // tree_size + inclusionProofMap.Add(-2, 5L); // leaf_index + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); + + assertThat(receipt.inclusionProof().treeSize()).isEqualTo(10); + assertThat(receipt.inclusionProof().leafIndex()).isEqualTo(5); + assertThat(receipt.inclusionProof().hashPath()).isEmpty(); + } + + @Test + @DisplayName("Should skip non-32-byte entries in hash path") + void shouldSkipNon32ByteEntriesInHashPath() throws ScittParseException { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + // Hash path with mixed valid and invalid entries + CBORObject hashPathArray = CBORObject.NewArray(); + hashPathArray.Add(CBORObject.FromObject(new byte[32])); // valid 32-byte hash + hashPathArray.Add(CBORObject.FromObject(new byte[16])); // invalid 16-byte (skipped) + + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 4L); // tree_size + inclusionProofMap.Add(-2, 1L); // leaf_index + inclusionProofMap.Add(-3, hashPathArray); // hash_path with mixed sizes + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); + + // Only the valid 32-byte hash should be included + assertThat(receipt.inclusionProof().hashPath()).hasSize(1); + } + } + + @Nested + @DisplayName("toString() tests") + class ToStringTests { + + @Test + @DisplayName("Should include protectedHeader info") + void shouldIncludeProtectedHeaderInfo() { + ScittReceipt receipt = createBasicReceipt(); + String str = receipt.toString(); + + assertThat(str).contains("protectedHeader"); + } + + @Test + @DisplayName("Should include inclusionProof info") + void shouldIncludeInclusionProofInfo() { + ScittReceipt receipt = createBasicReceipt(); + String str = receipt.toString(); + + assertThat(str).contains("inclusionProof"); + } + + @Test + @DisplayName("Should include payload size") + void shouldIncludePayloadSize() { + ScittReceipt receipt = createBasicReceipt(); + String str = receipt.toString(); + + assertThat(str).contains("payloadSize"); + } + + @Test + @DisplayName("Should handle null payload in toString") + void shouldHandleNullPayloadInToString() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], List.of()); + ScittReceipt receipt = new ScittReceipt(header, new byte[10], proof, null, new byte[64]); + + String str = receipt.toString(); + assertThat(str).contains("payloadSize=0"); + } + } + + @Nested + @DisplayName("fromParsedCose() tests") + class FromParsedCoseTests { + + @Test + @DisplayName("Should reject null parsed input") + void shouldRejectNullParsedInput() { + assertThatThrownBy(() -> ScittReceipt.fromParsedCose(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("parsed cannot be null"); + } + } + + @Nested + @DisplayName("hashCode() tests") + class HashCodeTests { + + @Test + @DisplayName("Should have consistent hashCode") + void shouldHaveConsistentHashCode() { + ScittReceipt receipt = createBasicReceipt(); + int hash1 = receipt.hashCode(); + int hash2 = receipt.hashCode(); + + assertThat(hash1).isEqualTo(hash2); + } + + @Test + @DisplayName("Should have same hashCode for equal receipts") + void shouldHaveSameHashCodeForEqualReceipts() { + ScittReceipt receipt1 = createBasicReceipt(); + ScittReceipt receipt2 = createBasicReceipt(); + + assertThat(receipt1.hashCode()).isEqualTo(receipt2.hashCode()); + } + } + + // Helper methods + + private byte[] createValidReceiptWithRfc9162Proof() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(395, 1); // vds = RFC9162_SHA256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject unprotectedHeader = createValidUnprotectedHeader(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("test-payload".getBytes()); + array.Add(new byte[64]); // signature + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + /** + * Creates a valid unprotected header using MAP format at label 396. + * This matches the Go server format with negative integer keys: + * -1: tree_size, -2: leaf_index, -3: hash_path, -4: root_hash + */ + private CBORObject createValidUnprotectedHeader() { + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 1L); // tree_size + inclusionProofMap.Add(-2, 0L); // leaf_index + inclusionProofMap.Add(-3, CBORObject.NewArray()); // empty hash_path + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); // proofs label + + return unprotectedHeader; + } + + private ScittReceipt createBasicReceipt() { + CoseProtectedHeader header = new CoseProtectedHeader(-7, new byte[4], 1, null, null); + ScittReceipt.InclusionProof proof = new ScittReceipt.InclusionProof(1, 0, new byte[32], List.of()); + return new ScittReceipt(header, new byte[10], proof, "payload".getBytes(), new byte[64]); + } +} \ No newline at end of file diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java new file mode 100644 index 0000000..61276fd --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java @@ -0,0 +1,509 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import com.godaddy.ans.sdk.transparency.model.CertificateInfo; +import com.upokecenter.cbor.CBORObject; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.time.Duration; +import java.time.Instant; +import java.util.List; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +class StatusTokenTest { + + @Nested + @DisplayName("CwtClaims tests") + class CwtClaimsTests { + + @Test + @DisplayName("Should convert epoch seconds to Instant") + void shouldConvertEpochToInstant() { + CwtClaims claims = new CwtClaims( + "issuer", "subject", "audience", + 1700000000L, 1600000000L, 1650000000L); + + assertThat(claims.expirationTime()).isEqualTo(Instant.ofEpochSecond(1700000000L)); + assertThat(claims.notBeforeTime()).isEqualTo(Instant.ofEpochSecond(1600000000L)); + assertThat(claims.issuedAtTime()).isEqualTo(Instant.ofEpochSecond(1650000000L)); + } + + @Test + @DisplayName("Should return null for missing timestamps") + void shouldReturnNullForMissingTimestamps() { + CwtClaims claims = new CwtClaims("issuer", null, null, null, null, null); + + assertThat(claims.expirationTime()).isNull(); + assertThat(claims.notBeforeTime()).isNull(); + assertThat(claims.issuedAtTime()).isNull(); + } + + @Test + @DisplayName("Should check expiration correctly") + void shouldCheckExpirationCorrectly() { + long futureExp = Instant.now().plusSeconds(3600).getEpochSecond(); + long pastExp = Instant.now().minusSeconds(3600).getEpochSecond(); + + CwtClaims futureClaims = new CwtClaims(null, null, null, futureExp, null, null); + CwtClaims pastClaims = new CwtClaims(null, null, null, pastExp, null, null); + CwtClaims noClaims = new CwtClaims(null, null, null, null, null, null); + + assertThat(futureClaims.isExpired(Instant.now())).isFalse(); + assertThat(pastClaims.isExpired(Instant.now())).isTrue(); + assertThat(noClaims.isExpired(Instant.now())).isFalse(); + } + + @Test + @DisplayName("Should check expiration with clock skew") + void shouldCheckExpirationWithClockSkew() { + // Token that expired 30 seconds ago + long exp = Instant.now().minusSeconds(30).getEpochSecond(); + CwtClaims claims = new CwtClaims(null, null, null, exp, null, null); + + // Without clock skew, it's expired + assertThat(claims.isExpired(Instant.now(), 0)).isTrue(); + + // With 60 second clock skew, it's still valid + assertThat(claims.isExpired(Instant.now(), 60)).isFalse(); + } + + @Test + @DisplayName("Should check not-before correctly") + void shouldCheckNotBeforeCorrectly() { + long futureNbf = Instant.now().plusSeconds(3600).getEpochSecond(); + long pastNbf = Instant.now().minusSeconds(3600).getEpochSecond(); + + CwtClaims futureClaims = new CwtClaims(null, null, null, null, futureNbf, null); + CwtClaims pastClaims = new CwtClaims(null, null, null, null, pastNbf, null); + + assertThat(futureClaims.isNotYetValid(Instant.now())).isTrue(); + assertThat(pastClaims.isNotYetValid(Instant.now())).isFalse(); + } + + @Test + @DisplayName("Should check not-before with clock skew") + void shouldCheckNotBeforeWithClockSkew() { + // Token that becomes valid 30 seconds from now + long nbf = Instant.now().plusSeconds(30).getEpochSecond(); + CwtClaims claims = new CwtClaims(null, null, null, null, nbf, null); + + // Without clock skew, it's not yet valid + assertThat(claims.isNotYetValid(Instant.now(), 0)).isTrue(); + + // With 60 second clock skew, it's valid + assertThat(claims.isNotYetValid(Instant.now(), 60)).isFalse(); + } + } + + @Nested + @DisplayName("StatusToken expiry tests") + class StatusTokenExpiryTests { + + @Test + @DisplayName("Should check token expiration") + void shouldCheckTokenExpiration() { + Instant past = Instant.now().minusSeconds(3600); + Instant future = Instant.now().plusSeconds(3600); + + StatusToken expiredToken = createToken("id", StatusToken.Status.ACTIVE, past, past); + StatusToken validToken = createToken("id", StatusToken.Status.ACTIVE, past, future); + + assertThat(expiredToken.isExpired()).isTrue(); + assertThat(validToken.isExpired()).isFalse(); + } + + @Test + @DisplayName("Should respect clock skew tolerance") + void shouldRespectClockSkewTolerance() { + // Token expired 30 seconds ago + Instant past = Instant.now().minusSeconds(3600); + Instant recentExpiry = Instant.now().minusSeconds(30); + + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, past, recentExpiry); + + // With default 60s clock skew, should not be expired + assertThat(token.isExpired(Duration.ofSeconds(60))).isFalse(); + + // With 0 clock skew, should be expired + assertThat(token.isExpired(Duration.ZERO)).isTrue(); + } + + @Test + @DisplayName("Should treat null expiry as expired (defensive)") + void shouldTreatNullExpiryAsExpired() { + // Direct construction with null expiry is treated as expired (defensive check) + // Normal parsing would reject such tokens + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, Instant.now(), null); + assertThat(token.isExpired()).isTrue(); + } + } + + @Nested + @DisplayName("StatusToken refresh interval tests") + class RefreshIntervalTests { + + @Test + @DisplayName("Should compute refresh interval as half of lifetime") + void shouldComputeRefreshIntervalAsHalfLifetime() { + Instant issuedAt = Instant.now(); + Instant expiresAt = issuedAt.plusSeconds(7200); // 2 hours + + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, issuedAt, expiresAt); + + Duration interval = token.computeRefreshInterval(); + assertThat(interval).isEqualTo(Duration.ofSeconds(3600)); // 1 hour + } + + @Test + @DisplayName("Should return minimum 1 minute interval") + void shouldReturnMinimumInterval() { + Instant issuedAt = Instant.now(); + Instant expiresAt = issuedAt.plusSeconds(30); // 30 seconds + + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, issuedAt, expiresAt); + + Duration interval = token.computeRefreshInterval(); + assertThat(interval).isEqualTo(Duration.ofMinutes(1)); + } + + @Test + @DisplayName("Should return maximum 1 hour interval") + void shouldReturnMaximumInterval() { + Instant issuedAt = Instant.now(); + Instant expiresAt = issuedAt.plusSeconds(86400); // 24 hours + + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, issuedAt, expiresAt); + + Duration interval = token.computeRefreshInterval(); + assertThat(interval).isEqualTo(Duration.ofHours(1)); + } + + @Test + @DisplayName("Should return default for missing timestamps") + void shouldReturnDefaultForMissingTimestamps() { + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, null, null); + + Duration interval = token.computeRefreshInterval(); + assertThat(interval).isEqualTo(Duration.ofMinutes(5)); + } + } + + @Nested + @DisplayName("StatusToken status tests") + class StatusTests { + + @Test + @DisplayName("Should parse all status values") + void shouldParseAllStatusValues() { + assertThat(StatusToken.Status.valueOf("ACTIVE")).isEqualTo(StatusToken.Status.ACTIVE); + assertThat(StatusToken.Status.valueOf("WARNING")).isEqualTo(StatusToken.Status.WARNING); + assertThat(StatusToken.Status.valueOf("DEPRECATED")).isEqualTo(StatusToken.Status.DEPRECATED); + assertThat(StatusToken.Status.valueOf("EXPIRED")).isEqualTo(StatusToken.Status.EXPIRED); + assertThat(StatusToken.Status.valueOf("REVOKED")).isEqualTo(StatusToken.Status.REVOKED); + assertThat(StatusToken.Status.valueOf("UNKNOWN")).isEqualTo(StatusToken.Status.UNKNOWN); + } + } + + @Nested + @DisplayName("StatusToken parsing tests") + class ParsingTests { + + @Test + @DisplayName("Should reject null input") + void shouldRejectNullInput() { + assertThatThrownBy(() -> StatusToken.parse(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("coseBytes cannot be null"); + } + + @Test + @DisplayName("Should reject empty payload") + void shouldRejectEmptyPayload() throws Exception { + byte[] coseBytes = createCoseSign1WithPayload(new byte[0]); + + assertThatThrownBy(() -> StatusToken.parse(coseBytes)) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("payload cannot be empty"); + } + + @Test + @DisplayName("Should reject non-map payload") + void shouldRejectNonMapPayload() throws Exception { + CBORObject array = CBORObject.NewArray(); + array.Add("test"); + byte[] coseBytes = createCoseSign1WithPayload(array.EncodeToBytes()); + + assertThatThrownBy(() -> StatusToken.parse(coseBytes)) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("must be a CBOR map"); + } + + @Test + @DisplayName("Should reject missing agent_id") + void shouldRejectMissingAgentId() throws Exception { + CBORObject payload = CBORObject.NewMap(); + payload.Add(2, "ACTIVE"); // status only, no agent_id + byte[] coseBytes = createCoseSign1WithPayload(payload.EncodeToBytes()); + + assertThatThrownBy(() -> StatusToken.parse(coseBytes)) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Missing required field"); + } + + @Test + @DisplayName("Should reject missing status") + void shouldRejectMissingStatus() throws Exception { + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id only, no status + byte[] coseBytes = createCoseSign1WithPayload(payload.EncodeToBytes()); + + assertThatThrownBy(() -> StatusToken.parse(coseBytes)) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Missing required field"); + } + + @Test + @DisplayName("Should reject missing expiration") + void shouldRejectMissingExpiration() throws Exception { + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id + payload.Add(2, "ACTIVE"); // status - no exp + byte[] coseBytes = createCoseSign1WithPayload(payload.EncodeToBytes()); + + assertThatThrownBy(() -> StatusToken.parse(coseBytes)) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("missing required expiration time"); + } + + @Test + @DisplayName("Should parse minimal valid token") + void shouldParseMinimalValidToken() throws Exception { + long future = Instant.now().plusSeconds(3600).getEpochSecond(); + + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id + payload.Add(2, "ACTIVE"); // status + payload.Add(4, future); // exp (required) + byte[] coseBytes = createCoseSign1WithPayload(payload.EncodeToBytes()); + + StatusToken token = StatusToken.parse(coseBytes); + + assertThat(token.agentId()).isEqualTo("test-agent"); + assertThat(token.status()).isEqualTo(StatusToken.Status.ACTIVE); + assertThat(token.expiresAt()).isNotNull(); + } + + @Test + @DisplayName("Should parse token with all fields") + void shouldParseTokenWithAllFields() throws Exception { + long now = Instant.now().getEpochSecond(); + long future = now + 3600; + + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id + payload.Add(2, "WARNING"); // status + payload.Add(3, now); // iat + payload.Add(4, future); // exp + payload.Add(5, "test.agent.ans"); // ans_name + + // Add server certs (key 7) + CBORObject serverCerts = CBORObject.NewArray(); + CBORObject cert = CBORObject.NewMap(); + cert.Add(1, "abc123"); // fingerprint + cert.Add(2, "LEAF"); // type + serverCerts.Add(cert); + payload.Add(7, serverCerts); + + // Add identity certs (key 6) as simple strings + CBORObject identityCerts = CBORObject.NewArray(); + identityCerts.Add("def456"); + payload.Add(6, identityCerts); + + // Add metadata hashes (key 8) + CBORObject metadataHashes = CBORObject.NewMap(); + metadataHashes.Add("a2a", "SHA256:hash1"); + metadataHashes.Add("mcp", "SHA256:hash2"); + payload.Add(8, metadataHashes); + + byte[] coseBytes = createCoseSign1WithPayload(payload.EncodeToBytes()); + + StatusToken token = StatusToken.parse(coseBytes); + + assertThat(token.agentId()).isEqualTo("test-agent"); + assertThat(token.status()).isEqualTo(StatusToken.Status.WARNING); + assertThat(token.ansName()).isEqualTo("test.agent.ans"); + assertThat(token.issuedAt()).isEqualTo(Instant.ofEpochSecond(now)); + assertThat(token.expiresAt()).isEqualTo(Instant.ofEpochSecond(future)); + assertThat(token.validServerCerts()).hasSize(1); + assertThat(token.validIdentityCerts()).hasSize(1); + assertThat(token.metadataHashes()).hasSize(2); + } + + @Test + @DisplayName("Should parse unknown status as UNKNOWN") + void shouldParseUnknownStatusAsUnknown() throws Exception { + long future = Instant.now().plusSeconds(3600).getEpochSecond(); + + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); // agent_id + payload.Add(2, "BOGUS_STATUS"); // status + payload.Add(4, future); // exp (required) + byte[] coseBytes = createCoseSign1WithPayload(payload.EncodeToBytes()); + + StatusToken token = StatusToken.parse(coseBytes); + + assertThat(token.status()).isEqualTo(StatusToken.Status.UNKNOWN); + } + + private byte[] createCoseSign1WithPayload(byte[] payload) { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(payload); + array.Add(new byte[64]); // signature + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + } + + @Nested + @DisplayName("Certificate fingerprint accessor tests") + class FingerprintAccessorTests { + + @Test + @DisplayName("Should return server cert fingerprints") + void shouldReturnServerCertFingerprints() { + CertificateInfo cert1 = new CertificateInfo(); + cert1.setFingerprint("fp1"); + CertificateInfo cert2 = new CertificateInfo(); + cert2.setFingerprint("fp2"); + + StatusToken token = new StatusToken( + "id", StatusToken.Status.ACTIVE, null, null, + null, null, List.of(), List.of(cert1, cert2), + Map.of(), null, null, null, null + ); + + assertThat(token.serverCertFingerprints()).containsExactly("fp1", "fp2"); + } + + @Test + @DisplayName("Should return identity cert fingerprints") + void shouldReturnIdentityCertFingerprints() { + CertificateInfo cert1 = new CertificateInfo(); + cert1.setFingerprint("id1"); + CertificateInfo cert2 = new CertificateInfo(); + cert2.setFingerprint("id2"); + + StatusToken token = new StatusToken( + "id", StatusToken.Status.ACTIVE, null, null, + null, null, List.of(cert1, cert2), List.of(), + Map.of(), null, null, null, null + ); + + assertThat(token.identityCertFingerprints()).containsExactly("id1", "id2"); + } + + @Test + @DisplayName("Should filter null fingerprints") + void shouldFilterNullFingerprints() { + CertificateInfo cert1 = new CertificateInfo(); + cert1.setFingerprint("fp1"); + CertificateInfo cert2 = new CertificateInfo(); + // No fingerprint set + + StatusToken token = new StatusToken( + "id", StatusToken.Status.ACTIVE, null, null, + null, null, List.of(), List.of(cert1, cert2), + Map.of(), null, null, null, null + ); + + assertThat(token.serverCertFingerprints()).containsExactly("fp1"); + } + } + + @Nested + @DisplayName("Equals and hashCode tests") + class EqualsHashCodeTests { + + @Test + @DisplayName("Should be equal to itself") + void shouldBeEqualToItself() { + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, Instant.now(), + Instant.now().plusSeconds(3600)); + assertThat(token).isEqualTo(token); + } + + @Test + @DisplayName("Should be equal for same values") + void shouldBeEqualForSameValues() { + Instant now = Instant.now(); + Instant later = now.plusSeconds(3600); + + StatusToken token1 = createToken("id", StatusToken.Status.ACTIVE, now, later); + StatusToken token2 = createToken("id", StatusToken.Status.ACTIVE, now, later); + + assertThat(token1).isEqualTo(token2); + assertThat(token1.hashCode()).isEqualTo(token2.hashCode()); + } + + @Test + @DisplayName("Should not be equal for different agent IDs") + void shouldNotBeEqualForDifferentIds() { + Instant now = Instant.now(); + Instant later = now.plusSeconds(3600); + + StatusToken token1 = createToken("id1", StatusToken.Status.ACTIVE, now, later); + StatusToken token2 = createToken("id2", StatusToken.Status.ACTIVE, now, later); + + assertThat(token1).isNotEqualTo(token2); + } + + @Test + @DisplayName("Should not be equal to null") + void shouldNotBeEqualToNull() { + StatusToken token = createToken("id", StatusToken.Status.ACTIVE, Instant.now(), + Instant.now().plusSeconds(3600)); + assertThat(token).isNotEqualTo(null); + } + + @Test + @DisplayName("Should have meaningful toString") + void shouldHaveMeaningfulToString() { + StatusToken token = createToken("test-id", StatusToken.Status.ACTIVE, Instant.now(), + Instant.now().plusSeconds(3600)); + String str = token.toString(); + + assertThat(str).contains("test-id"); + assertThat(str).contains("ACTIVE"); + } + } + + private StatusToken createToken(String agentId, StatusToken.Status status, + Instant issuedAt, Instant expiresAt) { + return new StatusToken( + agentId, + status, + issuedAt, + expiresAt, + "ans://test", + "agent.example.com", + List.of(), + List.of(), + Map.of(), + null, + null, + null, + null + ); + } +} diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistryTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistryTest.java new file mode 100644 index 0000000..9f6c52d --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistryTest.java @@ -0,0 +1,163 @@ +package com.godaddy.ans.sdk.transparency.scitt; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.util.Set; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +/** + * Tests for TrustedDomainRegistry. + * + *

Note: The trusted domains are captured once at class initialization + * and cannot be changed afterward. Tests that need custom domains must be run + * in a separate JVM with the system property set before class loading.

+ */ +class TrustedDomainRegistryTest { + + @Nested + @DisplayName("isTrustedDomain() with defaults") + class DefaultDomainTests { + + @Test + @DisplayName("Should accept production domain") + void shouldAcceptProductionDomain() { + assertThat(TrustedDomainRegistry.isTrustedDomain("transparency.ans.godaddy.com")).isTrue(); + } + + @Test + @DisplayName("Should accept OTE domain") + void shouldAcceptOteDomain() { + assertThat(TrustedDomainRegistry.isTrustedDomain("transparency.ans.ote-godaddy.com")).isTrue(); + } + + @Test + @DisplayName("Should be case insensitive") + void shouldBeCaseInsensitive() { + assertThat(TrustedDomainRegistry.isTrustedDomain("TRANSPARENCY.ANS.GODADDY.COM")).isTrue(); + assertThat(TrustedDomainRegistry.isTrustedDomain("Transparency.Ans.Godaddy.Com")).isTrue(); + } + + @Test + @DisplayName("Should reject unknown domains") + void shouldRejectUnknownDomains() { + assertThat(TrustedDomainRegistry.isTrustedDomain("unknown.example.com")).isFalse(); + assertThat(TrustedDomainRegistry.isTrustedDomain("transparency.ans.evil.com")).isFalse(); + } + + @Test + @DisplayName("Should reject null") + void shouldRejectNull() { + assertThat(TrustedDomainRegistry.isTrustedDomain(null)).isFalse(); + } + + @Test + @DisplayName("Should reject empty string") + void shouldRejectEmptyString() { + assertThat(TrustedDomainRegistry.isTrustedDomain("")).isFalse(); + } + } + + @Nested + @DisplayName("Immutability guarantees") + class ImmutabilityTests { + + @Test + @DisplayName("getTrustedDomains() should return same instance on repeated calls") + void shouldReturnSameInstance() { + Set first = TrustedDomainRegistry.getTrustedDomains(); + Set second = TrustedDomainRegistry.getTrustedDomains(); + + // Same reference - not just equal, but identical + assertThat(first).isSameAs(second); + } + + @Test + @DisplayName("Returned set should be unmodifiable") + void returnedSetShouldBeUnmodifiable() { + Set domains = TrustedDomainRegistry.getTrustedDomains(); + + assertThatThrownBy(() -> domains.add("malicious.com")) + .isInstanceOf(UnsupportedOperationException.class); + } + + @Test + @DisplayName("Runtime system property changes should NOT affect trusted domains") + void runtimePropertyChangesShouldNotAffect() { + // Capture current state + Set before = TrustedDomainRegistry.getTrustedDomains(); + boolean productionWasTrusted = TrustedDomainRegistry.isTrustedDomain("transparency.ans.godaddy.com"); + + // Attempt to add a malicious domain via system property + String originalValue = System.getProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY); + try { + System.setProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY, "malicious.attacker.com"); + + // Verify the change had NO effect (security guarantee) + Set after = TrustedDomainRegistry.getTrustedDomains(); + assertThat(after).isSameAs(before); + assertThat(TrustedDomainRegistry.isTrustedDomain("malicious.attacker.com")).isFalse(); + assertThat(TrustedDomainRegistry.isTrustedDomain("transparency.ans.godaddy.com")) + .isEqualTo(productionWasTrusted); + } finally { + // Restore original state + if (originalValue == null) { + System.clearProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY); + } else { + System.setProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY, originalValue); + } + } + } + + @Test + @DisplayName("Clearing system property at runtime should NOT affect trusted domains") + void clearingPropertyShouldNotAffect() { + // Capture current state + Set before = TrustedDomainRegistry.getTrustedDomains(); + + // Attempt to clear the property + String originalValue = System.getProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY); + try { + System.clearProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY); + + // Verify the change had NO effect + Set after = TrustedDomainRegistry.getTrustedDomains(); + assertThat(after).isSameAs(before); + } finally { + // Restore original state + if (originalValue != null) { + System.setProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY, originalValue); + } + } + } + } + + @Nested + @DisplayName("Default domain set constants") + class DefaultSetTests { + + @Test + @DisplayName("DEFAULT_TRUSTED_DOMAINS should be immutable") + void defaultDomainsShouldBeImmutable() { + assertThat(TrustedDomainRegistry.DEFAULT_TRUSTED_DOMAINS).isUnmodifiable(); + } + + @Test + @DisplayName("Should contain expected default domains") + void shouldContainExpectedDefaultDomains() { + assertThat(TrustedDomainRegistry.DEFAULT_TRUSTED_DOMAINS) + .hasSize(2) + .contains("transparency.ans.godaddy.com", "transparency.ans.ote-godaddy.com"); + } + + @Test + @DisplayName("DEFAULT_TRUSTED_DOMAINS constant should not be modifiable") + void defaultConstantShouldNotBeModifiable() { + assertThatThrownBy(() -> TrustedDomainRegistry.DEFAULT_TRUSTED_DOMAINS.add("attack.com")) + .isInstanceOf(UnsupportedOperationException.class); + } + } +} From afabcf0991d546484c60042a053649466930e77f Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 12:52:58 +1100 Subject: [PATCH 03/19] feat: enhance TransparencyClient and service with SCITT integration - TransparencyClient: Add SCITT root key fetching, domain configuration, and artifact retrieval methods - TransparencyService: Major enhancements for SCITT artifact management, status token validation, and receipt verification - CachingBadgeVerificationService: Refactor to use new SCITT infrastructure with improved caching and refresh logic Co-Authored-By: Claude Opus 4.5 --- .../sdk/transparency/TransparencyClient.java | 171 ++- .../sdk/transparency/TransparencyService.java | 506 +++++++- .../CachingBadgeVerificationService.java | 189 ++- .../transparency/TransparencyClientTest.java | 292 +++++ .../transparency/TransparencyServiceTest.java | 1095 +++++++++++++++++ .../CachingBadgeVerificationServiceTest.java | 148 +-- 6 files changed, 2134 insertions(+), 267 deletions(-) create mode 100644 ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java index 1007dad..c703c0c 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java @@ -7,8 +7,13 @@ import com.godaddy.ans.sdk.transparency.model.CheckpointResponse; import com.godaddy.ans.sdk.transparency.model.TransparencyLog; import com.godaddy.ans.sdk.transparency.model.TransparencyLogAudit; +import com.godaddy.ans.sdk.transparency.scitt.RefreshDecision; +import com.godaddy.ans.sdk.transparency.scitt.TrustedDomainRegistry; +import java.net.URI; +import java.security.PublicKey; import java.time.Duration; +import java.time.Instant; import java.util.Map; import java.util.concurrent.CompletableFuture; @@ -46,15 +51,23 @@ public final class TransparencyClient { */ public static final String DEFAULT_BASE_URL = "https://transparency.ans.ote-godaddy.com"; + /** + * Default cache TTL for the root public key (24 hours). + * + *

Root keys rarely change, so a long TTL is appropriate.

+ */ + public static final Duration DEFAULT_ROOT_KEY_CACHE_TTL = Duration.ofHours(24); + private static final Duration DEFAULT_CONNECT_TIMEOUT = Duration.ofSeconds(10); private static final Duration DEFAULT_READ_TIMEOUT = Duration.ofSeconds(30); private final String baseUrl; private final TransparencyService service; - private TransparencyClient(String baseUrl, Duration connectTimeout, Duration readTimeout) { + private TransparencyClient(String baseUrl, Duration connectTimeout, Duration readTimeout, + Duration rootKeyCacheTtl) { this.baseUrl = baseUrl; - this.service = new TransparencyService(baseUrl, connectTimeout, readTimeout); + this.service = new TransparencyService(baseUrl, connectTimeout, readTimeout, rootKeyCacheTtl); } /** @@ -161,6 +174,81 @@ public Map getLogSchema(String version) { return service.getLogSchema(version); } + // ==================== SCITT Operations (Sync) ==================== + + /** + * Retrieves the SCITT receipt for an agent. + * + *

The receipt is a COSE_Sign1 structure containing a Merkle inclusion + * proof that the agent's registration was recorded in the transparency log.

+ * + * @param agentId the agent's unique identifier + * @return the raw receipt bytes (COSE_Sign1) + * @throws com.godaddy.ans.sdk.exception.AnsNotFoundException if the agent is not found + */ + public byte[] getReceipt(String agentId) { + return service.getReceipt(agentId); + } + + /** + * Retrieves the status token for an agent. + * + *

The status token is a COSE_Sign1 structure containing a time-bounded + * assertion of the agent's current status and valid certificate fingerprints.

+ * + * @param agentId the agent's unique identifier + * @return the raw status token bytes (COSE_Sign1) + * @throws com.godaddy.ans.sdk.exception.AnsNotFoundException if the agent is not found + */ + public byte[] getStatusToken(String agentId) { + return service.getStatusToken(agentId); + } + + /** + * Invalidates the cached root public keys. + * + *

Call this method to force the next {@link #getRootKeysAsync()} call to + * fetch fresh keys from the server. This is useful when you know the + * root keys have been rotated.

+ */ + public void invalidateRootKeyCache() { + service.invalidateRootKeyCache(); + } + + /** + * Returns the timestamp when the root key cache was last populated. + * + *

This can be used to determine if an artifact was issued after the cache + * was refreshed, which may indicate the artifact was signed with a new key + * that we don't have yet.

+ * + * @return the cache population timestamp, or {@link Instant#EPOCH} if never populated + */ + public Instant getCachePopulatedAt() { + return service.getCachePopulatedAt(); + } + + /** + * Attempts to refresh the root key cache if the artifact's issued-at timestamp + * indicates it may have been signed with a new key not yet in our cache. + * + *

This method performs security checks to prevent cache thrashing attacks:

+ *
    + *
  • Rejects artifacts claiming to be from the future (beyond 60s clock skew)
    • + *
  • Rejects artifacts older than our cache (key should already be present)
    • + *
  • Enforces a 30-second global cooldown between refresh attempts
    • + *
+ * + *

Use this method when a key lookup fails during SCITT verification to + * potentially recover from a key rotation scenario.

+ * + * @param artifactIssuedAt the issued-at timestamp from the SCITT artifact + * @return the refresh decision indicating whether to retry verification + */ + public RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { + return service.refreshRootKeysIfNeeded(artifactIssuedAt); + } + // ==================== Async Operations ==================== /** @@ -206,6 +294,50 @@ public CompletableFuture getCheckpointHistoryAsync( return CompletableFuture.supplyAsync(() -> getCheckpointHistory(params), AnsExecutors.sharedIoExecutor()); } + /** + * Retrieves the SCITT receipt for an agent asynchronously. + * + *

This method uses non-blocking I/O and does not occupy a thread pool + * thread during the HTTP request. Use this instead of the sync variant + * for high-concurrency scenarios.

+ * + * @param agentId the agent's unique identifier + * @return a CompletableFuture with the raw receipt bytes + */ + public CompletableFuture getReceiptAsync(String agentId) { + return service.getReceiptAsync(agentId); + } + + /** + * Retrieves the status token for an agent asynchronously. + * + *

This method uses non-blocking I/O and does not occupy a thread pool + * thread during the HTTP request. Use this instead of the sync variant + * for high-concurrency scenarios.

+ * + * @param agentId the agent's unique identifier + * @return a CompletableFuture with the raw status token bytes + */ + public CompletableFuture getStatusTokenAsync(String agentId) { + return service.getStatusTokenAsync(agentId); + } + + /** + * Retrieves the SCITT root public keys asynchronously. + * + *

This method uses non-blocking I/O and does not occupy a thread pool + * thread during the HTTP request. The keys are cached with a configurable + * TTL (default: 24 hours) to avoid redundant network calls.

+ * + *

The returned map is keyed by hex key ID (4-byte SHA-256 of SPKI-DER), + * enabling O(1) lookup by key ID from COSE headers.

+ * + * @return a CompletableFuture with the root public keys (keyed by hex key ID) + */ + public CompletableFuture> getRootKeysAsync() { + return service.getRootKeysAsync(); + } + // ==================== Accessors ==================== /** @@ -225,6 +357,7 @@ public static final class Builder { private String baseUrl = DEFAULT_BASE_URL; private Duration connectTimeout = DEFAULT_CONNECT_TIMEOUT; private Duration readTimeout = DEFAULT_READ_TIMEOUT; + private Duration rootKeyCacheTtl = DEFAULT_ROOT_KEY_CACHE_TTL; private Builder() { } @@ -232,7 +365,12 @@ private Builder() { /** * Sets the base URL for the transparency log API. * - * @param baseUrl the base URL (default: https://transparency.ans.godaddy.com) + *

Security note: Only URLs pointing to trusted SCITT domains + * (defined in {@link TrustedDomainRegistry}) are accepted. This prevents + * root key substitution attacks where a malicious transparency log could + * provide a forged root key.

+ * + * @param baseUrl the base URL (default: https://transparency.ans.ote-godaddy.com) * @return this builder */ public Builder baseUrl(String baseUrl) { @@ -262,13 +400,38 @@ public Builder readTimeout(Duration timeout) { return this; } + /** + * Sets the cache TTL for the root public key. + * + *

The root key is cached to avoid redundant network calls during + * verification. Since root keys rarely change, a long TTL is appropriate.

+ * + * @param ttl the cache TTL (default: 24 hours) + * @return this builder + */ + public Builder rootKeyCacheTtl(Duration ttl) { + this.rootKeyCacheTtl = ttl; + return this; + } + /** * Builds the TransparencyClient. * * @return a new TransparencyClient instance + * @throws SecurityException if the configured baseUrl is not a trusted SCITT domain */ public TransparencyClient build() { - return new TransparencyClient(baseUrl, connectTimeout, readTimeout); + validateTrustedDomain(); + return new TransparencyClient(baseUrl, connectTimeout, readTimeout, rootKeyCacheTtl); + } + + private void validateTrustedDomain() { + String host = URI.create(baseUrl).getHost(); + if (!TrustedDomainRegistry.isTrustedDomain(host)) { + throw new SecurityException( + "Untrusted transparency log domain: " + host + ". " + + "Trusted domains: " + TrustedDomainRegistry.getTrustedDomains()); + } } } } \ No newline at end of file diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java index 33091ad..74bf1f6 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java @@ -3,6 +3,8 @@ import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; +import com.github.benmanes.caffeine.cache.AsyncLoadingCache; +import com.github.benmanes.caffeine.cache.Caffeine; import com.godaddy.ans.sdk.exception.AnsNotFoundException; import com.godaddy.ans.sdk.exception.AnsServerException; import com.godaddy.ans.sdk.transparency.model.AgentAuditParams; @@ -13,6 +15,14 @@ import com.godaddy.ans.sdk.transparency.model.TransparencyLogAudit; import com.godaddy.ans.sdk.transparency.model.TransparencyLogV0; import com.godaddy.ans.sdk.transparency.model.TransparencyLogV1; +import com.godaddy.ans.sdk.transparency.scitt.RefreshDecision; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.godaddy.ans.sdk.crypto.CryptoCache; + +import org.bouncycastle.util.encoders.Hex; import java.io.IOException; import java.net.URI; @@ -21,34 +31,96 @@ import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.nio.charset.StandardCharsets; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.spec.X509EncodedKeySpec; import java.time.Duration; +import java.time.Instant; import java.time.format.DateTimeFormatter; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.StringJoiner; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.atomic.AtomicReference; /** * Internal service for handling transparency log API calls. */ class TransparencyService { + private static final Logger LOGGER = LoggerFactory.getLogger(TransparencyService.class); private static final String SCHEMA_VERSION_HEADER = "X-Schema-Version"; + private static final String ROOT_KEY_CACHE_KEY = "root"; + + /** + * Maximum number of root keys to cache. Prevents DoS from unbounded key sets. + */ + private static final int MAX_ROOT_KEYS = 20; + + /** + * Global cooldown between cache refresh attempts to prevent cache thrashing. + */ + private static final Duration REFRESH_COOLDOWN = Duration.ofSeconds(30); + + /** + * Maximum tolerance for artifact timestamps in the future (clock skew). + */ + private static final Duration FUTURE_TOLERANCE = Duration.ofSeconds(60); + + /** + * Tolerance for artifacts issued slightly before cache refresh (race conditions). + */ + private static final Duration PAST_TOLERANCE = Duration.ofMinutes(5); + + /** + * Cached KeyFactory instance. Thread-safe after initialization. + */ + private static final KeyFactory EC_KEY_FACTORY; + + static { + try { + EC_KEY_FACTORY = KeyFactory.getInstance("EC"); + } catch (NoSuchAlgorithmException e) { + throw new IllegalStateException("EC algorithm not available", e); + } + } + private final String baseUrl; private final HttpClient httpClient; private final ObjectMapper objectMapper; private final Duration readTimeout; - TransparencyService(String baseUrl, Duration connectTimeout, Duration readTimeout) { + // Root keys cache with automatic TTL and stampede prevention (keyed by hex key ID) + private final AsyncLoadingCache> rootKeyCache; + + // Timestamp when cache was last populated (for refresh-on-miss logic) + private final AtomicReference cachePopulatedAt = new AtomicReference<>(Instant.EPOCH); + + // Timestamp of last refresh attempt (for cooldown enforcement) + private final AtomicReference lastRefreshAttempt = new AtomicReference<>(Instant.EPOCH); + + TransparencyService(String baseUrl, Duration connectTimeout, Duration readTimeout, Duration rootKeyCacheTtl) { this.baseUrl = baseUrl; this.readTimeout = readTimeout; this.httpClient = HttpClient.newBuilder() .connectTimeout(connectTimeout) - .followRedirects(HttpClient.Redirect.NORMAL) - .version(HttpClient.Version.HTTP_1_1) + .followRedirects(HttpClient.Redirect.NEVER) .build(); this.objectMapper = new ObjectMapper(); this.objectMapper.registerModule(new JavaTimeModule()); this.objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + + // Build root keys cache with TTL - stampede prevention is automatic + this.rootKeyCache = Caffeine.newBuilder() + .maximumSize(1) + .expireAfterWrite(rootKeyCacheTtl) + .buildAsync((key, executor) -> fetchRootKeysFromServerAsync()); } /** @@ -138,6 +210,325 @@ Map getLogSchema(String version) { } } + /** + * Gets the SCITT receipt for an agent. + * + * @param agentId the agent's unique identifier + * @return the raw receipt bytes (COSE_Sign1) + */ + byte[] getReceipt(String agentId) { + String path = "/v1/agents/" + URLEncoder.encode(agentId, StandardCharsets.UTF_8) + "/receipt"; + return fetchBinaryResponse(path, "application/scitt-receipt+cose"); + } + + /** + * Gets the status token for an agent. + * + * @param agentId the agent's unique identifier + * @return the raw status token bytes (COSE_Sign1) + */ + byte[] getStatusToken(String agentId) { + String path = "/v1/agents/" + URLEncoder.encode(agentId, StandardCharsets.UTF_8) + "/status-token"; + return fetchBinaryResponse(path, "application/ans-status-token+cbor"); + } + + /** + * Gets the SCITT receipt for an agent asynchronously using non-blocking I/O. + * + * @param agentId the agent's unique identifier + * @return a CompletableFuture with the raw receipt bytes (COSE_Sign1) + */ + CompletableFuture getReceiptAsync(String agentId) { + String path = "/v1/agents/" + URLEncoder.encode(agentId, StandardCharsets.UTF_8) + "/receipt"; + return fetchBinaryResponseAsync(path, "application/scitt-receipt+cose"); + } + + /** + * Gets the status token for an agent asynchronously using non-blocking I/O. + * + * @param agentId the agent's unique identifier + * @return a CompletableFuture with the raw status token bytes (COSE_Sign1) + */ + CompletableFuture getStatusTokenAsync(String agentId) { + String path = "/v1/agents/" + URLEncoder.encode(agentId, StandardCharsets.UTF_8) + "/status-token"; + return fetchBinaryResponseAsync(path, "application/ans-status-token+cbor"); + } + + /** + * Returns the SCITT root public keys asynchronously, using cached values if available. + * + *

The root keys are cached with a configurable TTL to avoid redundant + * network calls on every verification request. Concurrent callers share + * a single in-flight fetch to prevent cache stampedes.

+ * + *

The returned map is keyed by hex key ID (4-byte SHA-256 of SPKI-DER), + * enabling O(1) lookup by key ID from COSE headers.

+ * + * @return a CompletableFuture with the root public keys for verifying receipts and status tokens + */ + CompletableFuture> getRootKeysAsync() { + return rootKeyCache.get(ROOT_KEY_CACHE_KEY); + } + + /** + * Invalidates the cached root key, forcing the next call to fetch from the server. + */ + void invalidateRootKeyCache() { + rootKeyCache.synchronous().invalidate(ROOT_KEY_CACHE_KEY); + LOGGER.debug("Root key cache invalidated"); + } + + /** + * Returns the timestamp when the root key cache was last populated. + * + * @return the cache population timestamp, or {@link Instant#EPOCH} if never populated + */ + Instant getCachePopulatedAt() { + return cachePopulatedAt.get(); + } + + /** + * Attempts to refresh the root key cache if the artifact's issued-at timestamp + * indicates it may have been signed with a new key not yet in our cache. + * + *

Security checks performed:

+ *
    + *
  1. Reject artifacts claiming to be from the future (beyond clock skew tolerance)
    2. + *
  2. Reject artifacts older than our cache (key should already be present)
    3. + *
  3. Enforce global cooldown to prevent cache thrashing attacks
    4. + *
+ * + * @param artifactIssuedAt the issued-at timestamp from the SCITT artifact + * @return the refresh decision with action, reason, and optionally refreshed keys + */ + RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { + Instant now = Instant.now(); + Instant cacheTime = cachePopulatedAt.get(); + + // Check 1: Reject artifacts from the future (beyond clock skew tolerance) + if (artifactIssuedAt.isAfter(now.plus(FUTURE_TOLERANCE))) { + LOGGER.warn("Artifact timestamp {} is in the future (now={}), rejecting", + artifactIssuedAt, now); + return RefreshDecision.reject("Artifact timestamp is in the future"); + } + + // Check 2: Reject artifacts older than cache (with past tolerance for race conditions) + // If artifact was issued before we refreshed cache, the key SHOULD be there + if (artifactIssuedAt.isBefore(cacheTime.minus(PAST_TOLERANCE))) { + LOGGER.debug("Artifact issued at {} predates cache refresh at {} (with {}min tolerance), " + + "key should be present - rejecting refresh", + artifactIssuedAt, cacheTime, PAST_TOLERANCE.toMinutes()); + return RefreshDecision.reject( + "Key not found and artifact predates cache refresh"); + } + + // Check 3: Enforce global cooldown to prevent cache thrashing + Instant lastAttempt = lastRefreshAttempt.get(); + if (lastAttempt.plus(REFRESH_COOLDOWN).isAfter(now)) { + Duration remaining = Duration.between(now, lastAttempt.plus(REFRESH_COOLDOWN)); + LOGGER.debug("Cache refresh on cooldown, {} remaining", remaining); + return RefreshDecision.defer( + "Cache was recently refreshed, retry in " + remaining.toSeconds() + "s"); + } + + // All checks passed - attempt refresh + LOGGER.info("Artifact issued at {} is newer than cache at {}, refreshing root keys", + artifactIssuedAt, cacheTime); + + // Update cooldown timestamp before fetch to prevent concurrent refresh attempts + lastRefreshAttempt.set(now); + + try { + // Invalidate and fetch fresh keys + invalidateRootKeyCache(); + Map freshKeys = getRootKeysAsync().join(); + LOGGER.info("Cache refresh complete, now have {} keys", freshKeys.size()); + return RefreshDecision.refreshed(freshKeys); + } catch (Exception e) { + LOGGER.error("Failed to refresh root keys: {}", e.getMessage()); + return RefreshDecision.defer("Failed to refresh: " + e.getMessage()); + } + } + + /** + * Fetches the SCITT root public keys from the /root-keys endpoint asynchronously. + */ + private CompletableFuture> fetchRootKeysFromServerAsync() { + LOGGER.info("Fetching root keys from server"); + HttpRequest request = HttpRequest.newBuilder() + .uri(URI.create(baseUrl + "/root-keys")) + .header("Accept", "application/json") + .timeout(readTimeout) + .GET() + .build(); + + return httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString()) + .thenApply(response -> { + if (response.statusCode() != 200) { + throw new AnsServerException( + "Failed to fetch root keys: HTTP " + response.statusCode(), + response.statusCode(), + response.headers().firstValue("X-Request-Id").orElse(null)); + } + Map keys = parsePublicKeysResponse(response.body()); + cachePopulatedAt.set(Instant.now()); + LOGGER.info("Fetched and cached {} root key(s) at {}", keys.size(), cachePopulatedAt.get()); + return keys; + }); + } + + /** + * Parses public keys from the root-keys API response. + * + *

Format is C2SP note: each line is {@code name+key_hash+base64_public_key}

+ *

Example:

+ * 
+     * transparency.ans.godaddy.com+bb7ed8cf+AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IAB...
+     * transparency.ans.godaddy.com+cc8fe9d0+AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IAB...
+     *
+ * + *

Returns a map keyed by hex key ID (4-byte SHA-256 of SPKI-DER) for O(1) lookup.

+ * + * @param responseBody the raw response body (text/plain, C2SP note format) + * @return map of hex key ID to public key + * @throws IllegalArgumentException if no valid keys found or too many keys + */ + private Map parsePublicKeysResponse(String responseBody) { + Map keys = new HashMap<>(); + List parseErrors = new ArrayList<>(); + + String[] lines = responseBody.split("\n"); + int lineNum = 0; + for (String line : lines) { + lineNum++; + line = line.trim(); + if (line.isEmpty() || line.startsWith("#")) { + continue; + } + + // Check max keys limit + if (keys.size() >= MAX_ROOT_KEYS) { + LOGGER.warn("Reached max root keys limit ({}), ignoring remaining keys", MAX_ROOT_KEYS); + break; + } + + // C2SP format: name+key_hash+base64_key (limit split to 3 since base64 can contain '+') + String[] parts = line.split("\\+", 3); + if (parts.length != 3) { + String error = String.format("Line %d: expected C2SP format (name+hash+key), got %d parts", + lineNum, parts.length); + LOGGER.debug("Public key parse failed - {}", error); + parseErrors.add(error); + continue; + } + + try { + PublicKey key = decodePublicKey(parts[2].trim()); + String hexKeyId = computeHexKeyId(key); + if (keys.containsKey(hexKeyId)) { + LOGGER.warn("Duplicate key ID {} at line {}, skipping", hexKeyId, lineNum); + } else { + keys.put(hexKeyId, key); + LOGGER.debug("Parsed key with ID {} at line {}", hexKeyId, lineNum); + } + } catch (Exception e) { + String error = String.format("Line %d: %s", lineNum, e.getMessage()); + LOGGER.debug("Public key parse failed - {}", error); + parseErrors.add(error); + } + } + + if (keys.isEmpty()) { + String errorDetail = parseErrors.isEmpty() + ? "No parseable key lines found" + : "Parse attempts failed: " + String.join("; ", parseErrors); + throw new IllegalArgumentException("Could not parse any public keys from response. " + errorDetail); + } + + return keys; + } + + /** + * Computes the hex key ID for a public key per C2SP specification. + * + *

The key ID is the first 4 bytes of SHA-256(SPKI-DER), where SPKI-DER + * is the Subject Public Key Info DER encoding of the public key.

+ * + * @param publicKey the public key + * @return the 8-character hex key ID + */ + static String computeHexKeyId(PublicKey publicKey) { + byte[] spkiDer = publicKey.getEncoded(); + byte[] hash = CryptoCache.sha256(spkiDer); + return Hex.toHexString(Arrays.copyOf(hash, 4)); + } + + /** + * Decodes a base64-encoded public key. + */ + private PublicKey decodePublicKey(String base64Key) throws Exception { + byte[] keyBytes = Base64.getDecoder().decode(base64Key); + + // C2SP note format includes a version byte prefix (0x02) before the SPKI-DER data. + // We need to strip it to get valid SPKI-DER for Java's KeyFactory. + // Detection: SPKI-DER starts with 0x30 (SEQUENCE tag), C2SP prefixed data starts with 0x02. + if (keyBytes.length > 0 && keyBytes[0] == 0x02) { + // Strip C2SP version byte (first byte) + keyBytes = Arrays.copyOfRange(keyBytes, 1, keyBytes.length); + } + + X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes); + return EC_KEY_FACTORY.generatePublic(keySpec); + } + + /** + * Fetches a binary response from the API. + */ + private byte[] fetchBinaryResponse(String path, String acceptHeader) { + HttpRequest request = buildBinaryRequest(path, acceptHeader); + + try { + HttpResponse response = httpClient.send( + request, HttpResponse.BodyHandlers.ofByteArray()); + String requestId = response.headers().firstValue("X-Request-Id").orElse(null); + String body = new String(response.body(), StandardCharsets.UTF_8); + throwForStatus(response.statusCode(), body, requestId); + return response.body(); + } catch (IOException e) { + throw new AnsServerException("Network error: " + e.getMessage(), 0, e, null); + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); + throw new AnsServerException("Request interrupted", 0, e, null); + } + } + + /** + * Fetches a binary response from the API asynchronously using non-blocking I/O. + */ + private CompletableFuture fetchBinaryResponseAsync(String path, String acceptHeader) { + HttpRequest request = buildBinaryRequest(path, acceptHeader); + + return httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofByteArray()) + .thenApply(response -> { + String requestId = response.headers().firstValue("X-Request-Id").orElse(null); + String body = new String(response.body(), StandardCharsets.UTF_8); + throwForStatus(response.statusCode(), body, requestId); + return response.body(); + }); + } + + /** + * Builds an HTTP request for binary content. + */ + private HttpRequest buildBinaryRequest(String path, String acceptHeader) { + return HttpRequest.newBuilder() + .uri(URI.create(baseUrl + path)) + .header("Accept", acceptHeader) + .timeout(readTimeout) + .GET() + .build(); + } + /** * Fetches a transparency log entry with schema version handling. */ @@ -182,18 +573,16 @@ private void parseAndSetPayload(TransparencyLog result, String schemaVersion) { } try { - String payloadJson = objectMapper.writeValueAsString(result.getPayload()); - if ("V1".equalsIgnoreCase(schemaVersion)) { - TransparencyLogV1 v1 = objectMapper.readValue(payloadJson, TransparencyLogV1.class); + TransparencyLogV1 v1 = objectMapper.convertValue(result.getPayload(), TransparencyLogV1.class); result.setParsedPayload(v1); } else { // V0 is default for missing or unknown schema version - TransparencyLogV0 v0 = objectMapper.readValue(payloadJson, TransparencyLogV0.class); + TransparencyLogV0 v0 = objectMapper.convertValue(result.getPayload(), TransparencyLogV0.class); result.setParsedPayload(v0); } - } catch (IOException e) { - // If parsing fails, leave parsedPayload as null + } catch (IllegalArgumentException e) { + // If conversion fails, leave parsedPayload as null // The raw payload is still available } } @@ -219,17 +608,24 @@ private HttpResponse sendRequest(HttpRequest request) { * Handles error responses from the API. */ private void handleErrorResponse(HttpResponse response) { - int statusCode = response.statusCode(); + String requestId = response.headers().firstValue("X-Request-Id").orElse(null); + throwForStatus(response.statusCode(), response.body(), requestId); + } + /** + * Throws an appropriate exception for non-success HTTP status codes. + * + * @param statusCode the HTTP status code + * @param body the response body as a string + * @param requestId the request ID from headers, may be null + */ + private void throwForStatus(int statusCode, String body, String requestId) { if (statusCode >= 200 && statusCode < 300) { return; // Success } - String requestId = response.headers().firstValue("X-Request-Id").orElse(null); - String body = response.body(); - if (statusCode == 404) { - throw new AnsNotFoundException("Agent not found: " + body, null, null, requestId); + throw new AnsNotFoundException("Resource not found: " + body, null, null, requestId); } else if (statusCode >= 500) { throw new AnsServerException("Server error: " + body, statusCode, requestId); } else { @@ -253,46 +649,68 @@ private HttpRequest.Builder createRequestBuilder(String path) { * Appends audit parameters to the path. */ private String appendAuditParams(String path, AgentAuditParams params) { - StringJoiner joiner = new StringJoiner("&"); - if (params.getOffset() > 0) { - joiner.add("offset=" + params.getOffset()); - } - if (params.getLimit() > 0) { - joiner.add("limit=" + params.getLimit()); - } - if (joiner.length() > 0) { - return path + "?" + joiner; - } - return path; + QueryParamBuilder builder = new QueryParamBuilder(); + builder.addIfPositive("offset", params.getOffset()); + builder.addIfPositive("limit", params.getLimit()); + return builder.buildUrl(path); } /** * Appends checkpoint history parameters to the path. */ private String appendCheckpointHistoryParams(String path, CheckpointHistoryParams params) { - StringJoiner joiner = new StringJoiner("&"); - if (params.getLimit() > 0) { - joiner.add("limit=" + params.getLimit()); - } - if (params.getOffset() > 0) { - joiner.add("offset=" + params.getOffset()); - } - if (params.getFromSize() > 0) { - joiner.add("fromSize=" + params.getFromSize()); - } - if (params.getToSize() > 0) { - joiner.add("toSize=" + params.getToSize()); - } + QueryParamBuilder builder = new QueryParamBuilder(); + builder.addIfPositive("limit", params.getLimit()); + builder.addIfPositive("offset", params.getOffset()); + builder.addIfPositive("fromSize", params.getFromSize()); + builder.addIfPositive("toSize", params.getToSize()); if (params.getSince() != null) { String since = params.getSince().format(DateTimeFormatter.ISO_OFFSET_DATE_TIME); - joiner.add("since=" + URLEncoder.encode(since, StandardCharsets.UTF_8)); + builder.addEncoded("since", since); } - if (params.getOrder() != null && !params.getOrder().isEmpty()) { - joiner.add("order=" + URLEncoder.encode(params.getOrder(), StandardCharsets.UTF_8)); + builder.addEncodedIfNotEmpty("order", params.getOrder()); + return builder.buildUrl(path); + } + + /** + * Helper for building URL query strings. + */ + private static final class QueryParamBuilder { + private final StringJoiner joiner = new StringJoiner("&"); + + /** + * Adds a parameter if the value is positive. + */ + void addIfPositive(String name, long value) { + if (value > 0) { + joiner.add(name + "=" + value); + } } - if (joiner.length() > 0) { - return path + "?" + joiner; + + /** + * Adds a URL-encoded parameter. + */ + void addEncoded(String name, String value) { + joiner.add(name + "=" + URLEncoder.encode(value, StandardCharsets.UTF_8)); + } + + /** + * Adds a URL-encoded parameter if the value is not null or empty. + */ + void addEncodedIfNotEmpty(String name, String value) { + if (value != null && !value.isEmpty()) { + addEncoded(name, value); + } + } + + /** + * Builds the final URL with query string. + */ + String buildUrl(String path) { + if (joiner.length() > 0) { + return path + "?" + joiner; + } + return path; } - return path; } } \ No newline at end of file diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationService.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationService.java index cf64470..484729b 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationService.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationService.java @@ -1,5 +1,8 @@ package com.godaddy.ans.sdk.transparency.verification; +import com.github.benmanes.caffeine.cache.Cache; +import com.github.benmanes.caffeine.cache.Caffeine; +import com.github.benmanes.caffeine.cache.Expiry; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -7,9 +10,8 @@ import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.time.Duration; -import java.time.Instant; import java.util.HexFormat; -import java.util.concurrent.ConcurrentHashMap; +import java.util.function.Predicate; /** * A caching wrapper for {@link BadgeVerificationService} that reduces blocking @@ -53,19 +55,28 @@ public final class CachingBadgeVerificationService implements ServerVerifier { private static final Duration DEFAULT_CACHE_TTL = Duration.ofMinutes(15); private static final Duration DEFAULT_NEGATIVE_CACHE_TTL = Duration.ofMinutes(5); + private static final int DEFAULT_MAX_CACHE_SIZE = 10_000; private final BadgeVerificationService delegate; - private final Duration cacheTtl; - private final Duration negativeCacheTtl; - - private final ConcurrentHashMap serverCache = new ConcurrentHashMap<>(); - private final ConcurrentHashMap clientCache = new ConcurrentHashMap<>(); + private final Cache serverCache; + private final Cache clientCache; private CachingBadgeVerificationService(Builder builder) { this.delegate = builder.delegate; - this.cacheTtl = builder.cacheTtl != null ? builder.cacheTtl : DEFAULT_CACHE_TTL; - this.negativeCacheTtl = builder.negativeCacheTtl != null ? builder.negativeCacheTtl - : DEFAULT_NEGATIVE_CACHE_TTL; + + Duration positiveTtl = builder.cacheTtl != null ? builder.cacheTtl : DEFAULT_CACHE_TTL; + Duration negativeTtl = builder.negativeCacheTtl != null + ? builder.negativeCacheTtl : DEFAULT_NEGATIVE_CACHE_TTL; + + this.serverCache = Caffeine.newBuilder() + .maximumSize(DEFAULT_MAX_CACHE_SIZE) + .expireAfter(new VariableTtlExpiry<>(positiveTtl, negativeTtl, ServerVerificationResult::isSuccess)) + .build(); + + this.clientCache = Caffeine.newBuilder() + .maximumSize(DEFAULT_MAX_CACHE_SIZE) + .expireAfter(new VariableTtlExpiry<>(positiveTtl, negativeTtl, ClientVerificationResult::isSuccess)) + .build(); } /** @@ -74,30 +85,12 @@ private CachingBadgeVerificationService(Builder builder) { * @param hostname the server hostname to verify * @return the verification result (may be cached) */ + @Override public ServerVerificationResult verifyServer(String hostname) { - // Check cache first - CachedServerResult cached = serverCache.get(hostname); - if (cached != null && !cached.isExpired()) { - LOG.debug("Cache hit for server verification: {}", hostname); - return cached.result; - } - - // Lazy eviction: remove expired entry immediately to free memory - if (cached != null) { - serverCache.remove(hostname); - LOG.debug("Lazily evicted expired server cache entry: {}", hostname); - } - - // Cache miss - perform verification - LOG.debug("Cache miss for server verification: {}", hostname); - ServerVerificationResult result = delegate.verifyServer(hostname); - - // Cache the result - Duration ttl = result.isSuccess() ? cacheTtl : negativeCacheTtl; - serverCache.put(hostname, new CachedServerResult(result, ttl)); - LOG.debug("Cached server verification result for {} (ttl={})", hostname, ttl); - - return result; + return serverCache.get(hostname, key -> { + LOG.debug("Cache miss for server verification: {}", key); + return delegate.verifyServer(key); + }); } /** @@ -109,36 +102,16 @@ public ServerVerificationResult verifyServer(String hostname) { * @return the verification result (may be cached) */ public ClientVerificationResult verifyClient(X509Certificate clientCert) { - // Compute fingerprint for cache key String fingerprint = computeFingerprint(clientCert); if (fingerprint == null) { // Can't cache without fingerprint - delegate directly return delegate.verifyClient(clientCert); } - // Check cache first - CachedClientResult cached = clientCache.get(fingerprint); - if (cached != null && !cached.isExpired()) { - LOG.debug("Cache hit for client verification: {}", truncateFingerprint(fingerprint)); - return cached.result; - } - - // Lazy eviction: remove expired entry immediately to free memory - if (cached != null) { - clientCache.remove(fingerprint); - LOG.debug("Lazily evicted expired client cache entry: {}", truncateFingerprint(fingerprint)); - } - - // Cache miss - perform verification - LOG.debug("Cache miss for client verification: {}", truncateFingerprint(fingerprint)); - ClientVerificationResult result = delegate.verifyClient(clientCert); - - // Cache the result - Duration ttl = result.isSuccess() ? cacheTtl : negativeCacheTtl; - clientCache.put(fingerprint, new CachedClientResult(result, ttl)); - LOG.debug("Cached client verification result for {} (ttl={})", truncateFingerprint(fingerprint), ttl); - - return result; + return clientCache.get(fingerprint, key -> { + LOG.debug("Cache miss for client verification: {}", truncateFingerprint(key)); + return delegate.verifyClient(clientCert); + }); } // ==================== Cache Management ==================== @@ -149,9 +122,8 @@ public ClientVerificationResult verifyClient(X509Certificate clientCert) { * @param hostname the hostname to invalidate */ public void invalidateServer(String hostname) { - if (serverCache.remove(hostname) != null) { - LOG.debug("Invalidated server cache for: {}", hostname); - } + serverCache.invalidate(hostname); + LOG.debug("Invalidated server cache for: {}", hostname); } /** @@ -161,7 +133,8 @@ public void invalidateServer(String hostname) { */ public void invalidateClient(X509Certificate clientCert) { String fingerprint = computeFingerprint(clientCert); - if (fingerprint != null && clientCache.remove(fingerprint) != null) { + if (fingerprint != null) { + clientCache.invalidate(fingerprint); LOG.debug("Invalidated client cache for: {}", truncateFingerprint(fingerprint)); } } @@ -170,55 +143,29 @@ public void invalidateClient(X509Certificate clientCert) { * Clears all cached verification results. */ public void clearCache() { - int serverCount = serverCache.size(); - int clientCount = clientCache.size(); - serverCache.clear(); - clientCache.clear(); + long serverCount = serverCache.estimatedSize(); + long clientCount = clientCache.estimatedSize(); + serverCache.invalidateAll(); + clientCache.invalidateAll(); LOG.debug("Cleared verification cache ({} server, {} client entries)", serverCount, clientCount); } /** - * Returns the number of cached server verification results. - */ - public int serverCacheSize() { - return serverCache.size(); - } - - /** - * Returns the number of cached client verification results. + * Returns the estimated number of cached server verification results. + * + * @return estimated cache size */ - public int clientCacheSize() { - return clientCache.size(); + public long serverCacheSize() { + return serverCache.estimatedSize(); } /** - * Removes expired entries from both caches. + * Returns the estimated number of cached client verification results. * - *

Call this periodically to prevent memory buildup from expired entries.

+ * @return estimated cache size */ - public void evictExpired() { - int serverEvicted = 0; - int clientEvicted = 0; - - var serverIt = serverCache.entrySet().iterator(); - while (serverIt.hasNext()) { - if (serverIt.next().getValue().isExpired()) { - serverIt.remove(); - serverEvicted++; - } - } - - var clientIt = clientCache.entrySet().iterator(); - while (clientIt.hasNext()) { - if (clientIt.next().getValue().isExpired()) { - clientIt.remove(); - clientEvicted++; - } - } - - if (serverEvicted > 0 || clientEvicted > 0) { - LOG.debug("Evicted {} server and {} client expired cache entries", serverEvicted, clientEvicted); - } + public long clientCacheSize() { + return clientCache.estimatedSize(); } // ==================== Private Helpers ==================== @@ -245,33 +192,35 @@ private String truncateFingerprint(String fingerprint) { return fingerprint.substring(0, 16) + "..."; } - // ==================== Cache Entry Classes ==================== - - private static class CachedServerResult { - final ServerVerificationResult result; - final Instant expiresAt; + // ==================== Caffeine Expiry for Variable TTL ==================== - CachedServerResult(ServerVerificationResult result, Duration ttl) { - this.result = result; - this.expiresAt = Instant.now().plus(ttl); + /** + * Custom Caffeine Expiry that applies different TTLs for positive and negative results. + */ + private static class VariableTtlExpiry implements Expiry { + private final long positiveTtlNanos; + private final long negativeTtlNanos; + private final Predicate isSuccess; + + VariableTtlExpiry(Duration positiveTtl, Duration negativeTtl, Predicate isSuccess) { + this.positiveTtlNanos = positiveTtl.toNanos(); + this.negativeTtlNanos = negativeTtl.toNanos(); + this.isSuccess = isSuccess; } - boolean isExpired() { - return Instant.now().isAfter(expiresAt); + @Override + public long expireAfterCreate(String key, V value, long currentTime) { + return isSuccess.test(value) ? positiveTtlNanos : negativeTtlNanos; } - } - - private static class CachedClientResult { - final ClientVerificationResult result; - final Instant expiresAt; - CachedClientResult(ClientVerificationResult result, Duration ttl) { - this.result = result; - this.expiresAt = Instant.now().plus(ttl); + @Override + public long expireAfterUpdate(String key, V value, long currentTime, long currentDuration) { + return expireAfterCreate(key, value, currentTime); } - boolean isExpired() { - return Instant.now().isAfter(expiresAt); + @Override + public long expireAfterRead(String key, V value, long currentTime, long currentDuration) { + return currentDuration; // No change on read } } diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyClientTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyClientTest.java index 432b4ca..ca08586 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyClientTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyClientTest.java @@ -11,9 +11,13 @@ import com.godaddy.ans.sdk.transparency.model.CheckpointHistoryResponse; import com.godaddy.ans.sdk.transparency.model.TransparencyLogAudit; import com.godaddy.ans.sdk.transparency.model.TransparencyLogV1; +import com.godaddy.ans.sdk.transparency.scitt.TrustedDomainRegistry; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.DisplayName; import org.junit.jupiter.api.Test; +import java.security.PublicKey; import java.time.Duration; import java.util.Map; @@ -30,6 +34,18 @@ class TransparencyClientTest { private static final String TEST_AGENT_ID = "6bf2b7a9-1383-4e33-a945-845f34af7526"; + @BeforeAll + static void setUpClass() { + // Include localhost for WireMock tests along with production domains + System.setProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY, + "transparency.ans.godaddy.com,transparency.ans.ote-godaddy.com,localhost"); + } + + @AfterAll + static void tearDownClass() { + System.clearProperty(TrustedDomainRegistry.TRUSTED_DOMAINS_PROPERTY); + } + @Test @DisplayName("Should retrieve agent transparency log with V1 schema") void shouldRetrieveAgentTransparencyLogV1(WireMockRuntimeInfo wmRuntimeInfo) { @@ -543,6 +559,257 @@ void shouldDefaultToV0WhenNoSchemaVersionPresent(WireMockRuntimeInfo wmRuntimeIn assertThat(result.getSchemaVersion()).isEqualTo("V0"); } + @Test + @DisplayName("Should retrieve root key from C2SP format") + void shouldRetrieveRootKeyFromC2spFormat(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + Map keys = client.getRootKeysAsync().join(); + + assertThat(keys).isNotEmpty(); + assertThat(keys.values().iterator().next().getAlgorithm()).isEqualTo("EC"); + } + + @Test + @DisplayName("Should retrieve multiple root keys from C2SP format") + void shouldRetrieveMultipleRootKeysFromC2spFormat(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spMultipleResponse()))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + Map keys = client.getRootKeysAsync().join(); + + assertThat(keys).hasSize(2); + keys.values().forEach(k -> assertThat(k.getAlgorithm()).isEqualTo("EC")); + } + + @Test + @DisplayName("Should retrieve root key asynchronously") + void shouldRetrieveRootKeyAsync(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + Map keys = client.getRootKeysAsync().get(); + + assertThat(keys).isNotEmpty(); + assertThat(keys.values().iterator().next().getAlgorithm()).isEqualTo("EC"); + } + + @Test + @DisplayName("Should throw AnsServerException for root key 500 error") + void shouldThrowServerExceptionForRootKeyError(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(500) + .withHeader("X-Request-Id", "req-123") + .withBody("Internal error"))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + assertThatThrownBy(() -> client.getRootKeysAsync().join()) + .hasCauseInstanceOf(com.godaddy.ans.sdk.exception.AnsServerException.class); + } + + @Test + @DisplayName("Should throw exception for invalid root key format") + void shouldThrowExceptionForInvalidRootKeyFormat(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody("not a valid C2SP format line"))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + assertThatThrownBy(() -> client.getRootKeysAsync().join()) + .hasCauseInstanceOf(IllegalArgumentException.class); + } + + @Test + @DisplayName("Should retrieve receipt bytes") + void shouldRetrieveReceiptBytes(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + byte[] expectedBytes = {0x01, 0x02, 0x03}; + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/receipt")) + .willReturn(aResponse() + .withStatus(200) + .withBody(expectedBytes))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + byte[] result = client.getReceipt(TEST_AGENT_ID); + assertThat(result).isEqualTo(expectedBytes); + } + + @Test + @DisplayName("Should retrieve status token bytes") + void shouldRetrieveStatusTokenBytes(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + byte[] expectedBytes = {0x04, 0x05, 0x06}; + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/status-token")) + .willReturn(aResponse() + .withStatus(200) + .withBody(expectedBytes))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + byte[] result = client.getStatusToken(TEST_AGENT_ID); + assertThat(result).isEqualTo(expectedBytes); + } + + @Test + @DisplayName("Should retrieve receipt asynchronously") + void shouldRetrieveReceiptAsync(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + byte[] expectedBytes = {0x07, 0x08}; + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/receipt")) + .willReturn(aResponse() + .withStatus(200) + .withBody(expectedBytes))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + byte[] result = client.getReceiptAsync(TEST_AGENT_ID).get(); + assertThat(result).isEqualTo(expectedBytes); + } + + @Test + @DisplayName("Should retrieve status token asynchronously") + void shouldRetrieveStatusTokenAsync(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + byte[] expectedBytes = {0x09, 0x0A}; + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/status-token")) + .willReturn(aResponse() + .withStatus(200) + .withBody(expectedBytes))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + byte[] result = client.getStatusTokenAsync(TEST_AGENT_ID).get(); + assertThat(result).isEqualTo(expectedBytes); + } + + @Test + @DisplayName("Should build client with custom root key cache TTL") + void shouldBuildClientWithCustomRootKeyCacheTtl(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .rootKeyCacheTtl(Duration.ofMinutes(30)) + .build(); + + assertThat(client).isNotNull(); + assertThat(client.getBaseUrl()).isEqualTo(baseUrl); + } + + @Test + @DisplayName("Should invalidate root key cache") + void shouldInvalidateRootKeyCache(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyClient client = TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + + // First call fetches keys + Map keys1 = client.getRootKeysAsync().join(); + assertThat(keys1).isNotEmpty(); + + // Invalidate cache - should not throw + client.invalidateRootKeyCache(); + + // Second call should fetch again (cache was invalidated) + Map keys2 = client.getRootKeysAsync().join(); + assertThat(keys2).isNotEmpty(); + } + + @Test + @DisplayName("Should use default root key cache TTL of 24 hours") + void shouldUseDefaultRootKeyCacheTtl() { + assertThat(TransparencyClient.DEFAULT_ROOT_KEY_CACHE_TTL).isEqualTo(Duration.ofHours(24)); + } + + @Test + @DisplayName("Should reject untrusted transparency log domain") + void shouldRejectUntrustedDomain() { + // malicious domain is not in our configured trusted domains + assertThatThrownBy(() -> TransparencyClient.builder() + .baseUrl("https://malicious-transparency-log.example.com") + .build()) + .isInstanceOf(SecurityException.class) + .hasMessageContaining("Untrusted transparency log domain") + .hasMessageContaining("malicious-transparency-log.example.com"); + } + + @Test + @DisplayName("Should accept trusted production domain") + void shouldAcceptTrustedProductionDomain() { + // These are in our configured trusted domains + TransparencyClient prodClient = TransparencyClient.builder() + .baseUrl("https://transparency.ans.godaddy.com") + .build(); + assertThat(prodClient.getBaseUrl()).isEqualTo("https://transparency.ans.godaddy.com"); + + TransparencyClient oteClient = TransparencyClient.builder() + .baseUrl("https://transparency.ans.ote-godaddy.com") + .build(); + assertThat(oteClient.getBaseUrl()).isEqualTo("https://transparency.ans.ote-godaddy.com"); + } + // ==================== Test Data ==================== private String v1TransparencyLogResponse() { @@ -718,4 +985,29 @@ private String v0TransparencyLogWithoutSchemaVersion() { } """; } + + // Valid EC P-256 public key for testing (SPKI-DER, base64 encoded) + private static final String TEST_EC_PUBLIC_KEY = + "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEveuRZW0vWcVjh4enr9tA7VAKPFmL" + + "OZs1S99lGDqRhAQBEdetB290Det8rO1ojnHEA8PX4Yojb0oomwA2krO5Ag=="; + + // Second test key (different point on P-256 curve) + private static final String TEST_EC_PUBLIC_KEY_2 = + "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEb3cL8bLB0m5Dz7NiJj3xz0oPp4at" + + "Hj8bTqJf4d3nVkPR5eK8jFrLhCPQgKcZvWpJhH9q0vwPiT3v5RCKnGdDgA=="; + + /** + * Returns a valid EC P-256 public key in C2SP note format. + */ + private String rootKeyC2spSingleResponse() { + return "transparency.ans.godaddy.com+abcd1234+" + TEST_EC_PUBLIC_KEY; + } + + /** + * Returns multiple valid EC P-256 public keys in C2SP note format. + */ + private String rootKeyC2spMultipleResponse() { + return "transparency.ans.godaddy.com+abcd1234+" + TEST_EC_PUBLIC_KEY + "\n" + + "transparency.ans.godaddy.com+efgh5678+" + TEST_EC_PUBLIC_KEY_2; + } } \ No newline at end of file diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java new file mode 100644 index 0000000..2b3bcb0 --- /dev/null +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java @@ -0,0 +1,1095 @@ +package com.godaddy.ans.sdk.transparency; + +import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo; +import com.github.tomakehurst.wiremock.junit5.WireMockTest; +import com.godaddy.ans.sdk.exception.AnsNotFoundException; +import com.godaddy.ans.sdk.exception.AnsServerException; +import com.godaddy.ans.sdk.transparency.model.AgentAuditParams; +import com.godaddy.ans.sdk.transparency.model.CheckpointHistoryParams; +import com.godaddy.ans.sdk.transparency.model.CheckpointHistoryResponse; +import com.godaddy.ans.sdk.transparency.model.CheckpointResponse; +import com.godaddy.ans.sdk.transparency.model.TransparencyLog; +import com.godaddy.ans.sdk.transparency.model.TransparencyLogAudit; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.security.PublicKey; +import java.time.Duration; +import java.time.Instant; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +import com.godaddy.ans.sdk.transparency.scitt.RefreshDecision; + +import static com.github.tomakehurst.wiremock.client.WireMock.aResponse; +import static com.github.tomakehurst.wiremock.client.WireMock.get; +import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor; +import static com.github.tomakehurst.wiremock.client.WireMock.stubFor; +import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo; +import static com.github.tomakehurst.wiremock.client.WireMock.urlMatching; +import static com.github.tomakehurst.wiremock.client.WireMock.verify; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +@WireMockTest +class TransparencyServiceTest { + + private static final String TEST_AGENT_ID = "test-agent-123"; + + private TransparencyService createService(String baseUrl) { + return createService(baseUrl, Duration.ofHours(24)); + } + + private TransparencyService createService(String baseUrl, Duration rootKeyCacheTtl) { + return new TransparencyService(baseUrl, Duration.ofSeconds(5), Duration.ofSeconds(10), rootKeyCacheTtl); + } + + @Nested + @DisplayName("getReceipt() tests") + class GetReceiptTests { + + @Test + @DisplayName("Should retrieve receipt bytes") + void shouldRetrieveReceiptBytes(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + byte[] expectedBytes = {0x01, 0x02, 0x03, 0x04}; + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/receipt")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "application/cbor") + .withBody(expectedBytes))); + + TransparencyService service = createService(baseUrl); + byte[] result = service.getReceipt(TEST_AGENT_ID); + + assertThat(result).isEqualTo(expectedBytes); + } + + @Test + @DisplayName("Should throw AnsNotFoundException for 404") + void shouldThrowNotFoundFor404(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/receipt")) + .willReturn(aResponse() + .withStatus(404) + .withHeader("X-Request-Id", "req-123") + .withBody("Not found"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getReceipt(TEST_AGENT_ID)) + .isInstanceOf(AnsNotFoundException.class); + } + + @Test + @DisplayName("Should throw AnsServerException for 500") + void shouldThrowServerExceptionFor500(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/receipt")) + .willReturn(aResponse() + .withStatus(500) + .withHeader("X-Request-Id", "req-456") + .withBody("Internal error"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getReceipt(TEST_AGENT_ID)) + .isInstanceOf(AnsServerException.class); + } + + @Test + @DisplayName("Should throw AnsServerException for unexpected 4xx") + void shouldThrowServerExceptionForUnexpected4xx(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/receipt")) + .willReturn(aResponse() + .withStatus(403) + .withBody("Forbidden"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getReceipt(TEST_AGENT_ID)) + .isInstanceOf(AnsServerException.class); + } + + @Test + @DisplayName("Should URL encode agent ID with special characters") + void shouldUrlEncodeAgentId(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + String agentIdWithSpecialChars = "agent/with spaces"; + byte[] expectedBytes = {0x05, 0x06}; + + stubFor(get(urlEqualTo("/v1/agents/agent%2Fwith+spaces/receipt")) + .willReturn(aResponse() + .withStatus(200) + .withBody(expectedBytes))); + + TransparencyService service = createService(baseUrl); + byte[] result = service.getReceipt(agentIdWithSpecialChars); + + assertThat(result).isEqualTo(expectedBytes); + } + } + + @Nested + @DisplayName("getStatusToken() tests") + class GetStatusTokenTests { + + @Test + @DisplayName("Should retrieve status token bytes") + void shouldRetrieveStatusTokenBytes(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + byte[] expectedBytes = {0x10, 0x20, 0x30, 0x40}; + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/status-token")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "application/cose") + .withBody(expectedBytes))); + + TransparencyService service = createService(baseUrl); + byte[] result = service.getStatusToken(TEST_AGENT_ID); + + assertThat(result).isEqualTo(expectedBytes); + } + + @Test + @DisplayName("Should throw AnsNotFoundException for 404") + void shouldThrowNotFoundFor404(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/status-token")) + .willReturn(aResponse() + .withStatus(404) + .withBody("Token not found"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getStatusToken(TEST_AGENT_ID)) + .isInstanceOf(AnsNotFoundException.class); + } + + @Test + @DisplayName("Should throw AnsServerException for 500") + void shouldThrowServerExceptionFor500(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/status-token")) + .willReturn(aResponse() + .withStatus(500) + .withBody("Server error"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getStatusToken(TEST_AGENT_ID)) + .isInstanceOf(AnsServerException.class); + } + } + + @Nested + @DisplayName("getAgentTransparencyLog() tests") + class GetAgentTransparencyLogTests { + + @Test + @DisplayName("Should parse V1 payload correctly") + void shouldParseV1Payload(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID)) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withHeader("X-Schema-Version", "V1") + .withBody(v1Response()))); + + TransparencyService service = createService(baseUrl); + TransparencyLog result = service.getAgentTransparencyLog(TEST_AGENT_ID); + + assertThat(result).isNotNull(); + assertThat(result.getSchemaVersion()).isEqualTo("V1"); + } + + @Test + @DisplayName("Should parse V0 payload correctly") + void shouldParseV0Payload(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID)) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withHeader("X-Schema-Version", "V0") + .withBody(v0Response()))); + + TransparencyService service = createService(baseUrl); + TransparencyLog result = service.getAgentTransparencyLog(TEST_AGENT_ID); + + assertThat(result).isNotNull(); + assertThat(result.getSchemaVersion()).isEqualTo("V0"); + } + + @Test + @DisplayName("Should default to V0 when schema version missing") + void shouldDefaultToV0WhenSchemaMissing(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID)) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(v0Response()))); + + TransparencyService service = createService(baseUrl); + TransparencyLog result = service.getAgentTransparencyLog(TEST_AGENT_ID); + + assertThat(result).isNotNull(); + assertThat(result.getSchemaVersion()).isEqualTo("V0"); + } + + @Test + @DisplayName("Should throw AnsNotFoundException for 404") + void shouldThrowNotFoundFor404(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID)) + .willReturn(aResponse() + .withStatus(404) + .withHeader("X-Request-Id", "req-123") + .withBody("Agent not found"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getAgentTransparencyLog(TEST_AGENT_ID)) + .isInstanceOf(AnsNotFoundException.class); + } + } + + @Nested + @DisplayName("getCheckpoint() tests") + class GetCheckpointTests { + + @Test + @DisplayName("Should retrieve checkpoint") + void shouldRetrieveCheckpoint(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/log/checkpoint")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(checkpointResponse()))); + + TransparencyService service = createService(baseUrl); + CheckpointResponse result = service.getCheckpoint(); + + assertThat(result).isNotNull(); + assertThat(result.getLogSize()).isEqualTo(1000L); + } + } + + @Nested + @DisplayName("getCheckpointHistory() tests") + class GetCheckpointHistoryTests { + + @Test + @DisplayName("Should retrieve checkpoint history") + void shouldRetrieveCheckpointHistory(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlMatching("/v1/log/checkpoint/history.*")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(checkpointHistoryResponse()))); + + TransparencyService service = createService(baseUrl); + CheckpointHistoryResponse result = service.getCheckpointHistory(null); + + assertThat(result).isNotNull(); + assertThat(result.getCheckpoints()).isNotNull(); + } + + @Test + @DisplayName("Should include query parameters") + void shouldIncludeQueryParameters(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlMatching("/v1/log/checkpoint/history\\?.*limit=10.*")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(checkpointHistoryResponse()))); + + TransparencyService service = createService(baseUrl); + CheckpointHistoryParams params = CheckpointHistoryParams.builder().limit(10).build(); + CheckpointHistoryResponse result = service.getCheckpointHistory(params); + + assertThat(result).isNotNull(); + } + } + + @Nested + @DisplayName("getLogSchema() tests") + class GetLogSchemaTests { + + @Test + @DisplayName("Should retrieve schema") + void shouldRetrieveSchema(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/log/schema/V1")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody("{\"type\":\"object\"}"))); + + TransparencyService service = createService(baseUrl); + Map result = service.getLogSchema("V1"); + + assertThat(result).isNotNull(); + assertThat(result.get("type")).isEqualTo("object"); + } + } + + @Nested + @DisplayName("getAgentTransparencyLogAudit() tests") + class GetAgentTransparencyLogAuditTests { + + @Test + @DisplayName("Should retrieve audit trail") + void shouldRetrieveAuditTrail(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlMatching("/v1/agents/" + TEST_AGENT_ID + "/audit.*")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(auditResponse()))); + + TransparencyService service = createService(baseUrl); + TransparencyLogAudit result = service.getAgentTransparencyLogAudit(TEST_AGENT_ID, null); + + assertThat(result).isNotNull(); + assertThat(result.getRecords()).isNotNull(); + } + + @Test + @DisplayName("Should include audit parameters") + void shouldIncludeAuditParameters(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlMatching("/v1/agents/" + TEST_AGENT_ID + "/audit\\?.*offset=10.*")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(auditResponse()))); + + TransparencyService service = createService(baseUrl); + AgentAuditParams params = AgentAuditParams.builder().offset(10).limit(20).build(); + TransparencyLogAudit result = service.getAgentTransparencyLogAudit(TEST_AGENT_ID, params); + + assertThat(result).isNotNull(); + } + + @Test + @DisplayName("Should handle audit response with null records") + void shouldHandleNullRecords(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/v1/agents/" + TEST_AGENT_ID + "/audit")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody("{\"totalRecords\": 0}"))); + + TransparencyService service = createService(baseUrl); + TransparencyLogAudit result = service.getAgentTransparencyLogAudit(TEST_AGENT_ID, null); + + assertThat(result).isNotNull(); + assertThat(result.getRecords()).isNull(); + } + } + + @Nested + @DisplayName("getRootKey() tests") + class GetRootKeyTests { + + @Test + @DisplayName("Should retrieve single root key from C2SP format") + void shouldRetrieveSingleRootKeyFromC2spFormat(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + Map keys = service.getRootKeysAsync().join(); + + assertThat(keys).hasSize(1); + assertThat(keys.values().iterator().next().getAlgorithm()).isEqualTo("EC"); + } + + @Test + @DisplayName("Should retrieve root key from C2SP format with alternate hash") + void shouldRetrieveRootKeyFromC2spFormatWithAlternateHash(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spResponse()))); + + TransparencyService service = createService(baseUrl); + Map keys = service.getRootKeysAsync().join(); + + assertThat(keys).hasSize(1); + assertThat(keys.values().iterator().next().getAlgorithm()).isEqualTo("EC"); + } + + @Test + @DisplayName("Should retrieve root key with C2SP version byte prefix") + void shouldRetrieveRootKeyWithC2spVersionPrefix(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + // C2SP format includes a version byte (0x02) prefix before SPKI-DER + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spWithVersionByte()))); + + TransparencyService service = createService(baseUrl); + Map keys = service.getRootKeysAsync().join(); + + assertThat(keys).isNotEmpty(); + assertThat(keys.values().iterator().next().getAlgorithm()).isEqualTo("EC"); + } + + @Test + @DisplayName("Should throw AnsServerException for 500 error") + void shouldThrowServerExceptionFor500(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(500) + .withHeader("X-Request-Id", "req-123") + .withBody("Internal error"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getRootKeysAsync().join()) + .hasCauseInstanceOf(AnsServerException.class); + } + + @Test + @DisplayName("Should throw IllegalArgumentException for invalid key format") + void shouldThrowExceptionForInvalidFormat(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody("{\"notkey\": \"value\"}"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getRootKeysAsync().join()) + .hasCauseInstanceOf(IllegalArgumentException.class) + .hasMessageContaining("Could not parse any public keys"); + } + + @Test + @DisplayName("Should skip comment lines in C2SP format") + void shouldSkipCommentLinesInC2spFormat(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spWithComments()))); + + TransparencyService service = createService(baseUrl); + Map keys = service.getRootKeysAsync().join(); + + assertThat(keys).isNotEmpty(); + } + + @Test + @DisplayName("Should throw for non-200 status on root key") + void shouldThrowForNon200Status(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(404) + .withHeader("X-Request-Id", "req-999") + .withBody("Not found"))); + + TransparencyService service = createService(baseUrl); + + assertThatThrownBy(() -> service.getRootKeysAsync().join()) + .hasCauseInstanceOf(AnsServerException.class); + } + + @Test + @DisplayName("Should return cached root key on second call (no HTTP request)") + void shouldReturnCachedRootKeyOnSecondCall(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl, Duration.ofHours(1)); + + // First call - should make HTTP request + Map keys1 = service.getRootKeysAsync().join(); + assertThat(keys1).isNotEmpty(); + + // Second call - should use cache, no HTTP request + Map keys2 = service.getRootKeysAsync().join(); + assertThat(keys2).isNotEmpty(); + assertThat(keys2).isSameAs(keys1); + + // Verify only one HTTP request was made + verify(1, getRequestedFor(urlEqualTo("/root-keys"))); + } + + @Test + @DisplayName("Should refetch root key when cache expires") + void shouldRefetchRootKeyWhenCacheExpires(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + // Use very short TTL for testing + TransparencyService service = createService(baseUrl, Duration.ofMillis(50)); + + // First call - should make HTTP request + Map keys1 = service.getRootKeysAsync().join(); + assertThat(keys1).isNotEmpty(); + + // Wait for cache to expire + Thread.sleep(100); + + // Second call - should make another HTTP request (cache expired) + Map keys2 = service.getRootKeysAsync().join(); + assertThat(keys2).isNotEmpty(); + + // Verify two HTTP requests were made + verify(2, getRequestedFor(urlEqualTo("/root-keys"))); + } + + @Test + @DisplayName("Should make only one HTTP request for concurrent calls") + void shouldMakeOnlyOneHttpRequestForConcurrentCalls(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withFixedDelay(100) // Simulate network latency + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl, Duration.ofHours(1)); + + int threadCount = 10; + CountDownLatch startLatch = new CountDownLatch(1); + CountDownLatch doneLatch = new CountDownLatch(threadCount); + List> results = new ArrayList<>(); + ExecutorService executor = Executors.newFixedThreadPool(threadCount); + + try { + // Launch concurrent requests + for (int i = 0; i < threadCount; i++) { + executor.submit(() -> { + try { + startLatch.await(); // Wait for all threads to be ready + Map keys = service.getRootKeysAsync().join(); + synchronized (results) { + results.add(keys); + } + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); + } finally { + doneLatch.countDown(); + } + }); + } + + // Release all threads simultaneously + startLatch.countDown(); + + // Wait for all threads to complete + doneLatch.await(5, TimeUnit.SECONDS); + + // All results should be the same instance + assertThat(results).hasSize(threadCount); + Map firstKeys = results.get(0); + for (Map keys : results) { + assertThat(keys).isSameAs(firstKeys); + } + + // Only one HTTP request should have been made + verify(1, getRequestedFor(urlEqualTo("/root-keys"))); + } finally { + executor.shutdown(); + } + } + + @Test + @DisplayName("Async: Should make only one HTTP request for concurrent async calls (stampede prevention)") + void shouldMakeOnlyOneHttpRequestForConcurrentAsyncCalls(WireMockRuntimeInfo wmRuntimeInfo) + throws InterruptedException, ExecutionException, TimeoutException { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withFixedDelay(200) // Simulate network latency to ensure overlap + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl, Duration.ofHours(1)); + + int concurrentCalls = 10; + CountDownLatch startLatch = new CountDownLatch(1); + CountDownLatch doneLatch = new CountDownLatch(concurrentCalls); + List>> futures = new ArrayList<>(); + ExecutorService executor = Executors.newFixedThreadPool(concurrentCalls); + + try { + // Launch concurrent async requests + for (int i = 0; i < concurrentCalls; i++) { + executor.submit(() -> { + try { + startLatch.await(); // Wait for all threads to be ready + CompletableFuture> future = service.getRootKeysAsync(); + synchronized (futures) { + futures.add(future); + } + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); + } finally { + doneLatch.countDown(); + } + }); + } + + // Release all threads simultaneously + startLatch.countDown(); + + // Wait for all threads to submit their futures + doneLatch.await(5, TimeUnit.SECONDS); + + // Wait for all futures to complete and collect results + List> results = new ArrayList<>(); + for (CompletableFuture> future : futures) { + results.add(future.get(5, TimeUnit.SECONDS)); + } + + // All results should be the same instance + assertThat(results).hasSize(concurrentCalls); + Map firstKeys = results.get(0); + for (Map keys : results) { + assertThat(keys).isSameAs(firstKeys); + } + + // Only one HTTP request should have been made (stampede prevention) + verify(1, getRequestedFor(urlEqualTo("/root-keys"))); + } finally { + executor.shutdown(); + } + } + + @Test + @DisplayName("Should clear cache when invalidateRootKeyCache is called") + void shouldClearCacheWhenInvalidateCalled(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl, Duration.ofHours(1)); + + // First call - should make HTTP request + Map keys1 = service.getRootKeysAsync().join(); + assertThat(keys1).isNotEmpty(); + verify(1, getRequestedFor(urlEqualTo("/root-keys"))); + + // Invalidate cache + service.invalidateRootKeyCache(); + + // Second call - should make new HTTP request + Map keys2 = service.getRootKeysAsync().join(); + assertThat(keys2).isNotEmpty(); + + // Verify two HTTP requests were made + verify(2, getRequestedFor(urlEqualTo("/root-keys"))); + } + } + + @Nested + @DisplayName("refreshRootKeysIfNeeded() tests") + class RefreshRootKeysIfNeededTests { + + @Test + @DisplayName("Should reject artifact with future timestamp beyond tolerance") + void shouldRejectArtifactFromFuture(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache first + service.getRootKeysAsync().join(); + + // Try refresh with artifact claiming to be 2 minutes in the future (beyond 60s tolerance) + Instant futureTime = Instant.now().plus(Duration.ofMinutes(2)); + RefreshDecision decision = service.refreshRootKeysIfNeeded(futureTime); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REJECT); + assertThat(decision.reason()).contains("future"); + } + + @Test + @DisplayName("Should reject artifact older than cache refresh time") + void shouldRejectArtifactOlderThanCache(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache first + service.getRootKeysAsync().join(); + + // Try refresh with artifact from 10 minutes ago (beyond 5 min past tolerance) + Instant oldTime = Instant.now().minus(Duration.ofMinutes(10)); + RefreshDecision decision = service.refreshRootKeysIfNeeded(oldTime); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REJECT); + assertThat(decision.reason()).contains("predates cache refresh"); + } + + @Test + @DisplayName("Should allow refresh for artifact issued after cache refresh") + void shouldAllowRefreshForNewerArtifact(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache first + service.getRootKeysAsync().join(); + verify(1, getRequestedFor(urlEqualTo("/root-keys"))); + + // Try refresh with artifact issued just now (after cache was populated) + Instant recentTime = Instant.now(); + RefreshDecision decision = service.refreshRootKeysIfNeeded(recentTime); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); + assertThat(decision.keys()).isNotNull(); + assertThat(decision.keys()).isNotEmpty(); + + // Should have made another request to refresh the cache + verify(2, getRequestedFor(urlEqualTo("/root-keys"))); + } + + @Test + @DisplayName("Should defer refresh when cooldown is in effect") + void shouldDeferRefreshDuringCooldown(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache first + service.getRootKeysAsync().join(); + + // First refresh should succeed + Instant recentTime = Instant.now(); + RefreshDecision decision1 = service.refreshRootKeysIfNeeded(recentTime); + assertThat(decision1.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); + + // Second refresh immediately after should be deferred (30s cooldown) + RefreshDecision decision2 = service.refreshRootKeysIfNeeded(Instant.now()); + assertThat(decision2.action()).isEqualTo(RefreshDecision.RefreshAction.DEFER); + assertThat(decision2.reason()).contains("recently refreshed"); + } + + @Test + @DisplayName("Should track cache populated timestamp") + void shouldTrackCachePopulatedTimestamp(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Initially should be EPOCH + assertThat(service.getCachePopulatedAt()).isEqualTo(Instant.EPOCH); + + // After populating cache, timestamp should be recent + Instant beforeFetch = Instant.now(); + service.getRootKeysAsync().join(); + Instant afterFetch = Instant.now(); + + Instant cacheTime = service.getCachePopulatedAt(); + assertThat(cacheTime).isAfterOrEqualTo(beforeFetch); + assertThat(cacheTime).isBeforeOrEqualTo(afterFetch); + } + + @Test + @DisplayName("Should allow artifact within past tolerance window") + void shouldAllowArtifactWithinPastTolerance(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache + service.getRootKeysAsync().join(); + + // Artifact from 3 minutes ago should be allowed (within 5 min past tolerance) + Instant threeMinutesAgo = Instant.now().minus(Duration.ofMinutes(3)); + RefreshDecision decision = service.refreshRootKeysIfNeeded(threeMinutesAgo); + + // Should allow refresh since it's within tolerance + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); + } + + @Test + @DisplayName("Should allow artifact with small future timestamp (within clock skew)") + void shouldAllowArtifactWithinClockSkewTolerance(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + stubFor(get(urlEqualTo("/root-keys")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse()))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache + service.getRootKeysAsync().join(); + + // Artifact from 30 seconds in future should be allowed (within 60s tolerance) + Instant thirtySecondsAhead = Instant.now().plus(Duration.ofSeconds(30)); + RefreshDecision decision = service.refreshRootKeysIfNeeded(thirtySecondsAhead); + + // Should allow refresh since it's within clock skew tolerance + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); + } + + @Test + @DisplayName("Should defer when network error occurs during refresh") + void shouldDeferOnNetworkError(WireMockRuntimeInfo wmRuntimeInfo) { + String baseUrl = wmRuntimeInfo.getHttpBaseUrl(); + + // First request succeeds (initial cache population) + stubFor(get(urlEqualTo("/root-keys")) + .inScenario("network-error") + .whenScenarioStateIs("Started") + .willReturn(aResponse() + .withStatus(200) + .withHeader("Content-Type", "text/plain") + .withBody(rootKeyC2spSingleResponse())) + .willSetStateTo("first-call-done")); + + // Second request fails (network error during refresh) + stubFor(get(urlEqualTo("/root-keys")) + .inScenario("network-error") + .whenScenarioStateIs("first-call-done") + .willReturn(aResponse() + .withStatus(500) + .withBody("Server error"))); + + TransparencyService service = createService(baseUrl); + + // Populate the cache + service.getRootKeysAsync().join(); + + // Attempt refresh - should fail and return DEFER + Instant recentTime = Instant.now(); + RefreshDecision decision = service.refreshRootKeysIfNeeded(recentTime); + + assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.DEFER); + assertThat(decision.reason()).contains("Failed to refresh"); + } + } + + // Helper methods for test data + + private String v1Response() { + return """ + { + "status": "ACTIVE", + "schemaVersion": "V1", + "payload": { + "logId": "log-123", + "producer": { + "event": { + "ansId": "6bf2b7a9-1383-4e33-a945-845f34af7526", + "ansName": "ans://v1.0.0.agent.example.com", + "eventType": "AGENT_REGISTERED", + "agent": { + "host": "agent.example.com", + "name": "Example Agent", + "version": "v1.0.0" + }, + "attestations": { + "domainValidation": "ACME-DNS-01" + } + } + } + } + } + """; + } + + private String v0Response() { + return """ + { + "status": "ACTIVE", + "schemaVersion": "V0", + "payload": { + "ansId": "6bf2b7a9-1383-4e33-a945-845f34af7526", + "ansName": "ans://v1.0.0.agent.example.com", + "eventType": "AGENT_REGISTERED" + } + } + """; + } + + private String checkpointResponse() { + return """ + { + "logSize": 1000, + "rootHash": "abcd1234" + } + """; + } + + private String checkpointHistoryResponse() { + return """ + { + "checkpoints": [ + { + "logSize": 1000, + "rootHash": "abcd1234" + } + ] + } + """; + } + + private String auditResponse() { + return """ + { + "records": [], + "totalRecords": 5 + } + """; + } + + // Valid EC P-256 public key for testing (SPKI-DER, base64 encoded) + private static final String TEST_EC_PUBLIC_KEY = + "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEveuRZW0vWcVjh4enr9tA7VAKPFmL" + + "OZs1S99lGDqRhAQBEdetB290Det8rO1ojnHEA8PX4Yojb0oomwA2krO5Ag=="; + + /** + * Returns a valid EC P-256 public key in JSON format. + */ + private String rootKeyC2spSingleResponse() { + return "transparency.ans.godaddy.com+abcd1234+" + TEST_EC_PUBLIC_KEY; + } + + /** + * Returns a valid EC P-256 public key in C2SP note format. + */ + private String rootKeyC2spResponse() { + return "transparency.ans.godaddy.com+abc123+" + TEST_EC_PUBLIC_KEY; + } + + /** + * Returns a valid EC P-256 public key with C2SP version byte prefix (0x02). + * This tests the version byte stripping logic in decodePublicKey(). + */ + private String rootKeyC2spWithVersionByte() { + // Prepend 0x02 version byte to the SPKI-DER bytes + byte[] originalKey = java.util.Base64.getDecoder().decode(TEST_EC_PUBLIC_KEY); + byte[] prefixedKey = new byte[originalKey.length + 1]; + prefixedKey[0] = 0x02; // C2SP version byte + System.arraycopy(originalKey, 0, prefixedKey, 1, originalKey.length); + String prefixedBase64 = java.util.Base64.getEncoder().encodeToString(prefixedKey); + return "transparency.ans.godaddy.com+abc123+" + prefixedBase64; + } + + /** + * Returns a C2SP note format with comment lines. + */ + private String rootKeyC2spWithComments() { + return "# This is a comment\n\n" + + "transparency.ans.godaddy.com+abc123+" + TEST_EC_PUBLIC_KEY; + } +} \ No newline at end of file diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationServiceTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationServiceTest.java index 031efe4..cd1d267 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationServiceTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/verification/CachingBadgeVerificationServiceTest.java @@ -18,6 +18,7 @@ import java.time.Duration; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.Mockito.times; @@ -203,57 +204,6 @@ void shouldCacheNegativeResultsWithShorterTtl() { verify(delegate, times(1)).verifyServer(TEST_HOSTNAME); // Still only 1 call } - // ==================== Background Refresh / Cache Management ==================== - - @Test - @DisplayName("Should evict expired entries when evictExpired is called") - void shouldEvictExpiredEntriesWhenEvictExpiredCalled() throws InterruptedException { - // Given - very short TTL - cachingService = CachingBadgeVerificationService.builder() - .delegate(delegate) - .cacheTtl(Duration.ofMillis(50)) - .build(); - - ServerVerificationResult result = createSuccessfulServerResult(); - when(delegate.verifyServer(TEST_HOSTNAME)).thenReturn(result); - - // Populate cache - cachingService.verifyServer(TEST_HOSTNAME); - assertThat(cachingService.serverCacheSize()).isEqualTo(1); - - // Wait for expiry - Thread.sleep(100); - - // When - evict expired entries - cachingService.evictExpired(); - - // Then - cache is empty - assertThat(cachingService.serverCacheSize()).isEqualTo(0); - } - - @Test - @DisplayName("Should not evict non-expired entries when evictExpired is called") - void shouldNotEvictNonExpiredEntriesWhenEvictExpiredCalled() { - // Given - long TTL - cachingService = CachingBadgeVerificationService.builder() - .delegate(delegate) - .cacheTtl(Duration.ofMinutes(15)) - .build(); - - ServerVerificationResult result = createSuccessfulServerResult(); - when(delegate.verifyServer(TEST_HOSTNAME)).thenReturn(result); - - // Populate cache - cachingService.verifyServer(TEST_HOSTNAME); - assertThat(cachingService.serverCacheSize()).isEqualTo(1); - - // When - evict expired entries (none should be expired) - cachingService.evictExpired(); - - // Then - cache still has entry - assertThat(cachingService.serverCacheSize()).isEqualTo(1); - } - // ==================== Cache Invalidation ==================== @Test @@ -347,11 +297,11 @@ void shouldUseDefaultTtlsWhenNotSpecified() { verify(delegate, times(1)).verifyServer(TEST_HOSTNAME); } - // ==================== Lazy Eviction Tests ==================== + // ==================== Expiration Tests ==================== @Test - @DisplayName("Should lazily remove expired server entry on cache miss") - void shouldLazilyRemoveExpiredServerEntryOnCacheMiss() throws InterruptedException { + @DisplayName("Should reload expired server entries") + void shouldReloadExpiredServerEntries() throws InterruptedException { // Given - very short TTL cachingService = CachingBadgeVerificationService.builder() .delegate(delegate) @@ -363,28 +313,21 @@ void shouldLazilyRemoveExpiredServerEntryOnCacheMiss() throws InterruptedExcepti // Populate cache cachingService.verifyServer(TEST_HOSTNAME); - assertThat(cachingService.serverCacheSize()).isEqualTo(1); + verify(delegate, times(1)).verifyServer(TEST_HOSTNAME); // Wait for expiry Thread.sleep(100); - // Cache still has 1 entry (expired but not evicted yet) - assertThat(cachingService.serverCacheSize()).isEqualTo(1); - - // When - access expired entry (should trigger lazy eviction + refresh) + // When - access expired entry (triggers reload) cachingService.verifyServer(TEST_HOSTNAME); - // Then - expired entry was removed and replaced with fresh one - // Cache size should still be 1 (the new entry) - assertThat(cachingService.serverCacheSize()).isEqualTo(1); - - // And delegate was called twice (initial + refresh after expiry) + // Then - delegate was called again verify(delegate, times(2)).verifyServer(TEST_HOSTNAME); } @Test - @DisplayName("Should lazily remove expired client entry on cache miss") - void shouldLazilyRemoveExpiredClientEntryOnCacheMiss() throws Exception { + @DisplayName("Should reload expired client entries") + void shouldReloadExpiredClientEntries() throws Exception { // Given - very short TTL cachingService = CachingBadgeVerificationService.builder() .delegate(delegate) @@ -399,61 +342,68 @@ void shouldLazilyRemoveExpiredClientEntryOnCacheMiss() throws Exception { // Populate cache cachingService.verifyClient(mockCertificate); - assertThat(cachingService.clientCacheSize()).isEqualTo(1); + verify(delegate, times(1)).verifyClient(mockCertificate); // Wait for expiry Thread.sleep(100); - // Cache still has 1 entry (expired but not evicted yet) - assertThat(cachingService.clientCacheSize()).isEqualTo(1); - - // When - access expired entry (should trigger lazy eviction + refresh) + // When - access expired entry (triggers reload) cachingService.verifyClient(mockCertificate); - // Then - expired entry was removed and replaced with fresh one - assertThat(cachingService.clientCacheSize()).isEqualTo(1); - - // And delegate was called twice + // Then - delegate was called again verify(delegate, times(2)).verifyClient(mockCertificate); } @Test - @DisplayName("Should remove expired entry immediately when accessed, not wait for put") - void shouldRemoveExpiredEntryImmediatelyWhenAccessed() throws InterruptedException { - // This test verifies that expired entries are REMOVED when found, - // not just overwritten by a subsequent put. This matters for memory - // because the old CachedResult object should be eligible for GC immediately. - - // Given - very short TTL + @DisplayName("Should not cache result when delegate throws exception") + void shouldNotCacheResultWhenDelegateThrows() { + // Given cachingService = CachingBadgeVerificationService.builder() .delegate(delegate) - .cacheTtl(Duration.ofMillis(50)) + .cacheTtl(Duration.ofMinutes(15)) .build(); - // Mock delegate to throw on second call - this way we can verify - // that removal happens even when the refresh fails - ServerVerificationResult firstResult = createSuccessfulServerResult(); when(delegate.verifyServer(TEST_HOSTNAME)) - .thenReturn(firstResult) .thenThrow(new RuntimeException("Network error")); - // Populate cache + // When - first call throws + assertThatThrownBy(() -> cachingService.verifyServer(TEST_HOSTNAME)) + .isInstanceOf(RuntimeException.class) + .hasMessage("Network error"); + + // Then - cache should be empty (nothing was cached) + assertThat(cachingService.serverCacheSize()).isEqualTo(0); + } + + @Test + @DisplayName("Should use different TTLs for positive and negative results") + void shouldUseDifferentTtlsForPositiveAndNegativeResults() throws InterruptedException { + // Given - positive TTL = 200ms, negative TTL = 50ms + cachingService = CachingBadgeVerificationService.builder() + .delegate(delegate) + .cacheTtl(Duration.ofMillis(200)) + .negativeCacheTtl(Duration.ofMillis(50)) + .build(); + + ServerVerificationResult failureResult = createFailedServerResult(); + ServerVerificationResult successResult = createSuccessfulServerResult(); + when(delegate.verifyServer(TEST_HOSTNAME)) + .thenReturn(failureResult) + .thenReturn(successResult); + + // When - first call returns failure cachingService.verifyServer(TEST_HOSTNAME); - assertThat(cachingService.serverCacheSize()).isEqualTo(1); + verify(delegate, times(1)).verifyServer(TEST_HOSTNAME); - // Wait for expiry + // Wait past negative TTL (50ms) but not past positive TTL (200ms) Thread.sleep(100); - // When - access expired entry (refresh will fail) - try { - cachingService.verifyServer(TEST_HOSTNAME); - } catch (RuntimeException e) { - // Expected - delegate threw - } + // When - call again (negative cache should have expired) + ServerVerificationResult result = cachingService.verifyServer(TEST_HOSTNAME); - // Then - expired entry should have been removed BEFORE the failed refresh - // So cache should be empty (not still holding the stale entry) - assertThat(cachingService.serverCacheSize()).isEqualTo(0); + // Then - should have fetched new result (success this time) + assertThat(result.getStatus()).isEqualTo(VerificationStatus.VERIFIED); + verify(delegate, times(2)).verifyServer(TEST_HOSTNAME); } // ==================== Helper Methods ==================== From 4fd359f1e9a72e0f920958022fce4562cf22b003 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 12:53:41 +1100 Subject: [PATCH 04/19] feat: add SCITT support to agent-client verification - VerificationPolicy: Add SCITT_REQUIRED policy for full SCITT verification - PreVerificationResult: Add SCITT result fields and builder methods - ConnectionVerifier/DefaultConnectionVerifier: Integrate SCITT verification into the connection flow - ScittVerifierAdapter: Bridge SCITT verification from transparency module to agent-client connection verification - Add ScittVerificationException and ClientConfigurationException - Comprehensive test coverage for all verification components Co-Authored-By: Claude Opus 4.5 --- .../ans/sdk/agent/VerificationPolicy.java | 78 +++- .../ClientConfigurationException.java | 39 ++ .../exception/ScittVerificationException.java | 109 ++++++ .../agent/http/NoOpConnectionVerifier.java | 7 + .../verification/ConnectionVerifier.java | 27 +- .../DefaultConnectionVerifier.java | 344 ++++++++++++++---- .../verification/PreVerificationResult.java | 109 +++++- .../verification/ScittVerifierAdapter.java | 320 ++++++++++++++++ .../ans/sdk/agent/verification/TlsaUtils.java | 10 +- .../verification/VerificationResult.java | 2 + .../ans/sdk/agent/ConnectOptionsTest.java | 11 - .../ans/sdk/agent/VerificationPolicyTest.java | 29 -- .../ClientConfigurationExceptionTest.java | 37 ++ .../ScittVerificationExceptionTest.java | 209 +++++++++++ .../DefaultAgentHttpClientFactoryTest.java | 4 +- .../http/NoOpConnectionVerifierTest.java | 2 +- .../agent/verification/DanePolicyTest.java | 64 ++++ .../DefaultCertificateFetcherTest.java | 75 ++++ .../DefaultConnectionVerifierTest.java | 186 ++++++++++ .../DefaultResolverFactoryTest.java | 53 +++ .../verification/DnsResolverConfigTest.java | 82 +++++ .../DnssecValidationModeTest.java | 50 +++ .../PreVerificationResultTest.java | 181 ++++++++- .../ScittVerifierAdapterTest.java | 342 +++++++++++++++++ .../verification/VerificationResultTest.java | 3 +- 25 files changed, 2232 insertions(+), 141 deletions(-) create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationException.java create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationException.java create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationExceptionTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationExceptionTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DanePolicyTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultResolverFactoryTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnsResolverConfigTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnssecValidationModeTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java index 49ceb47..966fdc6 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java @@ -9,6 +9,7 @@ *
    *
  • DANE: DNS-based Authentication of Named Entities (TLSA records)
    • *
  • Badge: ANS transparency log verification (proof of registration)
    • + *
  • SCITT: Cryptographic proof via HTTP headers (receipts and status tokens)
    • *
* *

Using Presets

@@ -19,11 +20,12 @@ * .verificationPolicy(VerificationPolicy.BADGE_REQUIRED) * .build(); * - * // Full verification (all methods required) + * // SCITT verification with badge fallback * ConnectOptions.builder() - * .verificationPolicy(VerificationPolicy.FULL) + * .verificationPolicy(VerificationPolicy.SCITT_ENHANCED) * .build(); - * } + * + * * *

Custom Configuration

*

For advanced scenarios, use the builder:

@@ -32,18 +34,21 @@ * .verificationPolicy(VerificationPolicy.custom() * .dane(VerificationMode.ADVISORY) // Try DANE, log on failure * .badge(VerificationMode.REQUIRED) // Must verify badge + * .scitt(VerificationMode.ADVISORY) // Try SCITT, fall back to badge * .build()) * .build(); * } * * @param daneMode the DANE verification mode * @param badgeMode the Badge verification mode + * @param scittMode the SCITT verification mode * @see VerificationMode * @see ConnectOptions.Builder#verificationPolicy(VerificationPolicy) */ public record VerificationPolicy( VerificationMode daneMode, - VerificationMode badgeMode + VerificationMode badgeMode, + VerificationMode scittMode ) { // ==================== Predefined Policies ==================== @@ -54,6 +59,7 @@ public record VerificationPolicy( * well-known Certificate Authorities. This is the minimum security level.

*/ public static final VerificationPolicy PKI_ONLY = new VerificationPolicy( + VerificationMode.DISABLED, VerificationMode.DISABLED, VerificationMode.DISABLED ); @@ -67,7 +73,8 @@ public record VerificationPolicy( */ public static final VerificationPolicy BADGE_REQUIRED = new VerificationPolicy( VerificationMode.DISABLED, - VerificationMode.REQUIRED + VerificationMode.REQUIRED, + VerificationMode.DISABLED ); /** @@ -78,6 +85,7 @@ public record VerificationPolicy( */ public static final VerificationPolicy DANE_ADVISORY = new VerificationPolicy( VerificationMode.ADVISORY, + VerificationMode.DISABLED, VerificationMode.DISABLED ); @@ -89,6 +97,7 @@ public record VerificationPolicy( */ public static final VerificationPolicy DANE_REQUIRED = new VerificationPolicy( VerificationMode.REQUIRED, + VerificationMode.DISABLED, VerificationMode.DISABLED ); @@ -101,16 +110,33 @@ public record VerificationPolicy( */ public static final VerificationPolicy DANE_AND_BADGE = new VerificationPolicy( VerificationMode.REQUIRED, + VerificationMode.REQUIRED, + VerificationMode.DISABLED + ); + + /** + * SCITT verification with badge fallback. + * + *

Uses SCITT artifacts (receipts and status tokens) delivered via HTTP headers + * for verification. Falls back to badge verification if SCITT headers are not + * present. This is the recommended migration path from badge-based verification.

+ */ + public static final VerificationPolicy SCITT_ENHANCED = new VerificationPolicy( + VerificationMode.DISABLED, + VerificationMode.ADVISORY, VerificationMode.REQUIRED ); /** - * All verification methods required. + * SCITT verification required, no fallback. * - *

Maximum security: requires both DANE and Badge verification.

+ *

Recommended for production. Requires SCITT artifacts for verification + * with no badge fallback. This prevents downgrade attacks where an attacker + * strips SCITT headers to force badge-based verification.

*/ - public static final VerificationPolicy FULL = new VerificationPolicy( - VerificationMode.REQUIRED, + public static final VerificationPolicy SCITT_REQUIRED = new VerificationPolicy( + VerificationMode.DISABLED, + VerificationMode.DISABLED, VerificationMode.REQUIRED ); @@ -122,6 +148,7 @@ public record VerificationPolicy( public VerificationPolicy { Objects.requireNonNull(daneMode, "daneMode cannot be null"); Objects.requireNonNull(badgeMode, "badgeMode cannot be null"); + Objects.requireNonNull(scittMode, "scittMode cannot be null"); } // ==================== Factory Methods ==================== @@ -144,13 +171,24 @@ public static Builder custom() { */ public boolean hasAnyVerification() { return daneMode != VerificationMode.DISABLED - || badgeMode != VerificationMode.DISABLED; + || badgeMode != VerificationMode.DISABLED + || scittMode != VerificationMode.DISABLED; + } + + /** + * Checks if SCITT verification is enabled. + * + * @return true if SCITT mode is not DISABLED + */ + public boolean hasScittVerification() { + return scittMode != VerificationMode.DISABLED; } @Override public String toString() { return "VerificationPolicy{dane=" + daneMode + - ", badge=" + badgeMode + "}"; + ", badge=" + badgeMode + + ", scitt=" + scittMode + "}"; } // ==================== Builder ==================== @@ -163,6 +201,7 @@ public String toString() { public static final class Builder { private VerificationMode daneMode = VerificationMode.DISABLED; private VerificationMode badgeMode = VerificationMode.DISABLED; + private VerificationMode scittMode = VerificationMode.DISABLED; private Builder() { } @@ -197,13 +236,28 @@ public Builder badge(VerificationMode mode) { return this; } + /** + * Sets the SCITT verification mode. + * + *

SCITT (Supply Chain Integrity, Transparency, and Trust) verification + * uses cryptographic receipts and status tokens delivered via HTTP headers. + * This eliminates the need for live transparency log queries.

+ * + * @param mode the verification mode + * @return this builder + */ + public Builder scitt(VerificationMode mode) { + this.scittMode = Objects.requireNonNull(mode, "mode cannot be null"); + return this; + } + /** * Builds the verification policy. * * @return the configured policy */ public VerificationPolicy build() { - return new VerificationPolicy(daneMode, badgeMode); + return new VerificationPolicy(daneMode, badgeMode, scittMode); } } } diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationException.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationException.java new file mode 100644 index 0000000..e38342c --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationException.java @@ -0,0 +1,39 @@ +package com.godaddy.ans.sdk.agent.exception; + +import com.godaddy.ans.sdk.exception.AnsException; + +/** + * Exception thrown when client configuration fails. + * + *

This exception is thrown during {@link com.godaddy.ans.sdk.agent.AnsVerifiedClient} + * initialization when configuration issues prevent the client from being built.

+ * + *

Common causes include:

+ *
    + *
  • Keystore file not found
    • + *
  • Invalid keystore format (not PKCS12/JKS)
    • + *
  • Wrong keystore password
    • + *
  • SSLContext creation failure
    • + *
+ */ +public class ClientConfigurationException extends AnsException { + + /** + * Creates a new exception with the specified message. + * + * @param message the error message + */ + public ClientConfigurationException(String message) { + super(message); + } + + /** + * Creates a new exception with the specified message and cause. + * + * @param message the error message + * @param cause the underlying cause + */ + public ClientConfigurationException(String message, Throwable cause) { + super(message, cause); + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationException.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationException.java new file mode 100644 index 0000000..18de728 --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationException.java @@ -0,0 +1,109 @@ +package com.godaddy.ans.sdk.agent.exception; + +/** + * Exception thrown when SCITT verification fails. + * + *

SCITT (Supply Chain Integrity, Transparency, and Trust) verification + * can fail for various reasons including:

+ *
    + *
  • Invalid COSE_Sign1 signature on receipt or status token
    • + *
  • Invalid Merkle inclusion proof
    • + *
  • Expired or malformed status token
    • + *
  • Algorithm substitution attack (non-ES256 algorithm)
    • + *
  • Required public key not found or invalid
    • + *
+ */ +public class ScittVerificationException extends TrustValidationException { + + private final FailureType failureType; + + /** + * Types of SCITT verification failures. + */ + public enum FailureType { + /** SCITT headers required but not present in response */ + HEADERS_NOT_PRESENT, + /** Failed to parse SCITT artifact (receipt or status token) */ + PARSE_ERROR, + /** Algorithm in COSE header is not ES256 */ + INVALID_ALGORITHM, + /** COSE_Sign1 signature verification failed */ + INVALID_SIGNATURE, + /** Merkle tree inclusion proof is invalid */ + MERKLE_PROOF_INVALID, + /** Status token has expired */ + TOKEN_EXPIRED, + /** Required public key (TL or RA) not found */ + KEY_NOT_FOUND, + /** Certificate fingerprint does not match expectations */ + FINGERPRINT_MISMATCH, + /** Agent registration is revoked */ + AGENT_REVOKED, + /** Agent status is not active */ + AGENT_INACTIVE, + /** General verification error */ + VERIFICATION_ERROR + } + + /** + * Creates a new SCITT verification exception. + * + * @param message the error message + * @param failureType the type of failure + */ + public ScittVerificationException(String message, FailureType failureType) { + super(message, mapToValidationReason(failureType)); + this.failureType = failureType; + } + + /** + * Creates a new SCITT verification exception with a cause. + * + * @param message the error message + * @param cause the underlying cause + * @param failureType the type of failure + */ + public ScittVerificationException(String message, Throwable cause, FailureType failureType) { + super(message, cause, null, mapToValidationReason(failureType)); + this.failureType = failureType; + } + + /** + * Creates a new SCITT verification exception with certificate info. + * + * @param message the error message + * @param certificateSubject the subject of the certificate + * @param failureType the type of failure + */ + public ScittVerificationException(String message, String certificateSubject, FailureType failureType) { + super(message, certificateSubject, mapToValidationReason(failureType)); + this.failureType = failureType; + } + + /** + * Returns the type of SCITT verification failure. + * + * @return the failure type + */ + public FailureType getFailureType() { + return failureType; + } + + /** + * Maps SCITT failure types to TrustValidationException reasons. + */ + private static ValidationFailureReason mapToValidationReason(FailureType failureType) { + if (failureType == null) { + return ValidationFailureReason.UNKNOWN; + } + return switch (failureType) { + case HEADERS_NOT_PRESENT, PARSE_ERROR, AGENT_INACTIVE, VERIFICATION_ERROR -> + ValidationFailureReason.UNKNOWN; + case INVALID_ALGORITHM, MERKLE_PROOF_INVALID, INVALID_SIGNATURE, FINGERPRINT_MISMATCH -> + ValidationFailureReason.CHAIN_VALIDATION_FAILED; + case TOKEN_EXPIRED -> ValidationFailureReason.EXPIRED; + case KEY_NOT_FOUND -> ValidationFailureReason.TRUST_BUNDLE_LOAD_FAILED; + case AGENT_REVOKED -> ValidationFailureReason.REVOKED; + }; + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifier.java index 4086c07..cc427b7 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifier.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifier.java @@ -4,9 +4,11 @@ import com.godaddy.ans.sdk.agent.verification.ConnectionVerifier; import com.godaddy.ans.sdk.agent.verification.PreVerificationResult; import com.godaddy.ans.sdk.agent.verification.VerificationResult; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; import java.security.cert.X509Certificate; import java.util.List; +import java.util.Map; import java.util.concurrent.CompletableFuture; /** @@ -48,4 +50,9 @@ public List postVerify(String hostname, X509Certificate serv public VerificationResult combine(List results, VerificationPolicy policy) { return VerificationResult.skipped("No additional verification performed (PKI only)"); } + + @Override + public CompletableFuture scittPreVerify(Map responseHeaders) { + return CompletableFuture.completedFuture(ScittPreVerifyResult.notPresent()); + } } \ No newline at end of file diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ConnectionVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ConnectionVerifier.java index b76668d..40f25f3 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ConnectionVerifier.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ConnectionVerifier.java @@ -2,8 +2,12 @@ import java.security.cert.X509Certificate; import java.util.List; +import java.util.Map; import java.util.concurrent.CompletableFuture; +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; + /** * Interface for verifying connections outside the TLS handshake. * @@ -87,5 +91,26 @@ public interface ConnectionVerifier { * @param policy the verification policy (determines which failures are fatal) * @return the combined result */ - VerificationResult combine(List results, com.godaddy.ans.sdk.agent.VerificationPolicy policy); + VerificationResult combine(List results, VerificationPolicy policy); + + /** + * Performs SCITT pre-verification using HTTP response headers. + * + *

This should be called after receiving HTTP response headers but before + * post-verification. It extracts SCITT artifacts (receipts, status tokens) + * from the headers and verifies them.

+ * + *

The SCITT domain is automatically determined from the TransparencyClient + * configured in the ScittVerifierAdapter.

+ * + *

The default implementation returns {@link ScittPreVerifyResult#notPresent()}, + * indicating SCITT verification is not configured. Override this method to + * enable SCITT verification.

+ * + * @param responseHeaders the HTTP response headers + * @return future containing the SCITT pre-verification result + */ + default CompletableFuture scittPreVerify(Map responseHeaders) { + return CompletableFuture.completedFuture(ScittPreVerifyResult.notPresent()); + } } diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java index de31233..5c0a24d 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java @@ -2,12 +2,15 @@ import com.godaddy.ans.sdk.agent.VerificationMode; import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.List; +import java.util.Map; +import java.util.Optional; import java.util.concurrent.CompletableFuture; /** @@ -47,10 +50,12 @@ public class DefaultConnectionVerifier implements ConnectionVerifier { private final DaneVerifier daneVerifier; private final BadgeVerifier badgeVerifier; + private final ScittVerifierAdapter scittVerifier; private DefaultConnectionVerifier(Builder builder) { this.daneVerifier = builder.daneVerifier; this.badgeVerifier = builder.badgeVerifier; + this.scittVerifier = builder.scittVerifier; } /** @@ -99,6 +104,14 @@ public CompletableFuture preVerify(String hostname, int p }); } + @Override + public CompletableFuture scittPreVerify(Map responseHeaders) { + if (scittVerifier == null) { + return CompletableFuture.completedFuture(ScittPreVerifyResult.notPresent()); + } + return scittVerifier.preVerify(responseHeaders); + } + @Override public List postVerify(String hostname, X509Certificate serverCert, PreVerificationResult preResult) { @@ -106,92 +119,287 @@ public List postVerify(String hostname, X509Certificate serv List results = new ArrayList<>(); - // DANE post-verification - if (daneVerifier != null) { - VerificationResult daneResult; - if (preResult.daneDnsError()) { - // DNS query failed - this is an ERROR, not NOT_FOUND - daneResult = VerificationResult.error( - VerificationResult.VerificationType.DANE, - "DNS lookup failed: " + preResult.daneDnsErrorMessage()); - LOGGER.warn("DANE DNS error for {}: {}", hostname, preResult.daneDnsErrorMessage()); - } else { - daneResult = daneVerifier.postVerify( - hostname, serverCert, preResult.daneExpectations()); - } - results.add(daneResult); - LOGGER.debug("DANE result for {}: {}", hostname, daneResult.status()); - } - - // Badge post-verification - if (badgeVerifier != null) { - BadgeVerifier.BadgeExpectation badgeExpectation; - if (preResult.badgePreVerifyFailed()) { - // Pre-verification failed (e.g., revoked/expired registration) - badgeExpectation = BadgeVerifier.BadgeExpectation.failed(preResult.badgeFailureReason()); - } else if (preResult.hasBadgeExpectation()) { - // During version rotation, multiple fingerprints may exist - badgeExpectation = BadgeVerifier.BadgeExpectation.registered( - preResult.badgeFingerprints(), false, null); - } else { - badgeExpectation = BadgeVerifier.BadgeExpectation.notAnsAgent(); - } + postVerifyDane(hostname, serverCert, preResult).ifPresent(results::add); + postVerifyScitt(hostname, serverCert, preResult).ifPresent(results::add); + postVerifyBadge(hostname, serverCert, preResult).ifPresent(results::add); - VerificationResult badgeResult = badgeVerifier.postVerify(hostname, serverCert, badgeExpectation); - results.add(badgeResult); - LOGGER.debug("Badge result for {}: {}", hostname, badgeResult.status()); + return results; + } + + /** + * Performs DANE post-verification if DANE verifier is configured. + */ + private Optional postVerifyDane(String hostname, + X509Certificate serverCert, + PreVerificationResult preResult) { + if (daneVerifier == null) { + return Optional.empty(); } - return results; + VerificationResult daneResult; + if (preResult.daneDnsError()) { + // DNS query failed - this is an ERROR, not NOT_FOUND + daneResult = VerificationResult.error( + VerificationResult.VerificationType.DANE, + "DNS lookup failed: " + preResult.daneDnsErrorMessage()); + LOGGER.warn("DANE DNS error for {}: {}", hostname, preResult.daneDnsErrorMessage()); + } else { + daneResult = daneVerifier.postVerify(hostname, serverCert, preResult.daneExpectations()); + } + + LOGGER.debug("DANE result for {}: {}", hostname, daneResult.status()); + return Optional.of(daneResult); + } + + /** + * Performs SCITT post-verification if SCITT verifier is configured. + */ + private Optional postVerifyScitt(String hostname, + X509Certificate serverCert, + PreVerificationResult preResult) { + if (scittVerifier == null) { + return Optional.empty(); + } + + VerificationResult scittResult; + if (preResult.hasScittExpectation()) { + scittResult = scittVerifier.postVerify(hostname, serverCert, preResult.scittPreVerifyResult()); + } else { + // SCITT verifier present but no SCITT artifacts in response + scittResult = VerificationResult.notFound( + VerificationResult.VerificationType.SCITT, + "SCITT headers not present in response"); + } + + LOGGER.debug("SCITT result for {}: {}", hostname, scittResult.status()); + return Optional.of(scittResult); + } + + /** + * Performs Badge post-verification if Badge verifier is configured. + */ + private Optional postVerifyBadge(String hostname, + X509Certificate serverCert, + PreVerificationResult preResult) { + if (badgeVerifier == null) { + return Optional.empty(); + } + + BadgeVerifier.BadgeExpectation badgeExpectation = buildBadgeExpectation(preResult); + VerificationResult badgeResult = badgeVerifier.postVerify(hostname, serverCert, badgeExpectation); + + LOGGER.debug("Badge result for {}: {}", hostname, badgeResult.status()); + return Optional.of(badgeResult); + } + + /** + * Builds the badge expectation from the pre-verification result. + */ + private BadgeVerifier.BadgeExpectation buildBadgeExpectation(PreVerificationResult preResult) { + if (preResult.badgePreVerifyFailed()) { + // Pre-verification failed (e.g., revoked/expired registration) + return BadgeVerifier.BadgeExpectation.failed(preResult.badgeFailureReason()); + } else if (preResult.hasBadgeExpectation()) { + // During version rotation, multiple fingerprints may exist + return BadgeVerifier.BadgeExpectation.registered(preResult.badgeFingerprints(), false, null); + } else { + return BadgeVerifier.BadgeExpectation.notAnsAgent(); + } } @Override public VerificationResult combine(List results, VerificationPolicy policy) { - // Check for failures based on policy + CombineStrategy strategy = determineCombineStrategy(results, policy); + + LOGGER.debug("Combining results with strategy: {}", strategy.name()); + + // Check for failures based on policy and strategy + VerificationResult failure = checkForFailures(results, policy, strategy); + if (failure != null) { + return failure; + } + + // All required verifications passed - return the best success result + return selectSuccessResult(results, strategy); + } + + /** + * Determines the combine strategy based on results and policy. + * + *

Fallback invariants:

+ *
    + *
  • SCITT-to-Badge fallback is ONLY allowed when: + *
      + *
    1. SCITT mode is REQUIRED
      2. + *
    2. Badge mode is ADVISORY (not REQUIRED or DISABLED)
      3. + *
    3. SCITT result is NOT_FOUND (headers missing, not verification failure)
      4. + *
    4. Badge verification succeeded
      5. + *
    + *
    • + *
  • This matches {@link VerificationPolicy#SCITT_ENHANCED} - the migration scenario + * where SCITT is preferred but badge provides an audit trail fallback.
    • + *
  • When badge is REQUIRED, both verifications must pass independently - + * no fallback allowed.
    • + *
  • When badge is DISABLED (e.g., {@link VerificationPolicy#SCITT_REQUIRED}), + * fallback is impossible - SCITT NOT_FOUND becomes a hard failure.
    • + *
+ */ + private CombineStrategy determineCombineStrategy(List results, + VerificationPolicy policy) { + // Fallback only applies when SCITT is REQUIRED + if (policy.scittMode() != VerificationMode.REQUIRED) { + return CombineStrategy.STANDARD; + } + + Optional scittResult = findResultByType(results, + VerificationResult.VerificationType.SCITT); + Optional badgeResult = findResultByType(results, + VerificationResult.VerificationType.BADGE); + + // Check fallback conditions + boolean scittMissing = scittResult.map(VerificationResult::isNotFound).orElse(false); + boolean badgeSucceeded = badgeResult.map(VerificationResult::isSuccess).orElse(false); + boolean badgeIsAdvisory = policy.badgeMode() == VerificationMode.ADVISORY; + + if (scittMissing && badgeSucceeded && badgeIsAdvisory) { + LOGGER.info("SCITT headers not present, falling back to badge verification for audit trail"); + return CombineStrategy.SCITT_FALLBACK_TO_BADGE; + } + + return CombineStrategy.STANDARD; + } + + /** + * Checks all results for failures based on policy and strategy. + * + * @return the first failure result, or null if no failures + */ + private VerificationResult checkForFailures(List results, + VerificationPolicy policy, + CombineStrategy strategy) { for (VerificationResult result : results) { VerificationMode mode = getModeForType(result.type(), policy); + // Skip SCITT NOT_FOUND when using fallback strategy + if (strategy.shouldSkipScittNotFound() + && result.type() == VerificationResult.VerificationType.SCITT + && result.isNotFound()) { + continue; + } + // Check explicit failures (MISMATCH, ERROR) - if (result.shouldFail()) { - if (mode == VerificationMode.REQUIRED) { - LOGGER.warn("Verification failed (REQUIRED): {}", result); - return result; // Return the failing result - } else { - LOGGER.warn("Verification issue (ADVISORY): {}", result); - } + if (result.shouldFail() && mode == VerificationMode.REQUIRED) { + LOGGER.warn("Verification failed (REQUIRED): {}", result); + return result; + } else if (result.shouldFail()) { + LOGGER.warn("Verification issue (ADVISORY): {}", result); } - // Check NOT_FOUND - this is a failure when mode is REQUIRED, a warning when ADVISORY - if (result.isNotFound()) { - if (mode == VerificationMode.REQUIRED) { - LOGGER.warn("Verification not found but REQUIRED: {}", result); - // Convert NOT_FOUND to an error when REQUIRED - return VerificationResult.error( - result.type(), - "No " + result.type().name().toLowerCase() - + " record/registration found for verification (REQUIRED mode)"); - } else if (mode == VerificationMode.ADVISORY) { - LOGGER.warn("Verification not found (ADVISORY - continuing): {}", result); - } + // Check NOT_FOUND - failure when REQUIRED, warning when ADVISORY + if (result.isNotFound() && mode == VerificationMode.REQUIRED) { + LOGGER.warn("Verification not found but REQUIRED: {}", result); + return VerificationResult.error( + result.type(), + "No " + result.type().name().toLowerCase() + + " record/registration found for verification (REQUIRED mode)"); + } else if (result.isNotFound() && mode == VerificationMode.ADVISORY) { + LOGGER.warn("Verification not found (ADVISORY - continuing): {}", result); } } + return null; + } - // All required verifications passed - return success - // Find a successful result to return, preferring Badge > DANE - for (VerificationResult result : results) { - if (result.isSuccess()) { - return result; - } + /** + * Selects the best success result based on priority: SCITT > Badge > DANE. + */ + private VerificationResult selectSuccessResult(List results, + CombineStrategy strategy) { + // Priority order: SCITT > Badge > DANE + return findSuccessByType(results, VerificationResult.VerificationType.SCITT) + .or(() -> findSuccessByType(results, VerificationResult.VerificationType.BADGE) + .map(badge -> annotateFallbackIfNeeded(badge, strategy))) + .or(() -> findSuccessByType(results, VerificationResult.VerificationType.DANE)) + .orElseGet(() -> VerificationResult.skipped( + "No verification performed (no records/registrations found)")); + } + + /** + * Annotates a badge result as a SCITT fallback if that strategy is in use. + */ + private VerificationResult annotateFallbackIfNeeded(VerificationResult badge, CombineStrategy strategy) { + if (strategy == CombineStrategy.SCITT_FALLBACK_TO_BADGE) { + return VerificationResult.success( + badge.type(), + badge.actualFingerprint(), + badge.reason() + " (SCITT fallback)"); } + return badge; + } + + /** + * Strategy for combining verification results. + * + *

This enum encapsulates the different behaviors needed when combining + * multiple verification results into a final decision.

+ */ + private enum CombineStrategy { + /** + * Standard combining - each verification is evaluated independently + * according to its mode (REQUIRED, ADVISORY, DISABLED). + */ + STANDARD { + @Override + boolean shouldSkipScittNotFound() { + return false; + } + }, - // No explicit success but no failures either (all NOT_FOUND with ADVISORY mode) - return VerificationResult.skipped("No verification performed (no records/registrations found)"); + /** + * SCITT fallback to Badge - when SCITT headers are missing but badge + * verification succeeded, allow the badge result to satisfy the policy. + * + *

This strategy is used exclusively with {@link VerificationPolicy#SCITT_ENHANCED} + * (scitt=REQUIRED, badge=ADVISORY) to support migration scenarios where + * servers may not yet provide SCITT headers.

+ */ + SCITT_FALLBACK_TO_BADGE { + @Override + boolean shouldSkipScittNotFound() { + return true; + } + }; + + /** + * Whether to skip SCITT NOT_FOUND results during failure checking. + */ + abstract boolean shouldSkipScittNotFound(); + } + + /** + * Finds a verification result by type. + */ + private Optional findResultByType(List results, + VerificationResult.VerificationType type) { + return results.stream() + .filter(r -> r.type() == type) + .findFirst(); + } + + /** + * Finds a successful verification result by type. + */ + private Optional findSuccessByType(List results, + VerificationResult.VerificationType type) { + return results.stream() + .filter(r -> r.type() == type && r.isSuccess()) + .findFirst(); } private VerificationMode getModeForType(VerificationResult.VerificationType type, VerificationPolicy policy) { return switch (type) { case DANE -> policy.daneMode(); case BADGE -> policy.badgeMode(); + case SCITT -> policy.scittMode(); case PKI_ONLY -> VerificationMode.DISABLED; }; } @@ -202,6 +410,7 @@ private VerificationMode getModeForType(VerificationResult.VerificationType type public static class Builder { private DaneVerifier daneVerifier; private BadgeVerifier badgeVerifier; + private ScittVerifierAdapter scittVerifier; private Builder() { } @@ -228,6 +437,17 @@ public Builder badgeVerifier(BadgeVerifier badgeVerifier) { return this; } + /** + * Sets the SCITT verifier. + * + * @param scittVerifier the SCITT verifier (null to disable SCITT) + * @return this builder + */ + public Builder scittVerifier(ScittVerifierAdapter scittVerifier) { + this.scittVerifier = scittVerifier; + return this; + } + /** * Builds the DefaultConnectionVerifier. * diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResult.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResult.java index 220220c..daf5c54 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResult.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResult.java @@ -1,5 +1,7 @@ package com.godaddy.ans.sdk.agent.verification; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; + import java.time.Instant; import java.util.List; @@ -10,6 +12,7 @@ *
    *
  • DANE: Look up TLSA records and extract expected certificate data
    • *
  • Badge: Query transparency log for registered certificate fingerprints
    • + *
  • SCITT: Extract and verify receipts/status tokens from HTTP headers
    • *
* *

After the TLS handshake completes, the actual server certificate is compared @@ -27,6 +30,7 @@ * @param badgeFingerprints expected fingerprints from transparency log (empty if not registered) * @param badgePreVerifyFailed true if badge pre-verification failed (e.g., revoked/expired) * @param badgeFailureReason the reason for badge pre-verification failure (null if not failed) + * @param scittPreVerifyResult the SCITT pre-verification result (null if not performed) * @param timestamp when the pre-verification was performed */ public record PreVerificationResult( @@ -38,6 +42,7 @@ public record PreVerificationResult( List badgeFingerprints, boolean badgePreVerifyFailed, String badgeFailureReason, + ScittPreVerifyResult scittPreVerifyResult, Instant timestamp ) { @@ -66,7 +71,8 @@ public static Builder builder(String hostname, int port) { * @return true if DANE expectations are available */ public boolean hasDaneExpectation() { - return daneExpectations != null && !daneExpectations.isEmpty(); + // Note: compact constructor guarantees daneExpectations is never null + return !daneExpectations.isEmpty(); } /** @@ -75,7 +81,49 @@ public boolean hasDaneExpectation() { * @return true if badge fingerprints are available from transparency log */ public boolean hasBadgeExpectation() { - return badgeFingerprints != null && !badgeFingerprints.isEmpty(); + // Note: compact constructor guarantees badgeFingerprints is never null + return !badgeFingerprints.isEmpty(); + } + + /** + * Returns true if SCITT verification should be performed. + * + * @return true if SCITT artifacts are available + */ + public boolean hasScittExpectation() { + return scittPreVerifyResult != null && scittPreVerifyResult.isPresent(); + } + + /** + * Returns true if SCITT pre-verification was successful. + * + * @return true if SCITT expectation is verified + */ + public boolean scittPreVerifySucceeded() { + return scittPreVerifyResult != null + && scittPreVerifyResult.isPresent() + && scittPreVerifyResult.expectation().isVerified(); + } + + /** + * Returns a new PreVerificationResult with the SCITT result replaced. + * + * @param scittResult the new SCITT pre-verification result + * @return a new PreVerificationResult with the updated SCITT result + */ + public PreVerificationResult withScittResult(ScittPreVerifyResult scittResult) { + return new PreVerificationResult( + this.hostname, + this.port, + this.daneExpectations, + this.daneDnsError, + this.daneDnsErrorMessage, + this.badgeFingerprints, + this.badgePreVerifyFailed, + this.badgeFailureReason, + scittResult, + this.timestamp + ); } /** @@ -90,26 +138,19 @@ public static class Builder { private List badgeFingerprints = List.of(); private boolean badgePreVerifyFailed; private String badgeFailureReason; + private ScittPreVerifyResult scittPreVerifyResult; private Builder(String hostname, int port) { this.hostname = hostname; this.port = port; } - /** - * Sets the expected DANE expectations from TLSA records. - * - * @param expectations the TLSA expectations - * @return this builder - */ - public Builder daneExpectations(List expectations) { - this.daneExpectations = expectations != null ? expectations : List.of(); - return this; - } - /** * Sets the DANE pre-verify result, extracting expectations and DNS error status. * + *

This is the preferred method for setting DANE state. It atomically sets + * all DANE-related fields from a single result object, ensuring consistency.

+ * * @param result the DANE pre-verify result * @return this builder */ @@ -122,9 +163,35 @@ public Builder danePreVerifyResult(DaneVerifier.PreVerifyResult result) { return this; } + /** + * Sets the expected DANE expectations from TLSA records. + * + *

Note: Prefer {@link #danePreVerifyResult(DaneVerifier.PreVerifyResult)} which + * sets all DANE state atomically. This method exists primarily for testing scenarios + * where constructing a full {@code PreVerifyResult} is inconvenient.

+ * + *

Warning: Calling this after {@link #danePreVerifyResult} will overwrite + * the expectations but leave DNS error flags unchanged, potentially creating + * inconsistent state.

+ * + * @param expectations the TLSA expectations + * @return this builder + */ + public Builder daneExpectations(List expectations) { + this.daneExpectations = expectations != null ? expectations : List.of(); + return this; + } + /** * Marks DANE pre-verification as failed due to DNS error. * + *

Note: Prefer {@link #danePreVerifyResult(DaneVerifier.PreVerifyResult)} which + * sets all DANE state atomically. This method exists primarily for testing scenarios.

+ * + *

Warning: Calling this after {@link #danePreVerifyResult} will overwrite + * the DNS error state but leave expectations unchanged, potentially creating + * inconsistent state.

+ * * @param errorMessage the DNS error message * @return this builder */ @@ -161,6 +228,17 @@ public Builder badgePreVerifyFailed(String reason) { return this; } + /** + * Sets the SCITT pre-verification result. + * + * @param result the SCITT pre-verification result + * @return this builder + */ + public Builder scittPreVerifyResult(ScittPreVerifyResult result) { + this.scittPreVerifyResult = result; + return this; + } + /** * Builds the PreVerificationResult. * @@ -176,6 +254,7 @@ public PreVerificationResult build() { badgeFingerprints, badgePreVerifyFailed, badgeFailureReason, + scittPreVerifyResult, Instant.now() ); } @@ -184,7 +263,7 @@ public PreVerificationResult build() { @Override public String toString() { return String.format("PreVerificationResult{hostname='%s', port=%d, " + - "hasDane=%s, hasBadge=%s}", - hostname, port, hasDaneExpectation(), hasBadgeExpectation()); + "hasDane=%s, hasBadge=%s, hasScitt=%s}", + hostname, port, hasDaneExpectation(), hasBadgeExpectation(), hasScittExpectation()); } } diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java new file mode 100644 index 0000000..ffd585b --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java @@ -0,0 +1,320 @@ +package com.godaddy.ans.sdk.agent.verification; + +import com.godaddy.ans.sdk.concurrent.AnsExecutors; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.godaddy.ans.sdk.transparency.scitt.CwtClaims; +import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.DefaultScittVerifier; +import com.godaddy.ans.sdk.transparency.scitt.RefreshDecision; +import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; +import com.godaddy.ans.sdk.transparency.scitt.ScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.ScittVerifier; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.time.Instant; +import java.util.Map; +import java.util.Objects; +import java.util.Optional; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.CompletionException; +import java.util.concurrent.Executor; + +/** + * Adapter for SCITT verification in the agent client connection flow. + * + *

This class bridges the SCITT verification infrastructure in ans-sdk-transparency + * with the connection verification flow in ans-sdk-agent-client.

+ * + *

The TransparencyClient provides both root key fetching and domain configuration, + * eliminating the need to manually synchronize SCITT domain settings.

+ */ +public class ScittVerifierAdapter { + + private static final Logger LOGGER = LoggerFactory.getLogger(ScittVerifierAdapter.class); + + private final TransparencyClient transparencyClient; + private final ScittVerifier scittVerifier; + private final ScittHeaderProvider headerProvider; + private final Executor executor; + + /** + * Creates a new adapter with custom components. + * + *

This constructor is package-private. Use {@link #builder()} to create instances. + * The builder ensures proper configuration including clock skew tolerance.

+ * + * @param transparencyClient the transparency client for root key fetching + * @param scittVerifier the SCITT verifier + * @param headerProvider the header provider for extracting SCITT artifacts + * @param executor the executor for async operations + */ + ScittVerifierAdapter( + TransparencyClient transparencyClient, + ScittVerifier scittVerifier, + ScittHeaderProvider headerProvider, + Executor executor) { + this.transparencyClient = Objects.requireNonNull(transparencyClient, "transparencyClient cannot be null"); + this.scittVerifier = Objects.requireNonNull(scittVerifier, "scittVerifier cannot be null"); + this.headerProvider = Objects.requireNonNull(headerProvider, "headerProvider cannot be null"); + this.executor = Objects.requireNonNull(executor, "executor cannot be null"); + } + + /** + * Pre-verifies SCITT artifacts from response headers. + * + *

This should be called after receiving HTTP response headers but before + * post-verification of the TLS certificate. The domain is automatically + * derived from the TransparencyClient configuration.

+ * + * @param responseHeaders the HTTP response headers + * @return future containing the pre-verification result + */ + public CompletableFuture preVerify(Map responseHeaders) { + + // Step 1: extract artifacts synchronously — this is cheap and has no I/O + Optional artifactsOpt; + try { + artifactsOpt = headerProvider.extractArtifacts(responseHeaders); + } catch (RuntimeException e) { + LOGGER.error("SCITT artifact parsing error: {}", e.getMessage()); + return CompletableFuture.completedFuture( + ScittPreVerifyResult.parseError("Artifact error: " + e.getMessage())); + } + + if (artifactsOpt.isEmpty() || !artifactsOpt.get().isComplete()) { + LOGGER.debug("SCITT headers not present or incomplete"); + return CompletableFuture.completedFuture(ScittPreVerifyResult.notPresent()); + } + + ScittHeaderProvider.ScittArtifacts artifacts = artifactsOpt.get(); + ScittReceipt receipt = artifacts.receipt(); + StatusToken token = artifacts.statusToken(); + + // Step 2: fetch keys asynchronously — uses transparencyClient's configured domain + return transparencyClient.getRootKeysAsync() + .thenApplyAsync((Map rootKeys) -> { + try { + ScittExpectation expectation = scittVerifier.verify(receipt, token, rootKeys); + + // Check if verification failed due to unknown key - may need cache refresh + if (expectation.isKeyNotFound()) { + return handleKeyNotFound(receipt, token, expectation); + } + + LOGGER.debug("SCITT pre-verification result: {}", expectation.status()); + return ScittPreVerifyResult.verified(expectation, receipt, token); + } catch (RuntimeException e) { + LOGGER.error("SCITT verification error: {}", e.getMessage(), e); + return ScittPreVerifyResult.parseError("Verification error: " + e.getMessage()); + } + }, executor) + .exceptionally(e -> { + Throwable cause = e instanceof CompletionException && e.getCause() != null + ? e.getCause() : e; + LOGGER.error("SCITT pre-verification error: {}", cause.getMessage(), cause); + return ScittPreVerifyResult.parseError("Pre-verification error: " + cause.getMessage()); + }); + } + + /** + * Handles a key-not-found verification failure by attempting to refresh the cache. + * + *

This method implements secure cache refresh logic:

+ *
    + *
  • Extracts the artifact's issued-at timestamp
    • + *
  • Only refreshes if the artifact is newer than our cache
    • + *
  • Enforces a cooldown to prevent cache thrashing attacks
    • + *
  • Retries verification once with refreshed keys
    • + *
+ */ + private ScittPreVerifyResult handleKeyNotFound( + ScittReceipt receipt, + StatusToken token, + ScittExpectation originalExpectation) { + + // Get the artifact's issued-at timestamp for refresh decision + Instant artifactIssuedAt = getArtifactIssuedAt(receipt, token); + if (artifactIssuedAt == null) { + LOGGER.warn("Cannot determine artifact issued-at time, failing verification"); + return ScittPreVerifyResult.verified(originalExpectation, receipt, token); + } + + LOGGER.debug("Key not found, checking if cache refresh is needed (artifact iat={})", artifactIssuedAt); + + // Attempt refresh with security checks + RefreshDecision decision = transparencyClient.refreshRootKeysIfNeeded(artifactIssuedAt); + + switch (decision.action()) { + case REJECT: + // Artifact is invalid (too old or from future) - return original error + LOGGER.warn("Cache refresh rejected: {}", decision.reason()); + return ScittPreVerifyResult.verified(originalExpectation, receipt, token); + + case DEFER: + // Cooldown in effect - return temporary failure + LOGGER.info("Cache refresh deferred: {}", decision.reason()); + return ScittPreVerifyResult.parseError("Verification deferred: " + decision.reason()); + + case REFRESHED: + // Retry verification with fresh keys + LOGGER.info("Cache refreshed, retrying verification"); + Map freshKeys = decision.keys(); + ScittExpectation retryExpectation = scittVerifier.verify(receipt, token, freshKeys); + LOGGER.debug("Retry verification result: {}", retryExpectation.status()); + return ScittPreVerifyResult.verified(retryExpectation, receipt, token); + + default: + // Should never happen + return ScittPreVerifyResult.verified(originalExpectation, receipt, token); + } + } + + /** + * Extracts the issued-at timestamp from the SCITT artifacts. + * + *

Prefers the status token's issued-at time since it's typically more recent. + * Falls back to the receipt's CWT claims if available.

+ */ + private Instant getArtifactIssuedAt(ScittReceipt receipt, StatusToken token) { + // Prefer token's issued-at (typically more recent) + if (token.issuedAt() != null) { + return token.issuedAt(); + } + + // Fall back to receipt's CWT claims + if (receipt.protectedHeader() != null) { + CwtClaims claims = receipt.protectedHeader().cwtClaims(); + if (claims != null && claims.issuedAtTime() != null) { + return claims.issuedAtTime(); + } + } + + return null; + } + /** + * Post-verifies the server certificate against SCITT expectations. + * + * @param hostname the hostname being connected to + * @param serverCert the server certificate from TLS handshake + * @param preResult the result from pre-verification + * @return the verification result + */ + public VerificationResult postVerify( + String hostname, + X509Certificate serverCert, + ScittPreVerifyResult preResult) { + + Objects.requireNonNull(hostname, "hostname cannot be null"); + Objects.requireNonNull(serverCert, "serverCert cannot be null"); + Objects.requireNonNull(preResult, "preResult cannot be null"); + + // If SCITT was not present, return NOT_FOUND + if (!preResult.isPresent()) { + return VerificationResult.notFound( + VerificationResult.VerificationType.SCITT, + "SCITT headers not present in response"); + } + + ScittExpectation expectation = preResult.expectation(); + + // If pre-verification failed, return error + if (!expectation.isVerified()) { + String reason = expectation.failureReason() != null + ? expectation.failureReason() + : "SCITT verification failed: " + expectation.status(); + LOGGER.warn("SCITT pre-verification failed for {}: {}", hostname, reason); + return VerificationResult.error(VerificationResult.VerificationType.SCITT, reason); + } + + // Verify certificate fingerprint + ScittVerifier.ScittVerificationResult result = + scittVerifier.postVerify(hostname, serverCert, expectation); + + if (result.success()) { + LOGGER.debug("SCITT post-verification successful for {}", hostname); + return VerificationResult.success( + VerificationResult.VerificationType.SCITT, + result.actualFingerprint(), + "Certificate matches SCITT status token"); + } else { + LOGGER.warn("SCITT post-verification failed for {}: {}", hostname, result.failureReason()); + return VerificationResult.mismatch( + VerificationResult.VerificationType.SCITT, + result.actualFingerprint(), + expectation.validServerCertFingerprints().isEmpty() + ? "unknown" + : String.join(",", expectation.validServerCertFingerprints())); + } + } + + /** + * Builder for ScittVerifierAdapter. + */ + public static class Builder { + private TransparencyClient transparencyClient; + private Duration clockSkewTolerance = StatusToken.DEFAULT_CLOCK_SKEW; + private Executor executor = AnsExecutors.sharedIoExecutor(); + + /** + * Sets the TransparencyClient for root key fetching and domain configuration. + * + * @param transparencyClient the transparency client (required) + * @return this builder + */ + public Builder transparencyClient(TransparencyClient transparencyClient) { + this.transparencyClient = transparencyClient; + return this; + } + + /** + * Sets the clock skew tolerance for token expiry checks. + * + * @param tolerance the clock skew tolerance (default: 60 seconds) + * @return this builder + */ + public Builder clockSkewTolerance(Duration tolerance) { + this.clockSkewTolerance = tolerance; + return this; + } + + /** + * Sets the executor for async operations. + * + * @param executor the executor + * @return this builder + */ + public Builder executor(Executor executor) { + this.executor = executor; + return this; + } + + /** + * Builds the adapter. + * + * @return the configured adapter + * @throws NullPointerException if transparencyClient is not set + */ + public ScittVerifierAdapter build() { + Objects.requireNonNull(transparencyClient, "transparencyClient is required"); + ScittVerifier verifier = new DefaultScittVerifier(clockSkewTolerance); + ScittHeaderProvider headerProvider = new DefaultScittHeaderProvider(); + return new ScittVerifierAdapter(transparencyClient, verifier, headerProvider, executor); + } + } + + /** + * Creates a new builder. + * + * @return a new builder instance + */ + public static Builder builder() { + return new Builder(); + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/TlsaUtils.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/TlsaUtils.java index ab743f4..9ae80c4 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/TlsaUtils.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/TlsaUtils.java @@ -1,10 +1,9 @@ package com.godaddy.ans.sdk.agent.verification; +import com.godaddy.ans.sdk.crypto.CryptoCache; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; @@ -75,11 +74,10 @@ private TlsaUtils() { * @param selector the TLSA selector (0 = full cert, 1 = SPKI) * @param matchingType the TLSA matching type (0 = exact, 1 = SHA-256, 2 = SHA-512) * @return the computed certificate data, or null if selector/matchingType is unknown - * @throws NoSuchAlgorithmException if the hash algorithm is not available * @throws CertificateEncodingException if the certificate cannot be encoded */ public static byte[] computeCertificateData(X509Certificate cert, int selector, int matchingType) - throws NoSuchAlgorithmException, CertificateEncodingException { + throws CertificateEncodingException { // Extract data based on selector byte[] data; @@ -95,8 +93,8 @@ public static byte[] computeCertificateData(X509Certificate cert, int selector, // Apply matching type (hash or exact) return switch (matchingType) { case MATCH_EXACT -> data; - case MATCH_SHA256 -> MessageDigest.getInstance("SHA-256").digest(data); - case MATCH_SHA512 -> MessageDigest.getInstance("SHA-512").digest(data); + case MATCH_SHA256 -> CryptoCache.sha256(data); + case MATCH_SHA512 -> CryptoCache.sha512(data); default -> { LOGGER.warn("Unknown TLSA matching type: {}", matchingType); yield null; diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/VerificationResult.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/VerificationResult.java index 0d02587..e8e6abe 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/VerificationResult.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/VerificationResult.java @@ -43,6 +43,8 @@ public enum VerificationType { DANE, /** ANS transparency log badge verification (proof of registration) */ BADGE, + /** SCITT verification via HTTP headers (receipt + status token) */ + SCITT, /** PKI-only verification (no additional ANS verification performed) */ PKI_ONLY } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/ConnectOptionsTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/ConnectOptionsTest.java index 99e07b2..9200c3f 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/ConnectOptionsTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/ConnectOptionsTest.java @@ -132,17 +132,6 @@ void daneAndBadgePolicyShouldWork() { assertEquals(VerificationMode.REQUIRED, policy.badgeMode()); } - @Test - void fullPolicyShouldEnableAllVerifications() { - ConnectOptions options = ConnectOptions.builder() - .verificationPolicy(VerificationPolicy.FULL) - .build(); - - VerificationPolicy policy = options.getVerificationPolicy(); - assertEquals(VerificationMode.REQUIRED, policy.daneMode()); - assertEquals(VerificationMode.REQUIRED, policy.badgeMode()); - } - @Test void customPolicyWithAdvisoryModes() { VerificationPolicy custom = VerificationPolicy.custom() diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java index 3988f02..ede7953 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java @@ -49,13 +49,6 @@ void daneAndBadgeHasBothRequired() { assertEquals(VerificationMode.REQUIRED, VerificationPolicy.DANE_AND_BADGE.badgeMode()); } - @Test - void fullHasAllRequired() { - assertTrue(VerificationPolicy.FULL.hasAnyVerification()); - assertEquals(VerificationMode.REQUIRED, VerificationPolicy.FULL.daneMode()); - assertEquals(VerificationMode.REQUIRED, VerificationPolicy.FULL.badgeMode()); - } - @Test void customBuilderDefaultsToDisabled() { VerificationPolicy policy = VerificationPolicy.custom().build(); @@ -99,18 +92,6 @@ void customBuilderWithBothModes() { assertEquals(VerificationMode.REQUIRED, policy.badgeMode()); } - @Test - void constructorRejectsNullDaneMode() { - assertThrows(NullPointerException.class, () -> - new VerificationPolicy(null, VerificationMode.DISABLED)); - } - - @Test - void constructorRejectsNullBadgeMode() { - assertThrows(NullPointerException.class, () -> - new VerificationPolicy(VerificationMode.DISABLED, null)); - } - @Test void builderRejectsNullDaneMode() { assertThrows(NullPointerException.class, () -> @@ -141,15 +122,6 @@ void toStringContainsKeyInfo() { assertTrue(str.contains("DISABLED")); } - @Test - void recordAccessors() { - VerificationPolicy policy = new VerificationPolicy( - VerificationMode.ADVISORY, VerificationMode.REQUIRED); - - assertEquals(VerificationMode.ADVISORY, policy.daneMode()); - assertEquals(VerificationMode.REQUIRED, policy.badgeMode()); - } - @Test void hasAnyVerificationWithAdvisoryMode() { VerificationPolicy policy = VerificationPolicy.custom() @@ -166,6 +138,5 @@ void presetPoliciesAreNotNull() { assertNotNull(VerificationPolicy.DANE_ADVISORY); assertNotNull(VerificationPolicy.DANE_REQUIRED); assertNotNull(VerificationPolicy.DANE_AND_BADGE); - assertNotNull(VerificationPolicy.FULL); } } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationExceptionTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationExceptionTest.java new file mode 100644 index 0000000..17efcc6 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationExceptionTest.java @@ -0,0 +1,37 @@ +package com.godaddy.ans.sdk.agent.exception; + +import org.junit.jupiter.api.Test; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertSame; + +/** + * Tests for ClientConfigurationException. + */ +class ClientConfigurationExceptionTest { + + @Test + void constructorWithMessageOnly() { + ClientConfigurationException ex = new ClientConfigurationException("Failed to load keystore"); + + assertEquals("Failed to load keystore", ex.getMessage()); + assertNull(ex.getCause()); + } + + @Test + void constructorWithMessageAndCause() { + RuntimeException cause = new RuntimeException("Wrong password"); + ClientConfigurationException ex = new ClientConfigurationException("Failed to load keystore", cause); + + assertEquals("Failed to load keystore", ex.getMessage()); + assertSame(cause, ex.getCause()); + } + + @Test + void extendsAnsException() { + ClientConfigurationException ex = new ClientConfigurationException("Config error"); + + assertEquals(com.godaddy.ans.sdk.exception.AnsException.class, ex.getClass().getSuperclass()); + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationExceptionTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationExceptionTest.java new file mode 100644 index 0000000..f6e027a --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationExceptionTest.java @@ -0,0 +1,209 @@ +package com.godaddy.ans.sdk.agent.exception; + +import com.godaddy.ans.sdk.agent.exception.ScittVerificationException.FailureType; +import com.godaddy.ans.sdk.agent.exception.TrustValidationException.ValidationFailureReason; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.EnumSource; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Tests for ScittVerificationException. + */ +class ScittVerificationExceptionTest { + + @Nested + @DisplayName("Constructor tests") + class ConstructorTests { + + @Test + @DisplayName("Should create exception with message and failure type") + void shouldCreateWithMessageAndFailureType() { + ScittVerificationException ex = new ScittVerificationException( + "Receipt signature invalid", FailureType.INVALID_SIGNATURE); + + assertThat(ex.getMessage()).isEqualTo("Receipt signature invalid"); + assertThat(ex.getFailureType()).isEqualTo(FailureType.INVALID_SIGNATURE); + assertThat(ex.getCause()).isNull(); + } + + @Test + @DisplayName("Should create exception with message, cause, and failure type") + void shouldCreateWithMessageCauseAndFailureType() { + RuntimeException cause = new RuntimeException("Underlying error"); + ScittVerificationException ex = new ScittVerificationException( + "Parse failed", cause, FailureType.PARSE_ERROR); + + assertThat(ex.getMessage()).isEqualTo("Parse failed"); + assertThat(ex.getCause()).isEqualTo(cause); + assertThat(ex.getFailureType()).isEqualTo(FailureType.PARSE_ERROR); + } + + @Test + @DisplayName("Should create exception with message, certificate subject, and failure type") + void shouldCreateWithMessageCertSubjectAndFailureType() { + ScittVerificationException ex = new ScittVerificationException( + "Fingerprint mismatch", "CN=test.example.com", FailureType.FINGERPRINT_MISMATCH); + + assertThat(ex.getMessage()).isEqualTo("Fingerprint mismatch"); + assertThat(ex.getFailureType()).isEqualTo(FailureType.FINGERPRINT_MISMATCH); + assertThat(ex.getCertificateSubject()).isEqualTo("CN=test.example.com"); + } + } + + @Nested + @DisplayName("FailureType mapping tests") + class FailureTypeMappingTests { + + @Test + @DisplayName("PARSE_ERROR maps to UNKNOWN") + void parseErrorMapsToUnknown() { + ScittVerificationException ex = new ScittVerificationException( + "Parse error", FailureType.PARSE_ERROR); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.UNKNOWN); + } + + @Test + @DisplayName("INVALID_ALGORITHM maps to CHAIN_VALIDATION_FAILED") + void invalidAlgorithmMapsToChainValidationFailed() { + ScittVerificationException ex = new ScittVerificationException( + "Invalid algorithm", FailureType.INVALID_ALGORITHM); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.CHAIN_VALIDATION_FAILED); + } + + @Test + @DisplayName("INVALID_SIGNATURE maps to CHAIN_VALIDATION_FAILED") + void invalidSignatureMapsToChainValidationFailed() { + ScittVerificationException ex = new ScittVerificationException( + "Invalid signature", FailureType.INVALID_SIGNATURE); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.CHAIN_VALIDATION_FAILED); + } + + @Test + @DisplayName("MERKLE_PROOF_INVALID maps to CHAIN_VALIDATION_FAILED") + void merkleProofInvalidMapsToChainValidationFailed() { + ScittVerificationException ex = new ScittVerificationException( + "Invalid Merkle proof", FailureType.MERKLE_PROOF_INVALID); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.CHAIN_VALIDATION_FAILED); + } + + @Test + @DisplayName("TOKEN_EXPIRED maps to EXPIRED") + void tokenExpiredMapsToExpired() { + ScittVerificationException ex = new ScittVerificationException( + "Token expired", FailureType.TOKEN_EXPIRED); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.EXPIRED); + } + + @Test + @DisplayName("KEY_NOT_FOUND maps to TRUST_BUNDLE_LOAD_FAILED") + void keyNotFoundMapsToTrustBundleLoadFailed() { + ScittVerificationException ex = new ScittVerificationException( + "Key not found", FailureType.KEY_NOT_FOUND); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.TRUST_BUNDLE_LOAD_FAILED); + } + + @Test + @DisplayName("FINGERPRINT_MISMATCH maps to CHAIN_VALIDATION_FAILED") + void fingerprintMismatchMapsToChainValidationFailed() { + ScittVerificationException ex = new ScittVerificationException( + "Fingerprint mismatch", FailureType.FINGERPRINT_MISMATCH); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.CHAIN_VALIDATION_FAILED); + } + + @Test + @DisplayName("AGENT_REVOKED maps to REVOKED") + void agentRevokedMapsToRevoked() { + ScittVerificationException ex = new ScittVerificationException( + "Agent revoked", FailureType.AGENT_REVOKED); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.REVOKED); + } + + @Test + @DisplayName("AGENT_INACTIVE maps to UNKNOWN") + void agentInactiveMapsToUnknown() { + ScittVerificationException ex = new ScittVerificationException( + "Agent inactive", FailureType.AGENT_INACTIVE); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.UNKNOWN); + } + + @Test + @DisplayName("VERIFICATION_ERROR maps to UNKNOWN") + void verificationErrorMapsToUnknown() { + ScittVerificationException ex = new ScittVerificationException( + "Verification error", FailureType.VERIFICATION_ERROR); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.UNKNOWN); + } + + @Test + @DisplayName("Null failure type maps to UNKNOWN") + void nullFailureTypeMapsToUnknown() { + ScittVerificationException ex = new ScittVerificationException( + "Unknown error", (FailureType) null); + assertThat(ex.getReason()).isEqualTo(ValidationFailureReason.UNKNOWN); + assertThat(ex.getFailureType()).isNull(); + } + } + + @Nested + @DisplayName("FailureType enum tests") + class FailureTypeEnumTests { + + @ParameterizedTest + @EnumSource(FailureType.class) + @DisplayName("All failure types should be valid") + void allFailureTypesShouldBeValid(FailureType type) { + assertThat(type).isNotNull(); + assertThat(type.name()).isNotBlank(); + } + + @Test + @DisplayName("Should have expected number of failure types") + void shouldHaveExpectedNumberOfFailureTypes() { + // 11 types: HEADERS_NOT_PRESENT, PARSE_ERROR, INVALID_ALGORITHM, INVALID_SIGNATURE, + // MERKLE_PROOF_INVALID, TOKEN_EXPIRED, KEY_NOT_FOUND, FINGERPRINT_MISMATCH, + // AGENT_REVOKED, AGENT_INACTIVE, VERIFICATION_ERROR + assertThat(FailureType.values()).hasSize(11); + } + + @Test + @DisplayName("Should resolve all failure type names") + void shouldResolveAllFailureTypeNames() { + assertThat(FailureType.valueOf("HEADERS_NOT_PRESENT")).isEqualTo(FailureType.HEADERS_NOT_PRESENT); + assertThat(FailureType.valueOf("PARSE_ERROR")).isEqualTo(FailureType.PARSE_ERROR); + assertThat(FailureType.valueOf("INVALID_ALGORITHM")).isEqualTo(FailureType.INVALID_ALGORITHM); + assertThat(FailureType.valueOf("INVALID_SIGNATURE")).isEqualTo(FailureType.INVALID_SIGNATURE); + assertThat(FailureType.valueOf("MERKLE_PROOF_INVALID")).isEqualTo(FailureType.MERKLE_PROOF_INVALID); + assertThat(FailureType.valueOf("TOKEN_EXPIRED")).isEqualTo(FailureType.TOKEN_EXPIRED); + assertThat(FailureType.valueOf("KEY_NOT_FOUND")).isEqualTo(FailureType.KEY_NOT_FOUND); + assertThat(FailureType.valueOf("FINGERPRINT_MISMATCH")).isEqualTo(FailureType.FINGERPRINT_MISMATCH); + assertThat(FailureType.valueOf("AGENT_REVOKED")).isEqualTo(FailureType.AGENT_REVOKED); + assertThat(FailureType.valueOf("AGENT_INACTIVE")).isEqualTo(FailureType.AGENT_INACTIVE); + assertThat(FailureType.valueOf("VERIFICATION_ERROR")).isEqualTo(FailureType.VERIFICATION_ERROR); + } + } + + @Nested + @DisplayName("Inheritance tests") + class InheritanceTests { + + @Test + @DisplayName("Should extend TrustValidationException") + void shouldExtendTrustValidationException() { + ScittVerificationException ex = new ScittVerificationException( + "Test", FailureType.PARSE_ERROR); + assertThat(ex).isInstanceOf(TrustValidationException.class); + } + + @Test + @DisplayName("Should be throwable as Exception") + void shouldBeThrowableAsException() { + ScittVerificationException ex = new ScittVerificationException( + "Test", FailureType.PARSE_ERROR); + assertThat(ex).isInstanceOf(Exception.class); + } + } +} \ No newline at end of file diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/DefaultAgentHttpClientFactoryTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/DefaultAgentHttpClientFactoryTest.java index ffec6fe..a4bdecd 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/DefaultAgentHttpClientFactoryTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/DefaultAgentHttpClientFactoryTest.java @@ -353,7 +353,7 @@ void createVerifiedWithMtlsAndBadgeVerification() throws Exception { } @Test - void createVerifiedWithMtlsAndFullVerification() throws Exception { + void createVerifiedWithMtlsAndDaneAndBadgeVerification() throws Exception { // Tests mTLS combined with both DANE and Badge verification DefaultAgentHttpClientFactory factory = new DefaultAgentHttpClientFactory(); @@ -361,7 +361,7 @@ void createVerifiedWithMtlsAndFullVerification() throws Exception { X509Certificate cert = createTestCertificate("CN=TestClient", keyPair); ConnectOptions options = ConnectOptions.builder() - .verificationPolicy(VerificationPolicy.FULL) + .verificationPolicy(VerificationPolicy.DANE_AND_BADGE) .clientCertificate(cert, keyPair.getPrivate()) .build(); diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifierTest.java index 997950e..2ad20dc 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifierTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifierTest.java @@ -86,7 +86,7 @@ void combineWithDifferentPoliciesReturnsSkipped() { VerificationResult result2 = verifier.combine(List.of(), VerificationPolicy.BADGE_REQUIRED); assertFalse(result2.shouldFail()); - VerificationResult result3 = verifier.combine(List.of(), VerificationPolicy.FULL); + VerificationResult result3 = verifier.combine(List.of(), VerificationPolicy.DANE_AND_BADGE); assertFalse(result3.shouldFail()); } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DanePolicyTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DanePolicyTest.java new file mode 100644 index 0000000..d77b71e --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DanePolicyTest.java @@ -0,0 +1,64 @@ +package com.godaddy.ans.sdk.agent.verification; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +class DanePolicyTest { + + @Test + @DisplayName("DISABLED.shouldVerify() returns false") + void disabledShouldVerifyReturnsFalse() { + assertThat(DanePolicy.DISABLED.shouldVerify()).isFalse(); + } + + @Test + @DisplayName("DISABLED.isRequired() returns false") + void disabledIsRequiredReturnsFalse() { + assertThat(DanePolicy.DISABLED.isRequired()).isFalse(); + } + + @Test + @DisplayName("VALIDATE_IF_PRESENT.shouldVerify() returns true") + void validateIfPresentShouldVerifyReturnsTrue() { + assertThat(DanePolicy.VALIDATE_IF_PRESENT.shouldVerify()).isTrue(); + } + + @Test + @DisplayName("VALIDATE_IF_PRESENT.isRequired() returns false") + void validateIfPresentIsRequiredReturnsFalse() { + assertThat(DanePolicy.VALIDATE_IF_PRESENT.isRequired()).isFalse(); + } + + @Test + @DisplayName("REQUIRED.shouldVerify() returns true") + void requiredShouldVerifyReturnsTrue() { + assertThat(DanePolicy.REQUIRED.shouldVerify()).isTrue(); + } + + @Test + @DisplayName("REQUIRED.isRequired() returns true") + void requiredIsRequiredReturnsTrue() { + assertThat(DanePolicy.REQUIRED.isRequired()).isTrue(); + } + + @Test + @DisplayName("All values are present") + void allValuesPresent() { + assertThat(DanePolicy.values()).hasSize(3); + assertThat(DanePolicy.values()).containsExactly( + DanePolicy.DISABLED, + DanePolicy.VALIDATE_IF_PRESENT, + DanePolicy.REQUIRED + ); + } + + @Test + @DisplayName("valueOf works correctly") + void valueOfWorksCorrectly() { + assertThat(DanePolicy.valueOf("DISABLED")).isEqualTo(DanePolicy.DISABLED); + assertThat(DanePolicy.valueOf("VALIDATE_IF_PRESENT")).isEqualTo(DanePolicy.VALIDATE_IF_PRESENT); + assertThat(DanePolicy.valueOf("REQUIRED")).isEqualTo(DanePolicy.REQUIRED); + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java new file mode 100644 index 0000000..d80caa6 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java @@ -0,0 +1,75 @@ +package com.godaddy.ans.sdk.agent.verification; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.io.IOException; +import java.security.cert.X509Certificate; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; + +/** + * Tests for DefaultCertificateFetcher. + */ +class DefaultCertificateFetcherTest { + + @Nested + @DisplayName("Singleton tests") + class SingletonTests { + + @Test + @DisplayName("INSTANCE should not be null") + void instanceShouldNotBeNull() { + assertThat(DefaultCertificateFetcher.INSTANCE).isNotNull(); + } + + @Test + @DisplayName("INSTANCE should implement CertificateFetcher") + void instanceShouldImplementCertificateFetcher() { + assertThat(DefaultCertificateFetcher.INSTANCE).isInstanceOf(CertificateFetcher.class); + } + + @Test + @DisplayName("INSTANCE should be same reference") + void instanceShouldBeSameReference() { + CertificateFetcher first = DefaultCertificateFetcher.INSTANCE; + CertificateFetcher second = DefaultCertificateFetcher.INSTANCE; + assertThat(first).isSameAs(second); + } + } + + @Nested + @DisplayName("getCertificate() tests") + class GetCertificateTests { + + @Test + @DisplayName("Should fetch certificate from real host") + void shouldFetchCertificateFromRealHost() throws IOException { + // Connect to a well-known host + X509Certificate cert = DefaultCertificateFetcher.INSTANCE + .getCertificate("www.google.com", 443); + + assertThat(cert).isNotNull(); + assertThat(cert.getSubjectX500Principal()).isNotNull(); + } + + @Test + @DisplayName("Should throw IOException for invalid hostname") + void shouldThrowForInvalidHostname() { + assertThatThrownBy(() -> + DefaultCertificateFetcher.INSTANCE.getCertificate("invalid.host.that.does.not.exist.example", 443)) + .isInstanceOf(IOException.class); + } + + @Test + @DisplayName("Should throw IOException for connection refused") + void shouldThrowForConnectionRefused() { + // Port 1 is typically not listening + assertThatThrownBy(() -> + DefaultCertificateFetcher.INSTANCE.getCertificate("localhost", 1)) + .isInstanceOf(IOException.class); + } + } +} \ No newline at end of file diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java index 403f1b7..4f6eadd 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java @@ -5,8 +5,14 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; + import java.security.cert.X509Certificate; import java.util.List; +import java.util.Map; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ExecutionException; @@ -29,12 +35,14 @@ class DefaultConnectionVerifierTest { private DaneVerifier mockDaneVerifier; private BadgeVerifier mockBadgeVerifier; + private ScittVerifierAdapter mockScittVerifier; private X509Certificate mockCert; @BeforeEach void setUp() { mockDaneVerifier = mock(DaneVerifier.class); mockBadgeVerifier = mock(BadgeVerifier.class); + mockScittVerifier = mock(ScittVerifierAdapter.class); mockCert = mock(X509Certificate.class); } @@ -346,4 +354,182 @@ void combineWithDaneErrorAndRequiredModeReturnsError() { assertTrue(combined.shouldFail()); assertEquals(VerificationResult.Status.ERROR, combined.status()); } + + // ==================== SCITT Tests ==================== + + @Test + void scittPreVerifyReturnsNotPresentWhenNoScittVerifier() throws ExecutionException, InterruptedException { + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); + + ScittPreVerifyResult result = verifier.scittPreVerify(Map.of()).get(); + + assertFalse(result.isPresent()); + } + + @Test + void scittPreVerifyDelegatesToScittVerifier() throws ExecutionException, InterruptedException { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp123"), List.of(), "host", "test.ans", Map.of(), null); + ScittPreVerifyResult expectedResult = ScittPreVerifyResult.verified( + expectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + when(mockScittVerifier.preVerify(any())) + .thenReturn(CompletableFuture.completedFuture(expectedResult)); + + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder() + .scittVerifier(mockScittVerifier) + .build(); + + ScittPreVerifyResult result = verifier.scittPreVerify( + Map.of("X-SCITT-Receipt", "base64")).get(); + + assertTrue(result.isPresent()); + verify(mockScittVerifier).preVerify(any()); + } + + @Test + void withScittResultCreatesEnhancedPreVerificationResult() { + PreVerificationResult original = PreVerificationResult.builder("test.com", 443) + .badgeFingerprints(List.of("badge-fp")) + .build(); + + ScittExpectation expectation = ScittExpectation.verified( + List.of("scitt-fp"), List.of(), "host", "test.ans", Map.of(), null); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified( + expectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + PreVerificationResult enhanced = original.withScittResult(scittResult); + + assertEquals("test.com", enhanced.hostname()); + assertEquals(443, enhanced.port()); + assertTrue(enhanced.hasBadgeExpectation()); + assertTrue(enhanced.hasScittExpectation()); + assertSame(scittResult, enhanced.scittPreVerifyResult()); + } + + @Test + void postVerifyWithScittVerifierAndExpectation() { + VerificationResult scittResult = VerificationResult.success( + VerificationResult.VerificationType.SCITT, "fp123"); + + when(mockScittVerifier.postVerify(anyString(), any(), any())) + .thenReturn(scittResult); + + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder() + .scittVerifier(mockScittVerifier) + .build(); + + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp123"), List.of(), "host", "test.ans", Map.of(), null); + ScittPreVerifyResult scittPreResult = ScittPreVerifyResult.verified( + expectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + PreVerificationResult preResult = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittPreResult) + .build(); + + List results = verifier.postVerify("test.com", mockCert, preResult); + + assertEquals(1, results.size()); + assertEquals(VerificationResult.VerificationType.SCITT, results.get(0).type()); + assertTrue(results.get(0).isSuccess()); + } + + @Test + void postVerifyWithScittVerifierButNoExpectationReturnsNotFound() { + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder() + .scittVerifier(mockScittVerifier) + .build(); + + PreVerificationResult preResult = PreVerificationResult.builder("test.com", 443).build(); + + List results = verifier.postVerify("test.com", mockCert, preResult); + + assertEquals(1, results.size()); + assertEquals(VerificationResult.VerificationType.SCITT, results.get(0).type()); + assertTrue(results.get(0).isNotFound()); + } + + @Test + void combineWithScittSuccessPrefersScittOverBadge() { + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); + + List results = List.of( + VerificationResult.success(VerificationResult.VerificationType.BADGE, "badge-fp"), + VerificationResult.success(VerificationResult.VerificationType.SCITT, "scitt-fp")); + + VerificationResult combined = verifier.combine(results, VerificationPolicy.SCITT_REQUIRED); + + assertTrue(combined.isSuccess()); + assertEquals(VerificationResult.VerificationType.SCITT, combined.type()); + } + + @Test + void combineWithScittNotFoundFallsBackToBadge() { + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); + + VerificationPolicy scittWithBadgeFallback = VerificationPolicy.custom() + .scitt(VerificationMode.REQUIRED) + .badge(VerificationMode.ADVISORY) + .build(); + + List results = List.of( + VerificationResult.notFound(VerificationResult.VerificationType.SCITT, "No headers"), + VerificationResult.success(VerificationResult.VerificationType.BADGE, "badge-fp")); + + VerificationResult combined = verifier.combine(results, scittWithBadgeFallback); + + assertTrue(combined.isSuccess()); + assertEquals(VerificationResult.VerificationType.BADGE, combined.type()); + assertTrue(combined.reason().contains("SCITT fallback")); + } + + @Test + void combineWithScittNotFoundAndBadgeDisabledReturnsError() { + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); + + List results = List.of( + VerificationResult.notFound(VerificationResult.VerificationType.SCITT, "No headers")); + + VerificationResult combined = verifier.combine(results, VerificationPolicy.SCITT_REQUIRED); + + assertTrue(combined.shouldFail()); + assertEquals(VerificationResult.Status.ERROR, combined.status()); + } + + @Test + void combineWithScittNotFoundAndBadgeRequiredDoesNotFallback() { + // When both SCITT and Badge are REQUIRED, SCITT failure should NOT fallback to badge. + // This prevents downgrade attacks where an attacker strips SCITT headers. + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); + + VerificationPolicy bothRequired = VerificationPolicy.custom() + .scitt(VerificationMode.REQUIRED) + .badge(VerificationMode.REQUIRED) + .build(); + + List results = List.of( + VerificationResult.notFound(VerificationResult.VerificationType.SCITT, "No headers"), + VerificationResult.success(VerificationResult.VerificationType.BADGE, "badge-fp")); + + VerificationResult combined = verifier.combine(results, bothRequired); + + // Should fail because SCITT is REQUIRED and not found, even though badge succeeded + assertTrue(combined.shouldFail(), "Expected failure when SCITT=REQUIRED is not found"); + assertEquals(VerificationResult.Status.ERROR, combined.status()); + assertEquals(VerificationResult.VerificationType.SCITT, combined.type()); + } + + @Test + void combineWithScittMismatchReturnsFailure() { + DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); + + List results = List.of( + VerificationResult.mismatch(VerificationResult.VerificationType.SCITT, "actual", "expected")); + + VerificationResult combined = verifier.combine(results, VerificationPolicy.SCITT_REQUIRED); + + assertTrue(combined.shouldFail()); + assertEquals(VerificationResult.Status.MISMATCH, combined.status()); + } } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultResolverFactoryTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultResolverFactoryTest.java new file mode 100644 index 0000000..968c596 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultResolverFactoryTest.java @@ -0,0 +1,53 @@ +package com.godaddy.ans.sdk.agent.verification; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; +import org.xbill.DNS.SimpleResolver; + +import java.net.UnknownHostException; + +import static org.assertj.core.api.Assertions.assertThat; + +class DefaultResolverFactoryTest { + + @Test + @DisplayName("INSTANCE is singleton") + void instanceIsSingleton() { + DefaultResolverFactory instance1 = DefaultResolverFactory.INSTANCE; + DefaultResolverFactory instance2 = DefaultResolverFactory.INSTANCE; + + assertThat(instance1).isSameAs(instance2); + } + + @Test + @DisplayName("create() with DNS server address creates resolver") + void createWithAddressCreatesResolver() throws UnknownHostException { + SimpleResolver resolver = DefaultResolverFactory.INSTANCE.create("8.8.8.8"); + + assertThat(resolver).isNotNull(); + } + + @Test + @DisplayName("create() with null address creates default resolver") + void createWithNullAddressCreatesDefaultResolver() throws UnknownHostException { + SimpleResolver resolver = DefaultResolverFactory.INSTANCE.create(null); + + assertThat(resolver).isNotNull(); + } + + @Test + @DisplayName("create() with blank address creates default resolver") + void createWithBlankAddressCreatesDefaultResolver() throws UnknownHostException { + SimpleResolver resolver = DefaultResolverFactory.INSTANCE.create(" "); + + assertThat(resolver).isNotNull(); + } + + @Test + @DisplayName("create() with empty address creates default resolver") + void createWithEmptyAddressCreatesDefaultResolver() throws UnknownHostException { + SimpleResolver resolver = DefaultResolverFactory.INSTANCE.create(""); + + assertThat(resolver).isNotNull(); + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnsResolverConfigTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnsResolverConfigTest.java new file mode 100644 index 0000000..7d103b6 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnsResolverConfigTest.java @@ -0,0 +1,82 @@ +package com.godaddy.ans.sdk.agent.verification; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +class DnsResolverConfigTest { + + @Test + @DisplayName("SYSTEM has null addresses") + void systemHasNullAddresses() { + assertThat(DnsResolverConfig.SYSTEM.getPrimaryAddress()).isNull(); + assertThat(DnsResolverConfig.SYSTEM.getSecondaryAddress()).isNull(); + } + + @Test + @DisplayName("SYSTEM.isSystemResolver() returns true") + void systemIsSystemResolverReturnsTrue() { + assertThat(DnsResolverConfig.SYSTEM.isSystemResolver()).isTrue(); + } + + @Test + @DisplayName("CLOUDFLARE has correct addresses") + void cloudflareHasCorrectAddresses() { + assertThat(DnsResolverConfig.CLOUDFLARE.getPrimaryAddress()).isEqualTo("1.1.1.1"); + assertThat(DnsResolverConfig.CLOUDFLARE.getSecondaryAddress()).isEqualTo("1.0.0.1"); + } + + @Test + @DisplayName("CLOUDFLARE.isSystemResolver() returns false") + void cloudflareIsSystemResolverReturnsFalse() { + assertThat(DnsResolverConfig.CLOUDFLARE.isSystemResolver()).isFalse(); + } + + @Test + @DisplayName("GOOGLE has correct addresses") + void googleHasCorrectAddresses() { + assertThat(DnsResolverConfig.GOOGLE.getPrimaryAddress()).isEqualTo("8.8.8.8"); + assertThat(DnsResolverConfig.GOOGLE.getSecondaryAddress()).isEqualTo("8.8.4.4"); + } + + @Test + @DisplayName("GOOGLE.isSystemResolver() returns false") + void googleIsSystemResolverReturnsFalse() { + assertThat(DnsResolverConfig.GOOGLE.isSystemResolver()).isFalse(); + } + + @Test + @DisplayName("QUAD9 has correct addresses") + void quad9HasCorrectAddresses() { + assertThat(DnsResolverConfig.QUAD9.getPrimaryAddress()).isEqualTo("9.9.9.9"); + assertThat(DnsResolverConfig.QUAD9.getSecondaryAddress()).isEqualTo("149.112.112.112"); + } + + @Test + @DisplayName("QUAD9.isSystemResolver() returns false") + void quad9IsSystemResolverReturnsFalse() { + assertThat(DnsResolverConfig.QUAD9.isSystemResolver()).isFalse(); + } + + @Test + @DisplayName("All values are present") + void allValuesPresent() { + assertThat(DnsResolverConfig.values()).hasSize(4); + assertThat(DnsResolverConfig.values()).containsExactly( + DnsResolverConfig.SYSTEM, + DnsResolverConfig.CLOUDFLARE, + DnsResolverConfig.GOOGLE, + DnsResolverConfig.QUAD9 + ); + } + + @Test + @DisplayName("valueOf works correctly") + void valueOfWorksCorrectly() { + assertThat(DnsResolverConfig.valueOf("SYSTEM")).isEqualTo(DnsResolverConfig.SYSTEM); + assertThat(DnsResolverConfig.valueOf("CLOUDFLARE")).isEqualTo(DnsResolverConfig.CLOUDFLARE); + assertThat(DnsResolverConfig.valueOf("GOOGLE")).isEqualTo(DnsResolverConfig.GOOGLE); + assertThat(DnsResolverConfig.valueOf("QUAD9")).isEqualTo(DnsResolverConfig.QUAD9); + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnssecValidationModeTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnssecValidationModeTest.java new file mode 100644 index 0000000..795d4bb --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnssecValidationModeTest.java @@ -0,0 +1,50 @@ +package com.godaddy.ans.sdk.agent.verification; + +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +class DnssecValidationModeTest { + + @Test + @DisplayName("TRUST_RESOLVER.isInCodeValidation() returns false") + void trustResolverIsInCodeValidationReturnsFalse() { + assertThat(DnssecValidationMode.TRUST_RESOLVER.isInCodeValidation()).isFalse(); + } + + @Test + @DisplayName("TRUST_RESOLVER.requiresDnssecResolver() returns true") + void trustResolverRequiresDnssecResolverReturnsTrue() { + assertThat(DnssecValidationMode.TRUST_RESOLVER.requiresDnssecResolver()).isTrue(); + } + + @Test + @DisplayName("VALIDATE_IN_CODE.isInCodeValidation() returns true") + void validateInCodeIsInCodeValidationReturnsTrue() { + assertThat(DnssecValidationMode.VALIDATE_IN_CODE.isInCodeValidation()).isTrue(); + } + + @Test + @DisplayName("VALIDATE_IN_CODE.requiresDnssecResolver() returns false") + void validateInCodeRequiresDnssecResolverReturnsFalse() { + assertThat(DnssecValidationMode.VALIDATE_IN_CODE.requiresDnssecResolver()).isFalse(); + } + + @Test + @DisplayName("All values are present") + void allValuesPresent() { + assertThat(DnssecValidationMode.values()).hasSize(2); + assertThat(DnssecValidationMode.values()).containsExactly( + DnssecValidationMode.TRUST_RESOLVER, + DnssecValidationMode.VALIDATE_IN_CODE + ); + } + + @Test + @DisplayName("valueOf works correctly") + void valueOfWorksCorrectly() { + assertThat(DnssecValidationMode.valueOf("TRUST_RESOLVER")).isEqualTo(DnssecValidationMode.TRUST_RESOLVER); + assertThat(DnssecValidationMode.valueOf("VALIDATE_IN_CODE")).isEqualTo(DnssecValidationMode.VALIDATE_IN_CODE); + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java index 059aedb..06b057b 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java @@ -1,9 +1,12 @@ package com.godaddy.ans.sdk.agent.verification; +import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; import org.junit.jupiter.api.Test; import java.time.Instant; import java.util.List; +import java.util.Map; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; @@ -84,7 +87,7 @@ void recordConstructorDefensiveCopiesLists() { fingerprints.add("fp1"); PreVerificationResult result = new PreVerificationResult( - "test.com", 443, List.of(), false, null, fingerprints, false, null, Instant.now()); + "test.com", 443, List.of(), false, null, fingerprints, false, null, null, Instant.now()); assertEquals(1, result.badgeFingerprints().size()); // The list should be immutable @@ -100,6 +103,7 @@ void toStringContainsKeyInfo() { assertTrue(str.contains("test.com")); assertTrue(str.contains("443")); assertTrue(str.contains("hasBadge=true")); + assertTrue(str.contains("hasScitt=")); } @Test @@ -190,4 +194,179 @@ void defaultDnsErrorFieldsAreFalse() { assertFalse(result.daneDnsError()); assertNull(result.daneDnsErrorMessage()); } + + // ==================== SCITT Tests ==================== + + @Test + void hasScittExpectationReturnsFalseWhenNull() { + PreVerificationResult result = PreVerificationResult.builder("test.com", 443).build(); + + assertFalse(result.hasScittExpectation()); + } + + @Test + void hasScittExpectationReturnsFalseWhenNotPresent() { + ScittPreVerifyResult scittResult = ScittPreVerifyResult.notPresent(); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertFalse(result.hasScittExpectation()); + } + + @Test + void hasScittExpectationReturnsTrueWhenPresent() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp1"), List.of(), "host", "test.ans", Map.of(), null); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertTrue(result.hasScittExpectation()); + } + + @Test + void hasScittExpectationReturnsTrueForParseError() { + ScittPreVerifyResult scittResult = ScittPreVerifyResult.parseError("Failed to parse receipt"); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + // Parse error means headers were present, just couldn't parse them + assertTrue(result.hasScittExpectation()); + } + + @Test + void scittPreVerifySucceededReturnsFalseWhenNull() { + PreVerificationResult result = PreVerificationResult.builder("test.com", 443).build(); + + assertFalse(result.scittPreVerifySucceeded()); + } + + @Test + void scittPreVerifySucceededReturnsFalseWhenNotPresent() { + ScittPreVerifyResult scittResult = ScittPreVerifyResult.notPresent(); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertFalse(result.scittPreVerifySucceeded()); + } + + @Test + void scittPreVerifySucceededReturnsFalseWhenParseError() { + ScittPreVerifyResult scittResult = ScittPreVerifyResult.parseError("Invalid CBOR"); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertFalse(result.scittPreVerifySucceeded()); + } + + @Test + void scittPreVerifySucceededReturnsFalseForInvalidReceipt() { + ScittExpectation expectation = ScittExpectation.invalidReceipt("Signature verification failed"); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertFalse(result.scittPreVerifySucceeded()); + } + + @Test + void scittPreVerifySucceededReturnsFalseForExpired() { + ScittExpectation expectation = ScittExpectation.expired(); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertFalse(result.scittPreVerifySucceeded()); + } + + @Test + void scittPreVerifySucceededReturnsFalseForRevoked() { + ScittExpectation expectation = ScittExpectation.revoked("test.ans"); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertFalse(result.scittPreVerifySucceeded()); + } + + @Test + void scittPreVerifySucceededReturnsTrueWhenVerified() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("server-fp"), List.of("identity-fp"), "agent.example.com", "test.ans", Map.of(), null); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertTrue(result.scittPreVerifySucceeded()); + } + + @Test + void builderWithScittPreVerifyResult() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp1", "fp2"), List.of(), "host", "test.ans", Map.of("https", "SHA256:abc"), null); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + assertNotNull(result.scittPreVerifyResult()); + assertEquals(scittResult, result.scittPreVerifyResult()); + assertTrue(result.hasScittExpectation()); + assertTrue(result.scittPreVerifySucceeded()); + } + + @Test + void toStringIncludesScittInfo() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp1"), List.of(), "host", "test.ans", Map.of(), null); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = PreVerificationResult.builder("test.com", 443) + .scittPreVerifyResult(scittResult) + .build(); + + String str = result.toString(); + assertTrue(str.contains("hasScitt=true")); + } + + @Test + void toStringShowsScittFalseWhenNotPresent() { + PreVerificationResult result = PreVerificationResult.builder("test.com", 443).build(); + + String str = result.toString(); + assertTrue(str.contains("hasScitt=false")); + } + + @Test + void recordConstructorWithScittPreVerifyResult() { + ScittExpectation expectation = ScittExpectation.verified( + List.of("fp1"), List.of(), "host", "test.ans", Map.of(), null); + ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); + + PreVerificationResult result = new PreVerificationResult( + "test.com", 443, List.of(), false, null, List.of(), false, null, scittResult, Instant.now()); + + assertTrue(result.hasScittExpectation()); + assertTrue(result.scittPreVerifySucceeded()); + assertEquals(scittResult, result.scittPreVerifyResult()); + } } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java new file mode 100644 index 0000000..0e8c041 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java @@ -0,0 +1,342 @@ +package com.godaddy.ans.sdk.agent.verification; + +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; +import com.godaddy.ans.sdk.transparency.scitt.ScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.ScittVerifier; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import com.godaddy.ans.sdk.crypto.CryptoCache; + +import org.bouncycastle.util.encoders.Hex; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.security.spec.ECGenParameterSpec; +import java.time.Duration; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.Executor; +import java.util.concurrent.TimeUnit; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +class ScittVerifierAdapterTest { + + private TransparencyClient mockTransparencyClient; + private ScittVerifier mockScittVerifier; + private ScittHeaderProvider mockHeaderProvider; + private Executor directExecutor; + private ScittVerifierAdapter adapter; + private KeyPair testKeyPair; + + @BeforeEach + void setUp() throws Exception { + mockTransparencyClient = mock(TransparencyClient.class); + mockScittVerifier = mock(ScittVerifier.class); + mockHeaderProvider = mock(ScittHeaderProvider.class); + directExecutor = Runnable::run; // Synchronous executor for testing + + // Generate test key pair + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(new ECGenParameterSpec("secp256r1")); + testKeyPair = keyGen.generateKeyPair(); + } + + /** + * Helper to convert a PublicKey to a Map keyed by hex key ID. + */ + private Map toRootKeys(PublicKey publicKey) { + byte[] hash = CryptoCache.sha256(publicKey.getEncoded()); + String hexKeyId = Hex.toHexString(Arrays.copyOf(hash, 4)); + Map map = new HashMap<>(); + map.put(hexKeyId, publicKey); + return map; + } + + @Nested + @DisplayName("Constructor tests") + class ConstructorTests { + + @Test + @DisplayName("Should create adapter via builder") + void shouldCreateViaBuilder() { + ScittVerifierAdapter a = ScittVerifierAdapter.builder() + .transparencyClient(mockTransparencyClient) + .build(); + assertThat(a).isNotNull(); + } + + @Test + @DisplayName("Should reject null transparencyClient in builder") + void shouldRejectNullTransparencyClient() { + assertThatThrownBy(() -> ScittVerifierAdapter.builder() + .transparencyClient(null) + .build()) + .isInstanceOf(NullPointerException.class); + } + + @Test + @DisplayName("Should reject null scittVerifier") + void shouldRejectNullScittVerifier() { + assertThatThrownBy(() -> new ScittVerifierAdapter( + mockTransparencyClient, null, mockHeaderProvider, directExecutor)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("scittVerifier cannot be null"); + } + + @Test + @DisplayName("Should reject null headerProvider") + void shouldRejectNullHeaderProvider() { + assertThatThrownBy(() -> new ScittVerifierAdapter( + mockTransparencyClient, mockScittVerifier, null, directExecutor)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("headerProvider cannot be null"); + } + + @Test + @DisplayName("Should reject null executor") + void shouldRejectNullExecutor() { + assertThatThrownBy(() -> new ScittVerifierAdapter( + mockTransparencyClient, mockScittVerifier, mockHeaderProvider, null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("executor cannot be null"); + } + } + + @Nested + @DisplayName("Builder tests") + class BuilderTests { + + @Test + @DisplayName("Should build adapter with TransparencyClient") + void shouldBuildWithTransparencyClient() { + ScittVerifierAdapter a = ScittVerifierAdapter.builder() + .transparencyClient(mockTransparencyClient) + .build(); + assertThat(a).isNotNull(); + } + + @Test + @DisplayName("Should require TransparencyClient in builder") + void shouldRequireTransparencyClient() { + assertThatThrownBy(() -> ScittVerifierAdapter.builder().build()) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("transparencyClient is required"); + } + + @Test + @DisplayName("Should build adapter with custom clock skew tolerance") + void shouldBuildWithCustomClockSkew() { + ScittVerifierAdapter a = ScittVerifierAdapter.builder() + .transparencyClient(mockTransparencyClient) + .clockSkewTolerance(Duration.ofMinutes(5)) + .build(); + assertThat(a).isNotNull(); + } + + @Test + @DisplayName("Should build adapter with custom executor") + void shouldBuildWithCustomExecutor() { + ScittVerifierAdapter a = ScittVerifierAdapter.builder() + .transparencyClient(mockTransparencyClient) + .executor(directExecutor) + .build(); + assertThat(a).isNotNull(); + } + + } + + @Nested + @DisplayName("preVerify() tests") + class PreVerifyTests { + + @BeforeEach + void setupAdapter() { + adapter = new ScittVerifierAdapter( + mockTransparencyClient, mockScittVerifier, mockHeaderProvider, directExecutor); + } + + @Test + @DisplayName("Should return notPresent when headers are empty") + void shouldReturnNotPresentWhenHeadersEmpty() throws Exception { + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.empty()); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.isPresent()).isFalse(); + } + + @Test + @DisplayName("Should return notPresent when artifacts are incomplete") + void shouldReturnNotPresentWhenIncomplete() throws Exception { + ScittHeaderProvider.ScittArtifacts incomplete = + new ScittHeaderProvider.ScittArtifacts(null, null, null, null); + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(incomplete)); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.isPresent()).isFalse(); + } + + @Test + @DisplayName("Should verify complete artifacts") + void shouldVerifyCompleteArtifacts() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + + ScittExpectation expectation = ScittExpectation.verified( + List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.isPresent()).isTrue(); + assertThat(result.expectation().isVerified()).isTrue(); + } + + @Test + @DisplayName("Should return parseError on exception") + void shouldReturnParseErrorOnException() throws Exception { + when(mockHeaderProvider.extractArtifacts(any())) + .thenThrow(new RuntimeException("Parse error")); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); + } + } + + @Nested + @DisplayName("postVerify() tests") + class PostVerifyTests { + + @BeforeEach + void setupAdapter() { + adapter = new ScittVerifierAdapter( + mockTransparencyClient, mockScittVerifier, mockHeaderProvider, directExecutor); + } + + @Test + @DisplayName("Should reject null hostname") + void shouldRejectNullHostname() { + X509Certificate cert = mock(X509Certificate.class); + ScittPreVerifyResult preResult = ScittPreVerifyResult.notPresent(); + + assertThatThrownBy(() -> adapter.postVerify(null, cert, preResult)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("hostname cannot be null"); + } + + @Test + @DisplayName("Should reject null server certificate") + void shouldRejectNullServerCert() { + ScittPreVerifyResult preResult = ScittPreVerifyResult.notPresent(); + + assertThatThrownBy(() -> adapter.postVerify("test.example.com", null, preResult)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("serverCert cannot be null"); + } + + @Test + @DisplayName("Should reject null preResult") + void shouldRejectNullPreResult() { + X509Certificate cert = mock(X509Certificate.class); + + assertThatThrownBy(() -> adapter.postVerify("test.example.com", cert, null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("preResult cannot be null"); + } + + @Test + @DisplayName("Should return NOT_FOUND when SCITT not present") + void shouldReturnNotFoundWhenNotPresent() { + X509Certificate cert = mock(X509Certificate.class); + ScittPreVerifyResult preResult = ScittPreVerifyResult.notPresent(); + + VerificationResult result = adapter.postVerify("test.example.com", cert, preResult); + + assertThat(result.status()).isEqualTo(VerificationResult.Status.NOT_FOUND); + assertThat(result.type()).isEqualTo(VerificationResult.VerificationType.SCITT); + } + + @Test + @DisplayName("Should return ERROR when pre-verification failed") + void shouldReturnErrorWhenPreVerificationFailed() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation failedExpectation = ScittExpectation.invalidReceipt("Test failure"); + ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( + failedExpectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + VerificationResult result = adapter.postVerify("test.example.com", cert, preResult); + + assertThat(result.status()).isEqualTo(VerificationResult.Status.ERROR); + assertThat(result.type()).isEqualTo(VerificationResult.VerificationType.SCITT); + } + + @Test + @DisplayName("Should return SUCCESS when post-verification succeeds") + void shouldReturnSuccessWhenPostVerificationSucceeds() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.verified( + List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( + expectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + ScittVerifier.ScittVerificationResult verifyResult = + ScittVerifier.ScittVerificationResult.success("abc123"); + when(mockScittVerifier.postVerify(any(), any(), any())).thenReturn(verifyResult); + + VerificationResult result = adapter.postVerify("test.example.com", cert, preResult); + + assertThat(result.status()).isEqualTo(VerificationResult.Status.SUCCESS); + assertThat(result.type()).isEqualTo(VerificationResult.VerificationType.SCITT); + } + + @Test + @DisplayName("Should return MISMATCH when post-verification fails") + void shouldReturnMismatchWhenPostVerificationFails() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.verified( + List.of("expected123"), List.of(), "host", "ans.test", Map.of(), null); + ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( + expectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + ScittVerifier.ScittVerificationResult verifyResult = + ScittVerifier.ScittVerificationResult.mismatch("actual456", "Mismatch"); + when(mockScittVerifier.postVerify(any(), any(), any())).thenReturn(verifyResult); + + VerificationResult result = adapter.postVerify("test.example.com", cert, preResult); + + assertThat(result.status()).isEqualTo(VerificationResult.Status.MISMATCH); + assertThat(result.type()).isEqualTo(VerificationResult.VerificationType.SCITT); + } + } + +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/VerificationResultTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/VerificationResultTest.java index d5b3e8a..15fdcf9 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/VerificationResultTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/VerificationResultTest.java @@ -145,9 +145,10 @@ void statusEnumValues() { @Test void verificationTypeEnumValues() { - assertEquals(3, VerificationType.values().length); + assertEquals(4, VerificationType.values().length); assertEquals(VerificationType.DANE, VerificationType.valueOf("DANE")); assertEquals(VerificationType.BADGE, VerificationType.valueOf("BADGE")); + assertEquals(VerificationType.SCITT, VerificationType.valueOf("SCITT")); assertEquals(VerificationType.PKI_ONLY, VerificationType.valueOf("PKI_ONLY")); } From d2f4dd95f6a0a762a49ff658de5f74f6ded7a09c Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 12:54:23 +1100 Subject: [PATCH 05/19] feat: add high-level AnsVerifiedClient API - AnsVerifiedClient: High-level client supporting all verification policies (PKI_ONLY, BADGE_REQUIRED, DANE_REQUIRED, SCITT_REQUIRED) - AnsConnection: Connection wrapper with verification result access - ClientRequestVerifier/DefaultClientRequestVerifier: Per-request SCITT verification for response headers - ClientRequestVerificationResult: Structured verification results Provides a simple, fluent API for secure agent-to-agent communication with configurable trust policies. Co-Authored-By: Claude Opus 4.5 --- ans-sdk-agent-client/build.gradle.kts | 5 + .../godaddy/ans/sdk/agent/AnsConnection.java | 181 ++++ .../ans/sdk/agent/AnsVerifiedClient.java | 528 ++++++++++++ .../ClientRequestVerificationResult.java | 184 ++++ .../verification/ClientRequestVerifier.java | 86 ++ .../DefaultClientRequestVerifier.java | 630 ++++++++++++++ .../ans/sdk/agent/AnsConnectionTest.java | 238 ++++++ .../ans/sdk/agent/AnsVerifiedClientTest.java | 783 ++++++++++++++++++ .../ClientRequestVerificationResultTest.java | 387 +++++++++ .../ClientRequestVerifierTest.java | 644 ++++++++++++++ 10 files changed, 3666 insertions(+) create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsConnection.java create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResult.java create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java create mode 100644 ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsConnectionTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResultTest.java create mode 100644 ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java diff --git a/ans-sdk-agent-client/build.gradle.kts b/ans-sdk-agent-client/build.gradle.kts index 55bed65..f8faffa 100644 --- a/ans-sdk-agent-client/build.gradle.kts +++ b/ans-sdk-agent-client/build.gradle.kts @@ -2,6 +2,7 @@ val jacksonVersion: String by project val bouncyCastleVersion: String by project val slf4jVersion: String by project val reactorVersion: String by project +val caffeineVersion: String by project val junitVersion: String by project val mockitoVersion: String by project val assertjVersion: String by project @@ -28,6 +29,9 @@ dependencies { // dnsjava for DANE/TLSA DNS lookups (JNDI doesn't support TLSA) implementation("dnsjava:dnsjava:3.6.4") + // Caffeine for high-performance caching with TTL and automatic eviction + implementation("com.github.ben-manes.caffeine:caffeine:$caffeineVersion") + // Logging implementation("org.slf4j:slf4j-api:$slf4jVersion") @@ -38,5 +42,6 @@ dependencies { testImplementation("org.assertj:assertj-core:$assertjVersion") testImplementation("org.wiremock:wiremock:$wiremockVersion") testImplementation("io.projectreactor:reactor-test:$reactorVersion") + testImplementation("com.upokecenter:cbor:4.5.4") testRuntimeOnly("org.slf4j:slf4j-simple:$slf4jVersion") } \ No newline at end of file diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsConnection.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsConnection.java new file mode 100644 index 0000000..496e2a2 --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsConnection.java @@ -0,0 +1,181 @@ +package com.godaddy.ans.sdk.agent; + +import com.godaddy.ans.sdk.agent.http.CertificateCapturingTrustManager; +import com.godaddy.ans.sdk.agent.verification.ConnectionVerifier; +import com.godaddy.ans.sdk.agent.verification.PreVerificationResult; +import com.godaddy.ans.sdk.agent.verification.VerificationResult; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.cert.X509Certificate; +import java.util.List; + +/** + * Represents a connection to an ANS-verified server. + * + *

Created by {@link AnsVerifiedClient#connect(String)}, this class holds + * pre-verification results and provides post-verification after TLS handshake.

+ * + *

Based on the policy, verification may include DANE, Badge, and/or SCITT. + * The {@link #verifyServer()} method combines all results according to the policy.

+ * + *

Usage

+ * 
{@code
+ * AnsVerifiedClient ansClient = AnsVerifiedClient.builder()
+ *     .agentId("my-agent-id")
+ *     .keyStorePath("/path/to/client.p12", "password")
+ *     .build();
+ *
+ * try (AnsConnection connection = ansClient.connect(serverUrl)) {
+ *     // Use MCP SDK to establish connection...
+ *     mcpClient.initialize();
+ *
+ *     // Post-verify the server certificate
+ *     VerificationResult result = connection.verifyServer();
+ *     if (!result.isSuccess()) {
+ *         throw new SecurityException("Verification failed: " + result.reason());
+ *     }
+ * }
+ * }
+ */ +public class AnsConnection implements AutoCloseable { + + private static final Logger LOGGER = LoggerFactory.getLogger(AnsConnection.class); + + private final String hostname; + private final PreVerificationResult preResult; + private final ConnectionVerifier verifier; + private final VerificationPolicy policy; + + /** + * Creates a new AnsConnection. + * + *

This constructor is package-private; use {@link AnsVerifiedClient#connect(String)} + * to create connections.

+ * + * @param hostname the hostname being connected to + * @param preResult the pre-verification result + * @param verifier the connection verifier + * @param policy the verification policy + */ + AnsConnection(String hostname, PreVerificationResult preResult, + ConnectionVerifier verifier, VerificationPolicy policy) { + this.hostname = hostname; + this.preResult = preResult; + this.verifier = verifier; + this.policy = policy; + } + + /** + * Returns the hostname being connected to. + * + * @return the hostname + */ + public String hostname() { + return hostname; + } + + /** + * Returns the combined pre-verification result. + * + * @return the pre-verification result + */ + public PreVerificationResult preVerifyResult() { + return preResult; + } + + /** + * Returns whether SCITT artifacts were present in server response. + * + * @return true if SCITT artifacts are available + */ + public boolean hasScittArtifacts() { + return preResult.hasScittExpectation(); + } + + /** + * Returns whether Badge registration was found. + * + * @return true if badge fingerprints are available + */ + public boolean hasBadgeRegistration() { + return preResult.hasBadgeExpectation(); + } + + /** + * Returns whether DANE/TLSA records were found. + * + * @return true if DANE expectations are available + */ + public boolean hasDaneRecords() { + return preResult.hasDaneExpectation(); + } + + /** + * Verifies the server certificate after TLS handshake. + * + *

Runs all enabled post-verifications (DANE, Badge, SCITT) and combines + * results according to the policy. Returns SUCCESS if all REQUIRED verifications + * pass, logs warnings for ADVISORY failures.

+ * + * @return the combined verification result + * @throws SecurityException if no server certificate was captured + */ + public VerificationResult verifyServer() { + X509Certificate[] certs = CertificateCapturingTrustManager.getCapturedCertificates(hostname); + if (certs == null || certs.length == 0) { + throw new SecurityException("No server certificate captured for " + hostname); + } + return verifyServer(certs[0]); + } + + /** + * Verifies using an explicitly provided certificate. + * + * @param serverCert the server's certificate + * @return the combined verification result + */ + public VerificationResult verifyServer(X509Certificate serverCert) { + LOGGER.debug("Post-verifying server certificate for {}", hostname); + + List results = verifier.postVerify(hostname, serverCert, preResult); + VerificationResult combined = verifier.combine(results, policy); + + LOGGER.debug("Combined verification result for {}: {} ({})", + hostname, combined.status(), combined.type()); + + return combined; + } + + /** + * Returns individual verification results without combining. + * + *

Useful for debugging or detailed logging.

+ * + * @param serverCert the server's certificate + * @return list of individual verification results + */ + public List verifyServerDetailed(X509Certificate serverCert) { + return verifier.postVerify(hostname, serverCert, preResult); + } + + /** + * Returns individual verification results without combining, using captured certificate. + * + * @return list of individual verification results + * @throws SecurityException if no server certificate was captured + */ + public List verifyServerDetailed() { + X509Certificate[] certs = CertificateCapturingTrustManager.getCapturedCertificates(hostname); + if (certs == null || certs.length == 0) { + throw new SecurityException("No server certificate captured for " + hostname); + } + return verifyServerDetailed(certs[0]); + } + + @Override + public void close() { + CertificateCapturingTrustManager.clearCapturedCertificates(hostname); + LOGGER.debug("Cleared captured certificates for {}", hostname); + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java new file mode 100644 index 0000000..26835d7 --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java @@ -0,0 +1,528 @@ +package com.godaddy.ans.sdk.agent; + +import com.godaddy.ans.sdk.agent.http.AnsVerifiedSslContextFactory; +import com.godaddy.ans.sdk.agent.verification.BadgeVerifier; +import com.godaddy.ans.sdk.agent.verification.DaneConfig; +import com.godaddy.ans.sdk.agent.verification.DaneVerifier; +import com.godaddy.ans.sdk.agent.verification.DefaultConnectionVerifier; +import com.godaddy.ans.sdk.agent.verification.DefaultDaneTlsaVerifier; +import com.godaddy.ans.sdk.agent.verification.PreVerificationResult; +import com.godaddy.ans.sdk.agent.exception.ClientConfigurationException; +import com.godaddy.ans.sdk.agent.exception.ScittVerificationException; +import com.godaddy.ans.sdk.agent.verification.ScittVerifierAdapter; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; +import com.godaddy.ans.sdk.transparency.verification.CachingBadgeVerificationService; +import org.bouncycastle.util.Arrays; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.net.ssl.SSLContext; +import java.io.FileInputStream; +import java.net.URI; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.time.Duration; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.CompletionException; + +/** + * High-level client for ANS-verified connections. + * + *

Supports all verification policies:

+ *
    + *
  • DANE: DNS-based Authentication of Named Entities (TLSA records)
    • + *
  • Badge: ANS transparency log verification (proof of registration)
    • + *
  • SCITT: Cryptographic proof via HTTP headers (receipts + status tokens)
    • + *
+ * + *

Usage with MCP SDK

+ * 
{@code
+ * AnsVerifiedClient ansClient = AnsVerifiedClient.builder()
+ *     .agentId("my-agent-id")
+ *     .keyStorePath("/path/to/client.p12", "password")
+ *     .policy(VerificationPolicy.SCITT_REQUIRED)  // or SCITT_ENHANCED, etc.
+ *     .build();
+ *
+ * AnsConnection connection = ansClient.connect(serverUrl);
+ *
+ * // Fetch SCITT headers (blocking in example code is fine during setup)
+ * Map scittHeaders = ansClient.scittHeadersAsync().join();
+ *
+ * HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport.builder(serverUrl)
+ *     .customizeClient(b -> b.sslContext(ansClient.sslContext()))
+ *     .customizeRequest(b -> scittHeaders.forEach(b::header))
+ *     .build();
+ *
+ * McpSyncClient mcpClient = McpClient.sync(transport).build();
+ * mcpClient.initialize();
+ *
+ * VerificationResult result = connection.verifyServer();
+ * }
+ */ +public class AnsVerifiedClient implements AutoCloseable { + + private static final Logger LOGGER = LoggerFactory.getLogger(AnsVerifiedClient.class); + + private final TransparencyClient transparencyClient; + private final DefaultConnectionVerifier connectionVerifier; + private final VerificationPolicy policy; + private final SSLContext sslContext; + private final HttpClient httpClient; + private final String agentId; + + // Lazy-loaded SCITT headers with thread-safe initialization + private volatile Map scittHeaders; + private final Object scittHeadersLock = new Object(); + + private AnsVerifiedClient(Builder builder) { + this.transparencyClient = builder.transparencyClient; + this.connectionVerifier = builder.connectionVerifier; + this.policy = builder.policy; + this.sslContext = builder.sslContext; + this.agentId = builder.agentId; + + // If SCITT is disabled or no agentId, headers are empty (no lazy fetch needed) + if (!policy.hasScittVerification() || agentId == null || agentId.isBlank()) { + this.scittHeaders = Map.of(); + } + + // Create shared HttpClient once at construction time + // HttpClient is designed to be long-lived and maintains its own connection pool + this.httpClient = HttpClient.newBuilder() + .sslContext(sslContext) + .connectTimeout(builder.connectTimeout) + .build(); + } + + /** + * Returns the SSLContext configured for mTLS and certificate capture. + * + * @return the configured SSLContext + */ + public SSLContext sslContext() { + return sslContext; + } + + /** + * Returns SCITT headers asynchronously. + * + *

If headers haven't been fetched yet and SCITT is enabled with an agent ID, + * this method initiates an async fetch of the receipt and status token from the + * transparency log. The returned future completes when headers are available.

+ * + *

The future completes with an empty map if:

+ *
    + *
  • SCITT verification is disabled in the policy
    • + *
  • No agent ID was configured
    • + *
  • Fetching artifacts failed (logged as warning)
    • + *
+ * + * @return a CompletableFuture with the unmodifiable map of SCITT headers + */ + public CompletableFuture> scittHeadersAsync() { + // Fast path: already initialized + if (scittHeaders != null) { + return CompletableFuture.completedFuture(scittHeaders); + } + + // Lazy fetch with double-checked locking + return fetchScittHeadersAsync(); + } + + /** + * Fetches SCITT headers lazily with thread-safe initialization. + */ + private CompletableFuture> fetchScittHeadersAsync() { + // Double-check after acquiring would-be lock position in async chain + if (scittHeaders != null) { + return CompletableFuture.completedFuture(scittHeaders); + } + + LOGGER.debug("Fetching SCITT artifacts for agent {} (lazy)", agentId); + + // Fetch receipt and token in parallel + CompletableFuture receiptFuture = transparencyClient.getReceiptAsync(agentId); + CompletableFuture tokenFuture = transparencyClient.getStatusTokenAsync(agentId); + + return receiptFuture.thenCombine(tokenFuture, (receipt, token) -> { + synchronized (scittHeadersLock) { + // Double-check inside synchronized block + if (scittHeaders != null) { + return scittHeaders; + } + + Map headers = Map.copyOf(DefaultScittHeaderProvider.builder() + .receipt(receipt) + .statusToken(token) + .build() + .getOutgoingHeaders()); + + LOGGER.debug("Fetched SCITT artifacts: receipt={} bytes, token={} bytes", + receipt.length, token.length); + + scittHeaders = headers; + return headers; + } + }).exceptionally(e -> { + synchronized (scittHeadersLock) { + if (scittHeaders != null) { + return scittHeaders; + } + LOGGER.warn("Could not fetch SCITT artifacts for agent {}: {}", agentId, e.getMessage()); + scittHeaders = Map.of(); + return scittHeaders; + } + }); + } + + /** + * Returns the verification policy in use. + * + * @return the verification policy + */ + public VerificationPolicy policy() { + return policy; + } + + /** + * Returns the TransparencyClient for advanced use cases. + * + * @return the transparency client + */ + public TransparencyClient transparencyClient() { + return transparencyClient; + } + + /** + * Connects to a server and performs all enabled pre-verifications. + * + *

Blocking: This method blocks the calling thread until all pre-verifications + * complete. For non-blocking behavior in reactive contexts or virtual threads, use + * {@link #connectAsync(String)} instead.

+ * + *

Based on the policy, this may:

+ *
    + *
  • Send preflight HEAD request to capture SCITT headers (if SCITT enabled)
    • + *
  • Lookup DANE/TLSA DNS records (if DANE enabled)
    • + *
  • Query transparency log for badge (if Badge enabled)
    • + *
+ * + * @param serverUrl the server URL to connect to + * @return an AnsConnection for post-verification + * @throws java.util.concurrent.CompletionException if a critical error occurs during connection + * @see #connectAsync(String) for the non-blocking equivalent + */ + public AnsConnection connect(String serverUrl) { + return connectAsync(serverUrl).join(); + } + + /** + * Connects to a server asynchronously and performs all enabled pre-verifications. + * + *

This method is non-blocking and returns immediately with a {@link CompletableFuture} + * that completes when all pre-verifications are finished. Use this method in reactive + * contexts, virtual threads, or when composing with other async operations.

+ * + *

Based on the policy, this may:

+ *
    + *
  • Send preflight HEAD request to capture SCITT headers (if SCITT enabled)
    • + *
  • Lookup DANE/TLSA DNS records (if DANE enabled)
    • + *
  • Query transparency log for badge (if Badge enabled)
    • + *
+ * + *

The returned future completes exceptionally if a critical error occurs during + * pre-verification setup (e.g., malformed URL). Network errors from individual + * verifications are captured in the {@link PreVerificationResult} rather than + * failing the future.

+ * + * @param serverUrl the server URL to connect to + * @return a CompletableFuture that completes with an AnsConnection for post-verification + * @see #connect(String) for the blocking equivalent + */ + public CompletableFuture connectAsync(String serverUrl) { + URI uri; + try { + uri = URI.create(serverUrl); + } catch (IllegalArgumentException e) { + return CompletableFuture.failedFuture(e); + } + + String hostname = uri.getHost(); + int port = uri.getPort() > 0 ? uri.getPort() : 443; + + LOGGER.debug("Connecting async to {}:{} with policy {}", hostname, port, policy); + + // Start DANE/Badge pre-verification asynchronously + CompletableFuture daneAndBadgeFuture = + connectionVerifier.preVerify(hostname, port); + + // Start SCITT preflight asynchronously (if enabled) so it runs in parallel with DANE/Badge + CompletableFuture scittFuture; + if (policy.hasScittVerification()) { + scittFuture = sendPreflightAsync(uri) + .thenCompose(connectionVerifier::scittPreVerify) + .exceptionally(e -> { + Throwable cause = e instanceof CompletionException && e.getCause() != null + ? e.getCause() : e; + LOGGER.warn("SCITT preflight failed: {}", cause.getMessage()); + return ScittPreVerifyResult.parseError("Preflight failed: " + cause.getMessage()); + }); + } else { + scittFuture = CompletableFuture.completedFuture(ScittPreVerifyResult.notPresent()); + } + + // Non-blocking: combine both futures using thenCombine + return daneAndBadgeFuture.thenCombine(scittFuture, (preResult, scittPreResult) -> { + // Fail-fast based on policy and SCITT result + // This prevents accidental unverified connections + boolean scittVerified = scittPreResult.expectation().isVerified(); + boolean scittPresent = scittPreResult.isPresent(); + + if (policy.scittMode() == VerificationMode.REQUIRED && !scittVerified) { + // REQUIRED: must have valid SCITT - reject if missing OR if verification failed + String reason = scittPreResult.expectation().failureReason(); + ScittVerificationException.FailureType failureType = mapToFailureType( + scittPreResult.expectation().status()); + throw new ScittVerificationException( + "SCITT verification required but failed: " + reason, failureType); + } + + if (policy.scittMode() == VerificationMode.ADVISORY && scittPresent && !scittVerified) { + // ADVISORY: if headers ARE present but failed, reject (don't allow garbage headers) + // If headers are NOT present, allow fallback to badge + String reason = scittPreResult.expectation().failureReason(); + ScittVerificationException.FailureType failureType = mapToFailureType( + scittPreResult.expectation().status()); + throw new ScittVerificationException( + "SCITT headers present but verification failed: " + reason, failureType); + } + + PreVerificationResult combinedResult = preResult.withScittResult(scittPreResult); + LOGGER.debug("Pre-verification complete: {}", combinedResult); + return new AnsConnection(hostname, combinedResult, connectionVerifier, policy); + }); + } + + /** + * Sends a preflight HEAD request asynchronously to capture server's SCITT headers. + * Uses HttpClient.sendAsync for non-blocking I/O, enabling parallelism with DANE/Badge. + * First fetches our SCITT headers (if not already cached) to include in the request. + */ + private CompletableFuture> sendPreflightAsync(URI uri) { + LOGGER.debug("Sending async preflight request to {}", uri); + + // First get our SCITT headers (lazy fetch if needed), then send the request + return scittHeadersAsync().thenCompose(outgoingHeaders -> { + HttpRequest.Builder requestBuilder = HttpRequest.newBuilder() + .uri(uri) + .method("HEAD", HttpRequest.BodyPublishers.noBody()); + outgoingHeaders.forEach(requestBuilder::header); + + return httpClient.sendAsync(requestBuilder.build(), HttpResponse.BodyHandlers.discarding()) + .thenApply(response -> { + Map headers = new HashMap<>(); + response.headers().map().forEach((k, v) -> { + if (!v.isEmpty()) { + headers.put(k.toLowerCase(), v.get(0)); + } + }); + LOGGER.debug("Preflight response: {} with {} headers", + response.statusCode(), headers.size()); + return headers; + }); + }); + } + + /** + * Maps ScittExpectation.Status to ScittVerificationException.FailureType. + */ + private static ScittVerificationException.FailureType mapToFailureType( + com.godaddy.ans.sdk.transparency.scitt.ScittExpectation.Status status) { + return switch (status) { + case NOT_PRESENT -> ScittVerificationException.FailureType.HEADERS_NOT_PRESENT; + case PARSE_ERROR -> ScittVerificationException.FailureType.PARSE_ERROR; + case INVALID_RECEIPT, INVALID_TOKEN -> ScittVerificationException.FailureType.INVALID_SIGNATURE; + case TOKEN_EXPIRED -> ScittVerificationException.FailureType.TOKEN_EXPIRED; + case KEY_NOT_FOUND -> ScittVerificationException.FailureType.KEY_NOT_FOUND; + case AGENT_REVOKED -> ScittVerificationException.FailureType.AGENT_REVOKED; + case AGENT_INACTIVE -> ScittVerificationException.FailureType.AGENT_INACTIVE; + case VERIFIED -> ScittVerificationException.FailureType.VERIFICATION_ERROR; // Should not happen + }; + } + + @Override + public void close() { + // TransparencyClient doesn't require explicit close + LOGGER.debug("AnsVerifiedClient closed"); + } + + /** + * Creates a new builder for AnsVerifiedClient. + * + * @return a new builder instance + */ + public static Builder builder() { + return new Builder(); + } + + /** + * Builder for AnsVerifiedClient. + */ + public static class Builder { + private String agentId; + private KeyStore keyStore; + private char[] keyPassword; + private String keyStorePath; + private TransparencyClient transparencyClient; + private VerificationPolicy policy = VerificationPolicy.SCITT_REQUIRED; + private Duration connectTimeout = Duration.ofSeconds(30); + private SSLContext sslContext; + private DefaultConnectionVerifier connectionVerifier; + + /** + * Sets the agent ID for SCITT header generation. + * + * @param agentId the agent's unique identifier + * @return this builder + */ + public Builder agentId(String agentId) { + this.agentId = agentId; + return this; + } + + /** + * Sets the keystore for mTLS client authentication. + * + * @param keyStore the PKCS12 keystore containing client certificate + * @param password the keystore password + * @return this builder + */ + public Builder keyStore(KeyStore keyStore, char[] password) { + this.keyStore = keyStore; + this.keyPassword = password; + return this; + } + + /** + * Sets the keystore path for mTLS client authentication. + * + * @param path the path to the PKCS12 keystore + * @param password the keystore password + * @return this builder + */ + public Builder keyStorePath(String path, String password) { + this.keyStorePath = path; + this.keyPassword = password.toCharArray(); + return this; + } + + /** + * Sets a custom TransparencyClient. + * + * @param client the transparency client + * @return this builder + */ + public Builder transparencyClient(TransparencyClient client) { + this.transparencyClient = client; + return this; + } + + /** + * Sets the verification policy. + * + * @param policy the verification policy (default: SCITT_REQUIRED) + * @return this builder + */ + public Builder policy(VerificationPolicy policy) { + this.policy = Objects.requireNonNull(policy); + return this; + } + + /** + * Sets the connection timeout for preflight requests. + * + * @param timeout the timeout (default: 30 seconds) + * @return this builder + */ + public Builder connectTimeout(Duration timeout) { + this.connectTimeout = timeout; + return this; + } + + /** + * Builds the AnsVerifiedClient. + * + * @return the configured client + * @throws ClientConfigurationException if keystore loading or SSLContext creation fails + */ + public AnsVerifiedClient build() { + // Create TransparencyClient if not provided + if (transparencyClient == null) { + transparencyClient = TransparencyClient.builder().build(); + } + + // Load keystore if path provided + if (keyStore == null && keyStorePath != null) { + try { + keyStore = KeyStore.getInstance("PKCS12"); + try (FileInputStream fis = new FileInputStream(keyStorePath)) { + keyStore.load(fis, keyPassword); + } + LOGGER.debug("Loaded keystore from {}", keyStorePath); + } catch (Exception e) { + throw new ClientConfigurationException("Failed to load keystore: " + e.getMessage(), e); + } + } + + // Create SSLContext + try { + sslContext = AnsVerifiedSslContextFactory.create(keyStore, keyPassword); + } catch (GeneralSecurityException e) { + throw new ClientConfigurationException("Failed to create SSLContext: " + e.getMessage(), e); + } finally { + if (keyPassword != null) { + Arrays.fill(keyPassword, '\0'); + keyPassword = null; + } + } + + // Build ConnectionVerifier based on policy + DefaultConnectionVerifier.Builder verifierBuilder = DefaultConnectionVerifier.builder(); + + // DANE verifier (if enabled) + if (policy.daneMode() != VerificationMode.DISABLED) { + DefaultDaneTlsaVerifier tlsaVerifier = new DefaultDaneTlsaVerifier(DaneConfig.defaults()); + verifierBuilder.daneVerifier(new DaneVerifier(tlsaVerifier)); + LOGGER.debug("DANE verification enabled with mode {}", policy.daneMode()); + } + + // Badge verifier (if enabled) + if (policy.badgeMode() != VerificationMode.DISABLED) { + CachingBadgeVerificationService badgeService = CachingBadgeVerificationService.create(); + verifierBuilder.badgeVerifier(new BadgeVerifier(badgeService)); + LOGGER.debug("Badge verification enabled with mode {}", policy.badgeMode()); + } + + // SCITT verifier (if enabled) + if (policy.scittMode() != VerificationMode.DISABLED) { + ScittVerifierAdapter scittVerifier = ScittVerifierAdapter.builder() + .transparencyClient(transparencyClient) + .build(); + verifierBuilder.scittVerifier(scittVerifier); + LOGGER.debug("SCITT verification enabled with mode {}", policy.scittMode()); + // Note: SCITT headers are fetched lazily on first call to scittHeaders() + } + + connectionVerifier = verifierBuilder.build(); + return new AnsVerifiedClient(this); + } + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResult.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResult.java new file mode 100644 index 0000000..53bf9ed --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResult.java @@ -0,0 +1,184 @@ +package com.godaddy.ans.sdk.agent.verification; + +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; + +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.util.List; +import java.util.Objects; + +/** + * Result of client request verification. + * + *

Contains the outcome of verifying an incoming client request, including + * the extracted agent identity, SCITT artifacts, and any errors encountered.

+ * + * @param verified true if the client was successfully verified + * @param agentId the agent ID from the status token (null if verification failed) + * @param statusToken the parsed status token (null if not present or failed to parse) + * @param receipt the parsed SCITT receipt (null if not present or failed to parse) + * @param clientCertificate the client certificate that was verified + * @param errors list of error messages (empty if verification succeeded) + * @param policyUsed the verification policy that was applied + * @param verificationDuration how long verification took + */ +public record ClientRequestVerificationResult( + boolean verified, + String agentId, + StatusToken statusToken, + ScittReceipt receipt, + X509Certificate clientCertificate, + List errors, + VerificationPolicy policyUsed, + Duration verificationDuration +) { + + /** + * Compact constructor for defensive copying. + */ + public ClientRequestVerificationResult { + Objects.requireNonNull(errors, "errors cannot be null"); + Objects.requireNonNull(policyUsed, "policyUsed cannot be null"); + Objects.requireNonNull(verificationDuration, "verificationDuration cannot be null"); + errors = List.copyOf(errors); + } + + /** + * Returns true if SCITT artifacts (receipt and status token) are present. + * + * @return true if both receipt and status token are available + */ + public boolean hasScittArtifacts() { + return receipt != null && statusToken != null; + } + + /** + * Returns true if only the status token is present. + * + * @return true if status token is available but receipt is not + */ + public boolean hasStatusTokenOnly() { + return statusToken != null && receipt == null; + } + + /** + * Returns true if any SCITT artifact is present. + * + * @return true if receipt or status token is available + */ + public boolean hasAnyScittArtifact() { + return receipt != null || statusToken != null; + } + + /** + * Returns true if the client certificate was verified against the status token. + * + *

This indicates the certificate fingerprint matched one of the valid + * identity certificate fingerprints in the status token.

+ * + * @return true if certificate was trusted via SCITT verification + */ + public boolean isCertificateTrusted() { + return verified && statusToken != null; + } + + /** + * Creates a successful verification result. + * + * @param agentId the verified agent ID + * @param statusToken the verified status token + * @param receipt the verified receipt + * @param clientCertificate the client certificate + * @param policy the policy that was used + * @param duration how long verification took + * @return a successful result + */ + public static ClientRequestVerificationResult success( + String agentId, + StatusToken statusToken, + ScittReceipt receipt, + X509Certificate clientCertificate, + VerificationPolicy policy, + Duration duration) { + return new ClientRequestVerificationResult( + true, + agentId, + statusToken, + receipt, + clientCertificate, + List.of(), + policy, + duration + ); + } + + /** + * Creates a failed verification result. + * + * @param errors the error messages + * @param statusToken the status token if parsed (may be null) + * @param receipt the receipt if parsed (may be null) + * @param clientCertificate the client certificate + * @param policy the policy that was used + * @param duration how long verification took + * @return a failed result + */ + public static ClientRequestVerificationResult failure( + List errors, + StatusToken statusToken, + ScittReceipt receipt, + X509Certificate clientCertificate, + VerificationPolicy policy, + Duration duration) { + String agentId = statusToken != null ? statusToken.agentId() : null; + return new ClientRequestVerificationResult( + false, + agentId, + statusToken, + receipt, + clientCertificate, + errors, + policy, + duration + ); + } + + /** + * Creates a failed verification result with a single error. + * + * @param error the error message + * @param clientCertificate the client certificate + * @param policy the policy that was used + * @param duration how long verification took + * @return a failed result + */ + public static ClientRequestVerificationResult failure( + String error, + X509Certificate clientCertificate, + VerificationPolicy policy, + Duration duration) { + return failure( + List.of(error), + null, + null, + clientCertificate, + policy, + duration + ); + } + + @Override + public String toString() { + if (verified) { + return String.format( + "ClientRequestVerificationResult{verified=true, agentId='%s', duration=%s}", + agentId, verificationDuration); + } else { + return String.format( + "ClientRequestVerificationResult{verified=false, errors=%s, duration=%s}", + errors, verificationDuration); + } + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java new file mode 100644 index 0000000..a6a64da --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java @@ -0,0 +1,86 @@ +package com.godaddy.ans.sdk.agent.verification; + +import com.godaddy.ans.sdk.agent.VerificationPolicy; + +import java.security.cert.X509Certificate; +import java.util.Map; +import java.util.concurrent.CompletableFuture; + +/** + * Server-side verifier for incoming client requests. + * + *

This interface provides a high-level API for MCP servers (and other server + * implementations) to verify that incoming client requests are from legitimate + * ANS-registered agents.

+ * + *

Verification involves:

+ *
    + *
  1. Extracting SCITT artifacts (receipt and status token) from request headers
    2. + *
  2. Verifying the cryptographic signatures on the artifacts
    3. + *
  3. Checking the status token hasn't expired
    4. + *
  4. Matching the client's mTLS certificate fingerprint against the + * {@code validIdentityCertFingerprints} in the status token
    5. + *
+ * + *

Usage Example

+ * 
{@code
+ * ClientRequestVerifier verifier = DefaultClientRequestVerifier.builder()
+ *     .scittVerifier(scittVerifierAdapter)
+ *     .build();
+ *
+ * // In request handler
+ * X509Certificate clientCert = (X509Certificate) sslSession.getPeerCertificates()[0];
+ * Map headers = extractHeaders(request);
+ *
+ * ClientRequestVerificationResult result = verifier
+ *     .verify(clientCert, headers, VerificationPolicy.SCITT_REQUIRED)
+ *     .join();
+ *
+ * if (!result.verified()) {
+ *     return Response.status(403)
+ *         .entity("Client verification failed: " + result.errors())
+ *         .build();
+ * }
+ *
+ * // Proceed with verified agent identity
+ * String agentId = result.agentId();
+ * }
+ * + * @see DefaultClientRequestVerifier + * @see ClientRequestVerificationResult + */ +public interface ClientRequestVerifier { + + /** + * Verifies an incoming client request. + * + *

This method extracts SCITT artifacts from the request headers, verifies + * their signatures, and matches the client certificate fingerprint against + * the status token's identity certificate fingerprints.

+ * + * @param clientCert the client's X.509 certificate from mTLS handshake + * @param requestHeaders the HTTP request headers (must include SCITT headers) + * @param policy the verification policy to apply + * @return a future that completes with the verification result + * @throws NullPointerException if any parameter is null + */ + CompletableFuture verify( + X509Certificate clientCert, + Map requestHeaders, + VerificationPolicy policy + ); + + /** + * Verifies an incoming client request using the default SCITT_REQUIRED policy. + * + * @param clientCert the client's X.509 certificate from mTLS handshake + * @param requestHeaders the HTTP request headers + * @return a future that completes with the verification result + * @throws NullPointerException if any parameter is null + */ + default CompletableFuture verify( + X509Certificate clientCert, + Map requestHeaders) { + return verify(clientCert, requestHeaders, VerificationPolicy.SCITT_REQUIRED); + } +} diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java new file mode 100644 index 0000000..43fc95d --- /dev/null +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java @@ -0,0 +1,630 @@ +package com.godaddy.ans.sdk.agent.verification; + +import static com.godaddy.ans.sdk.crypto.CertificateUtils.normalizeFingerprint; + +import com.github.benmanes.caffeine.cache.Cache; +import com.github.benmanes.caffeine.cache.Caffeine; +import com.github.benmanes.caffeine.cache.Expiry; +import com.godaddy.ans.sdk.agent.VerificationMode; +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.concurrent.AnsExecutors; +import com.godaddy.ans.sdk.crypto.CertificateUtils; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.DefaultScittVerifier; +import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; +import com.godaddy.ans.sdk.transparency.scitt.ScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.ScittHeaders; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.ScittVerifier; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.MessageDigest; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.time.Instant; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Optional; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.CompletionException; +import java.util.concurrent.Executor; + +/** + * Default implementation of {@link ClientRequestVerifier}. + * + *

This verifier extracts SCITT artifacts from request headers, verifies their + * cryptographic signatures, and matches the client certificate fingerprint against + * the identity certificate fingerprints in the status token.

+ * + *

Key Design Decisions

+ *
    + *
  • Identity vs Server Certs: Uses {@code validIdentityCertFingerprints()} + * for client verification, NOT {@code validServerCertFingerprints()}. Identity + * certs identify the agent, server certs are for TLS endpoints.
    • + *
  • Caching: Results are cached by (receipt hash, token hash, cert fingerprint) + * to avoid redundant verification for repeated requests.
    • + *
  • Security: Uses constant-time comparison for fingerprint matching.
    • + *
+ * + * @see ClientRequestVerifier + */ +public class DefaultClientRequestVerifier implements ClientRequestVerifier { + + private static final Logger LOGGER = LoggerFactory.getLogger(DefaultClientRequestVerifier.class); + + /** + * Maximum header size in bytes to prevent DoS attacks. + */ + private static final int MAX_HEADER_SIZE = 64 * 1024; // 64KB + + /** + * Maximum cache size to prevent memory exhaustion DoS through cache flooding. + */ + private static final int MAX_CACHE_SIZE = 1000; + + private final TransparencyClient transparencyClient; + private final ScittVerifier scittVerifier; + private final ScittHeaderProvider headerProvider; + private final Executor executor; + private final Duration cacheTtl; + + // Verification result cache keyed by (receiptHash:tokenHash:certFingerprint) + // Caffeine handles automatic eviction and size limits + private final Cache verificationCache; + + private DefaultClientRequestVerifier(Builder builder) { + this.transparencyClient = builder.transparencyClient; + this.scittVerifier = builder.scittVerifier; + this.headerProvider = builder.headerProvider; + this.executor = builder.executor; + this.cacheTtl = builder.cacheTtl; + + // Build cache with custom expiry based on min(cacheTtl, tokenExpiry) + this.verificationCache = Caffeine.newBuilder() + .maximumSize(MAX_CACHE_SIZE) + .expireAfter(new VerificationResultExpiry()) + .build(); + } + + @Override + public CompletableFuture verify( + X509Certificate clientCert, + Map requestHeaders, + VerificationPolicy policy) { + + Objects.requireNonNull(clientCert, "clientCert cannot be null"); + Objects.requireNonNull(requestHeaders, "requestHeaders cannot be null"); + Objects.requireNonNull(policy, "policy cannot be null"); + + long startNanos = System.nanoTime(); + + // Steps 1-4 are synchronous (header validation, extraction, cache check) + // Step 5 (SCITT verification) is async due to getRootKeyAsync() + // Step 6 (fingerprint match) chains after Step 5 + + try { + // Step 1-3: Validate headers and extract artifacts (synchronous) + ArtifactExtractionResult extractionResult = extractAndValidateArtifacts( + requestHeaders, policy, clientCert, startNanos); + if (extractionResult.failure != null) { + return CompletableFuture.completedFuture(extractionResult.failure); + } + + ScittHeaderProvider.ScittArtifacts artifacts = extractionResult.artifacts; + ScittReceipt receipt = artifacts.receipt(); + StatusToken statusToken = artifacts.statusToken(); + + // Step 4: Check cache (synchronous) + // Use raw header values for cache key - avoids 2x SHA-256 on every lookup + String receiptHeader = requestHeaders.get(ScittHeaders.SCITT_RECEIPT_HEADER); + String tokenHeader = requestHeaders.get(ScittHeaders.STATUS_TOKEN_HEADER); + String clientFingerprint = CertificateUtils.computeSha256Fingerprint(clientCert); + String cacheKey = computeCacheKey(receiptHeader, tokenHeader, clientFingerprint); + ClientRequestVerificationResult cachedResult = checkCache(cacheKey); + if (cachedResult != null) { + return CompletableFuture.completedFuture(cachedResult); + } + + // Step 5: Verify SCITT artifacts asynchronously (uses getRootKeyAsync) + return verifyScittArtifactsAsync(receipt, statusToken, policy, clientCert, startNanos) + .thenApplyAsync(scittResult -> { + if (scittResult.failure != null) { + return scittResult.failure; + } + + // Step 6: Verify fingerprint match + ClientRequestVerificationResult fingerprintResult = verifyFingerprintMatch( + clientFingerprint, scittResult.expectation, statusToken, receipt, + clientCert, policy, startNanos); + if (fingerprintResult != null) { + return fingerprintResult; + } + + // Success - create result and cache it + return createSuccessResult(statusToken, receipt, clientCert, policy, startNanos, cacheKey); + }, executor) + .exceptionally(e -> { + Throwable cause = e instanceof CompletionException && e.getCause() != null + ? e.getCause() : e; + LOGGER.error("Unexpected error during client verification", cause); + return ClientRequestVerificationResult.failure( + "Verification error: " + cause.getMessage(), + clientCert, + policy, + durationSinceNanos(startNanos) + ); + }); + } catch (Exception e) { + LOGGER.error("Unexpected error during client verification setup", e); + return CompletableFuture.completedFuture(ClientRequestVerificationResult.failure( + "Verification error: " + e.getMessage(), + clientCert, + policy, + durationSinceNanos(startNanos) + )); + } + } + + // ==================== Artifact Extraction (Steps 1-3) ==================== + + /** + * Result of artifact extraction - either artifacts or a failure. + */ + private record ArtifactExtractionResult( + ScittHeaderProvider.ScittArtifacts artifacts, + ClientRequestVerificationResult failure + ) { + static ArtifactExtractionResult success(ScittHeaderProvider.ScittArtifacts artifacts) { + return new ArtifactExtractionResult(artifacts, null); + } + + static ArtifactExtractionResult failure(ClientRequestVerificationResult failure) { + return new ArtifactExtractionResult(null, failure); + } + } + + /** + * Validates headers and extracts SCITT artifacts (Steps 1-3). + */ + private ArtifactExtractionResult extractAndValidateArtifacts( + Map requestHeaders, + VerificationPolicy policy, + X509Certificate clientCert, + long startNanos) { + + // Step 1: Check header size limits + String oversizedHeader = checkHeaderSizeLimits(requestHeaders); + if (oversizedHeader != null) { + return ArtifactExtractionResult.failure(failureResult( + "SCITT header exceeds size limit: " + oversizedHeader, clientCert, policy, startNanos)); + } + + // Step 2: Extract SCITT artifacts from headers + Optional artifactsOpt; + try { + artifactsOpt = headerProvider.extractArtifacts(requestHeaders); + } catch (Exception e) { + LOGGER.warn("Failed to extract SCITT artifacts: {}", e.getMessage()); + String message = policy.scittMode() == VerificationMode.REQUIRED + ? "Failed to parse SCITT headers: " + e.getMessage() + : "SCITT headers invalid (advisory mode)"; + return ArtifactExtractionResult.failure(failureResult(message, clientCert, policy, startNanos)); + } + + // Step 3: Handle missing SCITT artifacts + if (artifactsOpt.isEmpty() || !artifactsOpt.get().isPresent()) { + String message = policy.scittMode() == VerificationMode.REQUIRED + ? "SCITT headers required but not present" + : "SCITT headers not present"; + if (policy.scittMode() != VerificationMode.REQUIRED) { + LOGGER.debug("SCITT headers not present, mode={}", policy.scittMode()); + } + return ArtifactExtractionResult.failure(failureResult(message, clientCert, policy, startNanos)); + } + + return ArtifactExtractionResult.success(artifactsOpt.get()); + } + + // ==================== Cache Check (Step 4) ==================== + + /** + * Checks the cache for a valid cached result. + * + *

Caffeine automatically handles expiration, so we just need to check if present.

+ * + * @return the cached result if valid, null if cache miss or expired + */ + private ClientRequestVerificationResult checkCache(String cacheKey) { + CachedResult cached = verificationCache.getIfPresent(cacheKey); + if (cached != null) { + LOGGER.debug("Cache hit for client verification"); + return cached.result(); + } + return null; + } + + // ==================== SCITT Verification (Step 5) ==================== + + /** + * Result of SCITT verification - either expectation or a failure. + */ + private record ScittVerificationResult( + ScittExpectation expectation, + ClientRequestVerificationResult failure + ) { + static ScittVerificationResult success(ScittExpectation expectation) { + return new ScittVerificationResult(expectation, null); + } + + static ScittVerificationResult failure(ClientRequestVerificationResult failure) { + return new ScittVerificationResult(null, failure); + } + } + + /** + * Verifies SCITT artifacts asynchronously - signatures, Merkle proof, expiry (Step 5). + * + *

Uses {@link TransparencyClient#getRootKeyAsync()} to avoid blocking the shared + * thread pool on network I/O during cache misses.

+ */ + private CompletableFuture verifyScittArtifactsAsync( + ScittReceipt receipt, + StatusToken statusToken, + VerificationPolicy policy, + X509Certificate clientCert, + long startNanos) { + + // Validate required artifacts are present (synchronous check) + List errors = new ArrayList<>(); + if (statusToken == null) { + errors.add("Status token is required but not present"); + } + if (receipt == null && policy.scittMode() == VerificationMode.REQUIRED) { + errors.add("Receipt is required but not present"); + } + if (!errors.isEmpty()) { + return CompletableFuture.completedFuture(ScittVerificationResult.failure( + ClientRequestVerificationResult.failure( + errors, statusToken, receipt, clientCert, policy, durationSinceNanos(startNanos)))); + } + + // Fetch public keys asynchronously to avoid blocking executor threads + return transparencyClient.getRootKeysAsync() + .thenApplyAsync((Map rootKeys) -> { + // Verify signatures + ScittExpectation expectation = scittVerifier.verify(receipt, statusToken, rootKeys); + if (!expectation.isVerified()) { + LOGGER.warn("SCITT verification failed: {}", expectation.failureReason()); + return ScittVerificationResult.failure(ClientRequestVerificationResult.failure( + List.of("SCITT verification failed: " + expectation.failureReason()), + statusToken, receipt, clientCert, policy, durationSinceNanos(startNanos))); + } + return ScittVerificationResult.success(expectation); + }, executor) + .exceptionally(e -> { + Throwable cause = e instanceof CompletionException && e.getCause() != null + ? e.getCause() : e; + LOGGER.error("Failed to fetch SCITT public keys: {}", cause.getMessage()); + return ScittVerificationResult.failure(failureResult( + "Failed to fetch SCITT public keys: " + cause.getMessage(), clientCert, policy, startNanos)); + }); + } + + // ==================== Fingerprint Verification (Step 6) ==================== + + /** + * Verifies client certificate fingerprint matches identity certs (Step 6). + * + * @return failure result if mismatch, null if fingerprint matches + */ + private ClientRequestVerificationResult verifyFingerprintMatch( + String clientFingerprint, + ScittExpectation expectation, + StatusToken statusToken, + ScittReceipt receipt, + X509Certificate clientCert, + VerificationPolicy policy, + long startNanos) { + + // CRITICAL: Use validIdentityCertFingerprints, NOT validServerCertFingerprints + List validIdentityFingerprints = expectation.validIdentityCertFingerprints(); + + if (validIdentityFingerprints.isEmpty()) { + LOGGER.warn("No valid identity certificate fingerprints in status token"); + return failureResult("No valid identity certificates in status token", clientCert, policy, startNanos); + } + + boolean fingerprintMatches = validIdentityFingerprints.stream() + .anyMatch(expected -> fingerprintMatchesConstantTime(clientFingerprint, expected)); + + if (!fingerprintMatches) { + LOGGER.warn("Client certificate fingerprint does not match any identity cert in status token"); + return ClientRequestVerificationResult.failure( + List.of("Client certificate fingerprint mismatch", + "Actual: " + truncateFingerprint(clientFingerprint), + "Expected one of: " + truncateFingerprints(validIdentityFingerprints)), + statusToken, receipt, clientCert, policy, durationSinceNanos(startNanos)); + } + + return null; // Fingerprint matches - success + } + + // ==================== Success Result & Caching ==================== + + /** + * Creates success result and caches it. + * + *

Caffeine automatically handles size limits and expiration. + * The custom {@link VerificationResultExpiry} ensures entries expire based on + * min(cacheTtl, tokenExpiry).

+ */ + private ClientRequestVerificationResult createSuccessResult( + StatusToken statusToken, + ScittReceipt receipt, + X509Certificate clientCert, + VerificationPolicy policy, + long startNanos, + String cacheKey) { + + LOGGER.info("Client verification successful for agent: {}", statusToken.agentId()); + + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + statusToken.agentId(), + statusToken, + receipt, + clientCert, + policy, + durationSinceNanos(startNanos) + ); + + // Cache the result with token expiry for custom Expiry calculation + verificationCache.put(cacheKey, new CachedResult(result, statusToken.expiresAt())); + + return result; + } + + // ==================== Helper Methods ==================== + + /** + * Creates a simple failure result with duration calculation. + */ + private ClientRequestVerificationResult failureResult( + String message, + X509Certificate clientCert, + VerificationPolicy policy, + long startNanos) { + return ClientRequestVerificationResult.failure(message, clientCert, policy, durationSinceNanos(startNanos)); + } + + /** + * Calculates duration since start time using nanosecond precision. + * + *

Uses {@link System#nanoTime()} which is more efficient than {@link java.time.Instant#now()} + * for elapsed time measurement - no object allocation until Duration is created, and it's + * monotonic (not affected by clock adjustments).

+ */ + private Duration durationSinceNanos(long startNanos) { + return Duration.ofNanos(System.nanoTime() - startNanos); + } + + /** + * Checks header size limits to prevent DoS attacks. + * + * @return the name of the oversized header, or null if all are within limits + */ + private String checkHeaderSizeLimits(Map headers) { + for (Map.Entry entry : headers.entrySet()) { + String key = entry.getKey(); + String value = entry.getValue(); + if (key != null && matchesScittHeaders(key.toLowerCase())) { + if (value != null && value.length() > MAX_HEADER_SIZE) { + return key; + } + } + } + return null; + } + + private boolean matchesScittHeaders(String lowerKey) { + return lowerKey.equals(ScittHeaders.SCITT_RECEIPT_HEADER) || + lowerKey.equals(ScittHeaders.STATUS_TOKEN_HEADER); + } + + /** + * Computes a cache key from the raw header values and certificate fingerprint. + * + *

Uses the raw Base64 header strings directly rather than hashing decoded bytes, + * avoiding 2x SHA-256 computations on every cache lookup.

+ */ + private String computeCacheKey(String receiptHeader, String tokenHeader, String certFingerprint) { + // Use raw Base64 header values directly - they're already unique identifiers + String receiptKey = receiptHeader != null ? receiptHeader : "none"; + String tokenKey = tokenHeader != null ? tokenHeader : "none"; + return receiptKey + ":" + tokenKey + ":" + certFingerprint; + } + + + /** + * Constant-time fingerprint comparison to prevent timing attacks. + */ + private boolean fingerprintMatchesConstantTime(String actual, String expected) { + if (actual == null || expected == null) { + return false; + } + // Normalize fingerprints + String normalizedActual = normalizeFingerprint(actual); + String normalizedExpected = normalizeFingerprint(expected); + if (normalizedActual.length() != normalizedExpected.length()) { + return false; + } + // Use MessageDigest.isEqual for constant-time comparison + return MessageDigest.isEqual( + normalizedActual.getBytes(), + normalizedExpected.getBytes() + ); + } + + private String truncateFingerprint(String fingerprint) { + if (fingerprint == null || fingerprint.length() <= 16) { + return fingerprint; + } + return fingerprint.substring(0, 16) + "..."; + } + + private String truncateFingerprints(List fingerprints) { + if (fingerprints.size() <= 2) { + return fingerprints.stream() + .map(this::truncateFingerprint) + .toList() + .toString(); + } + return "[" + truncateFingerprint(fingerprints.get(0)) + ", ... (" + fingerprints.size() + " total)]"; + } + + // ==================== Caffeine Cache Support ==================== + + /** + * Cached verification result with token expiry time for custom expiration. + */ + private record CachedResult(ClientRequestVerificationResult result, Instant tokenExpiresAt) { } + + /** + * Custom Caffeine expiry that uses the earlier of cache TTL or token expiry. + * + *

This ensures cached results are never returned after the underlying + * token has expired, even if the cache TTL hasn't been reached.

+ */ + private class VerificationResultExpiry implements Expiry { + + @Override + public long expireAfterCreate(String key, CachedResult value, long currentTime) { + long cacheTtlNanos = cacheTtl.toNanos(); + + // If token has no expiry, use cache TTL + if (value.tokenExpiresAt() == null) { + return cacheTtlNanos; + } + + // Use min(cacheTtl, tokenRemainingTime) + Duration tokenRemaining = Duration.between(Instant.now(), value.tokenExpiresAt()); + if (tokenRemaining.isNegative() || tokenRemaining.isZero()) { + return 0; // Already expired + } + + return Math.min(cacheTtlNanos, tokenRemaining.toNanos()); + } + + @Override + public long expireAfterUpdate(String key, CachedResult value, long currentTime, long currentDuration) { + return expireAfterCreate(key, value, currentTime); + } + + @Override + public long expireAfterRead(String key, CachedResult value, long currentTime, long currentDuration) { + return currentDuration; // No change on read + } + } + + /** + * Creates a new builder. + * + * @return a new builder instance + */ + public static Builder builder() { + return new Builder(); + } + + /** + * Builder for DefaultClientRequestVerifier. + */ + public static class Builder { + private TransparencyClient transparencyClient; + private ScittVerifier scittVerifier; + private ScittHeaderProvider headerProvider; + private Executor executor = AnsExecutors.sharedIoExecutor(); + private Duration cacheTtl = Duration.ofMinutes(5); + + /** + * Sets the TransparencyClient for root key fetching. + * + * @param transparencyClient the transparency client (required) + * @return this builder + */ + public Builder transparencyClient(TransparencyClient transparencyClient) { + this.transparencyClient = transparencyClient; + return this; + } + + /** + * Sets the SCITT verifier. + * + * @param scittVerifier the verifier + * @return this builder + */ + public Builder scittVerifier(ScittVerifier scittVerifier) { + this.scittVerifier = scittVerifier; + return this; + } + + /** + * Sets the header provider. + * + * @param headerProvider the header provider + * @return this builder + */ + public Builder headerProvider(ScittHeaderProvider headerProvider) { + this.headerProvider = headerProvider; + return this; + } + + /** + * Sets the executor for async operations. + * + * @param executor the executor + * @return this builder + */ + public Builder executor(Executor executor) { + this.executor = executor; + return this; + } + + /** + * Sets the verification cache TTL. + * + * @param ttl the cache TTL (must be positive) + * @return this builder + * @throws IllegalArgumentException if ttl is null, zero, or negative + */ + public Builder verificationCacheTtl(Duration ttl) { + Objects.requireNonNull(ttl, "ttl cannot be null"); + if (ttl.isZero() || ttl.isNegative()) { + throw new IllegalArgumentException("cacheTtl must be positive, got: " + ttl); + } + this.cacheTtl = ttl; + return this; + } + + /** + * Builds the verifier. + * + * @return the configured verifier + * @throws NullPointerException if transparencyClient is not set + */ + public DefaultClientRequestVerifier build() { + Objects.requireNonNull(transparencyClient, "transparencyClient is required"); + if (scittVerifier == null) { + scittVerifier = new DefaultScittVerifier(); + } + if (headerProvider == null) { + headerProvider = new DefaultScittHeaderProvider(); + } + return new DefaultClientRequestVerifier(this); + } + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsConnectionTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsConnectionTest.java new file mode 100644 index 0000000..2cc9631 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsConnectionTest.java @@ -0,0 +1,238 @@ +package com.godaddy.ans.sdk.agent; + +import com.godaddy.ans.sdk.agent.http.CertificateCapturingTrustManager; +import com.godaddy.ans.sdk.agent.verification.DefaultConnectionVerifier; +import com.godaddy.ans.sdk.agent.verification.PreVerificationResult; +import com.godaddy.ans.sdk.agent.verification.VerificationResult; +import com.godaddy.ans.sdk.agent.verification.VerificationResult.VerificationType; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; + +import java.security.cert.X509Certificate; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class AnsConnectionTest { + + private static final String TEST_HOSTNAME = "test.example.com"; + + @Mock + private PreVerificationResult mockPreResult; + + @Mock + private DefaultConnectionVerifier mockVerifier; + + private VerificationPolicy policy = VerificationPolicy.SCITT_REQUIRED; + + private AnsConnection connection; + + @BeforeEach + void setUp() { + connection = new AnsConnection(TEST_HOSTNAME, mockPreResult, mockVerifier, policy); + } + + @AfterEach + void tearDown() { + // Clean up any captured certificates + CertificateCapturingTrustManager.clearCapturedCertificates(TEST_HOSTNAME); + } + + @Nested + @DisplayName("Accessor tests") + class AccessorTests { + + @Test + @DisplayName("hostname() returns the hostname") + void hostnameShouldReturnHostname() { + assertThat(connection.hostname()).isEqualTo(TEST_HOSTNAME); + } + + @Test + @DisplayName("preVerifyResult() returns the pre-verification result") + void preVerifyResultShouldReturnPreResult() { + assertThat(connection.preVerifyResult()).isSameAs(mockPreResult); + } + } + + @Nested + @DisplayName("hasScittArtifacts() tests") + class HasScittArtifactsTests { + + @Test + @DisplayName("Should return true when pre-result has SCITT expectation") + void shouldReturnTrueWhenScittPresent() { + when(mockPreResult.hasScittExpectation()).thenReturn(true); + + assertThat(connection.hasScittArtifacts()).isTrue(); + } + + @Test + @DisplayName("Should return false when pre-result has no SCITT expectation") + void shouldReturnFalseWhenScittAbsent() { + when(mockPreResult.hasScittExpectation()).thenReturn(false); + + assertThat(connection.hasScittArtifacts()).isFalse(); + } + } + + @Nested + @DisplayName("hasBadgeRegistration() tests") + class HasBadgeRegistrationTests { + + @Test + @DisplayName("Should return true when pre-result has badge expectation") + void shouldReturnTrueWhenBadgePresent() { + when(mockPreResult.hasBadgeExpectation()).thenReturn(true); + + assertThat(connection.hasBadgeRegistration()).isTrue(); + } + + @Test + @DisplayName("Should return false when pre-result has no badge expectation") + void shouldReturnFalseWhenBadgeAbsent() { + when(mockPreResult.hasBadgeExpectation()).thenReturn(false); + + assertThat(connection.hasBadgeRegistration()).isFalse(); + } + } + + @Nested + @DisplayName("hasDaneRecords() tests") + class HasDaneRecordsTests { + + @Test + @DisplayName("Should return true when pre-result has DANE expectation") + void shouldReturnTrueWhenDanePresent() { + when(mockPreResult.hasDaneExpectation()).thenReturn(true); + + assertThat(connection.hasDaneRecords()).isTrue(); + } + + @Test + @DisplayName("Should return false when pre-result has no DANE expectation") + void shouldReturnFalseWhenDaneAbsent() { + when(mockPreResult.hasDaneExpectation()).thenReturn(false); + + assertThat(connection.hasDaneRecords()).isFalse(); + } + } + + @Nested + @DisplayName("verifyServer() tests") + class VerifyServerTests { + + @Test + @DisplayName("Should throw SecurityException when no certificates captured") + void shouldThrowWhenNoCertificates() { + // No certificates captured for this hostname + + assertThatThrownBy(() -> connection.verifyServer()) + .isInstanceOf(SecurityException.class) + .hasMessageContaining("No server certificate captured"); + } + + @Test + @DisplayName("Should verify with provided certificate") + void shouldVerifyWithProvidedCertificate() { + X509Certificate cert = mock(X509Certificate.class); + List results = List.of( + VerificationResult.success(VerificationType.SCITT, "fingerprint", "Server SCITT verified") + ); + VerificationResult combined = VerificationResult.success(VerificationType.SCITT, "fingerprint", "Combined"); + + when(mockVerifier.postVerify(eq(TEST_HOSTNAME), eq(cert), eq(mockPreResult))) + .thenReturn(results); + when(mockVerifier.combine(eq(results), eq(policy))).thenReturn(combined); + + VerificationResult result = connection.verifyServer(cert); + + assertThat(result).isSameAs(combined); + verify(mockVerifier).postVerify(TEST_HOSTNAME, cert, mockPreResult); + verify(mockVerifier).combine(results, policy); + } + } + + @Nested + @DisplayName("verifyServerDetailed() tests") + class VerifyServerDetailedTests { + + @Test + @DisplayName("Should throw SecurityException when no certificates captured") + void shouldThrowWhenNoCertificates() { + assertThatThrownBy(() -> connection.verifyServerDetailed()) + .isInstanceOf(SecurityException.class) + .hasMessageContaining("No server certificate captured"); + } + + @Test + @DisplayName("Should return detailed results with provided certificate") + void shouldReturnDetailedResultsWithProvidedCert() { + X509Certificate cert = mock(X509Certificate.class); + List expectedResults = List.of( + VerificationResult.success(VerificationType.SCITT, "fingerprint", "SCITT OK"), + VerificationResult.notFound(VerificationType.DANE, "DANE record not found") + ); + + when(mockVerifier.postVerify(eq(TEST_HOSTNAME), eq(cert), eq(mockPreResult))) + .thenReturn(expectedResults); + + List results = connection.verifyServerDetailed(cert); + + assertThat(results).isEqualTo(expectedResults); + } + } + + @Nested + @DisplayName("close() tests") + class CloseTests { + + @Test + @DisplayName("Should clear captured certificates on close") + void shouldClearCapturedCertificatesOnClose() { + // The close method clears captured certs - verify it doesn't throw + connection.close(); + + // Verify that getting certificates returns null/empty after close + X509Certificate[] certs = CertificateCapturingTrustManager.getCapturedCertificates(TEST_HOSTNAME); + assertThat(certs).isNull(); + } + } + + @Nested + @DisplayName("AutoCloseable behavior tests") + class AutoCloseableTests { + + @Test + @DisplayName("Should work in try-with-resources") + void shouldWorkInTryWithResources() { + X509Certificate cert = mock(X509Certificate.class); + VerificationResult successResult = VerificationResult.success(VerificationType.SCITT, "fingerprint", "OK"); + + when(mockVerifier.postVerify(any(), any(), any())).thenReturn(List.of(successResult)); + when(mockVerifier.combine(any(), any())).thenReturn(successResult); + + try (AnsConnection conn = new AnsConnection(TEST_HOSTNAME, mockPreResult, mockVerifier, policy)) { + VerificationResult result = conn.verifyServer(cert); + assertThat(result.isSuccess()).isTrue(); + } + + // After close, captured certs should be cleared + X509Certificate[] certs = CertificateCapturingTrustManager.getCapturedCertificates(TEST_HOSTNAME); + assertThat(certs).isNull(); + } + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java new file mode 100644 index 0000000..5ec3ae7 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java @@ -0,0 +1,783 @@ +package com.godaddy.ans.sdk.agent; + +import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo; +import com.github.tomakehurst.wiremock.junit5.WireMockTest; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.junit.jupiter.api.io.TempDir; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; + +import java.io.FileOutputStream; +import java.nio.file.Path; +import java.security.KeyStore; +import java.time.Duration; +import java.util.Map; +import java.util.concurrent.CompletableFuture; + +import static com.github.tomakehurst.wiremock.client.WireMock.aResponse; +import static com.github.tomakehurst.wiremock.client.WireMock.head; +import static com.github.tomakehurst.wiremock.client.WireMock.stubFor; +import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class AnsVerifiedClientTest { + + @TempDir + Path tempDir; + + @Mock + private TransparencyClient mockTransparencyClient; + + @Nested + @DisplayName("Builder tests") + class BuilderTests { + + @Test + @DisplayName("Should create client with defaults") + void shouldCreateClientWithDefaults() throws Exception { + // Create a minimal PKCS12 keystore for testing + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .build(); + + assertThat(client).isNotNull(); + assertThat(client.sslContext()).isNotNull(); + assertThat(client.policy()).isEqualTo(VerificationPolicy.SCITT_REQUIRED); + assertThat(client.scittHeadersAsync().join()).isEmpty(); // No agent ID set + client.close(); + } + + @Test + @DisplayName("Should use provided policy") + void shouldUseProvidedPolicy() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + assertThat(client.policy()).isEqualTo(VerificationPolicy.PKI_ONLY); + client.close(); + } + + @Test + @DisplayName("Should throw on invalid keystore path") + void shouldThrowOnInvalidKeystorePath() { + assertThatThrownBy(() -> AnsVerifiedClient.builder() + .keyStorePath("/nonexistent/path.p12", "password") + .transparencyClient(mockTransparencyClient) + .build()) + .isInstanceOf(RuntimeException.class) + .hasMessageContaining("Failed to load keystore"); + } + + @Test + @DisplayName("Should load keystore from path") + void shouldLoadKeystoreFromPath() throws Exception { + // Create a PKCS12 keystore file + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "testpass".toCharArray()); + Path keystorePath = tempDir.resolve("test.p12"); + try (FileOutputStream fos = new FileOutputStream(keystorePath.toFile())) { + keyStore.store(fos, "testpass".toCharArray()); + } + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStorePath(keystorePath.toString(), "testpass") + .transparencyClient(mockTransparencyClient) + .build(); + + assertThat(client.sslContext()).isNotNull(); + client.close(); + } + + @Test + @DisplayName("Should set connect timeout") + void shouldSetConnectTimeout() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // Just verify it doesn't throw + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .connectTimeout(Duration.ofSeconds(15)) + .build(); + + assertThat(client).isNotNull(); + client.close(); + } + + @Test + @DisplayName("Should set agent ID") + void shouldSetAgentIdButNotFetchWithoutScitt() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // With PKI_ONLY, SCITT is disabled so no headers will be fetched + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent-123") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + assertThat(client.scittHeadersAsync().join()).isEmpty(); + client.close(); + } + + @Test + @DisplayName("Should fetch SCITT headers when SCITT enabled and agentId provided") + void shouldFetchScittHeadersWhenEnabled() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + byte[] mockReceipt = new byte[]{0x01, 0x02, 0x03}; + byte[] mockToken = new byte[]{0x04, 0x05, 0x06}; + // Mock async methods used for parallel fetch + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockReceipt)); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockToken)); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent-123") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + assertThat(client.scittHeadersAsync().join()).isNotEmpty(); + assertThat(client.scittHeadersAsync().join()).containsKey("x-scitt-receipt"); + assertThat(client.scittHeadersAsync().join()).containsKey("x-ans-status-token"); + client.close(); + } + + @Test + @DisplayName("Should handle SCITT fetch failure gracefully") + void shouldHandleScittFetchFailure() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // Mock async methods - receipt fails, token succeeds (but failure should propagate) + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.failedFuture(new RuntimeException("Failed to fetch"))); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(new byte[]{0x01})); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent-123") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + // Should not throw, just have empty headers (lazy fetch fails gracefully) + assertThat(client.scittHeadersAsync().join()).isEmpty(); + client.close(); + } + } + + @Nested + @DisplayName("Accessor tests") + class AccessorTests { + + @Test + @DisplayName("transparencyClient() returns the configured client") + void transparencyClientReturnsConfiguredClient() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .build(); + + assertThat(client.transparencyClient()).isSameAs(mockTransparencyClient); + client.close(); + } + + @Test + @DisplayName("scittHeaders() returns immutable map") + void scittHeadersReturnsImmutableMap() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + assertThatThrownBy(() -> client.scittHeadersAsync().join().put("key", "value")) + .isInstanceOf(UnsupportedOperationException.class); + client.close(); + } + } + + @Nested + @DisplayName("scittHeadersAsync() tests") + class ScittHeadersAsyncTests { + + @Test + @DisplayName("Should return completed future when SCITT disabled") + void shouldReturnCompletedFutureWhenScittDisabled() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + CompletableFuture> future = client.scittHeadersAsync(); + assertThat(future).isCompletedWithValue(Map.of()); + client.close(); + } + + @Test + @DisplayName("Should fetch headers asynchronously when SCITT enabled") + void shouldFetchHeadersAsynchronously() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + byte[] mockReceipt = new byte[]{0x01, 0x02, 0x03}; + byte[] mockToken = new byte[]{0x04, 0x05, 0x06}; + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockReceipt)); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockToken)); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + CompletableFuture> future = client.scittHeadersAsync(); + assertThat(future).succeedsWithin(Duration.ofSeconds(5)); + + Map headers = future.join(); + assertThat(headers).containsKey("x-scitt-receipt"); + assertThat(headers).containsKey("x-ans-status-token"); + client.close(); + } + + @Test + @DisplayName("Should cache headers after first fetch") + void shouldCacheHeadersAfterFirstFetch() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + byte[] mockReceipt = new byte[]{0x01, 0x02}; + byte[] mockToken = new byte[]{0x03, 0x04}; + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockReceipt)); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockToken)); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + // First call triggers fetch + Map headers1 = client.scittHeadersAsync().join(); + // Second call should return cached (same instance) + Map headers2 = client.scittHeadersAsync().join(); + + assertThat(headers1).isSameAs(headers2); + client.close(); + } + + @Test + @DisplayName("scittHeadersAsync() returns cached result on subsequent calls") + void scittHeadersAsyncReturnsCachedResult() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + byte[] mockReceipt = new byte[]{0x01, 0x02}; + byte[] mockToken = new byte[]{0x03, 0x04}; + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockReceipt)); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockToken)); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + // Both calls should return the same cached result + Map headers1 = client.scittHeadersAsync().join(); + Map headers2 = client.scittHeadersAsync().join(); + + assertThat(headers1).isSameAs(headers2); + client.close(); + } + } + + @Nested + @DisplayName("AutoCloseable tests") + class AutoCloseableTests { + + @Test + @DisplayName("Should work in try-with-resources") + void shouldWorkInTryWithResources() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + try (AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .build()) { + assertThat(client).isNotNull(); + } + // No exception means close() worked + } + } + + @Nested + @DisplayName("Default TransparencyClient creation") + class DefaultTransparencyClientTests { + + @Test + @DisplayName("Should create default TransparencyClient when not provided") + void shouldCreateDefaultTransparencyClient() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // Build without providing transparencyClient - it should create one + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .policy(VerificationPolicy.PKI_ONLY) // No SCITT, so no network calls + .build(); + + assertThat(client.transparencyClient()).isNotNull(); + client.close(); + } + } + + @Nested + @DisplayName("Verification policy configuration") + class VerificationPolicyTests { + + @Test + @DisplayName("BADGE_REQUIRED policy should enable badge verification") + void badgeRequiredPolicyShouldEnableBadge() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.BADGE_REQUIRED) + .build(); + + assertThat(client.policy()).isEqualTo(VerificationPolicy.BADGE_REQUIRED); + assertThat(client.scittHeadersAsync().join()).isEmpty(); // BADGE_REQUIRED has SCITT disabled + client.close(); + } + + @Test + @DisplayName("DANE_REQUIRED policy should enable DANE verification") + void daneRequiredPolicyShouldEnableDane() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.DANE_REQUIRED) + .build(); + + assertThat(client.policy()).isEqualTo(VerificationPolicy.DANE_REQUIRED); + client.close(); + } + + @Test + @DisplayName("SCITT_ENHANCED policy should enable SCITT with badge advisory") + void scittEnhancedPolicyShouldEnableScittWithBadge() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + byte[] mockReceipt = new byte[]{0x07, 0x08, 0x09}; + byte[] mockToken = new byte[]{0x0A, 0x0B, 0x0C}; + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockReceipt)); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockToken)); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_ENHANCED) + .build(); + + assertThat(client.policy()).isEqualTo(VerificationPolicy.SCITT_ENHANCED); + assertThat(client.scittHeadersAsync().join()).isNotEmpty(); + client.close(); + } + } + + @Nested + @DisplayName("Agent ID edge cases") + class AgentIdEdgeCases { + + @Test + @DisplayName("Should not fetch SCITT headers with blank agent ID") + void shouldNotFetchWithBlankAgentId() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId(" ") // Blank + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + // Should not have tried to fetch headers for blank agent ID + assertThat(client.scittHeadersAsync().join()).isEmpty(); + client.close(); + } + + @Test + @DisplayName("Should not fetch SCITT headers with empty agent ID") + void shouldNotFetchWithEmptyAgentId() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("") // Empty + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + assertThat(client.scittHeadersAsync().join()).isEmpty(); + client.close(); + } + } + + @Nested + @DisplayName("connect() tests") + @WireMockTest + class ConnectTests { + + @Test + @DisplayName("Should connect with PKI_ONLY policy (no preflight)") + void shouldConnectWithPkiOnly(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + AnsConnection connection = client.connect(serverUrl); + + assertThat(connection).isNotNull(); + assertThat(connection.hostname()).isEqualTo("localhost"); + assertThat(connection.hasScittArtifacts()).isFalse(); + + connection.close(); + client.close(); + } + + @Test + @DisplayName("SCITT_REQUIRED: should throw when no SCITT headers present") + void scittRequiredShouldThrowWhenNoHeaders(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + // Stub preflight to return no SCITT headers + stubFor(head(urlEqualTo("/mcp")) + .willReturn(aResponse() + .withStatus(200))); + + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + + // SCITT_REQUIRED should throw when no headers present + assertThatThrownBy(() -> client.connect(serverUrl)) + .isInstanceOf(java.util.concurrent.CompletionException.class) + .hasCauseInstanceOf(com.godaddy.ans.sdk.agent.exception.ScittVerificationException.class); + + client.close(); + } + + @Test + @DisplayName("SCITT_REQUIRED: should throw when SCITT headers present but invalid") + void scittRequiredShouldThrowWhenHeadersInvalid(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + // Stub preflight to return invalid SCITT headers (not valid COSE) + stubFor(head(urlEqualTo("/mcp")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("X-SCITT-Receipt", "aW52YWxpZA==") // "invalid" in base64 + .withHeader("X-ANS-Status-Token", "aW52YWxpZA=="))); + + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + + // SCITT_REQUIRED should throw when headers are present but invalid + assertThatThrownBy(() -> client.connect(serverUrl)) + .isInstanceOf(java.util.concurrent.CompletionException.class) + .hasCauseInstanceOf(com.godaddy.ans.sdk.agent.exception.ScittVerificationException.class); + + client.close(); + } + + @Test + @DisplayName("SCITT_ADVISORY: should allow fallback when no SCITT headers present") + void scittAdvisoryShouldAllowFallbackWhenNoHeaders(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + // Stub preflight to return no SCITT headers + stubFor(head(urlEqualTo("/mcp")) + .willReturn(aResponse() + .withStatus(200))); + + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // SCITT ADVISORY allows fallback when no headers present + VerificationPolicy scittAdvisory = VerificationPolicy.custom() + .scitt(VerificationMode.ADVISORY) + .build(); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(scittAdvisory) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + AnsConnection connection = client.connect(serverUrl); + + // Should succeed - fallback allowed when no headers + assertThat(connection).isNotNull(); + assertThat(connection.hasScittArtifacts()).isFalse(); + connection.close(); + client.close(); + } + + @Test + @DisplayName("SCITT_ADVISORY: should throw when SCITT headers present but invalid") + void scittAdvisoryShouldThrowWhenHeadersInvalid(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + // Stub preflight to return invalid SCITT headers + stubFor(head(urlEqualTo("/mcp")) + .willReturn(aResponse() + .withStatus(200) + .withHeader("X-SCITT-Receipt", "aW52YWxpZA==") + .withHeader("X-ANS-Status-Token", "aW52YWxpZA=="))); + + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // SCITT ADVISORY should reject if headers ARE present but invalid + // (prevents attackers from sending garbage headers to force fallback) + VerificationPolicy scittAdvisory = VerificationPolicy.custom() + .scitt(VerificationMode.ADVISORY) + .build(); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(scittAdvisory) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + + // Should throw because headers are present but invalid + assertThatThrownBy(() -> client.connect(serverUrl)) + .isInstanceOf(java.util.concurrent.CompletionException.class) + .hasCauseInstanceOf(com.godaddy.ans.sdk.agent.exception.ScittVerificationException.class); + + client.close(); + } + + @Test + @DisplayName("Should parse URL with custom port") + void shouldParseUrlWithCustomPort(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + stubFor(head(urlEqualTo("/api")) + .willReturn(aResponse().withStatus(200))); + + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + // Use PKI_ONLY to test port parsing without SCITT verification + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + // WireMock provides a port, which tests the port parsing + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/api"; + AnsConnection connection = client.connect(serverUrl); + + assertThat(connection).isNotNull(); + assertThat(connection.hostname()).isEqualTo("localhost"); + + connection.close(); + client.close(); + } + + @Test + @DisplayName("Should include SCITT headers in preflight request") + void shouldIncludeScittHeadersInPreflight(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + stubFor(head(urlEqualTo("/mcp")) + .willReturn(aResponse().withStatus(200))); + + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + byte[] mockReceipt = new byte[]{0x01, 0x02}; + byte[] mockToken = new byte[]{0x03, 0x04}; + when(mockTransparencyClient.getReceiptAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockReceipt)); + when(mockTransparencyClient.getStatusTokenAsync(anyString())) + .thenReturn(CompletableFuture.completedFuture(mockToken)); + + // Use SCITT ADVISORY - server returns no headers (fallback allowed) + VerificationPolicy scittAdvisory = VerificationPolicy.custom() + .scitt(VerificationMode.ADVISORY) + .build(); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId("test-agent") + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(scittAdvisory) + .build(); + + // Verify client has SCITT headers to send + assertThat(client.scittHeadersAsync().join()).isNotEmpty(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + // Server returns no SCITT headers, but ADVISORY mode allows fallback + AnsConnection connection = client.connect(serverUrl); + + assertThat(connection).isNotNull(); + connection.close(); + client.close(); + } + } + + @Nested + @DisplayName("connectAsync() tests") + @WireMockTest + class ConnectAsyncTests { + + @Test + @DisplayName("Should return completed future with PKI_ONLY policy") + void shouldReturnCompletedFutureWithPkiOnly(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; + CompletableFuture future = client.connectAsync(serverUrl); + + assertThat(future).isNotNull(); + assertThat(future).succeedsWithin(Duration.ofSeconds(5)); + + AnsConnection connection = future.join(); + assertThat(connection.hostname()).isEqualTo("localhost"); + assertThat(connection.hasScittArtifacts()).isFalse(); + + connection.close(); + client.close(); + } + + @Test + @DisplayName("Should fail future with malformed URL") + void shouldFailFutureWithMalformedUrl() throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + CompletableFuture future = client.connectAsync("not a valid url ://"); + + assertThat(future).failsWithin(Duration.ofSeconds(1)) + .withThrowableOfType(java.util.concurrent.ExecutionException.class) + .withCauseInstanceOf(IllegalArgumentException.class); + + client.close(); + } + + @Test + @DisplayName("connect() should delegate to connectAsync().join()") + void connectShouldDelegateToConnectAsync(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + keyStore.load(null, "password".toCharArray()); + + AnsVerifiedClient client = AnsVerifiedClient.builder() + .keyStore(keyStore, "password".toCharArray()) + .transparencyClient(mockTransparencyClient) + .policy(VerificationPolicy.PKI_ONLY) + .build(); + + String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/api"; + + // Both methods should produce equivalent results + AnsConnection syncConnection = client.connect(serverUrl); + AnsConnection asyncConnection = client.connectAsync(serverUrl).join(); + + assertThat(syncConnection.hostname()).isEqualTo(asyncConnection.hostname()); + assertThat(syncConnection.hasScittArtifacts()).isEqualTo(asyncConnection.hasScittArtifacts()); + + syncConnection.close(); + asyncConnection.close(); + client.close(); + } + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResultTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResultTest.java new file mode 100644 index 0000000..5eda532 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResultTest.java @@ -0,0 +1,387 @@ +package com.godaddy.ans.sdk.agent.verification; + +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.util.ArrayList; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +class ClientRequestVerificationResultTest { + + @Nested + @DisplayName("Constructor validation tests") + class ConstructorValidationTests { + + @Test + @DisplayName("Should throw NullPointerException when errors is null") + void shouldThrowWhenErrorsNull() { + assertThatThrownBy(() -> new ClientRequestVerificationResult( + true, + "agent-123", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + null, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(100) + )).isInstanceOf(NullPointerException.class) + .hasMessageContaining("errors cannot be null"); + } + + @Test + @DisplayName("Should throw NullPointerException when policyUsed is null") + void shouldThrowWhenPolicyNull() { + assertThatThrownBy(() -> new ClientRequestVerificationResult( + true, + "agent-123", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + List.of(), + null, + Duration.ofMillis(100) + )).isInstanceOf(NullPointerException.class) + .hasMessageContaining("policyUsed cannot be null"); + } + + @Test + @DisplayName("Should throw NullPointerException when verificationDuration is null") + void shouldThrowWhenDurationNull() { + assertThatThrownBy(() -> new ClientRequestVerificationResult( + true, + "agent-123", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + List.of(), + VerificationPolicy.SCITT_REQUIRED, + null + )).isInstanceOf(NullPointerException.class) + .hasMessageContaining("verificationDuration cannot be null"); + } + + @Test + @DisplayName("Should create defensive copy of errors list") + void shouldCreateDefensiveCopyOfErrors() { + List errors = new ArrayList<>(); + errors.add("error1"); + + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + false, + null, + null, + null, + null, + errors, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(100) + ); + + // Modify original list + errors.add("error2"); + + // Result should not be affected + assertThat(result.errors()).containsExactly("error1"); + } + } + + @Nested + @DisplayName("Factory method tests") + class FactoryMethodTests { + + @Test + @DisplayName("success() should create verified result") + void successShouldCreateVerifiedResult() { + StatusToken token = mock(StatusToken.class); + ScittReceipt receipt = mock(ScittReceipt.class); + X509Certificate cert = mock(X509Certificate.class); + Duration duration = Duration.ofMillis(150); + + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "agent-123", + token, + receipt, + cert, + VerificationPolicy.SCITT_REQUIRED, + duration + ); + + assertThat(result.verified()).isTrue(); + assertThat(result.agentId()).isEqualTo("agent-123"); + assertThat(result.statusToken()).isSameAs(token); + assertThat(result.receipt()).isSameAs(receipt); + assertThat(result.clientCertificate()).isSameAs(cert); + assertThat(result.errors()).isEmpty(); + assertThat(result.policyUsed()).isEqualTo(VerificationPolicy.SCITT_REQUIRED); + assertThat(result.verificationDuration()).isEqualTo(duration); + } + + @Test + @DisplayName("failure() with list should create failed result") + void failureWithListShouldCreateFailedResult() { + StatusToken token = mock(StatusToken.class); + when(token.agentId()).thenReturn("extracted-agent-id"); + ScittReceipt receipt = mock(ScittReceipt.class); + X509Certificate cert = mock(X509Certificate.class); + List errors = List.of("error1", "error2"); + Duration duration = Duration.ofMillis(200); + + ClientRequestVerificationResult result = ClientRequestVerificationResult.failure( + errors, + token, + receipt, + cert, + VerificationPolicy.BADGE_REQUIRED, + duration + ); + + assertThat(result.verified()).isFalse(); + assertThat(result.agentId()).isEqualTo("extracted-agent-id"); + assertThat(result.statusToken()).isSameAs(token); + assertThat(result.receipt()).isSameAs(receipt); + assertThat(result.clientCertificate()).isSameAs(cert); + assertThat(result.errors()).containsExactly("error1", "error2"); + assertThat(result.policyUsed()).isEqualTo(VerificationPolicy.BADGE_REQUIRED); + assertThat(result.verificationDuration()).isEqualTo(duration); + } + + @Test + @DisplayName("failure() with single error should create failed result") + void failureWithSingleErrorShouldCreateFailedResult() { + X509Certificate cert = mock(X509Certificate.class); + Duration duration = Duration.ofMillis(50); + + ClientRequestVerificationResult result = ClientRequestVerificationResult.failure( + "Single error message", + cert, + VerificationPolicy.PKI_ONLY, + duration + ); + + assertThat(result.verified()).isFalse(); + assertThat(result.agentId()).isNull(); + assertThat(result.statusToken()).isNull(); + assertThat(result.receipt()).isNull(); + assertThat(result.clientCertificate()).isSameAs(cert); + assertThat(result.errors()).containsExactly("Single error message"); + assertThat(result.policyUsed()).isEqualTo(VerificationPolicy.PKI_ONLY); + assertThat(result.verificationDuration()).isEqualTo(duration); + } + + @Test + @DisplayName("failure() should extract agent ID from null token") + void failureShouldHandleNullToken() { + X509Certificate cert = mock(X509Certificate.class); + + ClientRequestVerificationResult result = ClientRequestVerificationResult.failure( + List.of("error"), + null, + null, + cert, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(100) + ); + + assertThat(result.agentId()).isNull(); + } + } + + @Nested + @DisplayName("Helper method tests") + class HelperMethodTests { + + @Test + @DisplayName("hasScittArtifacts() returns true when both are present") + void hasScittArtifactsReturnsTrue() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "agent", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ZERO + ); + + assertThat(result.hasScittArtifacts()).isTrue(); + } + + @Test + @DisplayName("hasScittArtifacts() returns false when receipt is null") + void hasScittArtifactsReturnsFalseNoReceipt() { + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + true, "agent", mock(StatusToken.class), null, + mock(X509Certificate.class), List.of(), VerificationPolicy.SCITT_REQUIRED, Duration.ZERO + ); + + assertThat(result.hasScittArtifacts()).isFalse(); + } + + @Test + @DisplayName("hasScittArtifacts() returns false when token is null") + void hasScittArtifactsReturnsFalseNoToken() { + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + true, "agent", null, mock(ScittReceipt.class), + mock(X509Certificate.class), List.of(), VerificationPolicy.SCITT_REQUIRED, Duration.ZERO + ); + + assertThat(result.hasScittArtifacts()).isFalse(); + } + + @Test + @DisplayName("hasStatusTokenOnly() returns true when token present but not receipt") + void hasStatusTokenOnlyReturnsTrue() { + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + true, "agent", mock(StatusToken.class), null, + mock(X509Certificate.class), List.of(), VerificationPolicy.SCITT_REQUIRED, Duration.ZERO + ); + + assertThat(result.hasStatusTokenOnly()).isTrue(); + } + + @Test + @DisplayName("hasStatusTokenOnly() returns false when both present") + void hasStatusTokenOnlyReturnsFalseBothPresent() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "agent", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ZERO + ); + + assertThat(result.hasStatusTokenOnly()).isFalse(); + } + + @Test + @DisplayName("hasAnyScittArtifact() returns true with only receipt") + void hasAnyScittArtifactReturnsTrueOnlyReceipt() { + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + true, "agent", null, mock(ScittReceipt.class), + mock(X509Certificate.class), List.of(), VerificationPolicy.SCITT_REQUIRED, Duration.ZERO + ); + + assertThat(result.hasAnyScittArtifact()).isTrue(); + } + + @Test + @DisplayName("hasAnyScittArtifact() returns true with only token") + void hasAnyScittArtifactReturnsTrueOnlyToken() { + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + true, "agent", mock(StatusToken.class), null, + mock(X509Certificate.class), List.of(), VerificationPolicy.SCITT_REQUIRED, Duration.ZERO + ); + + assertThat(result.hasAnyScittArtifact()).isTrue(); + } + + @Test + @DisplayName("hasAnyScittArtifact() returns false with neither") + void hasAnyScittArtifactReturnsFalseNeither() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.failure( + "error", + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ZERO + ); + + assertThat(result.hasAnyScittArtifact()).isFalse(); + } + + @Test + @DisplayName("isCertificateTrusted() returns true when verified with token") + void isCertificateTrustedReturnsTrue() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "agent", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ZERO + ); + + assertThat(result.isCertificateTrusted()).isTrue(); + } + + @Test + @DisplayName("isCertificateTrusted() returns false when not verified") + void isCertificateTrustedReturnsFalseNotVerified() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.failure( + List.of("error"), + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ZERO + ); + + assertThat(result.isCertificateTrusted()).isFalse(); + } + + @Test + @DisplayName("isCertificateTrusted() returns false when verified without token") + void isCertificateTrustedReturnsFalseNoToken() { + ClientRequestVerificationResult result = new ClientRequestVerificationResult( + true, "agent", null, mock(ScittReceipt.class), + mock(X509Certificate.class), List.of(), VerificationPolicy.SCITT_REQUIRED, Duration.ZERO + ); + + assertThat(result.isCertificateTrusted()).isFalse(); + } + } + + @Nested + @DisplayName("toString() tests") + class ToStringTests { + + @Test + @DisplayName("toString() for verified result includes agentId and duration") + void toStringForVerifiedResult() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "test-agent-id", + mock(StatusToken.class), + mock(ScittReceipt.class), + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(123) + ); + + String str = result.toString(); + + assertThat(str).contains("verified=true"); + assertThat(str).contains("agentId='test-agent-id'"); + assertThat(str).contains("PT0.123S"); + } + + @Test + @DisplayName("toString() for failed result includes errors and duration") + void toStringForFailedResult() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.failure( + List.of("error1", "error2"), + null, + null, + mock(X509Certificate.class), + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(456) + ); + + String str = result.toString(); + + assertThat(str).contains("verified=false"); + assertThat(str).contains("error1"); + assertThat(str).contains("error2"); + assertThat(str).contains("PT0.456S"); + } + } +} diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java new file mode 100644 index 0000000..7236f38 --- /dev/null +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java @@ -0,0 +1,644 @@ +package com.godaddy.ans.sdk.agent.verification; + +import com.godaddy.ans.sdk.agent.VerificationMode; +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.crypto.CertificateUtils; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; +import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; +import com.godaddy.ans.sdk.transparency.scitt.ScittHeaders; +import com.godaddy.ans.sdk.transparency.scitt.ScittReceipt; +import com.godaddy.ans.sdk.transparency.scitt.ScittVerifier; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; +import com.upokecenter.cbor.CBORObject; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; + +import com.godaddy.ans.sdk.crypto.CryptoCache; + +import org.bouncycastle.util.encoders.Hex; + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.time.Instant; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.TimeUnit; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +class ClientRequestVerifierTest { + + private TransparencyClient mockTransparencyClient; + private ScittVerifier mockScittVerifier; + private X509Certificate mockClientCert; + private DefaultClientRequestVerifier verifier; + private String clientCertFingerprint; + private KeyPair testKeyPair; + + @BeforeEach + void setUp() throws Exception { + mockTransparencyClient = mock(TransparencyClient.class); + mockScittVerifier = mock(ScittVerifier.class); + mockClientCert = createMockCertificate(); + clientCertFingerprint = CertificateUtils.computeSha256Fingerprint(mockClientCert); + + // Generate test key pair for root key mock + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(256); + testKeyPair = keyGen.generateKeyPair(); + + // Setup mock TransparencyClient + when(mockTransparencyClient.getRootKeysAsync()).thenReturn( + CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + + verifier = DefaultClientRequestVerifier.builder() + .transparencyClient(mockTransparencyClient) + .scittVerifier(mockScittVerifier) + .headerProvider(new DefaultScittHeaderProvider()) + .verificationCacheTtl(Duration.ofMinutes(5)) + .build(); + } + + /** + * Helper to convert a PublicKey to a Map keyed by hex key ID. + */ + private Map toRootKeys(PublicKey publicKey) { + byte[] hash = CryptoCache.sha256(publicKey.getEncoded()); + String hexKeyId = Hex.toHexString(Arrays.copyOf(hash, 4)); + Map map = new HashMap<>(); + map.put(hexKeyId, publicKey); + return map; + } + + @Nested + @DisplayName("Input validation tests") + class InputValidationTests { + + @Test + @DisplayName("Should reject null client certificate") + void shouldRejectNullClientCert() { + assertThatThrownBy(() -> + verifier.verify(null, Map.of(), VerificationPolicy.SCITT_REQUIRED)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("clientCert cannot be null"); + } + + @Test + @DisplayName("Should reject null request headers") + void shouldRejectNullHeaders() { + assertThatThrownBy(() -> + verifier.verify(mockClientCert, null, VerificationPolicy.SCITT_REQUIRED)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("requestHeaders cannot be null"); + } + + @Test + @DisplayName("Should reject null policy") + void shouldRejectNullPolicy() { + assertThatThrownBy(() -> + verifier.verify(mockClientCert, Map.of(), null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("policy cannot be null"); + } + } + + @Nested + @DisplayName("Missing SCITT headers tests") + class MissingHeadersTests { + + @Test + @DisplayName("Should fail when SCITT headers required but missing") + void shouldFailWhenScittRequiredButMissing() throws Exception { + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, Map.of(), VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("not present")); + } + + @Test + @DisplayName("Should fail gracefully when SCITT headers in advisory mode but missing") + void shouldHandleMissingHeadersInAdvisoryMode() throws Exception { + VerificationPolicy advisoryPolicy = VerificationPolicy.custom() + .scitt(VerificationMode.ADVISORY) + .build(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, Map.of(), advisoryPolicy) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("not present")); + } + } + + @Nested + @DisplayName("Successful verification tests") + class SuccessfulVerificationTests { + + @Test + @DisplayName("Should verify valid SCITT artifacts with matching certificate") + void shouldVerifyValidArtifacts() throws Exception { + // Setup mock SCITT verification to return success with matching identity cert + ScittExpectation expectation = ScittExpectation.verified( + List.of(), // server certs (not used for client verification) + List.of(clientCertFingerprint), // identity certs - must match client cert + "agent.example.com", + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isTrue(); + assertThat(result.agentId()).isEqualTo("test-agent"); + assertThat(result.errors()).isEmpty(); + assertThat(result.hasScittArtifacts()).isTrue(); + assertThat(result.isCertificateTrusted()).isTrue(); + } + + @Test + @DisplayName("Should cache successful verification result") + void shouldCacheSuccessfulResult() throws Exception { + ScittExpectation expectation = ScittExpectation.verified( + List.of(), + List.of(clientCertFingerprint), + "agent.example.com", + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + Map headers = createValidScittHeaders(); + + // First call + ClientRequestVerificationResult result1 = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + // Second call with same inputs should use cache + ClientRequestVerificationResult result2 = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result1.verified()).isTrue(); + assertThat(result2.verified()).isTrue(); + // Both should succeed (cache hit on second call) + } + + @Test + @DisplayName("Should invalidate cache when token expires before cache TTL") + void shouldInvalidateCacheWhenTokenExpires() throws Exception { + // Create a token that expires in 100ms - much shorter than cache TTL + Instant shortExpiry = Instant.now().plusMillis(100); + StatusToken shortLivedToken = createMockStatusTokenWithExpiry( + "test-agent", shortExpiry); + + ScittExpectation expectation = ScittExpectation.verified( + List.of(), + List.of(clientCertFingerprint), + "agent.example.com", + "test.ans", + Map.of(), + shortLivedToken + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + // Headers must also use short expiry - the token parsed from headers is used for cache TTL + Map headers = createValidScittHeadersWithExpiry(shortExpiry); + + // First call - should succeed and cache + ClientRequestVerificationResult result1 = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + assertThat(result1.verified()).isTrue(); + + // Verify scittVerifier was called once + verify(mockScittVerifier, times(1)).verify(any(), any(), any()); + + // Wait for token to expire (cache TTL is 5 minutes, token expires in 100ms) + Thread.sleep(150); + + // Second call - token expired, should NOT use cache, should re-verify + ClientRequestVerificationResult result2 = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + assertThat(result2.verified()).isTrue(); + + // Verify scittVerifier was called twice (cache was invalidated due to token expiry) + verify(mockScittVerifier, times(2)).verify(any(), any(), any()); + } + } + + @Nested + @DisplayName("Certificate fingerprint mismatch tests") + class FingerprintMismatchTests { + + @Test + @DisplayName("Should fail when certificate fingerprint does not match identity certs") + void shouldFailOnFingerprintMismatch() throws Exception { + // Return expectation with different identity cert fingerprint + ScittExpectation expectation = ScittExpectation.verified( + List.of(), + List.of("SHA256:different-fingerprint"), // Won't match client cert + "agent.example.com", + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("fingerprint mismatch")); + } + + @Test + @DisplayName("Should fail when no identity certs in status token") + void shouldFailWhenNoIdentityCerts() throws Exception { + ScittExpectation expectation = ScittExpectation.verified( + List.of("SHA256:some-server-cert"), + List.of(), // No identity certs + "agent.example.com", + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("No valid identity certificates")); + } + } + + @Nested + @DisplayName("SCITT verification failure tests") + class ScittVerificationFailureTests { + + @Test + @DisplayName("Should fail when SCITT verification fails") + void shouldFailWhenScittVerificationFails() throws Exception { + when(mockScittVerifier.verify(any(), any(), any())) + .thenReturn(ScittExpectation.invalidToken("Signature verification failed")); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("SCITT verification failed")); + } + + @Test + @DisplayName("Should fail when status token is expired") + void shouldFailWhenTokenExpired() throws Exception { + when(mockScittVerifier.verify(any(), any(), any())) + .thenReturn(ScittExpectation.expired()); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("SCITT verification failed")); + } + + @Test + @DisplayName("Should fail when agent is revoked") + void shouldFailWhenAgentRevoked() throws Exception { + when(mockScittVerifier.verify(any(), any(), any())) + .thenReturn(ScittExpectation.revoked("test.ans")); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + } + } + + @Nested + @DisplayName("Invalid header content tests") + class InvalidHeaderContentTests { + + @Test + @DisplayName("Should fail on invalid Base64 in headers") + void shouldFailOnInvalidBase64() throws Exception { + Map headers = Map.of( + ScittHeaders.STATUS_TOKEN_HEADER, "not-valid-base64!!!" + ); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + } + + @Test + @DisplayName("Should fail on invalid CBOR in headers") + void shouldFailOnInvalidCbor() throws Exception { + byte[] invalidCbor = {0x01, 0x02, 0x03}; + Map headers = Map.of( + ScittHeaders.STATUS_TOKEN_HEADER, Base64.getEncoder().encodeToString(invalidCbor) + ); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + } + } + + @Nested + @DisplayName("ClientRequestVerificationResult tests") + class ResultTests { + + @Test + @DisplayName("hasScittArtifacts should return true when both present") + void hasScittArtifactsShouldReturnTrueWhenBothPresent() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "test-agent", + createMockStatusToken("test-agent"), + createMockReceipt(), + mockClientCert, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(100) + ); + + assertThat(result.hasScittArtifacts()).isTrue(); + } + + @Test + @DisplayName("hasScittArtifacts should return false when receipt missing") + void hasScittArtifactsShouldReturnFalseWhenReceiptMissing() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "test-agent", + createMockStatusToken("test-agent"), + null, // no receipt + mockClientCert, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(100) + ); + + assertThat(result.hasScittArtifacts()).isFalse(); + assertThat(result.hasStatusTokenOnly()).isTrue(); + } + + @Test + @DisplayName("isCertificateTrusted should return true when verified with token") + void isCertificateTrustedWhenVerifiedWithToken() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "test-agent", + createMockStatusToken("test-agent"), + createMockReceipt(), + mockClientCert, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(100) + ); + + assertThat(result.isCertificateTrusted()).isTrue(); + } + + @Test + @DisplayName("toString should include verification duration") + void toStringShouldIncludeDuration() { + ClientRequestVerificationResult result = ClientRequestVerificationResult.success( + "test-agent", + createMockStatusToken("test-agent"), + null, + mockClientCert, + VerificationPolicy.SCITT_REQUIRED, + Duration.ofMillis(150) + ); + + assertThat(result.toString()).contains("verified=true"); + assertThat(result.toString()).contains("test-agent"); + } + } + + @Nested + @DisplayName("Builder tests") + class BuilderTests { + + @Test + @DisplayName("Should require TransparencyClient") + void shouldRequireTransparencyClient() { + assertThatThrownBy(() -> DefaultClientRequestVerifier.builder().build()) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("transparencyClient is required"); + } + + @Test + @DisplayName("Should build with TransparencyClient") + void shouldBuildWithTransparencyClient() { + DefaultClientRequestVerifier verifier = DefaultClientRequestVerifier.builder() + .transparencyClient(mockTransparencyClient) + .build(); + + assertThat(verifier).isNotNull(); + } + + @Test + @DisplayName("Should build with custom cache TTL") + void shouldBuildWithCustomCacheTtl() { + DefaultClientRequestVerifier verifier = DefaultClientRequestVerifier.builder() + .transparencyClient(mockTransparencyClient) + .verificationCacheTtl(Duration.ofMinutes(10)) + .build(); + + assertThat(verifier).isNotNull(); + } + + @Test + @DisplayName("Should reject null cache TTL") + void shouldRejectNullCacheTtl() { + assertThatThrownBy(() -> DefaultClientRequestVerifier.builder() + .verificationCacheTtl(null)) + .isInstanceOf(NullPointerException.class) + .hasMessageContaining("ttl cannot be null"); + } + + @Test + @DisplayName("Should reject zero cache TTL") + void shouldRejectZeroCacheTtl() { + assertThatThrownBy(() -> DefaultClientRequestVerifier.builder() + .verificationCacheTtl(Duration.ZERO)) + .isInstanceOf(IllegalArgumentException.class) + .hasMessageContaining("must be positive"); + } + + @Test + @DisplayName("Should reject negative cache TTL") + void shouldRejectNegativeCacheTtl() { + assertThatThrownBy(() -> DefaultClientRequestVerifier.builder() + .verificationCacheTtl(Duration.ofSeconds(-1))) + .isInstanceOf(IllegalArgumentException.class) + .hasMessageContaining("must be positive"); + } + } + + // Helper methods + + private Map createValidScittHeaders() { + return createValidScittHeadersWithExpiry(Instant.now().plusSeconds(3600)); + } + + private Map createValidScittHeadersWithExpiry(Instant expiresAt) { + byte[] receiptBytes = createValidReceiptBytes(); + byte[] tokenBytes = createValidStatusTokenBytesWithExpiry(expiresAt); + + Map headers = new HashMap<>(); + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, Base64.getEncoder().encodeToString(receiptBytes)); + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, Base64.getEncoder().encodeToString(tokenBytes)); + return headers; + } + + private byte[] createValidReceiptBytes() { + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); // alg = ES256 + protectedHeader.Add(395, 1); // vds = RFC9162_SHA256 + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject inclusionProofMap = CBORObject.NewMap(); + inclusionProofMap.Add(-1, 1L); + inclusionProofMap.Add(-2, 0L); + inclusionProofMap.Add(-3, CBORObject.NewArray()); + inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); + + CBORObject unprotectedHeader = CBORObject.NewMap(); + unprotectedHeader.Add(396, inclusionProofMap); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(unprotectedHeader); + array.Add("test-payload".getBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + private byte[] createValidStatusTokenBytesWithExpiry(Instant expiresAt) { + long now = Instant.now().getEpochSecond(); + + CBORObject payload = CBORObject.NewMap(); + payload.Add(1, "test-agent"); + payload.Add(2, "ACTIVE"); + payload.Add(3, now); + payload.Add(4, expiresAt.getEpochSecond()); + + CBORObject protectedHeader = CBORObject.NewMap(); + protectedHeader.Add(1, -7); + byte[] protectedBytes = protectedHeader.EncodeToBytes(); + + CBORObject array = CBORObject.NewArray(); + array.Add(protectedBytes); + array.Add(CBORObject.NewMap()); + array.Add(payload.EncodeToBytes()); + array.Add(new byte[64]); + CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); + + return tagged.EncodeToBytes(); + } + + private X509Certificate createMockCertificate() throws Exception { + // Generate a self-signed certificate for testing + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + keyGen.initialize(256); + KeyPair keyPair = keyGen.generateKeyPair(); + + // Use BouncyCastle to create a self-signed certificate + org.bouncycastle.asn1.x500.X500Name subject = + new org.bouncycastle.asn1.x500.X500Name("CN=Test Agent"); + BigInteger serial = BigInteger.valueOf(System.currentTimeMillis()); + Instant now = Instant.now(); + + org.bouncycastle.cert.X509v3CertificateBuilder certBuilder = + new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder( + subject, + serial, + java.util.Date.from(now.minusSeconds(3600)), + java.util.Date.from(now.plusSeconds(86400)), + subject, + keyPair.getPublic() + ); + + org.bouncycastle.operator.ContentSigner signer = + new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder("SHA256withECDSA") + .build(keyPair.getPrivate()); + + org.bouncycastle.cert.X509CertificateHolder certHolder = certBuilder.build(signer); + return new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter() + .getCertificate(certHolder); + } + + private StatusToken createMockStatusToken(String agentId) { + return createMockStatusTokenWithExpiry(agentId, Instant.now().plusSeconds(3600)); + } + + private StatusToken createMockStatusTokenWithExpiry(String agentId, Instant expiresAt) { + return new StatusToken( + agentId, + StatusToken.Status.ACTIVE, + Instant.now(), + expiresAt, + agentId + ".ans", + "agent.example.com", + List.of(), + List.of(), + Map.of(), + null, + null, + null, + null + ); + } + + private ScittReceipt createMockReceipt() { + return mock(ScittReceipt.class); + } +} From 7c40d61125f17857dffba43d570314bca34d1925 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 12:54:55 +1100 Subject: [PATCH 06/19] docs: update examples and documentation for SCITT verification - Update all example READMEs with SCITT verification documentation - A2A client example: Add SCITT_REQUIRED policy demonstration - HTTP API example: Add per-request SCITT verification - MCP client example: Simplify and add SCITT support - Add new mcp-server-spring example: Spring Boot MCP server with SCITT header injection and client verification filters Co-Authored-By: Claude Opus 4.5 --- README.md | 4 +- ans-sdk-agent-client/examples/README.md | 3 +- .../examples/a2a-client/README.md | 90 +++++- .../ans/examples/a2a/A2aClientExample.java | 186 +++++++++++- .../examples/http-api/README.md | 84 ++++-- .../ans/examples/httpapi/HttpApiExample.java | 108 ++++++- .../examples/mcp-client/README.md | 159 +++++++--- .../examples/mcp-client/build.gradle.kts | 2 +- .../ans/examples/mcp/McpClientExample.java | 282 ++++++------------ .../examples/mcp-server-spring/README.md | 253 ++++++++++++++++ .../mcp-server-spring/build.gradle.kts | 47 +++ .../spring/McpServerSpringApplication.java | 59 ++++ .../spring/config/McpServerProperties.java | 158 ++++++++++ .../mcp/spring/config/ScittConfig.java | 101 +++++++ .../mcp/spring/config/ScittLifecycle.java | 81 +++++ .../mcp/spring/controller/McpController.java | 197 ++++++++++++ .../filter/ClientVerificationFilter.java | 172 +++++++++++ .../filter/ScittHeaderResponseFilter.java | 94 ++++++ .../spring/health/ScittHealthIndicator.java | 172 +++++++++++ .../src/main/resources/application.yml | 69 +++++ 20 files changed, 2045 insertions(+), 276 deletions(-) create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/README.md create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/build.gradle.kts create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/McpServerSpringApplication.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/McpServerProperties.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittConfig.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittLifecycle.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/controller/McpController.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ClientVerificationFilter.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/health/ScittHealthIndicator.java create mode 100644 ans-sdk-agent-client/examples/mcp-server-spring/src/main/resources/application.yml diff --git a/README.md b/README.md index cab66d3..678845b 100644 --- a/README.md +++ b/README.md @@ -345,7 +345,7 @@ AgentConnection conn = client.connect("https://target-agent.example.com", // Full verification - DANE + Badge AgentConnection conn = client.connect("https://target-agent.example.com", ConnectOptions.builder() - .verificationPolicy(VerificationPolicy.FULL) + .verificationPolicy(VerificationPolicy.DANE_AND_BADGE) .build()); // With mTLS client certificate @@ -507,7 +507,7 @@ ConnectOptions.builder() // Full verification (DANE + Badge) ConnectOptions.builder() - .verificationPolicy(VerificationPolicy.FULL) + .verificationPolicy(VerificationPolicy.DANE_AND_BADGE) .build(); ``` diff --git a/ans-sdk-agent-client/examples/README.md b/ans-sdk-agent-client/examples/README.md index cb539c8..ec74878 100644 --- a/ans-sdk-agent-client/examples/README.md +++ b/ans-sdk-agent-client/examples/README.md @@ -47,7 +47,8 @@ All examples support different ANS verification policies: | `DANE_REQUIRED` | Requires DANE/TLSA verification | | `BADGE_REQUIRED` | Requires transparency log verification | | `DANE_AND_BADGE` | Requires both DANE and Badge | -| `FULL` | DANE + Badge (maximum security) | +| `SCITT_REQUIRED` | Requires SCITT header verification (recommended) | +| `SCITT_ENHANCED` | SCITT required with badge fallback if no headers | ## Integration Patterns diff --git a/ans-sdk-agent-client/examples/a2a-client/README.md b/ans-sdk-agent-client/examples/a2a-client/README.md index 5bb349b..995ef27 100644 --- a/ans-sdk-agent-client/examples/a2a-client/README.md +++ b/ans-sdk-agent-client/examples/a2a-client/README.md @@ -5,35 +5,45 @@ This example demonstrates ANS verification integration with the official ## Overview -The A2A SDK's built-in `JdkA2AHttpClient` doesn't expose SSL customization, so this -example includes an `HttpClientA2AAdapter` that implements `A2AHttpClient` with a custom -`SSLContext` for ANS certificate capture. +The example includes two verification approaches: + +1. **Manual Verification** - Low-level DANE/Badge flow with certificate capture +2. **SCITT with AnsVerifiedClient** - High-level SCITT verification (recommended) ## Prerequisites - A2A server with HTTPS endpoint (implements `/.well-known/agent-card.json`) - For Badge verification: Agent in ANS transparency log - For DANE verification: TLSA DNS records configured +- For SCITT verification: Agent with receipt and status token, client keystore ## Usage ```bash -# Run with default settings +# Run with default settings (Manual DANE/Badge example) ./gradlew :ans-sdk-agent-client:examples:a2a-client:run # Run with custom server URL ./gradlew :ans-sdk-agent-client:examples:a2a-client:run --args="https://your-a2a-server.example.com:8443" + +# Run SCITT example (requires keystore and agent ID) +./gradlew :ans-sdk-agent-client:examples:a2a-client:run \ + --args="https://your-server:8443 /path/to/client.p12 password agentId" ``` -## Integration Pattern +## Example 1: Manual DANE/Badge Verification -The integration follows a **Pre-verify / Connect / Post-verify** pattern: +The manual integration follows a **Pre-verify / Connect / Post-verify** pattern: ```java -// 1. Set up ConnectionVerifier +// 1. Set up ConnectionVerifier with DANE and Badge ConnectionVerifier verifier = DefaultConnectionVerifier.builder() - .daneVerifier(new DaneVerifier(new DefaultDaneTlsaVerifier(DaneConfig.defaults()))) - .badgeVerifier(new BadgeVerifier(agentVerificationService)) + .daneVerifier(new DaneVerifier(new DefaultDaneTlsaVerifier( + DaneConfig.builder().validationMode(DnssecValidationMode.VALIDATE_IN_CODE).build()))) + .badgeVerifier(new BadgeVerifier( + BadgeVerificationService.builder() + .transparencyClient(TransparencyClient.builder().build()) + .build())) .build(); // 2. Pre-verify (async DANE lookup) @@ -45,7 +55,7 @@ SSLContext sslContext = AnsVerifiedSslContextFactory.create(); // 4. Create A2A HTTP client adapter with custom SSLContext HttpClientA2AAdapter httpClient = new HttpClientA2AAdapter(sslContext); -// 5. Fetch AgentCard (triggers TLS handshake) +// 5. Fetch AgentCard (triggers TLS handshake, captures certificate) A2ACardResolver cardResolver = new A2ACardResolver(httpClient, serverUrl, null); AgentCard agentCard = cardResolver.getAgentCard(); @@ -72,6 +82,47 @@ client.sendMessage(message); CertificateCapturingTrustManager.clearCapturedCertificates(hostname); ``` +## Example 2: SCITT with AnsVerifiedClient (Recommended) + +The high-level approach using `AnsVerifiedClient` handles SCITT automatically: + +```java +// 1. Create AnsVerifiedClient with SCITT policy +try (AnsVerifiedClient ansClient = AnsVerifiedClient.builder() + .agentId(agentId) + .keyStorePath(keystorePath, keystorePassword) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build()) { + + // 2. Connect (performs preflight for SCITT header exchange) + try (AnsConnection connection = ansClient.connect(serverUrl)) { + System.out.println("SCITT artifacts from server: " + connection.hasScittArtifacts()); + + // 3. Create A2A HTTP client with ANS SSLContext + HttpClientA2AAdapter httpClient = new HttpClientA2AAdapter(ansClient.sslContext()); + + // 4. Fetch AgentCard (triggers TLS handshake) + A2ACardResolver cardResolver = new A2ACardResolver(httpClient, serverUrl, null); + AgentCard agentCard = cardResolver.getAgentCard(); + + // 5. Post-verify server certificate + VerificationResult result = connection.verifyServer(); + if (!result.isSuccess()) { + throw new SecurityException("SCITT verification failed: " + result.reason()); + } + + // 6. Create A2A client and send messages + JSONRPCTransportConfig transportConfig = new JSONRPCTransportConfig(httpClient); + Client client = Client.builder(agentCard) + .withTransport(JSONRPCTransport.class, transportConfig) + .build(); + + Message message = A2A.toUserMessage("Hello from SCITT-verified A2A client!"); + client.sendMessage(message); + } +} +``` + ## HttpClientA2AAdapter The adapter wraps Java's `HttpClient` to implement A2A's `A2AHttpClient` interface: @@ -92,14 +143,28 @@ This is necessary because: - `A2AHttpClientFactory` SPI doesn't pass configuration parameters - The adapter pattern provides a clean way to inject our SSL configuration +## Verification Policies + +| Policy | Description | Use Case | +|--------|-------------|----------| +| `PKI_ONLY` | System trust store only | Development, testing | +| `DANE_REQUIRED` | Requires DANE/TLSA | High security with DNSSEC | +| `BADGE_REQUIRED` | Requires transparency log | Legacy production | +| `DANE_AND_BADGE` | Both DANE and Badge | Maximum legacy security | +| `SCITT_REQUIRED` | Requires SCITT artifacts | **Recommended for production** | +| `SCITT_ENHANCED` | SCITT with badge fallback | Migration from badge | + ## Key Classes | Class | Purpose | |-------|---------| | `HttpClientA2AAdapter` | A2AHttpClient implementation with custom SSLContext | +| `AnsVerifiedClient` | High-level client with SCITT support and mTLS | +| `AnsConnection` | Connection handle for SCITT verification flow | | `AnsVerifiedSslContextFactory` | Creates SSLContext with certificate capture | | `CertificateCapturingTrustManager` | Stores certificates during TLS handshake | -| `DefaultConnectionVerifier` | Coordinates DANE, Badge verification | +| `DefaultConnectionVerifier` | Coordinates DANE, Badge, SCITT verification | +| `TransparencyClient` | Fetches SCITT artifacts and root public key | ## Dependencies @@ -109,5 +174,6 @@ dependencies { implementation("io.github.a2asdk:a2a-java-sdk-client-transport-jsonrpc:1.0.0.Alpha1") implementation("io.github.a2asdk:a2a-java-sdk-http-client:1.0.0.Alpha1") implementation("io.github.a2asdk:a2a-java-sdk-spec:1.0.0.Alpha1") + implementation(project(":ans-sdk-agent-client")) } -``` \ No newline at end of file +``` diff --git a/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java b/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java index f965472..bee13dc 100644 --- a/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java +++ b/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java @@ -1,5 +1,7 @@ package com.godaddy.ans.examples.a2a; +import com.godaddy.ans.sdk.agent.AnsConnection; +import com.godaddy.ans.sdk.agent.AnsVerifiedClient; import com.godaddy.ans.sdk.agent.VerificationPolicy; import com.godaddy.ans.sdk.agent.http.AnsVerifiedSslContextFactory; import com.godaddy.ans.sdk.agent.http.CertificateCapturingTrustManager; @@ -39,10 +41,16 @@ /** * A2A Client Example - demonstrates ANS verification with the A2A SDK. * - *

This example shows how to integrate ANS verification (DANE, Badge) + *

This example shows how to integrate ANS verification (DANE, Badge, SCITT) * with the official A2A (Agent-to-Agent) Java SDK.

* - *

Integration Pattern

+ *

Examples

+ *
    + *
  • Example 1: Manual Verification - Low-level DANE/Badge verification flow
    • + *
  • Example 2: SCITT with AnsVerifiedClient - High-level SCITT verification
    • + *
+ * + *

Integration Pattern (Manual)

*
    *
  1. Create {@link HttpClientA2AAdapter} with SSLContext from {@link AnsVerifiedSslContextFactory}
    2. *
  2. Pre-verify (DANE lookup) before connection
    3. @@ -51,20 +59,33 @@ *
  3. Create A2A client and send messages
    4. *
* + *

Integration Pattern (SCITT with AnsVerifiedClient)

+ *
    + *
  1. Create {@link AnsVerifiedClient} with keystore and policy
    2. + *
  2. Call connect() - handles preflight and SCITT header exchange
    3. + *
  3. Use SSLContext and SCITT headers with A2A client
    4. + *
  4. Call verifyServer() after TLS handshake
    5. + *
+ * *

Prerequisites

*
    *
  1. A running A2A server with HTTPS endpoint
    2. *
  2. For DANE verification: TLSA DNS records configured
    3. *
  3. For Badge verification: Agent registered in ANS transparency log
    4. + *
  4. For SCITT verification: Agent with receipt and status token
    5. *
* *

Usage

* 
- * # Run with default settings
+ * # Run with default settings (DANE/Badge example)
  * ./gradlew :ans-sdk-agent-client:examples:a2a-client:run
  *
  * # Run with custom server URL
- * ./gradlew :ans-sdk-agent-client:examples:a2a-client:run --args="https://your-a2a-server.example.com:8443"
+ * ./gradlew :ans-sdk-agent-client:examples:a2a-client:run --args="https://your-server:8443"
+ *
+ * # Run SCITT example with keystore
+ * ./gradlew :ans-sdk-agent-client:examples:a2a-client:run \
+ *   --args="https://your-server:8443 /path/to/client.p12 password agentId"
  *
*/ public class A2aClientExample { @@ -80,9 +101,25 @@ public static void main(String[] args) { System.out.println(); try { + // Example 1: Manual DANE/Badge verification a2aWithAnsVerification(serverUrl); + + // Example 2: SCITT verification (requires keystore arguments) + if (args.length >= 4) { + String keystorePath = args[1]; + String keystorePassword = args[2]; + String agentId = args[3]; + a2aWithScittVerification(serverUrl, keystorePath, keystorePassword, agentId); + } else { + System.out.println("\n==========================================="); + System.out.println("SCITT Example (Skipped)"); + System.out.println("==========================================="); + System.out.println("To run SCITT example, provide:"); + System.out.println(" --args=\" \""); + } + System.out.println("\n==========================================="); - System.out.println("Example completed successfully!"); + System.out.println("Examples completed!"); System.out.println("==========================================="); } catch (Exception e) { System.err.println("Example failed: " + e.getMessage()); @@ -239,4 +276,143 @@ private static void a2aWithAnsVerification(String serverUrl) throws Exception { CertificateCapturingTrustManager.clearCapturedCertificates(hostname); } } + + /** + * Demonstrates A2A SDK integration with SCITT verification using AnsVerifiedClient. + * + *

This is the recommended approach for SCITT-enabled A2A communication. + * AnsVerifiedClient handles:

+ *
    + *
  • Preflight requests to exchange SCITT headers
    • + *
  • SSLContext creation with certificate capture
    • + *
  • SCITT artifact verification
    • + *
+ * + * @param serverUrl the A2A server URL + * @param keystorePath path to PKCS12 keystore for client mTLS + * @param keystorePassword keystore password + * @param agentId agent ID for SCITT header generation + */ + private static void a2aWithScittVerification(String serverUrl, String keystorePath, + String keystorePassword, String agentId) throws Exception { + System.out.println("\n==========================================="); + System.out.println("Example 2: A2A with SCITT Verification"); + System.out.println("==========================================="); + + URI serverUri = URI.create(serverUrl); + String hostname = serverUri.getHost(); + + // ============================================================ + // STEP 1: Create AnsVerifiedClient with SCITT policy + // ============================================================ + System.out.println("\nStep 1: Creating AnsVerifiedClient"); + System.out.println("-".repeat(40)); + + try (AnsVerifiedClient ansClient = AnsVerifiedClient.builder() + .agentId(agentId) + .keyStorePath(keystorePath, keystorePassword) + .policy(VerificationPolicy.SCITT_REQUIRED) + .build()) { + + System.out.println(" Policy: " + ansClient.policy()); + // Fetch SCITT headers (blocking is fine during setup, not on I/O threads) + var scittHeaders = ansClient.scittHeadersAsync().join(); + if (!scittHeaders.isEmpty()) { + System.out.println(" SCITT headers configured for outgoing requests"); + } + + // ============================================================ + // STEP 2: Connect (performs preflight for SCITT) + // ============================================================ + System.out.println("\nStep 2: Connecting with SCITT preflight"); + System.out.println("-".repeat(40)); + + try (AnsConnection connection = ansClient.connect(serverUrl)) { + System.out.println(" Connected to: " + connection.hostname()); + System.out.println(" SCITT artifacts from server: " + connection.hasScittArtifacts()); + + // ============================================================ + // STEP 3: Create A2A HTTP client with ANS SSLContext + // ============================================================ + System.out.println("\nStep 3: Creating A2A client"); + System.out.println("-".repeat(40)); + + HttpClientA2AAdapter httpClient = new HttpClientA2AAdapter(ansClient.sslContext()); + System.out.println(" Created HttpClientA2AAdapter with ANS SSLContext"); + + // ============================================================ + // STEP 4: Fetch AgentCard (triggers TLS handshake) + // ============================================================ + System.out.println("\nStep 4: Fetching AgentCard"); + System.out.println("-".repeat(40)); + + A2ACardResolver cardResolver = new A2ACardResolver(httpClient, serverUrl, null); + AgentCard agentCard = cardResolver.getAgentCard(); + + System.out.println(" AgentCard fetched:"); + System.out.println(" Name: " + agentCard.name()); + System.out.println(" Description: " + agentCard.description()); + + // ============================================================ + // STEP 5: Post-verify server certificate + // ============================================================ + System.out.println("\nStep 5: Post-verification (SCITT + captured cert)"); + System.out.println("-".repeat(40)); + + VerificationResult result = connection.verifyServer(); + + System.out.println(" Verification: " + result.status() + " (" + result.type() + ")"); + System.out.println(" Reason: " + result.reason()); + + if (!result.isSuccess()) { + throw new SecurityException("SCITT verification failed: " + result.reason()); + } + + // ============================================================ + // STEP 6: Create A2A client and send message + // ============================================================ + System.out.println("\nStep 6: Sending A2A message"); + System.out.println("-".repeat(40)); + + CompletableFuture responseFuture = new CompletableFuture<>(); + + BiConsumer eventHandler = (event, card) -> { + System.out.println(" Received event: " + event.getClass().getSimpleName()); + if (event instanceof MessageEvent messageEvent) { + Message msg = messageEvent.getMessage(); + if (msg.parts() != null) { + for (Part part : msg.parts()) { + if (part instanceof TextPart textPart) { + responseFuture.complete(textPart.text()); + } + } + } + } else if (event instanceof TaskEvent taskEvent) { + System.out.println(" Task status: " + taskEvent.getTask().status()); + } + }; + + JSONRPCTransportConfig transportConfig = new JSONRPCTransportConfig(httpClient); + + Client client = Client.builder(agentCard) + .withTransport(JSONRPCTransport.class, transportConfig) + .addConsumer(eventHandler) + .build(); + + try { + Message message = A2A.toUserMessage("Hello from SCITT-verified A2A client!"); + System.out.println(" Sending message: \"Hello from SCITT-verified A2A client!\""); + + client.sendMessage(message); + + String response = responseFuture.get(30, TimeUnit.SECONDS); + System.out.println(" Response: " + response); + System.out.println("\n Successfully communicated with SCITT-verified A2A server!"); + + } finally { + CertificateCapturingTrustManager.clearCapturedCertificates(hostname); + } + } + } + } } \ No newline at end of file diff --git a/ans-sdk-agent-client/examples/http-api/README.md b/ans-sdk-agent-client/examples/http-api/README.md index 9721cb5..55310c3 100644 --- a/ans-sdk-agent-client/examples/http-api/README.md +++ b/ans-sdk-agent-client/examples/http-api/README.md @@ -1,25 +1,34 @@ # HTTP API Example -This example demonstrates ANS verification using the `AnsClient` high-level API. +This example demonstrates ANS verification for HTTP API connections using both the +simple `AnsClient` and the full-featured `AnsVerifiedClient` with SCITT support. ## Overview -The `AnsClient` provides a simple builder-based API for connecting to ANS-registered agents -with various verification policies. This is the recommended approach for most use cases. +The example includes multiple verification approaches: + +1. **PKI_ONLY** - Standard HTTPS with system trust store +2. **BADGE_REQUIRED** - Transparency log verification +3. **DANE_AND_BADGE** - Full DANE + Badge verification +4. **SCITT_REQUIRED** - Cryptographic proof via HTTP headers (recommended) ## Usage ```bash -# Run with default settings +# Run with default settings (PKI, Badge, DANE examples) ./gradlew :ans-sdk-agent-client:examples:http-api:run # Run with custom server URL ./gradlew :ans-sdk-agent-client:examples:http-api:run --args="https://your-agent.example.com:8443" + +# Run SCITT example (requires keystore and agent ID) +./gradlew :ans-sdk-agent-client:examples:http-api:run \ + --args="https://your-agent.example.com:8443 /path/to/keystore.p12 keystorePassword myAgentId" ``` ## Code Highlights -### Basic Connection (PKI_ONLY) +### Example 1: PKI_ONLY - Standard HTTPS ```java AnsClient client = AnsClient.builder() @@ -35,9 +44,11 @@ HttpApiClient api = conn.httpApiAt(serverUrl); String response = api.get("/health"); ``` -### Badge Verification (Recommended) +### Example 2: BADGE_REQUIRED - Transparency Log ```java +AnsClient client = AnsClient.create(); + ConnectOptions options = ConnectOptions.builder() .verificationPolicy(VerificationPolicy.BADGE_REQUIRED) .build(); @@ -45,33 +56,72 @@ ConnectOptions options = ConnectOptions.builder() AgentConnection conn = client.connect(serverUrl, options); ``` -### Custom Policy (DANE Advisory + Badge Required) +### Example 3: DANE_AND_BADGE - Full Verification ```java -VerificationPolicy customPolicy = VerificationPolicy.custom() - .dane(VerificationMode.ADVISORY) - .badge(VerificationMode.REQUIRED) - .build(); - ConnectOptions options = ConnectOptions.builder() - .verificationPolicy(customPolicy) + .verificationPolicy(VerificationPolicy.DANE_AND_BADGE) .build(); AgentConnection conn = client.connect(serverUrl, options); ``` +### Example 4: SCITT Verification (Recommended) + +Uses `AnsVerifiedClient` for mTLS and SCITT cryptographic proof: + +```java +// Create client with SCITT verification +AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId(agentId) + .keyStorePath(keystorePath, keystorePassword) + .policy(VerificationPolicy.SCITT_REQUIRED) + .connectTimeout(Duration.ofSeconds(30)) + .build(); + +// Connect - sends preflight to exchange SCITT artifacts +AnsConnection connection = client.connect(serverUrl); + +// Check server SCITT artifacts +if (connection.hasScittArtifacts()) { + System.out.println("Server provided SCITT artifacts"); +} + +// Verify server certificate against policy +VerificationResult result = connection.verifyServer(); +if (!result.isSuccess()) { + throw new SecurityException("Verification failed: " + result.reason()); +} + +// Clean up +connection.close(); +client.close(); +``` + ## Verification Policies | Policy | Description | Use Case | |--------|-------------|----------| | `PKI_ONLY` | System trust store only | Development, testing | | `DANE_REQUIRED` | Requires DANE/TLSA | High security with DNSSEC | -| `BADGE_REQUIRED` | Requires transparency log | **Recommended for production** | -| `DANE_AND_BADGE` | Both DANE and Badge | Maximum security | -| `FULL` | DANE + Badge | Maximum security | +| `BADGE_REQUIRED` | Requires transparency log | Legacy production | +| `DANE_AND_BADGE` | Both DANE and Badge | Maximum legacy security | +| `SCITT_REQUIRED` | Requires SCITT artifacts | **Recommended for production** | +| `SCITT_ENHANCED` | SCITT with badge fallback | Migration from badge | + +## Key Classes + +| Class | Purpose | +|-------|---------| +| `AnsClient` | Simple client for PKI, DANE, Badge verification | +| `AnsVerifiedClient` | Full-featured client with SCITT support and mTLS | +| `AnsConnection` | Connection handle for SCITT verification flow | +| `VerificationPolicy` | Configures which verification methods to use | +| `VerificationResult` | Verification outcome (SUCCESS, MISMATCH, NOT_FOUND, ERROR) | ## Prerequisites - ANS-registered agent with HTTPS endpoint - For Badge verification: Agent in ANS transparency log -- For DANE verification: TLSA DNS records configured \ No newline at end of file +- For DANE verification: TLSA DNS records configured +- For SCITT verification: Agent with receipt and status token, client keystore diff --git a/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java b/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java index ff0cfec..10008f4 100644 --- a/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java +++ b/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java @@ -1,12 +1,16 @@ package com.godaddy.ans.examples.httpapi; import com.godaddy.ans.sdk.agent.AnsClient; +import com.godaddy.ans.sdk.agent.AnsConnection; +import com.godaddy.ans.sdk.agent.AnsVerifiedClient; import com.godaddy.ans.sdk.agent.ConnectOptions; import com.godaddy.ans.sdk.agent.VerificationPolicy; import com.godaddy.ans.sdk.agent.connection.AgentConnection; import com.godaddy.ans.sdk.agent.protocol.HttpApiClient; +import com.godaddy.ans.sdk.agent.verification.VerificationResult; import java.time.Duration; +import java.util.Map; /** * HTTP API Example - demonstrates ANS verification with AnsClient. @@ -19,6 +23,7 @@ *
  • A running ANS-registered agent with HTTPS endpoint
    • *
  • For DANE verification: TLSA DNS records configured
    • *
  • For Badge verification: Agent registered in ANS transparency log
    • + *
  • For SCITT verification: Agent has SCITT receipt and status token
    • * * *

    Usage

    @@ -28,6 +33,10 @@ * * # Run with custom server URL * ./gradlew :ans-sdk-agent-client:examples:http-api:run --args="https://your-agent.example.com:8443" + * + * # Run SCITT example with keystore and agent ID + * ./gradlew :ans-sdk-agent-client:examples:http-api:run \ + * --args="https://your-agent.example.com:8443 /path/to/keystore.p12 keystorePassword myAgentId" * * *

    Verification Policies

    @@ -36,7 +45,7 @@ *
  • DANE_REQUIRED - Requires DANE/TLSA verification
    • *
  • BADGE_REQUIRED - Requires transparency log verification
    • *
  • DANE_AND_BADGE - Requires both DANE and Badge
    • - *
  • FULL - DANE + Badge (maximum security)
    • + *
  • SCITT_REQUIRED - Requires SCITT receipt and status token verification (recommended)
    • * */ public class HttpApiExample { @@ -56,6 +65,21 @@ public static void main(String[] args) { exampleBadgeRequired(serverUrl); exampleDaneAndBadge(serverUrl); + // SCITT example requires keystore - check if arguments provided + if (args.length >= 4) { + String keystorePath = args[1]; + String keystorePassword = args[2]; + String agentId = args[3]; + exampleScittVerification(serverUrl, keystorePath, keystorePassword, agentId); + } else { + System.out.println("\nExample 4: SCITT Verification (Skipped)"); + System.out.println("-".repeat(40)); + System.out.println(" To run SCITT example, provide:"); + System.out.println(" ./gradlew :ans-sdk-agent-client:examples:http-api:run \\"); + System.out.println(" --args=\" \""); + System.out.println(); + } + System.out.println("\n==========================================="); System.out.println("Examples completed!"); System.out.println("==========================================="); @@ -152,7 +176,7 @@ private static void exampleDaneAndBadge(String serverUrl) { // Full policy: DANE + Badge ConnectOptions options = ConnectOptions.builder() - .verificationPolicy(VerificationPolicy.FULL) + .verificationPolicy(VerificationPolicy.DANE_AND_BADGE) .build(); System.out.println(" Connecting with full verification policy:"); @@ -175,6 +199,86 @@ private static void exampleDaneAndBadge(String serverUrl) { } } + /** + * Example 4: SCITT Verification - Cryptographic proof via HTTP headers. + * + *

    Uses AnsVerifiedClient for mTLS and SCITT verification. + * Demonstrates the full verification flow including preflight requests + * to exchange SCITT artifacts (receipts and status tokens).

    + * + * @param serverUrl the server URL to connect to + * @param keystorePath path to PKCS12 keystore for client authentication + * @param keystorePassword keystore password + * @param agentId the agent ID for SCITT header generation + */ + private static void exampleScittVerification(String serverUrl, String keystorePath, + String keystorePassword, String agentId) { + System.out.println("\nExample 4: SCITT Verification (Cryptographic Proof)"); + System.out.println("-".repeat(40)); + + try { + // Create AnsVerifiedClient with SCITT verification + // Note: TransparencyClient is created internally if not provided + AnsVerifiedClient client = AnsVerifiedClient.builder() + .agentId(agentId) + .keyStorePath(keystorePath, keystorePassword) + .policy(VerificationPolicy.SCITT_REQUIRED) + .connectTimeout(Duration.ofSeconds(30)) + .build(); + + System.out.println(" Created AnsVerifiedClient with policy: " + client.policy()); + + // Display SCITT headers that will be sent with requests + // (blocking is fine during setup, not on I/O threads) + Map scittHeaders = client.scittHeadersAsync().join(); + if (!scittHeaders.isEmpty()) { + System.out.println(" SCITT headers configured:"); + scittHeaders.forEach((k, v) -> + System.out.println(" " + k + ": " + truncate(v, 50) + "...")); + } + + // Connect and perform pre-verification + // This sends a preflight HEAD request to exchange SCITT headers + System.out.println("\n Connecting to " + serverUrl); + System.out.println(" (Preflight request will exchange SCITT artifacts)"); + + AnsConnection connection = client.connect(serverUrl); + System.out.println(" Connected to: " + connection.hostname()); + + // Check if server provided SCITT artifacts + if (connection.hasScittArtifacts()) { + System.out.println(" Server provided SCITT artifacts"); + } else { + System.out.println(" Server did not provide SCITT artifacts"); + } + + // Perform full verification + VerificationResult result = connection.verifyServer(); + + System.out.println("\n Verification Results:"); + System.out.println(" Overall: " + result.status() + " (" + result.type() + ")"); + System.out.println(" Reason: " + result.reason()); + + if (result.isSuccess()) { + System.out.println("\n [SUCCESS] SCITT verification completed"); + } else { + System.out.println("\n [WARNING] Verification status: " + result.status()); + } + + // Clean up + connection.close(); + client.close(); + System.out.println(); + + } catch (Exception e) { + System.out.println(" [ERROR] " + e.getMessage()); + if (e.getCause() != null) { + System.out.println(" Cause: " + e.getCause().getMessage()); + } + System.out.println(); + } + } + private static String truncate(String s, int maxLen) { if (s == null) { return "null"; diff --git a/ans-sdk-agent-client/examples/mcp-client/README.md b/ans-sdk-agent-client/examples/mcp-client/README.md index 0cfe926..6a25e29 100644 --- a/ans-sdk-agent-client/examples/mcp-client/README.md +++ b/ans-sdk-agent-client/examples/mcp-client/README.md @@ -5,84 +5,145 @@ This example demonstrates ANS verification integration with the official ## Overview -The MCP SDK's `HttpClientStreamableHttpTransport` accepts a custom `HttpClient.Builder`, -allowing us to inject an `SSLContext` configured for ANS certificate capture. +The `AnsVerifiedClient` provides a high-level API that handles: +- DANE/TLSA DNS lookup and verification +- Badge (transparency log) verification +- SCITT artifact fetching and verification via HTTP headers +- mTLS client authentication with certificate capture ## Usage ```bash +# Set environment variables +export AGENT_ID=your-agent-uuid +export KEYSTORE_PATH=/path/to/client.p12 +export KEYSTORE_PASS=changeit + # Run with default settings ./gradlew :ans-sdk-agent-client:examples:mcp-client:run # Run with custom server URL -./gradlew :ans-sdk-agent-client:examples:mcp-client:run --args="https://your-mcp-server.example.com" +./gradlew :ans-sdk-agent-client:examples:mcp-client:run --args="https://your-mcp-server.example.com/mcp" ``` ## Integration Pattern -The integration follows a **Pre-verify / Connect / Post-verify** pattern: +The integration uses the high-level `AnsVerifiedClient`: ```java -// 1. Set up ConnectionVerifier -ConnectionVerifier verifier = DefaultConnectionVerifier.builder() - .daneVerifier(new DaneVerifier(new DefaultDaneTlsaVerifier(DaneConfig.defaults()))) - .badgeVerifier(new BadgeVerifier(agentVerificationService)) - .build(); - -// 2. Pre-verify (async DANE lookup) -CompletableFuture preResultFuture = verifier.preVerify(hostname, port); - -// 3. Create SSLContext with certificate capture -SSLContext sslContext = AnsVerifiedSslContextFactory.create(); - -// 4. Create MCP transport with custom SSLContext -HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport - .builder(serverUrl) - .customizeClient(builder -> builder.sslContext(sslContext)) - .build(); - -// 5. Create and initialize MCP client -McpSyncClient mcpClient = McpClient.sync(transport).build(); -mcpClient.initialize(); - -// 6. Post-verify captured certificate -X509Certificate[] certs = CertificateCapturingTrustManager.getCapturedCertificates(hostname); -List results = verifier.postVerify(hostname, certs[0], preResultFuture.join()); - -// 7. Apply policy -VerificationResult combined = verifier.combine(results, VerificationPolicy.BADGE_REQUIRED); -if (!combined.isSuccess()) { - mcpClient.closeGracefully(); - throw new SecurityException("ANS verification failed: " + combined.reason()); +// 1. Create ANS verified client with policy +try (AnsVerifiedClient ansClient = AnsVerifiedClient.builder() + .agentId(agentId) // For SCITT headers (server verifies these) + .keyStorePath(keystorePath, password) // For mTLS client auth + .policy(VerificationPolicy.SCITT_REQUIRED) + .build()) { + + // 2. Connect and run pre-verifications (DANE, Badge, SCITT based on policy) + try (AnsConnection connection = ansClient.connect(serverUrl)) { + System.out.println("DANE records: " + connection.hasDaneRecords()); + System.out.println("Badge registration: " + connection.hasBadgeRegistration()); + System.out.println("SCITT artifacts: " + connection.hasScittArtifacts()); + + // 3. Create MCP transport with ANS SSLContext and SCITT headers + HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport.builder(serverUrl) + .customizeClient(b -> b.sslContext(ansClient.sslContext())) + .customizeRequest(b -> ansClient.scittHeaders().forEach(b::header)) + .build(); + + // 4. Initialize MCP client + McpSyncClient mcpClient = McpClient.sync(transport).build(); + mcpClient.initialize(); + + // 5. Post-verify server certificate (combines all results per policy) + VerificationResult result = connection.verifyServer(); + if (!result.isSuccess()) { + mcpClient.closeGracefully(); + throw new SecurityException("Server verification failed: " + result.reason()); + } + + // 6. Use verified MCP client + var tools = mcpClient.listTools(); + tools.tools().forEach(t -> System.out.println(" - " + t.name())); + + mcpClient.closeGracefully(); + } } +``` -// 8. Use verified MCP client -var tools = mcpClient.listTools(); +## Verification Policies -// 9. Clean up -CertificateCapturingTrustManager.clearCapturedCertificates(hostname); -``` +| Policy | DANE | Badge | SCITT | Use Case | +|--------|------|-------|-------|----------| +| `PKI_ONLY` | - | - | - | Standard TLS only | +| `BADGE_REQUIRED` | - | ✓ | - | Transparency log verification | +| `DANE_REQUIRED` | ✓ | - | - | DNSSEC/TLSA verification | +| `SCITT_REQUIRED` | - | - | ✓ | **Recommended** - SCITT via HTTP headers | +| `SCITT_ENHANCED` | - | advisory | ✓ | SCITT with badge fallback | + +### Fail-Fast Behavior + +SCITT verification policies enforce fail-fast behavior during `connect()`: + +| Policy | No Headers | Headers Present + Invalid | +|--------|------------|---------------------------| +| `SCITT_REQUIRED` | **Throws** `ScittVerificationException` | **Throws** `ScittVerificationException` | +| `SCITT_ENHANCED` | Falls back to badge verification | **Throws** `ScittVerificationException` | +| Custom ADVISORY | Falls back to badge verification | **Throws** `ScittVerificationException` | + +This prevents attackers from sending garbage SCITT headers to force badge fallback. ## Key Classes | Class | Purpose | |-------|---------| -| `AnsVerifiedSslContextFactory` | Creates SSLContext with certificate capture | -| `CertificateCapturingTrustManager` | Stores certificates during TLS handshake | -| `DefaultConnectionVerifier` | Coordinates DANE, Badge verification | -| `PreVerificationResult` | Holds pre-connection expectations | -| `VerificationResult` | Holds post-connection verification results | +| `AnsVerifiedClient` | High-level client - creates SSLContext, fetches SCITT headers, coordinates verifiers | +| `AnsConnection` | Connection handle - holds pre-verification results, performs post-verification | +| `VerificationPolicy` | Configures which verification methods to use | +| `VerificationResult` | Combined verification outcome (SUCCESS, MISMATCH, NOT_FOUND, ERROR) | +| `TransparencyClient` | Fetches SCITT artifacts and root public key from Transparency Log | + +## Environment Variables + +| Variable | Required | Description | +|----------|----------|-------------| +| `AGENT_ID` | For SCITT | Client's agent UUID for SCITT header generation | +| `KEYSTORE_PATH` | For mTLS | Path to PKCS12 keystore containing client cert + key | +| `KEYSTORE_PASS` | For mTLS | Keystore password (default: changeit) | + +## Creating a Client Keystore + +```bash +# From PEM files: +openssl pkcs12 -export -in cert.pem -inkey key.pem \ + -out client.p12 -name client -password pass:changeit + +# Include CA chain if needed: +openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \ + -out client.p12 -name client -password pass:changeit +``` ## Prerequisites -- MCP server with HTTPS endpoint -- For Badge verification: Agent in ANS transparency log -- For DANE verification: TLSA DNS records configured +- MCP server with HTTPS endpoint supporting mTLS +- For SCITT: Agent registered in ANS transparency log +- For Badge: Agent with valid badge in transparency log +- For DANE: TLSA DNS records configured with DNSSEC ## Dependencies ```kotlin dependencies { implementation("io.modelcontextprotocol.sdk:mcp:0.17.2") + implementation(project(":ans-sdk-agent-client")) } -``` \ No newline at end of file +``` + +## How It Works + +1. **Build phase**: `AnsVerifiedClient.builder()` creates an SSLContext with certificate capture, fetches client's SCITT artifacts for outgoing headers, and configures verifiers based on policy. + +2. **Connect phase**: `ansClient.connect(url)` sends a preflight HEAD request (if SCITT enabled) to capture server's SCITT headers, runs DANE DNS lookups, and queries badge status. + +3. **MCP handshake**: The MCP SDK uses the configured SSLContext for TLS, which captures the server certificate. SCITT headers are added to all requests. + +4. **Post-verify phase**: `connection.verifyServer()` checks the captured server certificate against DANE expectations, badge fingerprints, and/or SCITT status token based on policy. \ No newline at end of file diff --git a/ans-sdk-agent-client/examples/mcp-client/build.gradle.kts b/ans-sdk-agent-client/examples/mcp-client/build.gradle.kts index d721308..1db620f 100644 --- a/ans-sdk-agent-client/examples/mcp-client/build.gradle.kts +++ b/ans-sdk-agent-client/examples/mcp-client/build.gradle.kts @@ -6,5 +6,5 @@ application { dependencies { // MCP SDK - implementation("io.modelcontextprotocol.sdk:mcp:0.17.2") + implementation("io.modelcontextprotocol.sdk:mcp:1.1.0") } \ No newline at end of file diff --git a/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java b/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java index ef789b6..0f14b14 100644 --- a/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java +++ b/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java @@ -1,223 +1,131 @@ package com.godaddy.ans.examples.mcp; +import static com.godaddy.ans.sdk.agent.VerificationPolicy.SCITT_REQUIRED; + +import com.godaddy.ans.sdk.agent.AnsConnection; +import com.godaddy.ans.sdk.agent.AnsVerifiedClient; import com.godaddy.ans.sdk.agent.VerificationPolicy; -import com.godaddy.ans.sdk.agent.http.AnsVerifiedSslContextFactory; -import com.godaddy.ans.sdk.agent.http.CertificateCapturingTrustManager; -import com.godaddy.ans.sdk.agent.verification.BadgeVerifier; -import com.godaddy.ans.sdk.agent.verification.ConnectionVerifier; -import com.godaddy.ans.sdk.agent.verification.DaneConfig; -import com.godaddy.ans.sdk.agent.verification.DaneVerifier; -import com.godaddy.ans.sdk.agent.verification.DefaultConnectionVerifier; -import com.godaddy.ans.sdk.agent.verification.DefaultDaneTlsaVerifier; -import com.godaddy.ans.sdk.agent.verification.PreVerificationResult; import com.godaddy.ans.sdk.agent.verification.VerificationResult; -import com.godaddy.ans.sdk.transparency.TransparencyClient; -import com.godaddy.ans.sdk.transparency.verification.BadgeVerificationService; import io.modelcontextprotocol.client.McpClient; import io.modelcontextprotocol.client.McpSyncClient; import io.modelcontextprotocol.client.transport.HttpClientStreamableHttpTransport; import io.modelcontextprotocol.spec.McpSchema.ClientCapabilities; -import javax.net.ssl.SSLContext; -import java.net.URI; -import java.security.cert.X509Certificate; import java.time.Duration; -import java.util.List; -import java.util.concurrent.CompletableFuture; /** * MCP Client Example - demonstrates ANS verification with the MCP SDK. * - *

    This example shows how to integrate ANS verification (DANE, Badge) - * with the official MCP (Model Context Protocol) Java SDK.

    - * - *

    Integration Pattern

    - *
      - *
    1. Create SSLContext with certificate capture using {@link AnsVerifiedSslContextFactory}
      2. - *
    2. Configure MCP transport with custom SSLContext
      3. - *
    3. Pre-verify (DANE lookup) before connection
      4. - *
    4. Connect - TLS handshake captures certificate
      5. - *
    5. Post-verify captured certificate against expectations
      6. - *
    + *

    This example shows how to integrate ANS verification with the official + * MCP (Model Context Protocol) Java SDK using the high-level {@link AnsVerifiedClient}.

    * - *

    Prerequisites

    - *
      - *
    1. A running MCP server with HTTPS endpoint
      2. - *
    2. For DANE verification: TLSA DNS records configured
      3. - *
    3. For Badge verification: Agent registered in ANS transparency log
      4. - *
    + *

    The client:

    + *
      + *
    • Automatically configures verification based on the selected policy
      • + *
    • Handles SCITT header generation and verification (if enabled)
      • + *
    • Supports DANE/TLSA, Badge, and SCITT verification methods
      • + *
    • Uses mTLS with an identity certificate for mutual authentication
      • + *
    * *

    Usage

    * 
    - * # Run with default settings
  * ./gradlew :ans-sdk-agent-client:examples:mcp-client:run
+ * ./gradlew :ans-sdk-agent-client:examples:mcp-client:run --args="https://your-server.com/mcp"
+ *
    + * + *

    Environment Variables

    + *
      + *
    • CLIENT_AGENT_ID - Agent ID for client's own SCITT artifacts
      • + *
    • CLIENT_KEYSTORE_PATH - Path to client PKCS12 keystore containing identity cert + key
      • + *
    • CLIENT_KEYSTORE_PASSWORD - Keystore password (default: changeit)
      • + *
    • VERIFICATION_POLICY - Policy: SCITT_REQUIRED (default), SCITT_ENHANCED, BADGE_REQUIRED, etc.
      • + *
    + * + *

    Creating a Client Keystore

    + * 
    + * # From PEM files:
+ * openssl pkcs12 -export -in cert.pem -inkey key.pem -out client.p12 -name client -password pass:changeit
  *
- * # Run with custom server URL
- * ./gradlew :ans-sdk-agent-client:examples:mcp-client:run --args="https://your-mcp-server.example.com"
+ * # Include CA chain if needed:
+ * openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem -out client.p12 -name client
  *
    */ public class McpClientExample { - public static void main(String[] args) { - // Parse command line arguments - String serverUrl = args.length > 0 ? args[0] : "https://your-mcp-server.example.com/mcp"; + private static final String DEFAULT_SERVER_URL = "https://your-mcp-server.example.com/mcp"; - System.out.println("==========================================="); - System.out.println("ANS SDK - MCP Client Example"); - System.out.println("==========================================="); - System.out.println("Target: " + serverUrl); - System.out.println(); + public static void main(String[] args) throws Exception { + String serverUrl = args.length > 0 ? args[0] : DEFAULT_SERVER_URL; - try { - mcpWithAnsVerification(serverUrl); - System.out.println("\n==========================================="); - System.out.println("Example completed successfully!"); - System.out.println("==========================================="); - } catch (Exception e) { - System.err.println("Example failed: " + e.getMessage()); - e.printStackTrace(); - System.exit(1); - } - } + // Client's own agent ID for SCITT headers (server verifies these) + String agentId = System.getenv("AGENT_ID"); - /** - * Demonstrates MCP SDK integration with ANS verification. - */ - private static void mcpWithAnsVerification(String serverUrl) throws Exception { - URI serverUri = URI.create(serverUrl); - String hostname = serverUri.getHost(); - int port = serverUri.getPort() == -1 ? 443 : serverUri.getPort(); - - // ============================================================ - // STEP 1: Set up the ANS ConnectionVerifier - // ============================================================ - System.out.println("Step 1: Setting up ANS ConnectionVerifier"); - System.out.println("-".repeat(40)); - - ConnectionVerifier verifier = DefaultConnectionVerifier.builder() - .daneVerifier(new DaneVerifier(new DefaultDaneTlsaVerifier(DaneConfig.defaults()))) - .badgeVerifier(new BadgeVerifier( - BadgeVerificationService.builder() - .transparencyClient(TransparencyClient.builder().build()) - .build())) - .build(); - - System.out.println(" Created verifier with DANE and Badge support"); - - // ============================================================ - // STEP 2: Pre-verify (async - can be cached) - // ============================================================ - System.out.println("\nStep 2: Pre-verification (DANE lookup)"); - System.out.println("-".repeat(40)); - - CompletableFuture preResultFuture = verifier.preVerify(hostname, port); - System.out.println(" Started async pre-verification for " + hostname + ":" + port); - - // ============================================================ - // STEP 3: Create SSLContext with certificate capture - // ============================================================ - System.out.println("\nStep 3: Creating SSLContext with certificate capture"); - System.out.println("-".repeat(40)); - - SSLContext sslContext = AnsVerifiedSslContextFactory.create(); - System.out.println(" Created SSLContext with CertificateCapturingTrustManager"); - - // ============================================================ - // STEP 4: Create MCP transport with custom SSLContext - // ============================================================ - System.out.println("\nStep 4: Creating MCP transport"); - System.out.println("-".repeat(40)); - - HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport - .builder(serverUrl) - .customizeClient(builder -> builder - .sslContext(sslContext) - .connectTimeout(Duration.ofSeconds(30))) - .build(); - - System.out.println(" Created HttpClientStreamableHttpTransport with custom SSLContext"); - - // ============================================================ - // STEP 5: Create MCP Client - // ============================================================ - System.out.println("\nStep 5: Creating MCP client"); - System.out.println("-".repeat(40)); - - McpSyncClient mcpClient = McpClient.sync(transport) - .requestTimeout(Duration.ofSeconds(30)) - .capabilities(ClientCapabilities.builder() - .roots(true) - .build()) - .build(); - - System.out.println(" Created McpSyncClient"); - - try { - // ============================================================ - // STEP 6: Initialize connection (triggers TLS handshake) - // ============================================================ - System.out.println("\nStep 6: Initializing MCP connection"); - System.out.println("-".repeat(40)); - - mcpClient.initialize(); - System.out.println(" MCP connection initialized"); - - // ============================================================ - // STEP 7: Post-verify the captured certificate - // ============================================================ - System.out.println("\nStep 7: Post-verification"); - System.out.println("-".repeat(40)); - - PreVerificationResult preResult = preResultFuture.join(); - X509Certificate[] capturedCerts = CertificateCapturingTrustManager.getCapturedCertificates(hostname); - - if (capturedCerts == null || capturedCerts.length == 0) { - throw new SecurityException("No certificate captured for " + hostname); - } + // Client keystore for mTLS + String keystorePath = System.getenv("KEYSTORE_PATH"); + String keystorePassword = System.getenv("KEYSTORE_PASS"); - X509Certificate serverCert = capturedCerts[0]; - System.out.println(" Captured certificate: " + serverCert.getSubjectX500Principal()); + // Policy can be set via environment: SCITT_REQUIRED (default), SCITT_ENHANCED, BADGE_REQUIRED, etc. + VerificationPolicy policy = SCITT_REQUIRED; - List results = verifier.postVerify(hostname, serverCert, preResult); + System.out.println("ANS SDK - MCP Client Example"); + System.out.println("Target: " + serverUrl); + System.out.println("Policy: " + policy); + System.out.println(); - System.out.println("\n ANS Verification Results:"); - for (VerificationResult result : results) { - String status = result.isSuccess() ? "PASS" : "FAIL"; - System.out.println(" " + result.type() + ": " + status); - if (!result.isSuccess() && result.reason() != null) { - System.out.println(" Reason: " + result.reason()); + // Create ANS verified client - handles all verification setup based on policy + try (AnsVerifiedClient ansClient = AnsVerifiedClient.builder() + .agentId(agentId) + .keyStorePath(keystorePath, keystorePassword) + .policy(policy) + .build()) { + + // Fetch SCITT headers early (blocking is fine during setup) + var scittHeaders = ansClient.scittHeadersAsync().join(); + + // Connect and run all pre-verifications (DANE, Badge, SCITT based on policy) + try (AnsConnection connection = ansClient.connect(serverUrl)) { + System.out.println("Pre-verification complete:"); + System.out.println(" DANE records: " + (connection.hasDaneRecords() ? "found" : "none")); + System.out.println(" Badge registration: " + (connection.hasBadgeRegistration() ? "found" : "none")); + System.out.println(" SCITT artifacts: " + (connection.hasScittArtifacts() ? "found" : "none")); + + // Create MCP client with ANS SSLContext and SCITT headers + HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport.builder(serverUrl) + .customizeClient(b -> b.sslContext(ansClient.sslContext()) + .connectTimeout(Duration.ofSeconds(30))) + .customizeRequest(b -> scittHeaders.forEach(b::header)) + .build(); + + McpSyncClient mcpClient = McpClient.sync(transport) + .requestTimeout(Duration.ofSeconds(30)) + .capabilities(ClientCapabilities.builder().roots(true).build()) + .build(); + + try { + mcpClient.initialize(); + + // Post-verify server certificate (combines all results per policy) + VerificationResult result = connection.verifyServer(); + System.out.println("\nServer verification: " + (result.isSuccess() ? "PASS" : "FAIL")); + System.out.println(" Type: " + result.type()); + if (result.reason() != null) { + System.out.println(" Reason: " + result.reason()); + } + + if (!result.isSuccess()) { + throw new SecurityException("Server verification failed: " + result.reason()); + } + + // Use verified client + var tools = mcpClient.listTools(); + System.out.println("\nAvailable tools: " + tools.tools().size()); + tools.tools().forEach(t -> System.out.println(" - " + t.name() + ": " + t.description())); + + } finally { + mcpClient.closeGracefully(); } } - - // Apply verification policy - VerificationResult combined = verifier.combine(results, VerificationPolicy.BADGE_REQUIRED); - System.out.println("\n Combined result (BADGE_REQUIRED policy): " + - (combined.isSuccess() ? "PASS" : "FAIL - " + combined.reason())); - - if (!combined.isSuccess()) { - throw new SecurityException("ANS verification failed: " + combined.reason()); - } - - // ============================================================ - // STEP 8: Use the verified MCP client - // ============================================================ - System.out.println("\nStep 8: Using verified MCP client"); - System.out.println("-".repeat(40)); - - var tools = mcpClient.listTools(); - System.out.println(" Available tools: " + tools.tools().size()); - - for (var tool : tools.tools()) { - System.out.println(" - " + tool.name() + ": " + tool.description()); - } - - System.out.println("\n Successfully communicated with ANS-verified MCP server!"); - - } finally { - // Clean up - CertificateCapturingTrustManager.clearCapturedCertificates(hostname); - mcpClient.closeGracefully(); } } } diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/README.md b/ans-sdk-agent-client/examples/mcp-server-spring/README.md new file mode 100644 index 0000000..7cb543b --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/README.md @@ -0,0 +1,253 @@ +# Spring Boot MCP Server Example + +This example demonstrates a production-ready ANS-verifiable MCP server using Spring Boot 3.x, +featuring automatic SCITT artifact refresh and client request verification. + +## Overview + +This Spring Boot example: + +- **Automatically refreshes** status tokens before they expire using `ScittArtifactManager` +- **Verifies incoming client requests** using `DefaultClientRequestVerifier` +- **Adds SCITT headers** to all responses for client verification +- **Exposes health status** via Spring Actuator endpoints +- **Supports configurable verification policies** via `application.yml` + +## Usage + +```bash +# Set required environment variables +export ANS_AGENT_ID=your-agent-uuid +export SSL_KEYSTORE_PATH=/path/to/keystore.p12 +export SSL_KEYSTORE_PASSWORD=changeit +export SSL_TRUSTSTORE_PATH=/path/to/truststore.p12 +export SSL_TRUSTSTORE_PASSWORD=changeit + +# Run the server +./gradlew :ans-sdk-agent-client:examples:mcp-server-spring:bootRun + +# Or run with custom properties +./gradlew :ans-sdk-agent-client:examples:mcp-server-spring:bootRun \ + --args="--ans.mcp.verification.policy=SCITT_REQUIRED" +``` + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────┐ +│ Spring Boot Server │ +├─────────────────────────────────────────────────────────────┤ +│ ┌─────────────────────┐ ┌─────────────────────────┐ │ +│ │ ClientVerification │───▶│ ScittHeaderResponse │ │ +│ │ Filter (FIRST) │ │ Filter (LAST) │ │ +│ └─────────────────────┘ └─────────────────────────┘ │ +│ │ │ │ +│ ▼ ▼ │ +│ ┌─────────────────────┐ ┌─────────────────────────┐ │ +│ │ DefaultClient │ │ ScittArtifactManager │ │ +│ │ RequestVerifier │ │ (cached raw bytes) │ │ +│ └─────────────────────┘ └─────────────────────────┘ │ +│ │ │ │ +│ ▼ ▼ │ +│ ┌─────────────────────────────────────────────────────┐ │ +│ │ TransparencyClient │ │ +│ │ (fetches artifacts, root key) │ │ +│ └─────────────────────────────────────────────────────┘ │ +└─────────────────────────────────────────────────────────────┘ +``` + +## Key Features + +### 1. Automatic SCITT Artifact Refresh + +```java +// ScittLifecycle.java starts background refresh on startup +@Override +public void start() { + // Fetch initial artifacts + artifactManager.getReceipt(agentId).join(); + artifactManager.getStatusToken(agentId).join(); + + // Start background refresh at (exp - iat) / 2 intervals + artifactManager.startBackgroundRefresh(agentId); +} +``` + +Tokens are refreshed automatically, ensuring they never expire during operation: +- **Receipts**: Cached indefinitely (immutable Merkle proofs) +- **Status tokens**: Refreshed at `(exp - iat) / 2` intervals + +### 2. Client Request Verification + +```java +// ClientVerificationFilter.java delegates to DefaultClientRequestVerifier +ClientRequestVerificationResult result = verifier + .verify(clientCert, headers, policy) + .get(5, TimeUnit.SECONDS); + +if (!result.verified()) { + if (policy.scittMode() == VerificationMode.REQUIRED) { + response.sendError(403, "Client verification failed: " + result.errors()); + return; + } + // Advisory mode - log warning but continue +} + +// Store verified agent ID for downstream use +request.setAttribute("ans.verified.agentId", result.agentId()); +``` + +Security features provided by `DefaultClientRequestVerifier`: +- 64KB header size limit (DoS protection) +- Constant-time fingerprint comparison (timing attack protection) +- Result caching by `sha256(receipt):sha256(token):certFingerprint` +- Uses `validIdentityCertFingerprints()` for client verification + +### 3. SCITT Response Headers + +```java +// ScittHeaderResponseFilter.java adds headers to all responses +byte[] receiptBytes = artifactManager.getReceiptBytes(agentId) + .get(5, TimeUnit.SECONDS); +byte[] tokenBytes = artifactManager.getStatusTokenBytes(agentId) + .get(5, TimeUnit.SECONDS); + +if (receiptBytes != null) { + response.addHeader("X-SCITT-Receipt", Base64.getEncoder().encodeToString(receiptBytes)); +} +if (tokenBytes != null) { + response.addHeader("X-ANS-Status-Token", Base64.getEncoder().encodeToString(tokenBytes)); +} +``` + +### 4. Health Monitoring + +```bash +curl -k https://localhost:8443/actuator/health +``` + +```json +{ + "status": "UP", + "components": { + "scitt": { + "status": "UP", + "details": { + "agentId": "abc-123", + "tokenStatus": "ACTIVE", + "tokenExpiration": "2024-01-15T10:30:00Z", + "timeRemaining": "2h 30m 15s", + "stale": false + } + } + } +} +``` + +## Configuration + +### application.yml + +```yaml +server: + port: 8443 + ssl: + enabled: true + key-store: ${SSL_KEYSTORE_PATH} + key-store-password: ${SSL_KEYSTORE_PASSWORD} + client-auth: need # mTLS required + trust-store: ${SSL_TRUSTSTORE_PATH} + trust-store-password: ${SSL_TRUSTSTORE_PASSWORD} + +ans: + mcp: + agent-id: ${ANS_AGENT_ID} + verification: + enabled: true + policy: SCITT_REQUIRED # See policies below + scitt: + domain: transparency.ans.godaddy.com +``` + +### Verification Policies + +| Policy | DANE | Badge | SCITT | Description | +|--------|------|-------|-------|-------------| +| `PKI_ONLY` | - | - | - | No additional verification beyond TLS | +| `BADGE_REQUIRED` | - | ✓ | - | Require valid badge | +| `SCITT_REQUIRED` | - | - | ✓ | **Recommended** - require SCITT headers | +| `SCITT_ENHANCED` | - | advisory | ✓ | SCITT with badge fallback | +| `DANE_REQUIRED` | ✓ | - | - | Strict DANE verification | + +### VerificationMode Options + +| Mode | Behavior | +|------|----------| +| `DISABLED` | Skip this verification type | +| `ADVISORY` | Allow fallback if headers absent; **reject if headers present but invalid** | +| `REQUIRED` | Reject connection if verification fails or headers missing | + +**Note:** ADVISORY mode still rejects invalid SCITT headers to prevent downgrade attacks where attackers send garbage headers to force badge fallback. + +## Key Classes + +| Class | Location | Purpose | +|-------|----------|---------| +| `ScittArtifactManager` | ans-sdk-transparency | Background refresh and caching of SCITT artifacts | +| `DefaultClientRequestVerifier` | ans-sdk-agent-client | Verifies client SCITT artifacts with security protections | +| `ClientRequestVerificationResult` | ans-sdk-agent-client | Verification outcome (verified, agentId, errors, duration) | +| `TransparencyClient` | ans-sdk-transparency | Fetches artifacts and root public key from TL | +| `ClientVerificationFilter` | example | Spring filter that extracts cert + headers, calls verifier | +| `ScittHeaderResponseFilter` | example | Spring filter that adds SCITT headers to responses | +| `ScittHealthIndicator` | example | Actuator health endpoint for SCITT status | + +## How Client Verification Works + +1. **Extract client certificate** from `jakarta.servlet.request.X509Certificate` (mTLS) +2. **Extract SCITT headers** (`X-SCITT-Receipt`, `X-ANS-Status-Token`) from request +3. **Check cache** - keyed by `sha256(receipt):sha256(token):certFingerprint` +4. **Verify receipt signature** - ES256 over COSE Sig_structure +5. **Verify Merkle proof** - RFC 9162 inclusion proof +6. **Verify token signature** - ES256 + expiry check with clock skew tolerance +7. **Match fingerprint** - client cert SHA-256 vs `validIdentityCertFingerprints()` (constant-time) +8. **Return result** - includes `agentId`, `statusToken`, `receipt`, verification duration + +## Prerequisites + +- Java 17+ +- Valid SSL keystore with server certificate +- Truststore with trusted client CA certificates +- Agent registered in ANS transparency log +- For client verification: Clients must include SCITT headers + +## Testing with MCP Client + +```bash +# Terminal 1: Start Spring server +./gradlew :ans-sdk-agent-client:examples:mcp-server-spring:bootRun + +# Terminal 2: Run client example (once server is up) +./gradlew :ans-sdk-agent-client:examples:mcp-client:run \ + --args="https://localhost:8443/mcp" +``` + +## Dependencies + +```kotlin +dependencies { + implementation(platform("org.springframework.boot:spring-boot-dependencies:3.2.5")) + implementation("org.springframework.boot:spring-boot-starter-web") + implementation("org.springframework.boot:spring-boot-starter-actuator") + implementation("io.modelcontextprotocol.sdk:mcp:1.1.0") + implementation(project(":ans-sdk-agent-client")) + implementation(project(":ans-sdk-transparency")) +} +``` + +## Security Considerations + +- **DoS protection**: 64KB header size limit prevents memory exhaustion +- **Timing attacks**: Constant-time `MessageDigest.isEqual()` for fingerprint comparison +- **Cache efficiency**: Results cached to avoid redundant crypto operations +- **Downgrade protection**: `SCITT_REQUIRED` policy prevents stripping headers to force badge fallback +- **mTLS required**: `client-auth: need` ensures mutual authentication \ No newline at end of file diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/build.gradle.kts b/ans-sdk-agent-client/examples/mcp-server-spring/build.gradle.kts new file mode 100644 index 0000000..f3d037c --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/build.gradle.kts @@ -0,0 +1,47 @@ +// Spring Boot MCP Server Example - demonstrates ANS-verifiable MCP server with: +// - Automatic SCITT artifact refresh (receipts and status tokens) +// - Client request verification with mTLS +// - Health indicators for SCITT artifact status + +plugins { + application +} + +val springBootVersion = "3.2.5" + +application { + mainClass.set("com.godaddy.ans.examples.mcp.spring.McpServerSpringApplication") +} + +configurations.all { + // Exclude slf4j-simple to avoid conflict with Logback in tests + exclude(group = "org.slf4j", module = "slf4j-simple") +} + +dependencies { + // Spring Boot BOM for version management + implementation(platform("org.springframework.boot:spring-boot-dependencies:$springBootVersion")) + + // Spring Boot + implementation("org.springframework.boot:spring-boot-starter-web") + implementation("org.springframework.boot:spring-boot-starter-actuator") + annotationProcessor("org.springframework.boot:spring-boot-configuration-processor:$springBootVersion") + + // MCP SDK (servlet transport) + implementation("io.modelcontextprotocol.sdk:mcp:1.1.0") + + // ANS SDK - agent client includes transparency module transitively + implementation(project(":ans-sdk-agent-client")) + + // Bouncy Castle for PEM certificate loading + implementation("org.bouncycastle:bcpkix-jdk18on:1.80") + +} + +tasks.withType { + manifest { + attributes( + "Main-Class" to "com.godaddy.ans.examples.mcp.spring.McpServerSpringApplication" + ) + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/McpServerSpringApplication.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/McpServerSpringApplication.java new file mode 100644 index 0000000..eb107be --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/McpServerSpringApplication.java @@ -0,0 +1,59 @@ +package com.godaddy.ans.examples.mcp.spring; + +import com.godaddy.ans.examples.mcp.spring.config.McpServerProperties; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.context.properties.EnableConfigurationProperties; + +import java.security.Security; + +/** + * Spring Boot MCP Server with ANS verification. + * + *

    This example demonstrates a production-ready MCP server that:

    + *
      + *
    • Automatically refreshes SCITT artifacts (receipts and status tokens)
      • + *
    • Adds SCITT headers to all outgoing responses
      • + *
    • Verifies incoming client requests against SCITT artifacts
      • + *
    • Exposes SCITT health status via Spring Actuator
      • + *
    + * + *

    Quick Start

    + * 
    + * # Set required environment variables
+ * export ANS_AGENT_ID=your-agent-uuid
+ * export SSL_KEYSTORE_PATH=/path/to/keystore.p12
+ * export SSL_KEYSTORE_PASSWORD=changeit
+ * export SSL_TRUSTSTORE_PATH=/path/to/truststore.p12
+ * export SSL_TRUSTSTORE_PASSWORD=changeit
+ *
+ * # Run the server
+ * ./gradlew :ans-sdk-agent-client:examples:mcp-server-spring:bootRun
+ *
    + * + *

    Health Check

    + * 
    + * curl -k https://localhost:8443/actuator/health
+ *
    + * + * @see com.godaddy.ans.examples.mcp.spring.config.ScittConfig + * @see com.godaddy.ans.examples.mcp.spring.filter.ClientVerificationFilter + * @see com.godaddy.ans.examples.mcp.spring.filter.ScittHeaderResponseFilter + */ +@SpringBootApplication +@EnableConfigurationProperties(McpServerProperties.class) +public class McpServerSpringApplication { + + private static final Logger LOGGER = LoggerFactory.getLogger(McpServerSpringApplication.class); + + public static void main(String[] args) { + // Register BouncyCastle provider for PEM certificate handling + Security.addProvider(new BouncyCastleProvider()); + LOGGER.info("Registered BouncyCastle security provider"); + + SpringApplication.run(McpServerSpringApplication.class, args); + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/McpServerProperties.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/McpServerProperties.java new file mode 100644 index 0000000..8bcc272 --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/McpServerProperties.java @@ -0,0 +1,158 @@ +package com.godaddy.ans.examples.mcp.spring.config; + +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import org.springframework.boot.context.properties.ConfigurationProperties; + +/** + * Configuration properties for the ANS MCP server. + * + *

    Configurable via application.yml with prefix {@code ans.mcp}.

    + */ +@ConfigurationProperties(prefix = "ans.mcp") +public class McpServerProperties { + + /** + * Agent UUID for SCITT artifact fetching from the Transparency Log. + */ + private String agentId; + + /** + * Server identification. + */ + private ServerInfo serverInfo = new ServerInfo(); + + /** + * Client verification settings. + */ + private Verification verification = new Verification(); + + /** + * SCITT configuration. + */ + private Scitt scitt = new Scitt(); + + public String getAgentId() { + return agentId; + } + + public void setAgentId(String agentId) { + this.agentId = agentId; + } + + public ServerInfo getServerInfo() { + return serverInfo; + } + + public void setServerInfo(ServerInfo serverInfo) { + this.serverInfo = serverInfo; + } + + public Verification getVerification() { + return verification; + } + + public void setVerification(Verification verification) { + this.verification = verification; + } + + public Scitt getScitt() { + return scitt; + } + + public void setScitt(Scitt scitt) { + this.scitt = scitt; + } + + /** + * Server identification settings. + */ + public static class ServerInfo { + private String name = "ans-mcp-server"; + private String version = "1.0.0"; + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public String getVersion() { + return version; + } + + public void setVersion(String version) { + this.version = version; + } + } + + /** + * Client verification settings. + */ + public static class Verification { + /** + * Whether to enable client verification. + */ + private boolean enabled = true; + + /** + * Verification policy name. Supported values: + * - PKI_ONLY: No additional verification beyond TLS + * - SCITT_REQUIRED: Require valid SCITT artifacts (recommended for production) + * - SCITT_ENHANCED: SCITT with badge fallback + */ + private String policy = "SCITT_REQUIRED"; + + public boolean isEnabled() { + return enabled; + } + + public void setEnabled(boolean enabled) { + this.enabled = enabled; + } + + public String getPolicy() { + return policy; + } + + public void setPolicy(String policy) { + this.policy = policy; + } + + /** + * Returns the verification policy instance based on the configured policy name. + */ + public VerificationPolicy getVerificationPolicy() { + return switch (policy.toUpperCase()) { + case "PKI_ONLY" -> VerificationPolicy.PKI_ONLY; + case "BADGE_REQUIRED" -> VerificationPolicy.BADGE_REQUIRED; + case "DANE_ADVISORY" -> VerificationPolicy.DANE_ADVISORY; + case "DANE_REQUIRED" -> VerificationPolicy.DANE_REQUIRED; + case "DANE_AND_BADGE" -> VerificationPolicy.DANE_AND_BADGE; + case "SCITT_ENHANCED" -> VerificationPolicy.SCITT_ENHANCED; + case "SCITT_REQUIRED" -> VerificationPolicy.SCITT_REQUIRED; + default -> throw new IllegalArgumentException("Unknown verification policy: " + policy); + }; + } + } + + /** + * SCITT configuration settings. + */ + public static class Scitt { + /** + * Transparency Log domain for SCITT operations. + * Default is OTE (testing environment). + */ + private String domain = "transparency.ans.ote-godaddy.com"; + + public String getDomain() { + return domain; + } + + public void setDomain(String domain) { + this.domain = domain; + } + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittConfig.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittConfig.java new file mode 100644 index 0000000..26e3e64 --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittConfig.java @@ -0,0 +1,101 @@ +package com.godaddy.ans.examples.mcp.spring.config; + +import com.godaddy.ans.sdk.agent.verification.DefaultClientRequestVerifier; +import com.godaddy.ans.sdk.transparency.TransparencyClient; +import com.godaddy.ans.sdk.transparency.scitt.ScittArtifactManager; +import jakarta.annotation.PreDestroy; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +/** + * Spring configuration for SCITT artifact management and client verification. + * + *

    This configuration creates and manages the lifecycle of:

    + *
      + *
    • {@link TransparencyClient} - for fetching SCITT artifacts from the Transparency Log
      • + *
    • {@link ScittArtifactManager} - for caching and background refresh of artifacts
      • + *
    • {@link DefaultClientRequestVerifier} - for verifying incoming client requests
      • + *
    + * + *

    Background refresh is automatically started on application startup and stopped on shutdown.

    + */ +@Configuration +public class ScittConfig { + + private static final Logger LOGGER = LoggerFactory.getLogger(ScittConfig.class); + + private final McpServerProperties properties; + private ScittArtifactManager artifactManager; + + public ScittConfig(McpServerProperties properties) { + this.properties = properties; + } + + /** + * Creates the Transparency Client for fetching SCITT artifacts. + * + *

    Uses the configured SCITT domain from properties, defaulting to + * the TransparencyClient's default (OTE) if not specified.

    + */ + @Bean + public TransparencyClient transparencyClient() { + String domain = properties.getScitt().getDomain(); + String baseUrl = "https://" + domain; + LOGGER.info("Configuring TransparencyClient with baseUrl: {}", baseUrl); + return TransparencyClient.builder() + .baseUrl(baseUrl) + .build(); + } + + /** + * Creates the SCITT Artifact Manager for caching and background refresh. + * + *

    The manager caches receipts indefinitely (they are immutable Merkle proofs) + * and automatically refreshes status tokens before they expire.

    + */ + @Bean + public ScittArtifactManager scittArtifactManager(TransparencyClient transparencyClient) { + artifactManager = ScittArtifactManager.builder() + .transparencyClient(transparencyClient) + .build(); + return artifactManager; + } + + /** + * Creates the Client Request Verifier for validating incoming requests. + * + *

    The verifier extracts SCITT artifacts from request headers, validates + * cryptographic signatures, and matches client certificate fingerprints + * against the status token's identity certificates.

    + * + *

    Features:

    + *
      + *
    • 64KB header size limit (DoS protection)
      • + *
    • Constant-time fingerprint comparison (timing attack protection)
      • + *
    • Result caching based on (receipt hash, token hash, cert fingerprint)
      • + *
    + */ + @Bean + public DefaultClientRequestVerifier clientRequestVerifier(TransparencyClient transparencyClient) { + return DefaultClientRequestVerifier.builder() + .transparencyClient(transparencyClient) + .build(); + } + + /** + * Stops background refresh and releases resources on shutdown. + */ + @PreDestroy + public void stopBackgroundRefresh() { + if (artifactManager != null) { + String agentId = properties.getAgentId(); + if (agentId != null && !agentId.isBlank()) { + LOGGER.info("Stopping SCITT artifact background refresh for agent: {}", agentId); + artifactManager.stopBackgroundRefresh(agentId); + } + artifactManager.close(); + } + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittLifecycle.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittLifecycle.java new file mode 100644 index 0000000..ec8060d --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittLifecycle.java @@ -0,0 +1,81 @@ +package com.godaddy.ans.examples.mcp.spring.config; + +import com.godaddy.ans.sdk.transparency.scitt.ScittArtifactManager; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.context.SmartLifecycle; +import org.springframework.stereotype.Component; + +/** + * Manages the lifecycle of SCITT artifact background refresh. + * + *

    Implements {@link SmartLifecycle} to ensure background refresh starts + * after all beans are created and stops before they are destroyed.

    + */ +@Component +public class ScittLifecycle implements SmartLifecycle { + + private static final Logger LOGGER = LoggerFactory.getLogger(ScittLifecycle.class); + + private final McpServerProperties properties; + private final ScittArtifactManager artifactManager; + private volatile boolean running = false; + + public ScittLifecycle(McpServerProperties properties, ScittArtifactManager artifactManager) { + this.properties = properties; + this.artifactManager = artifactManager; + } + + @Override + public void start() { + String agentId = properties.getAgentId(); + if (agentId != null && !agentId.isBlank()) { + LOGGER.info("Starting SCITT artifact management for agent: {}", agentId); + + // Pre-fetch both artifacts to warm the cache before first request + LOGGER.info("Pre-fetching SCITT artifacts for agent: {}", agentId); + artifactManager.getReceipt(agentId) + .thenAccept(receipt -> LOGGER.info("Receipt pre-fetched (tree size: {})", + receipt.inclusionProof().treeSize())) + .exceptionally(e -> { + LOGGER.warn("Failed to pre-fetch receipt: {}", e.getMessage()); + return null; + }); + artifactManager.getStatusToken(agentId) + .thenAccept(token -> LOGGER.info("Status token pre-fetched (expires: {})", token.expiresAt())) + .exceptionally(e -> { + LOGGER.warn("Failed to pre-fetch status token: {}", e.getMessage()); + return null; + }); + + // Start background refresh to keep status token fresh + artifactManager.startBackgroundRefresh(agentId); + running = true; + } else { + LOGGER.warn("No agent ID configured - SCITT artifact refresh not started"); + } + } + + @Override + public void stop() { + if (running) { + String agentId = properties.getAgentId(); + if (agentId != null && !agentId.isBlank()) { + LOGGER.info("Stopping SCITT artifact background refresh for agent: {}", agentId); + artifactManager.stopBackgroundRefresh(agentId); + } + running = false; + } + } + + @Override + public boolean isRunning() { + return running; + } + + @Override + public int getPhase() { + // Start late (after other beans), stop early (before other beans) + return Integer.MAX_VALUE - 100; + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/controller/McpController.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/controller/McpController.java new file mode 100644 index 0000000..bcd1916 --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/controller/McpController.java @@ -0,0 +1,197 @@ +package com.godaddy.ans.examples.mcp.spring.controller; + +import com.godaddy.ans.examples.mcp.spring.config.McpServerProperties; +import io.modelcontextprotocol.json.McpJsonMapper; +import io.modelcontextprotocol.json.jackson3.JacksonMcpJsonMapper; +import io.modelcontextprotocol.server.McpServer; +import io.modelcontextprotocol.server.McpStatelessServerFeatures.SyncToolSpecification; +import io.modelcontextprotocol.server.McpStatelessSyncServer; +import io.modelcontextprotocol.server.transport.HttpServletStatelessServerTransport; +import io.modelcontextprotocol.spec.McpSchema.CallToolResult; +import io.modelcontextprotocol.spec.McpSchema.ServerCapabilities; +import io.modelcontextprotocol.spec.McpSchema.Tool; +import jakarta.annotation.PostConstruct; +import jakarta.annotation.PreDestroy; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import java.io.IOException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RestController; +import tools.jackson.databind.json.JsonMapper; + +/** + * REST controller that handles MCP protocol requests. + * + *

    Integrates the MCP SDK's servlet transport with Spring MVC. The MCP server + * is configured with demo tools (hello, echo) for testing.

    + * + *

    Example usage:

    + * 
    + * POST /mcp
+ * Content-Type: application/json
+ *
+ * {"jsonrpc": "2.0", "method": "tools/list", "id": 1}
+ *
    + */ +@RestController +@RequestMapping("/mcp") +public class McpController { + + private static final Logger LOGGER = LoggerFactory.getLogger(McpController.class); + + private final McpServerProperties properties; + private HttpServletStatelessServerTransport transport; + private McpStatelessSyncServer server; + + public McpController(McpServerProperties properties) { + this.properties = properties; + } + + @PostConstruct + public void init() { + LOGGER.info("Initializing MCP server: {} v{}", + properties.getServerInfo().getName(), + properties.getServerInfo().getVersion()); + + // Create JSON mapper using Jackson 3.x + McpJsonMapper jsonMapper = new JacksonMcpJsonMapper(JsonMapper.builder().build()); + + // Create stateless servlet transport + transport = HttpServletStatelessServerTransport.builder() + .jsonMapper(jsonMapper) + .build(); + + // Build MCP server with demo tools + server = McpServer.sync(transport) + .serverInfo(properties.getServerInfo().getName(), properties.getServerInfo().getVersion()) + .capabilities(ServerCapabilities.builder().tools(true).build()) + .tools(createHelloToolSpec(jsonMapper), createEchoToolSpec(jsonMapper)) + .build(); + + LOGGER.info("MCP server initialized with tools: hello, echo"); + } + + @PreDestroy + public void destroy() { + if (server != null) { + LOGGER.info("Shutting down MCP server"); + server.close(); + } + if (transport != null) { + transport.close(); + } + } + + /** + * Handles HEAD requests for endpoint availability checks. + */ + @RequestMapping(method = RequestMethod.HEAD) + public void handleHead() { + // Returns 200 OK - MCP SDK uses HEAD to check endpoint availability + } + + /** + * Handles GET requests for SSE streaming. + * + *

    Stateless servers don't push notifications, so we return an empty SSE stream + * that closes immediately. This satisfies the MCP protocol without errors.

    + */ + @RequestMapping(method = RequestMethod.GET) + public void handleSse(HttpServletResponse response) throws IOException { + response.setContentType("text/event-stream"); + response.setCharacterEncoding("UTF-8"); + response.setHeader("Cache-Control", "no-cache"); + response.setHeader("Connection", "keep-alive"); + response.getWriter().flush(); + // Stream closes immediately - no notifications from stateless server + } + + /** + * Handles MCP JSON-RPC requests. + * + *

    At this point, the client has already been verified by + * {@link com.godaddy.ans.examples.mcp.spring.filter.ClientVerificationFilter} + * and SCITT headers will be added by + * {@link com.godaddy.ans.examples.mcp.spring.filter.ScittHeaderResponseFilter}.

    + */ + @RequestMapping(method = RequestMethod.POST) + public void handleMcp(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + LOGGER.debug("Handling MCP POST request"); + transport.service(request, response); + } + + /** + * Creates the hello tool specification. + */ + private SyncToolSpecification createHelloToolSpec(McpJsonMapper jsonMapper) { + Tool tool = Tool.builder() + .name("hello") + .description("Greets the user by name. A simple demo tool for testing.") + .inputSchema(jsonMapper, """ + { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "The name to greet" + } + }, + "required": ["name"] + } + """) + .build(); + + return SyncToolSpecification.builder() + .tool(tool) + .callHandler((context, request) -> { + String name = "World"; + if (request.arguments() != null && request.arguments().containsKey("name")) { + name = request.arguments().get("name").toString(); + } + return CallToolResult.builder() + .addTextContent("Hello, " + name + "! Welcome to the ANS-verified MCP server.") + .build(); + }) + .build(); + } + + /** + * Creates the echo tool specification. + */ + private SyncToolSpecification createEchoToolSpec(McpJsonMapper jsonMapper) { + Tool tool = Tool.builder() + .name("echo") + .description("Echoes back the provided message. Useful for testing connectivity.") + .inputSchema(jsonMapper, """ + { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "The message to echo" + } + }, + "required": ["message"] + } + """) + .build(); + + return SyncToolSpecification.builder() + .tool(tool) + .callHandler((context, request) -> { + String message = ""; + if (request.arguments() != null && request.arguments().containsKey("message")) { + message = request.arguments().get("message").toString(); + } + return CallToolResult.builder() + .addTextContent("Echo: " + message) + .build(); + }) + .build(); + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ClientVerificationFilter.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ClientVerificationFilter.java new file mode 100644 index 0000000..3ab992e --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ClientVerificationFilter.java @@ -0,0 +1,172 @@ +package com.godaddy.ans.examples.mcp.spring.filter; + +import com.godaddy.ans.examples.mcp.spring.config.McpServerProperties; +import com.godaddy.ans.sdk.agent.VerificationMode; +import com.godaddy.ans.sdk.agent.VerificationPolicy; +import com.godaddy.ans.sdk.agent.verification.ClientRequestVerificationResult; +import com.godaddy.ans.sdk.agent.verification.DefaultClientRequestVerifier; +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.core.Ordered; +import org.springframework.core.annotation.Order; +import org.springframework.stereotype.Component; +import org.springframework.web.filter.OncePerRequestFilter; + +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.TimeUnit; + +/** + * Servlet filter that verifies incoming client requests against SCITT artifacts. + * + *

    This filter extracts the client certificate from mTLS and SCITT headers from + * the request, then uses {@link DefaultClientRequestVerifier} to validate:

    + *
      + *
    • SCITT receipt signature (proof of Transparency Log inclusion)
      • + *
    • Status token signature and validity period
      • + *
    • Client certificate fingerprint against identity certs in token
      • + *
    + * + *

    Security features provided by the SDK verifier:

    + *
      + *
    • 64KB header size limit (DoS protection)
      • + *
    • Constant-time fingerprint comparison (timing attack protection)
      • + *
    • Result caching based on (receipt hash, token hash, cert fingerprint)
      • + *
    + * + *

    On successful verification, the verified agent ID is stored as a request + * attribute for downstream use.

    + * + * @see DefaultClientRequestVerifier + */ +@Component +@Order(Ordered.HIGHEST_PRECEDENCE) // Run first +public class ClientVerificationFilter extends OncePerRequestFilter { + + private static final Logger LOGGER = LoggerFactory.getLogger(ClientVerificationFilter.class); + private static final long VERIFICATION_TIMEOUT_SECONDS = 5; + + /** + * Request attribute key for the verified agent ID. + */ + public static final String VERIFIED_AGENT_ID_ATTR = "ans.verified.agentId"; + + /** + * Request attribute key for the full verification result. + */ + public static final String VERIFICATION_RESULT_ATTR = "ans.verification.result"; + + private final DefaultClientRequestVerifier verifier; + private final boolean verificationEnabled; + private final VerificationPolicy policy; + + public ClientVerificationFilter( + DefaultClientRequestVerifier verifier, + McpServerProperties properties) { + this.verifier = verifier; + this.verificationEnabled = properties.getVerification().isEnabled(); + this.policy = properties.getVerification().getVerificationPolicy(); + } + + @Override + protected void doFilterInternal( + HttpServletRequest request, + HttpServletResponse response, + FilterChain filterChain) throws ServletException, IOException { + + if (!verificationEnabled) { + LOGGER.debug("Client verification disabled - skipping"); + filterChain.doFilter(request, response); + return; + } + + // Extract client certificate from mTLS + X509Certificate[] certs = (X509Certificate[]) + request.getAttribute("jakarta.servlet.request.X509Certificate"); + + if (certs == null || certs.length == 0) { + // No client certificate - check if verification is required + if (policy.scittMode() == VerificationMode.REQUIRED) { + LOGGER.warn("Client certificate required but not provided"); + response.sendError(HttpServletResponse.SC_FORBIDDEN, + "Client certificate required for SCITT verification"); + return; + } + LOGGER.debug("No client certificate - proceeding without verification"); + filterChain.doFilter(request, response); + return; + } + + X509Certificate clientCert = certs[0]; + LOGGER.debug("Verifying client certificate: {}", clientCert.getSubjectX500Principal()); + + // Extract all headers for verification + Map headers = extractHeaders(request); + + try { + // Verify using SDK (handles caching, fingerprint matching internally) + ClientRequestVerificationResult result = verifier + .verify(clientCert, headers, policy) + .get(VERIFICATION_TIMEOUT_SECONDS, TimeUnit.SECONDS); + + // Store result for downstream use + request.setAttribute(VERIFICATION_RESULT_ATTR, result); + + if (!result.verified()) { + LOGGER.warn("Client verification failed: {}", result.errors()); + + if (policy.scittMode() == VerificationMode.REQUIRED) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, + "Client verification failed: " + String.join(", ", result.errors())); + return; + } + // Advisory mode - log warning but continue + LOGGER.info("Proceeding despite verification failure (advisory mode)"); + } else { + // Verification successful + String agentId = result.agentId(); + request.setAttribute(VERIFIED_AGENT_ID_ATTR, agentId); + LOGGER.info("Verified agent: {} (verification took {}ms)", + agentId, result.verificationDuration().toMillis()); + } + + } catch (Exception e) { + LOGGER.error("Verification error: {}", e.getMessage(), e); + + if (policy.scittMode() == VerificationMode.REQUIRED) { + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, + "Verification error: " + e.getMessage()); + return; + } + // Advisory mode - continue despite error + LOGGER.warn("Proceeding despite verification error (advisory mode)"); + } + + filterChain.doFilter(request, response); + } + + /** + * Extracts all HTTP headers from the request. + * + *

    For headers with multiple values, only the first value is used.

    + */ + private Map extractHeaders(HttpServletRequest request) { + Map headers = new HashMap<>(); + Enumeration headerNames = request.getHeaderNames(); + + while (headerNames.hasMoreElements()) { + String name = headerNames.nextElement(); + String value = request.getHeader(name); + headers.put(name, value); + } + + return headers; + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java new file mode 100644 index 0000000..0f1d1cf --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java @@ -0,0 +1,94 @@ +package com.godaddy.ans.examples.mcp.spring.filter; + +import com.godaddy.ans.examples.mcp.spring.config.McpServerProperties; +import com.godaddy.ans.sdk.transparency.scitt.ScittArtifactManager; +import com.godaddy.ans.sdk.transparency.scitt.ScittHeaders; +import jakarta.servlet.Filter; +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Component; + +import java.io.IOException; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.TimeUnit; + +/** + * Servlet filter that adds SCITT headers to all outgoing responses. + * + *

    This filter retrieves the current SCITT artifacts (receipt and status token) + * from the {@link ScittArtifactManager} cache and adds them as Base64-encoded headers + * to every HTTP response.

    + * + *

    Headers added:

    + *
      + *
    • {@code X-SCITT-Receipt} - Cryptographic proof of Transparency Log inclusion
      • + *
    • {@code X-ANS-Status-Token} - Time-bounded assertion of agent status
      • + *
    + * + *

    The artifact manager caches artifacts and refreshes them in the background, + * so this filter benefits from cached values without making HTTP calls on each request.

    + * + * @see ScittHeaders + * @see ScittArtifactManager + */ +@Component +public class ScittHeaderResponseFilter implements Filter { + + private static final Logger LOGGER = LoggerFactory.getLogger(ScittHeaderResponseFilter.class); + private static final long ARTIFACT_TIMEOUT_SECONDS = 5; + + private final ScittArtifactManager artifactManager; + private final String agentId; + + public ScittHeaderResponseFilter( + ScittArtifactManager artifactManager, + McpServerProperties properties) { + this.artifactManager = artifactManager; + this.agentId = properties.getAgentId(); + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException { + + if (agentId == null || agentId.isBlank()) { + // No agent ID configured - skip SCITT headers + chain.doFilter(request, response); + return; + } + + HttpServletResponse httpResponse = (HttpServletResponse) response; + + try { + // Fetch pre-computed Base64 artifacts concurrently + CompletableFuture receiptFuture = artifactManager.getReceiptBase64(agentId); + CompletableFuture tokenFuture = artifactManager.getStatusTokenBase64(agentId); + + // Wait for both with timeout + String receipt = receiptFuture.get(ARTIFACT_TIMEOUT_SECONDS, TimeUnit.SECONDS); + String token = tokenFuture.get(ARTIFACT_TIMEOUT_SECONDS, TimeUnit.SECONDS); + + // Add SCITT headers + if (receipt != null && !receipt.isEmpty()) { + httpResponse.addHeader(ScittHeaders.SCITT_RECEIPT_HEADER, receipt); + LOGGER.debug("Added SCITT receipt header for agent: {}", agentId); + } + + if (token != null && !token.isEmpty()) { + httpResponse.addHeader(ScittHeaders.STATUS_TOKEN_HEADER, token); + LOGGER.debug("Added status token header for agent: {}", agentId); + } + + } catch (Exception e) { + LOGGER.warn("Failed to fetch SCITT artifacts for agent {}: {}", agentId, e.getMessage()); + // Continue without SCITT headers - graceful degradation + } + + chain.doFilter(request, response); + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/health/ScittHealthIndicator.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/health/ScittHealthIndicator.java new file mode 100644 index 0000000..7f1e0c4 --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/health/ScittHealthIndicator.java @@ -0,0 +1,172 @@ +package com.godaddy.ans.examples.mcp.spring.health; + +import com.godaddy.ans.examples.mcp.spring.config.McpServerProperties; +import com.godaddy.ans.sdk.transparency.scitt.ScittArtifactManager; +import com.godaddy.ans.sdk.transparency.scitt.StatusToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.actuate.health.Health; +import org.springframework.boot.actuate.health.HealthIndicator; +import org.springframework.stereotype.Component; + +import java.time.Duration; +import java.time.Instant; +import java.util.concurrent.TimeUnit; + +/** + * Health indicator that exposes SCITT artifact status to /actuator/health. + * + *

    Provides visibility into:

    + *
      + *
    • Agent ID being served
      • + *
    • Status token expiration and time remaining
      • + *
    • Whether artifacts are stale (refresh failed)
      • + *
    • Token status (ACTIVE, WARNING, EXPIRED)
      • + *
    + * + *

    Example output:

    + * 
    + * {
+ *   "status": "UP",
+ *   "details": {
+ *     "agentId": "abc-123",
+ *     "tokenStatus": "ACTIVE",
+ *     "tokenExpiration": "2024-01-15T10:30:00Z",
+ *     "timeRemaining": "PT2H30M",
+ *     "stale": false
+ *   }
+ * }
+ *
    + */ +@Component +public class ScittHealthIndicator implements HealthIndicator { + + private static final Logger LOGGER = LoggerFactory.getLogger(ScittHealthIndicator.class); + + /** + * Warn if token expires within this duration. + */ + private static final Duration WARNING_THRESHOLD = Duration.ofMinutes(30); + + private final ScittArtifactManager artifactManager; + private final String agentId; + + public ScittHealthIndicator( + ScittArtifactManager artifactManager, + McpServerProperties properties) { + this.artifactManager = artifactManager; + this.agentId = properties.getAgentId(); + } + + @Override + public Health health() { + if (agentId == null || agentId.isBlank()) { + return Health.unknown() + .withDetail("reason", "No agent ID configured") + .build(); + } + + try { + // Try to get current status token (cached, non-blocking if available) + StatusToken token = artifactManager.getStatusToken(agentId) + .get(2, TimeUnit.SECONDS); + + if (token == null) { + return Health.down() + .withDetail("agentId", agentId) + .withDetail("reason", "No status token available") + .withDetail("stale", true) + .build(); + } + + Instant now = Instant.now(); + Instant expiration = token.expiresAt(); + + // Handle case where expiration is not set + if (expiration == null) { + return Health.up() + .withDetail("agentId", agentId) + .withDetail("tokenStatus", TokenStatus.ACTIVE.name()) + .withDetail("tokenExpiration", "none") + .withDetail("stale", false) + .build(); + } + + Duration timeRemaining = Duration.between(now, expiration); + + // Determine token status + TokenStatus status; + Health.Builder healthBuilder; + + if (timeRemaining.isNegative()) { + status = TokenStatus.EXPIRED; + healthBuilder = Health.down(); + } else if (timeRemaining.compareTo(WARNING_THRESHOLD) < 0) { + status = TokenStatus.WARNING; + healthBuilder = Health.status("WARNING"); + } else { + status = TokenStatus.ACTIVE; + healthBuilder = Health.up(); + } + + return healthBuilder + .withDetail("agentId", agentId) + .withDetail("tokenStatus", status.name()) + .withDetail("tokenExpiration", expiration.toString()) + .withDetail("timeRemaining", formatDuration(timeRemaining)) + .withDetail("tokenIssuedAt", token.issuedAt() != null ? token.issuedAt().toString() : "unknown") + .withDetail("stale", false) + .build(); + + } catch (Exception e) { + LOGGER.warn("Failed to check SCITT health for agent {}: {}", agentId, e.getMessage()); + + return Health.down() + .withDetail("agentId", agentId) + .withDetail("reason", "Failed to fetch status token: " + e.getMessage()) + .withDetail("stale", true) + .build(); + } + } + + /** + * Formats a duration in a human-readable format. + */ + private String formatDuration(Duration duration) { + if (duration.isNegative()) { + return "EXPIRED"; + } + + long hours = duration.toHours(); + long minutes = duration.toMinutesPart(); + long seconds = duration.toSecondsPart(); + + if (hours > 0) { + return String.format("%dh %dm %ds", hours, minutes, seconds); + } else if (minutes > 0) { + return String.format("%dm %ds", minutes, seconds); + } else { + return String.format("%ds", seconds); + } + } + + /** + * Token status levels. + */ + private enum TokenStatus { + /** + * Token is valid and has sufficient time remaining. + */ + ACTIVE, + + /** + * Token is valid but expiring soon. + */ + WARNING, + + /** + * Token has expired. + */ + EXPIRED + } +} diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/resources/application.yml b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/resources/application.yml new file mode 100644 index 0000000..6f7cbce --- /dev/null +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/resources/application.yml @@ -0,0 +1,69 @@ +# Spring Boot MCP Server with ANS Verification +# =========================================================== +# This configuration enables: +# - HTTPS with optional mTLS (client certificate) +# - SCITT artifact injection on all responses +# - SCITT-based client verification +# - Health monitoring via Actuator + +server: + port: 8443 + ssl: + enabled: true + enabled-protocols: TLSv1.2 + # Path to the keystore containing the server certificate and private key + key-store: ${SSL_KEYSTORE_PATH} + key-store-password: ${SSL_KEYSTORE_PASSWORD} + key-store-type: ${SSL_KEYSTORE_TYPE:PKCS12} + # Client certificate authentication mode: + # none - no client cert required (default for development) + # want - request client cert but don't require it + # need - require client cert (production with mTLS) + client-auth: ${SSL_CLIENT_AUTH:need} + # For mTLS, uncomment and configure truststore: + trust-store: ${SSL_TRUSTSTORE_PATH} + trust-store-password: ${SSL_TRUSTSTORE_PASSWORD} + trust-store-type: ${SSL_TRUSTSTORE_TYPE:PKCS12} + +# ANS MCP Server Configuration +ans: + mcp: + # Agent UUID for SCITT artifact fetching (required) + agent-id: ${ANS_AGENT_ID:e3cf3df4-092e-497d-80f3-55ad0e38588a} + + # Server identification for MCP protocol + server-info: + name: ans-mcp-server + version: 1.0.0 + + # Client verification settings + verification: + # Enable/disable client verification + enabled: ${ANS_VERIFICATION_ENABLED:true} + # Verification policy (SCITT_REQUIRED recommended for production) + # Options: PKI_ONLY, BADGE_REQUIRED, DANE_ADVISORY, DANE_REQUIRED, + # DANE_AND_BADGE, SCITT_ENHANCED, SCITT_REQUIRED + policy: ${ANS_VERIFICATION_POLICY:SCITT_REQUIRED} + + # SCITT configuration + scitt: + # Transparency Log domain (use OTE for testing, production for live) + domain: ${ANS_SCITT_DOMAIN:transparency.ans.ote-godaddy.com} + +# Spring Actuator (health monitoring) +management: + endpoints: + web: + exposure: + include: health,info + endpoint: + health: + show-details: always + show-components: always + +# Logging +logging: + level: + com.godaddy.ans: INFO + com.godaddy.ans.sdk.transparency: DEBUG + com.godaddy.ans.examples.mcp.spring: DEBUG From 73b5cd9da4c350a1b912b27e3c6c06847614d725 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 13:16:59 +1100 Subject: [PATCH 07/19] feat: test coverage --- .../ScittVerifierAdapterTest.java | 180 ++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java index 0e8c041..07e961b 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java @@ -231,6 +231,152 @@ void shouldReturnParseErrorOnException() throws Exception { ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); } + + @Test + @DisplayName("Should return parseError on verification exception") + void shouldReturnParseErrorOnVerificationException() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + when(mockScittVerifier.verify(any(), any(), any())) + .thenThrow(new RuntimeException("Verification error")); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); + } + + @Test + @DisplayName("Should handle async exception via exceptionally") + void shouldHandleAsyncException() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.failedFuture(new RuntimeException("Async failure"))); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); + assertThat(result.expectation().failureReason()).contains("Async failure"); + } + + @Test + @DisplayName("Should handle key not found with REJECT decision") + void shouldHandleKeyNotFoundWithReject() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + when(token.issuedAt()).thenReturn(java.time.Instant.now().minusSeconds(3600)); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + + ScittExpectation keyNotFound = ScittExpectation.keyNotFound("unknown-key-id"); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(keyNotFound); + + com.godaddy.ans.sdk.transparency.scitt.RefreshDecision rejectDecision = + com.godaddy.ans.sdk.transparency.scitt.RefreshDecision.reject("Too old"); + when(mockTransparencyClient.refreshRootKeysIfNeeded(any())).thenReturn(rejectDecision); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); + } + + @Test + @DisplayName("Should handle key not found with DEFER decision") + void shouldHandleKeyNotFoundWithDefer() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + when(token.issuedAt()).thenReturn(java.time.Instant.now()); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + + ScittExpectation keyNotFound = ScittExpectation.keyNotFound("unknown-key-id"); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(keyNotFound); + + com.godaddy.ans.sdk.transparency.scitt.RefreshDecision deferDecision = + com.godaddy.ans.sdk.transparency.scitt.RefreshDecision.defer("Cooldown active"); + when(mockTransparencyClient.refreshRootKeysIfNeeded(any())).thenReturn(deferDecision); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.PARSE_ERROR); + } + + @Test + @DisplayName("Should handle key not found with REFRESHED decision") + void shouldHandleKeyNotFoundWithRefreshed() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + when(token.issuedAt()).thenReturn(java.time.Instant.now()); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + + ScittExpectation keyNotFound = ScittExpectation.keyNotFound("unknown-key-id"); + ScittExpectation verified = ScittExpectation.verified( + List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + when(mockScittVerifier.verify(any(), any(), any())) + .thenReturn(keyNotFound) + .thenReturn(verified); + + Map freshKeys = toRootKeys(testKeyPair.getPublic()); + com.godaddy.ans.sdk.transparency.scitt.RefreshDecision refreshedDecision = + com.godaddy.ans.sdk.transparency.scitt.RefreshDecision.refreshed(freshKeys); + when(mockTransparencyClient.refreshRootKeysIfNeeded(any())).thenReturn(refreshedDecision); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + assertThat(result.expectation().isVerified()).isTrue(); + } + + @Test + @DisplayName("Should handle key not found with null issued-at") + void shouldHandleKeyNotFoundWithNullIssuedAt() throws Exception { + ScittReceipt receipt = mock(ScittReceipt.class); + StatusToken token = mock(StatusToken.class); + when(token.issuedAt()).thenReturn(null); + when(receipt.protectedHeader()).thenReturn(null); + ScittHeaderProvider.ScittArtifacts artifacts = + new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + + when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + + ScittExpectation keyNotFound = ScittExpectation.keyNotFound("unknown-key-id"); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(keyNotFound); + + CompletableFuture future = adapter.preVerify(Map.of()); + + ScittPreVerifyResult result = future.get(5, TimeUnit.SECONDS); + // Should return original key not found since we can't determine artifact time + assertThat(result.expectation().status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); + } } @Nested @@ -337,6 +483,40 @@ void shouldReturnMismatchWhenPostVerificationFails() { assertThat(result.status()).isEqualTo(VerificationResult.Status.MISMATCH); assertThat(result.type()).isEqualTo(VerificationResult.VerificationType.SCITT); } + + @Test + @DisplayName("Should return MISMATCH with unknown expected when fingerprints empty") + void shouldReturnMismatchWithUnknownWhenFingerprintsEmpty() { + X509Certificate cert = mock(X509Certificate.class); + ScittExpectation expectation = ScittExpectation.verified( + List.of(), List.of(), "host", "ans.test", Map.of(), null); + ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( + expectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + ScittVerifier.ScittVerificationResult verifyResult = + ScittVerifier.ScittVerificationResult.mismatch("actual456", "No valid fingerprints"); + when(mockScittVerifier.postVerify(any(), any(), any())).thenReturn(verifyResult); + + VerificationResult result = adapter.postVerify("test.example.com", cert, preResult); + + assertThat(result.status()).isEqualTo(VerificationResult.Status.MISMATCH); + assertThat(result.expectedFingerprint()).isEqualTo("unknown"); + } + + @Test + @DisplayName("Should return ERROR with default message when failureReason is null") + void shouldReturnErrorWithDefaultMessageWhenFailureReasonNull() { + X509Certificate cert = mock(X509Certificate.class); + // Create expectation with null failureReason + ScittExpectation failedExpectation = ScittExpectation.keyNotFound(null); + ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( + failedExpectation, mock(ScittReceipt.class), mock(StatusToken.class)); + + VerificationResult result = adapter.postVerify("test.example.com", cert, preResult); + + assertThat(result.status()).isEqualTo(VerificationResult.Status.ERROR); + assertThat(result.reason()).contains("SCITT verification failed"); + } } } From 53b0f605db12c7f7166afeab69426d707004be3d Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 13:17:30 +1100 Subject: [PATCH 08/19] chore(deps): Bump gradle/actions from 5.0.2 to 6.0.1 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e6210b2..43de992 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,7 +33,7 @@ jobs: distribution: 'temurin' - name: Validate Gradle wrapper - uses: gradle/actions/wrapper-validation@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/wrapper-validation@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1 - name: Cache Gradle packages uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 From 93a4515a757f40c5ab88dde623ee42fa1457b58b Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 13:18:01 +1100 Subject: [PATCH 09/19] chore(deps): Bump org.openapi.generator from 7.20.0 to 7.21.0 --- build.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle.kts b/build.gradle.kts index 3b90b25..6cf8edd 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -2,7 +2,7 @@ plugins { java `java-library` checkstyle - id("org.openapi.generator") version "7.20.0" apply false + id("org.openapi.generator") version "7.21.0" apply false id("com.vanniktech.maven.publish") version "0.36.0" apply false } From ef427f0c3df153f9f3a5cc05f823ead597758579 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 13:18:16 +1100 Subject: [PATCH 10/19] chore(deps): Bump gradle-wrapper from 9.4.0 to 9.4.1 --- gradle/wrapper/gradle-wrapper.properties | 2 +- gradlew | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index dbc3ce4..c61a118 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-9.4.0-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-9.4.1-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/gradlew b/gradlew index 0262dcb..739907d 100755 --- a/gradlew +++ b/gradlew @@ -57,7 +57,7 @@ # Darwin, MinGW, and NonStop. # # (3) This script is generated from the Groovy template -# https://github.com/gradle/gradle/blob/b631911858264c0b6e4d6603d677ff5218766cee/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# https://github.com/gradle/gradle/blob/2d6327017519d23b96af35865dc997fcb544fb40/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt # within the Gradle project. # # You can find Gradle at https://github.com/gradle/gradle/. From 468e4af9c2d0db38fe0075cb3a9f5fc084777212 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 27 Mar 2026 13:19:27 +1100 Subject: [PATCH 11/19] chore(deps): Bump actions/cache from 5.0.3 to 5.0.4 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 43de992..1c136b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: uses: gradle/actions/wrapper-validation@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1 - name: Cache Gradle packages - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.gradle/caches From 24bb686a84e584fefd570a5b540fde60ca7ebdbc Mon Sep 17 00:00:00 2001 From: James Hateley Date: Tue, 31 Mar 2026 15:05:28 +1100 Subject: [PATCH 12/19] feat: code cleanup and refactor --- ans-sdk-agent-client/build.gradle.kts | 3 +- .../filter/ScittHeaderResponseFilter.java | 25 +-- .../ClientRequestVerifierTest.java | 18 +-- .../DefaultConnectionVerifierTest.java | 6 +- .../PreVerificationResultTest.java | 10 +- .../ScittVerifierAdapterTest.java | 10 +- .../ans/sdk/concurrent/AnsExecutors.java | 6 +- .../godaddy/ans/sdk/crypto/CryptoCache.java | 29 ++++ ans-sdk-transparency/build.gradle.kts | 3 +- .../ans/sdk/transparency/scitt/CwtClaims.java | 54 ------- .../scitt/DefaultScittVerifier.java | 93 +---------- .../scitt/ScittArtifactManager.java | 61 ++++---- .../transparency/scitt/ScittExpectation.java | 43 ++---- .../sdk/transparency/scitt/StatusToken.java | 24 ++- .../scitt/DefaultScittHeaderProviderTest.java | 3 +- .../scitt/DefaultScittVerifierTest.java | 35 ++--- .../scitt/ScittArtifactManagerTest.java | 146 +++++++----------- .../scitt/ScittExpectationTest.java | 13 +- .../scitt/ScittPreVerifyResultTest.java | 7 +- .../transparency/scitt/StatusTokenTest.java | 65 +------- gradle.properties | 1 + 21 files changed, 207 insertions(+), 448 deletions(-) diff --git a/ans-sdk-agent-client/build.gradle.kts b/ans-sdk-agent-client/build.gradle.kts index f8faffa..af21c2b 100644 --- a/ans-sdk-agent-client/build.gradle.kts +++ b/ans-sdk-agent-client/build.gradle.kts @@ -7,6 +7,7 @@ val junitVersion: String by project val mockitoVersion: String by project val assertjVersion: String by project val wiremockVersion: String by project +val cborVersion: String by project dependencies { // Core and crypto modules @@ -42,6 +43,6 @@ dependencies { testImplementation("org.assertj:assertj-core:$assertjVersion") testImplementation("org.wiremock:wiremock:$wiremockVersion") testImplementation("io.projectreactor:reactor-test:$reactorVersion") - testImplementation("com.upokecenter:cbor:4.5.4") + testImplementation("com.upokecenter:cbor:$cborVersion") testRuntimeOnly("org.slf4j:slf4j-simple:$slf4jVersion") } \ No newline at end of file diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java index 0f1d1cf..0bac457 100644 --- a/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java +++ b/ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java @@ -2,7 +2,6 @@ import com.godaddy.ans.examples.mcp.spring.config.McpServerProperties; import com.godaddy.ans.sdk.transparency.scitt.ScittArtifactManager; -import com.godaddy.ans.sdk.transparency.scitt.ScittHeaders; import jakarta.servlet.Filter; import jakarta.servlet.FilterChain; import jakarta.servlet.ServletException; @@ -14,7 +13,7 @@ import org.springframework.stereotype.Component; import java.io.IOException; -import java.util.concurrent.CompletableFuture; +import java.util.Map; import java.util.concurrent.TimeUnit; /** @@ -65,23 +64,15 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha HttpServletResponse httpResponse = (HttpServletResponse) response; try { - // Fetch pre-computed Base64 artifacts concurrently - CompletableFuture receiptFuture = artifactManager.getReceiptBase64(agentId); - CompletableFuture tokenFuture = artifactManager.getStatusTokenBase64(agentId); + // Fetch pre-computed headers (receipt + status token) + Map headers = artifactManager.getOutgoingHeaders(agentId) + .get(ARTIFACT_TIMEOUT_SECONDS, TimeUnit.SECONDS); - // Wait for both with timeout - String receipt = receiptFuture.get(ARTIFACT_TIMEOUT_SECONDS, TimeUnit.SECONDS); - String token = tokenFuture.get(ARTIFACT_TIMEOUT_SECONDS, TimeUnit.SECONDS); + // Add SCITT headers to response + headers.forEach(httpResponse::addHeader); - // Add SCITT headers - if (receipt != null && !receipt.isEmpty()) { - httpResponse.addHeader(ScittHeaders.SCITT_RECEIPT_HEADER, receipt); - LOGGER.debug("Added SCITT receipt header for agent: {}", agentId); - } - - if (token != null && !token.isEmpty()) { - httpResponse.addHeader(ScittHeaders.STATUS_TOKEN_HEADER, token); - LOGGER.debug("Added status token header for agent: {}", agentId); + if (!headers.isEmpty()) { + LOGGER.debug("Added {} SCITT header(s) for agent: {}", headers.size(), agentId); } } catch (Exception e) { diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java index 7236f38..091b9de 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java @@ -161,8 +161,7 @@ void shouldVerifyValidArtifacts() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of(), // server certs (not used for client verification) List.of(clientCertFingerprint), // identity certs - must match client cert - "agent.example.com", - "test.ans", + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -187,8 +186,7 @@ void shouldCacheSuccessfulResult() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of(), List.of(clientCertFingerprint), - "agent.example.com", - "test.ans", + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -222,8 +220,7 @@ void shouldInvalidateCacheWhenTokenExpires() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of(), List.of(clientCertFingerprint), - "agent.example.com", - "test.ans", + "test.ans", Map.of(), shortLivedToken ); @@ -266,8 +263,7 @@ void shouldFailOnFingerprintMismatch() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of(), List.of("SHA256:different-fingerprint"), // Won't match client cert - "agent.example.com", - "test.ans", + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -289,8 +285,7 @@ void shouldFailWhenNoIdentityCerts() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of("SHA256:some-server-cert"), List.of(), // No identity certs - "agent.example.com", - "test.ans", + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -627,8 +622,7 @@ private StatusToken createMockStatusTokenWithExpiry(String agentId, Instant expi Instant.now(), expiresAt, agentId + ".ans", - "agent.example.com", - List.of(), + List.of(), List.of(), Map.of(), null, diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java index 4f6eadd..dc74ae9 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java @@ -369,7 +369,7 @@ void scittPreVerifyReturnsNotPresentWhenNoScittVerifier() throws ExecutionExcept @Test void scittPreVerifyDelegatesToScittVerifier() throws ExecutionException, InterruptedException { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp123"), List.of(), "host", "test.ans", Map.of(), null); + List.of("fp123"), List.of(), "test.ans", Map.of(), null); ScittPreVerifyResult expectedResult = ScittPreVerifyResult.verified( expectation, mock(ScittReceipt.class), mock(StatusToken.class)); @@ -394,7 +394,7 @@ void withScittResultCreatesEnhancedPreVerificationResult() { .build(); ScittExpectation expectation = ScittExpectation.verified( - List.of("scitt-fp"), List.of(), "host", "test.ans", Map.of(), null); + List.of("scitt-fp"), List.of(), "test.ans", Map.of(), null); ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified( expectation, mock(ScittReceipt.class), mock(StatusToken.class)); @@ -420,7 +420,7 @@ void postVerifyWithScittVerifierAndExpectation() { .build(); ScittExpectation expectation = ScittExpectation.verified( - List.of("fp123"), List.of(), "host", "test.ans", Map.of(), null); + List.of("fp123"), List.of(), "test.ans", Map.of(), null); ScittPreVerifyResult scittPreResult = ScittPreVerifyResult.verified( expectation, mock(ScittReceipt.class), mock(StatusToken.class)); diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java index 06b057b..dd5737f 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java @@ -218,7 +218,7 @@ void hasScittExpectationReturnsFalseWhenNotPresent() { @Test void hasScittExpectationReturnsTrueWhenPresent() { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp1"), List.of(), "host", "test.ans", Map.of(), null); + List.of("fp1"), List.of(), "test.ans", Map.of(), null); ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); PreVerificationResult result = PreVerificationResult.builder("test.com", 443) @@ -308,7 +308,7 @@ void scittPreVerifySucceededReturnsFalseForRevoked() { @Test void scittPreVerifySucceededReturnsTrueWhenVerified() { ScittExpectation expectation = ScittExpectation.verified( - List.of("server-fp"), List.of("identity-fp"), "agent.example.com", "test.ans", Map.of(), null); + List.of("server-fp"), List.of("identity-fp"), "test.ans", Map.of(), null); ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); PreVerificationResult result = PreVerificationResult.builder("test.com", 443) @@ -321,7 +321,7 @@ void scittPreVerifySucceededReturnsTrueWhenVerified() { @Test void builderWithScittPreVerifyResult() { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp1", "fp2"), List.of(), "host", "test.ans", Map.of("https", "SHA256:abc"), null); + List.of("fp1", "fp2"), List.of(), "test.ans", Map.of("https", "SHA256:abc"), null); ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); PreVerificationResult result = PreVerificationResult.builder("test.com", 443) @@ -337,7 +337,7 @@ void builderWithScittPreVerifyResult() { @Test void toStringIncludesScittInfo() { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp1"), List.of(), "host", "test.ans", Map.of(), null); + List.of("fp1"), List.of(), "test.ans", Map.of(), null); ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); PreVerificationResult result = PreVerificationResult.builder("test.com", 443) @@ -359,7 +359,7 @@ void toStringShowsScittFalseWhenNotPresent() { @Test void recordConstructorWithScittPreVerifyResult() { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp1"), List.of(), "host", "test.ans", Map.of(), null); + List.of("fp1"), List.of(), "test.ans", Map.of(), null); ScittPreVerifyResult scittResult = ScittPreVerifyResult.verified(expectation, null, null); PreVerificationResult result = new PreVerificationResult( diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java index 07e961b..1f19dda 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java @@ -210,7 +210,7 @@ void shouldVerifyCompleteArtifacts() throws Exception { .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); ScittExpectation expectation = ScittExpectation.verified( - List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("abc123"), List.of(), "ans.test", Map.of(), null); when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); CompletableFuture future = adapter.preVerify(Map.of()); @@ -338,7 +338,7 @@ void shouldHandleKeyNotFoundWithRefreshed() throws Exception { ScittExpectation keyNotFound = ScittExpectation.keyNotFound("unknown-key-id"); ScittExpectation verified = ScittExpectation.verified( - List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("abc123"), List.of(), "ans.test", Map.of(), null); when(mockScittVerifier.verify(any(), any(), any())) .thenReturn(keyNotFound) .thenReturn(verified); @@ -451,7 +451,7 @@ void shouldReturnErrorWhenPreVerificationFailed() { void shouldReturnSuccessWhenPostVerificationSucceeds() { X509Certificate cert = mock(X509Certificate.class); ScittExpectation expectation = ScittExpectation.verified( - List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("abc123"), List.of(), "ans.test", Map.of(), null); ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( expectation, mock(ScittReceipt.class), mock(StatusToken.class)); @@ -470,7 +470,7 @@ void shouldReturnSuccessWhenPostVerificationSucceeds() { void shouldReturnMismatchWhenPostVerificationFails() { X509Certificate cert = mock(X509Certificate.class); ScittExpectation expectation = ScittExpectation.verified( - List.of("expected123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("expected123"), List.of(), "ans.test", Map.of(), null); ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( expectation, mock(ScittReceipt.class), mock(StatusToken.class)); @@ -489,7 +489,7 @@ void shouldReturnMismatchWhenPostVerificationFails() { void shouldReturnMismatchWithUnknownWhenFingerprintsEmpty() { X509Certificate cert = mock(X509Certificate.class); ScittExpectation expectation = ScittExpectation.verified( - List.of(), List.of(), "host", "ans.test", Map.of(), null); + List.of(), List.of(), "ans.test", Map.of(), null); ScittPreVerifyResult preResult = ScittPreVerifyResult.verified( expectation, mock(ScittReceipt.class), mock(StatusToken.class)); diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java index eccc313..0e5a4e6 100644 --- a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java @@ -86,7 +86,7 @@ public static Executor sharedIoExecutor() { synchronized (LOCK) { executor = sharedExecutor; if (executor == null) { - executor = createSharedExecutor(DEFAULT_POOL_SIZE); + executor = newIoExecutor(DEFAULT_POOL_SIZE); sharedExecutor = executor; LOGGER.debug("Created shared ANS I/O executor with {} threads", DEFAULT_POOL_SIZE); } @@ -180,10 +180,6 @@ public static boolean isInitialized() { return sharedExecutor != null; } - private static ExecutorService createSharedExecutor(int poolSize) { - return newIoExecutor(poolSize); - } - /** * Thread factory that creates daemon threads with descriptive names. */ diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java index 88e6ecb..d8730f8 100644 --- a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java @@ -65,6 +65,14 @@ public final class CryptoCache { } }); + private static final ThreadLocal ES256_P1363 = ThreadLocal.withInitial(() -> { + try { + return Signature.getInstance("SHA256withECDSAinP1363Format"); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException("SHA256withECDSAinP1363Format not available", e); + } + }); + private CryptoCache() { // Utility class } @@ -113,4 +121,25 @@ public static boolean verifyEs256(byte[] data, byte[] signature, PublicKey publi sig.update(data); return sig.verify(signature); } + + /** + * Verifies an ES256 (ECDSA with SHA-256 on P-21363) signature. + * + *

    Uses a thread-local Signature instance to avoid the overhead of + * provider lookup on each verification.

    + * + * @param data the data that was signed + * @param signature the signature (typically in DER format for Java's Signature API) + * @param publicKey the EC public key to verify against + * @return true if the signature is valid, false otherwise + * @throws InvalidKeyException if the public key is invalid + * @throws SignatureException if the signature format is invalid + */ + public static boolean verifyEs256P1363(byte[] data, byte[] signature, PublicKey publicKey) + throws InvalidKeyException, SignatureException { + Signature sig = ES256_P1363.get(); + sig.initVerify(publicKey); + sig.update(data); + return sig.verify(signature); + } } diff --git a/ans-sdk-transparency/build.gradle.kts b/ans-sdk-transparency/build.gradle.kts index f6a40a3..b60c1c6 100644 --- a/ans-sdk-transparency/build.gradle.kts +++ b/ans-sdk-transparency/build.gradle.kts @@ -6,6 +6,7 @@ val assertjVersion: String by project val wiremockVersion: String by project val bouncyCastleVersion: String by project val caffeineVersion: String by project +val cborVersion: String by project dependencies { // Core module for exceptions and HTTP utilities @@ -28,7 +29,7 @@ dependencies { implementation("dnsjava:dnsjava:3.6.4") // CBOR parsing for SCITT COSE_Sign1 structures - implementation("com.upokecenter:cbor:4.5.4") + implementation("com.upokecenter:cbor:$cborVersion") // Caffeine for high-performance caching with TTL and automatic eviction implementation("com.github.ben-manes.caffeine:caffeine:$caffeineVersion") diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java index 7b029ee..12c778a 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java @@ -50,58 +50,4 @@ public Instant notBeforeTime() { public Instant issuedAtTime() { return iat != null ? Instant.ofEpochSecond(iat) : null; } - - /** - * Checks if the token is expired at the given time. - * - * @param now the current time - * @return true if the token is expired - */ - public boolean isExpired(Instant now) { - if (exp == null) { - return false; // No expiration set - } - return now.isAfter(expirationTime()); - } - - /** - * Checks if the token is expired at the given time with clock skew tolerance. - * - * @param now the current time - * @param clockSkewSeconds allowed clock skew in seconds - * @return true if the token is expired (accounting for clock skew) - */ - public boolean isExpired(Instant now, long clockSkewSeconds) { - if (exp == null) { - return false; - } - return now.minusSeconds(clockSkewSeconds).isAfter(expirationTime()); - } - - /** - * Checks if the token is not yet valid at the given time. - * - * @param now the current time - * @return true if the token is not yet valid - */ - public boolean isNotYetValid(Instant now) { - if (nbf == null) { - return false; // No not-before set - } - return now.isBefore(notBeforeTime()); - } - - /** - * Checks if the token is not yet valid at the given time with clock skew tolerance. - * - * @param now the current time - * @param clockSkewSeconds allowed clock skew in seconds - * @return true if the token is not yet valid (accounting for clock skew) - */ - public boolean isNotYetValid(Instant now, long clockSkewSeconds) { - if (nbf == null) { - return false; - } - return now.plusSeconds(clockSkewSeconds).isBefore(notBeforeTime()); - } } diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java index 867beac..8064be3 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java @@ -133,8 +133,7 @@ public ScittExpectation verify( return ScittExpectation.verified( token.serverCertFingerprints(), token.identityCertFingerprints(), - token.agentHost(), - token.ansName(), + token.ansName(), token.metadataHashes(), token ); @@ -289,92 +288,7 @@ private boolean verifyTokenSignature(StatusToken token, PublicKey raPublicKey) { * @return true if signature is valid */ private boolean verifyEs256Signature(byte[] data, byte[] signature, PublicKey publicKey) throws Exception { - // Convert IEEE P1363 format to DER format for Java's Signature API - byte[] derSignature = convertP1363ToDer(signature); - - return CryptoCache.verifyEs256(data, derSignature, publicKey); - } - - /** - * Converts an ECDSA signature from IEEE P1363 format (r || s) to DER format. - * - *

    Java's Signature API expects DER-encoded signatures, but COSE uses - * the IEEE P1363 format (fixed-size concatenation of r and s).

    - */ - private byte[] convertP1363ToDer(byte[] p1363Signature) { - if (p1363Signature.length != 64) { - throw new IllegalArgumentException("Expected 64-byte P1363 signature, got " + p1363Signature.length); - } - - // Split into r and s (each 32 bytes for P-256) - byte[] r = new byte[32]; - byte[] s = new byte[32]; - System.arraycopy(p1363Signature, 0, r, 0, 32); - System.arraycopy(p1363Signature, 32, s, 0, 32); - - // Convert to DER format - return toDerSignature(r, s); - } - - /** - * Encodes r and s as a DER SEQUENCE of two INTEGERs. - */ - private byte[] toDerSignature(byte[] r, byte[] s) { - byte[] rDer = toDerInteger(r); - byte[] sDer = toDerInteger(s); - - // SEQUENCE { r INTEGER, s INTEGER } - int totalLen = rDer.length + sDer.length; - byte[] der; - - if (totalLen < 128) { - der = new byte[2 + totalLen]; - der[0] = 0x30; // SEQUENCE - der[1] = (byte) totalLen; - System.arraycopy(rDer, 0, der, 2, rDer.length); - System.arraycopy(sDer, 0, der, 2 + rDer.length, sDer.length); - } else { - der = new byte[3 + totalLen]; - der[0] = 0x30; // SEQUENCE - der[1] = (byte) 0x81; // Long form length - der[2] = (byte) totalLen; - System.arraycopy(rDer, 0, der, 3, rDer.length); - System.arraycopy(sDer, 0, der, 3 + rDer.length, sDer.length); - } - - return der; - } - - /** - * Encodes a big integer value as a DER INTEGER. - */ - private byte[] toDerInteger(byte[] value) { - // Skip leading zeros but ensure at least one byte - int start = 0; - while (start < value.length - 1 && value[start] == 0) { - start++; - } - - // Check if we need a leading zero (if high bit is set) - boolean needLeadingZero = (value[start] & 0x80) != 0; - - int length = value.length - start; - if (needLeadingZero) { - length++; - } - - byte[] der = new byte[2 + length]; - der[0] = 0x02; // INTEGER - der[1] = (byte) length; - - if (needLeadingZero) { - der[2] = 0x00; - System.arraycopy(value, start, der, 3, value.length - start); - } else { - System.arraycopy(value, start, der, 2, value.length - start); - } - - return der; + return CryptoCache.verifyEs256P1363(data, signature, publicKey); } /** @@ -410,10 +324,9 @@ private boolean fingerprintMatches(String actual, String expected) { } private String normalizeFingerprint(String fingerprint) { - String normalized = fingerprint.toLowerCase() + return fingerprint.toLowerCase() .replace("sha256:", "") // Remove prefix first .replace(":", ""); // Then remove colons - return normalized; } private static String bytesToHex(byte[] bytes) { diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java index b6d9085..92e20d2 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManager.java @@ -11,6 +11,8 @@ import java.time.Duration; import java.time.Instant; import java.util.Base64; +import java.util.Collections; +import java.util.HashMap; import java.util.Map; import java.util.Objects; import java.util.concurrent.CompletableFuture; @@ -47,11 +49,9 @@ * // Start background refresh to keep token fresh * manager.startBackgroundRefresh(myAgentId); * - * // When handling requests, get pre-computed Base64 strings for response headers - * String receiptBase64 = manager.getReceiptBase64(myAgentId).join(); - * String tokenBase64 = manager.getStatusTokenBase64(myAgentId).join(); - * response.addHeader("X-SCITT-Receipt", receiptBase64); - * response.addHeader("X-ANS-Status-Token", tokenBase64); + * // When handling requests, get pre-computed headers for responses + * Map headers = manager.getOutgoingHeaders(myAgentId).join(); + * headers.forEach((name, value) -> response.addHeader(name, value)); * * // On shutdown * manager.close(); @@ -143,16 +143,22 @@ public CompletableFuture getReceipt(String agentId) { } /** - * Fetches the Base64-encoded SCITT receipt for an agent. + * Fetches SCITT headers for an agent, ready to add to HTTP responses. * - *

    This method returns the pre-computed Base64 string ready for use in - * HTTP headers. The Base64 encoding is computed once at cache-fill time, + *

    Returns a map containing the Base64-encoded receipt and status token + * headers. The Base64 encoding is computed once at cache-fill time, * avoiding byte array allocation on each call.

    * + *

    Example usage:

    + * 
    {@code
+     * Map headers = manager.getOutgoingHeaders(agentId).join();
+     * headers.forEach((name, value) -> response.addHeader(name, value));
+     * }
    + * * @param agentId the agent's unique identifier - * @return future containing the Base64-encoded receipt + * @return future containing a map of header names to Base64-encoded values */ - public CompletableFuture getReceiptBase64(String agentId) { + public CompletableFuture> getOutgoingHeaders(String agentId) { Objects.requireNonNull(agentId, "agentId cannot be null"); if (closed) { @@ -160,7 +166,19 @@ public CompletableFuture getReceiptBase64(String agentId) { new IllegalStateException("ScittArtifactManager is closed")); } - return receiptCache.get(agentId).thenApply(CachedReceipt::base64); + CompletableFuture receiptFuture = receiptCache.get(agentId); + CompletableFuture tokenFuture = tokenCache.get(agentId); + + return receiptFuture.thenCombine(tokenFuture, (receipt, token) -> { + Map headers = new HashMap<>(); + if (receipt != null && receipt.base64() != null) { + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, receipt.base64()); + } + if (token != null && token.base64() != null) { + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, token.base64()); + } + return Collections.unmodifiableMap(headers); + }); } /** @@ -182,27 +200,6 @@ public CompletableFuture getStatusToken(String agentId) { return tokenCache.get(agentId).thenApply(CachedToken::token); } - /** - * Fetches the Base64-encoded status token for an agent. - * - *

    This method returns the pre-computed Base64 string ready for use in - * HTTP headers. The Base64 encoding is computed once at cache-fill time, - * avoiding byte array allocation on each call.

    - * - * @param agentId the agent's unique identifier - * @return future containing the Base64-encoded status token - */ - public CompletableFuture getStatusTokenBase64(String agentId) { - Objects.requireNonNull(agentId, "agentId cannot be null"); - - if (closed) { - return CompletableFuture.failedFuture( - new IllegalStateException("ScittArtifactManager is closed")); - } - - return tokenCache.get(agentId).thenApply(CachedToken::base64); - } - /** * Starts background refresh for an agent's status token. * diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java index 81645c8..6ef3063 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java @@ -39,7 +39,6 @@ public enum Status { private final Status status; private final List validServerCertFingerprints; private final List validIdentityCertFingerprints; - private final String agentHost; private final String ansName; private final Map metadataHashes; private final String failureReason; @@ -49,7 +48,6 @@ private ScittExpectation( Status status, List validServerCertFingerprints, List validIdentityCertFingerprints, - String agentHost, String ansName, Map metadataHashes, String failureReason, @@ -59,7 +57,6 @@ private ScittExpectation( ? List.copyOf(validServerCertFingerprints) : List.of(); this.validIdentityCertFingerprints = validIdentityCertFingerprints != null ? List.copyOf(validIdentityCertFingerprints) : List.of(); - this.agentHost = agentHost; this.ansName = ansName; this.metadataHashes = metadataHashes != null ? Map.copyOf(metadataHashes) : Map.of(); this.failureReason = failureReason; @@ -71,18 +68,16 @@ private ScittExpectation( /** * Creates a verified expectation with all valid data. * - * @param serverCertFingerprints valid server certificate fingerprints + * @param serverCertFingerprints valid server certificate fingerprints * @param identityCertFingerprints valid identity certificate fingerprints - * @param agentHost the agent's host - * @param ansName the agent's ANS name - * @param metadataHashes the metadata hashes - * @param statusToken the verified status token + * @param ansName the agent's ANS name + * @param metadataHashes the metadata hashes + * @param statusToken the verified status token * @return verified expectation */ public static ScittExpectation verified( List serverCertFingerprints, List identityCertFingerprints, - String agentHost, String ansName, Map metadataHashes, StatusToken statusToken) { @@ -90,7 +85,6 @@ public static ScittExpectation verified( Status.VERIFIED, serverCertFingerprints, identityCertFingerprints, - agentHost, ansName, metadataHashes, null, @@ -107,9 +101,8 @@ public static ScittExpectation verified( public static ScittExpectation invalidReceipt(String reason) { return new ScittExpectation( Status.INVALID_RECEIPT, - null, null, null, null, null, - reason, - null + null, null, null, null, + reason, null ); } @@ -122,9 +115,8 @@ public static ScittExpectation invalidReceipt(String reason) { public static ScittExpectation invalidToken(String reason) { return new ScittExpectation( Status.INVALID_TOKEN, - null, null, null, null, null, - reason, - null + null, null, null, null, + reason, null ); } @@ -136,7 +128,7 @@ public static ScittExpectation invalidToken(String reason) { public static ScittExpectation expired() { return new ScittExpectation( Status.TOKEN_EXPIRED, - null, null, null, null, null, + null, null, null, null, "Status token has expired", null ); @@ -151,7 +143,7 @@ public static ScittExpectation expired() { public static ScittExpectation revoked(String ansName) { return new ScittExpectation( Status.AGENT_REVOKED, - null, null, null, ansName, null, + null, null, ansName, null, "Agent registration has been revoked", null ); @@ -167,7 +159,7 @@ public static ScittExpectation revoked(String ansName) { public static ScittExpectation inactive(StatusToken.Status status, String ansName) { return new ScittExpectation( Status.AGENT_INACTIVE, - null, null, null, ansName, null, + null, null, ansName, null, "Agent status is " + status, null ); @@ -182,9 +174,8 @@ public static ScittExpectation inactive(StatusToken.Status status, String ansNam public static ScittExpectation keyNotFound(String reason) { return new ScittExpectation( Status.KEY_NOT_FOUND, - null, null, null, null, null, - reason, - null + null, null, null, null, reason, + null ); } @@ -196,7 +187,7 @@ public static ScittExpectation keyNotFound(String reason) { public static ScittExpectation notPresent() { return new ScittExpectation( Status.NOT_PRESENT, - null, null, null, null, null, + null, null, null, null, "SCITT headers not present in response", null ); @@ -211,7 +202,7 @@ public static ScittExpectation notPresent() { public static ScittExpectation parseError(String reason) { return new ScittExpectation( Status.PARSE_ERROR, - null, null, null, null, null, + null, null, null, null, reason, null ); @@ -231,10 +222,6 @@ public List validIdentityCertFingerprints() { return validIdentityCertFingerprints; } - public String agentHost() { - return agentHost; - } - public String ansName() { return ansName; } diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java index 1b71f3e..4257564 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/StatusToken.java @@ -29,18 +29,17 @@ *
  • Valid certificate fingerprints (identity and server)
    • *
  • Metadata hashes for endpoint protocols
    • * + * @param agentId the agent's unique identifier * - * @param agentId the agent's unique identifier - * @param status the agent's current status - * @param issuedAt when the token was issued - * @param expiresAt when the token expires - * @param ansName the agent's ANS name - * @param agentHost the agent's host (FQDN) + * @param status the agent's current status + * @param issuedAt when the token was issued + * @param expiresAt when the token expires + * @param ansName the agent's ANS name * @param validIdentityCerts valid identity certificate fingerprints - * @param validServerCerts valid server certificate fingerprints - * @param metadataHashes map of protocol to metadata hash (SHA256:...) - * @param protectedHeader the COSE protected header - * @param signature the RA signature + * @param validServerCerts valid server certificate fingerprints + * @param metadataHashes map of protocol to metadata hash (SHA256:...) + * @param protectedHeader the COSE protected header + * @param signature the RA signature */ public record StatusToken( String agentId, @@ -48,7 +47,6 @@ public record StatusToken( Instant issuedAt, Instant expiresAt, String ansName, - String agentHost, List validIdentityCerts, List validServerCerts, Map metadataHashes, @@ -182,7 +180,6 @@ public static StatusToken fromParsedCose(CoseSign1Parser.ParsedCoseSign1 parsed) issuedAt, expiresAt, ansName, - agentHost, identityCerts, serverCerts, metadataHashes, @@ -382,7 +379,6 @@ public boolean equals(Object o) { && Objects.equals(issuedAt, that.issuedAt) && Objects.equals(expiresAt, that.expiresAt) && Objects.equals(ansName, that.ansName) - && Objects.equals(agentHost, that.agentHost) && Objects.equals(validIdentityCerts, that.validIdentityCerts) && Objects.equals(validServerCerts, that.validServerCerts) && Objects.equals(metadataHashes, that.metadataHashes) @@ -391,7 +387,7 @@ public boolean equals(Object o) { @Override public int hashCode() { - int result = Objects.hash(agentId, status, issuedAt, expiresAt, ansName, agentHost, + int result = Objects.hash(agentId, status, issuedAt, expiresAt, ansName, validIdentityCerts, validServerCerts, metadataHashes); result = 31 * result + Arrays.hashCode(signature); return result; diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java index 5e4ddfb..d4c1a5d 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java @@ -385,8 +385,7 @@ private StatusToken createMockToken() { Instant.now(), Instant.now().plusSeconds(3600), "test.ans", - "agent.example.com", - java.util.List.of(), + java.util.List.of(), java.util.List.of(), java.util.Map.of(), null, diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java index d181611..b222620 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java @@ -186,7 +186,7 @@ class PostVerifyTests { void shouldRejectNullHostname() { X509Certificate cert = mock(X509Certificate.class); ScittExpectation expectation = ScittExpectation.verified( - List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("abc123"), List.of(), "ans.test", Map.of(), null); assertThatThrownBy(() -> verifier.postVerify(null, cert, expectation)) .isInstanceOf(NullPointerException.class) @@ -197,7 +197,7 @@ void shouldRejectNullHostname() { @DisplayName("Should reject null server certificate") void shouldRejectNullServerCert() { ScittExpectation expectation = ScittExpectation.verified( - List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("abc123"), List.of(), "ans.test", Map.of(), null); assertThatThrownBy(() -> verifier.postVerify("test.example.com", null, expectation)) .isInstanceOf(NullPointerException.class) @@ -232,7 +232,7 @@ void shouldReturnErrorForUnverifiedExpectation() { void shouldReturnErrorWhenNoFingerprints() { X509Certificate cert = mock(X509Certificate.class); ScittExpectation expectation = ScittExpectation.verified( - List.of(), List.of(), "host", "ans.test", Map.of(), null); + List.of(), List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -255,7 +255,7 @@ void shouldReturnSuccessWhenFingerprintMatches() throws Exception { String expectedFingerprint = bytesToHex(digest); ScittExpectation expectation = ScittExpectation.verified( - List.of(expectedFingerprint), List.of(), "host", "ans.test", Map.of(), null); + List.of(expectedFingerprint), List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -272,7 +272,7 @@ void shouldReturnMismatchWhenFingerprintDoesNotMatch() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of("deadbeef00000000000000000000000000000000000000000000000000000000"), - List.of(), "host", "ans.test", Map.of(), null); + List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -302,7 +302,7 @@ void shouldNormalizeFingerprintsWithColons() throws Exception { } ScittExpectation expectation = ScittExpectation.verified( - List.of(colonFormatted.toString()), List.of(), "host", "ans.test", Map.of(), null); + List.of(colonFormatted.toString()), List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -327,7 +327,7 @@ void shouldMatchAnyOfMultipleFingerprints() throws Exception { expectedFingerprint, "wrong2000000000000000000000000000000000000000000000000000000000" ), - List.of(), "host", "ans.test", Map.of(), null); + List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -606,7 +606,7 @@ void shouldHandleCertificateEncodingException() throws Exception { when(cert.getEncoded()).thenThrow(new java.security.cert.CertificateEncodingException("Test error")); ScittExpectation expectation = ScittExpectation.verified( - List.of("abc123"), List.of(), "host", "ans.test", Map.of(), null); + List.of("abc123"), List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -658,7 +658,7 @@ void shouldNormalizeUppercaseFingerprint() throws Exception { String expectedFingerprint = bytesToHex(digest).toUpperCase(); ScittExpectation expectation = ScittExpectation.verified( - List.of(expectedFingerprint), List.of(), "host", "ans.test", Map.of(), null); + List.of(expectedFingerprint), List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -679,7 +679,7 @@ void shouldHandleMixedCaseSha256Prefix() throws Exception { String fingerprintWithPrefix = "SHA256:" + hexFingerprint; ScittExpectation expectation = ScittExpectation.verified( - List.of(fingerprintWithPrefix), List.of(), "host", "ans.test", Map.of(), null); + List.of(fingerprintWithPrefix), List.of(), "ans.test", Map.of(), null); ScittVerifier.ScittVerificationResult result = verifier.postVerify("test.example.com", cert, expectation); @@ -741,8 +741,7 @@ void shouldRejectTokenWithMismatchedKeyId() throws Exception { Instant.now().minusSeconds(60), Instant.now().plusSeconds(3600), "test.ans", - "test.example.com", - List.of(), + List.of(), List.of(), Map.of(), tokenHeader, @@ -811,8 +810,7 @@ void shouldRejectTokenWithMissingKeyId() throws Exception { Instant.now().minusSeconds(60), Instant.now().plusSeconds(3600), "test.ans", - "test.example.com", - List.of(), + List.of(), List.of(), Map.of(), tokenHeader, @@ -947,8 +945,7 @@ private StatusToken createMockStatusToken(StatusToken.Status status) { Instant.now().minusSeconds(60), Instant.now().plusSeconds(3600), "test.ans", - "test.example.com", - List.of(), + List.of(), List.of(), Map.of(), new CoseProtectedHeader(-7, keyId, null, null, null), @@ -982,8 +979,7 @@ private StatusToken createValidSignedToken(PrivateKey privateKey, StatusToken.St Instant.now().minusSeconds(60), Instant.now().plusSeconds(3600), "test.ans", - "test.example.com", - List.of(), + List.of(), List.of(), Map.of(), header, @@ -1014,8 +1010,7 @@ private StatusToken createExpiredToken(PrivateKey privateKey, Duration expiredAg Instant.now().minusSeconds(7200), Instant.now().minus(expiredAgo), // Expired "test.ans", - "test.example.com", - List.of(), + List.of(), List.of(), Map.of(), header, diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java index c12c32d..2c46d79 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittArtifactManagerTest.java @@ -9,6 +9,7 @@ import org.junit.jupiter.api.Test; import java.time.Instant; +import java.util.Map; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.Executors; @@ -274,8 +275,8 @@ void shouldCoalesceConcurrentRequests() throws Exception { } @Nested - @DisplayName("getReceiptBase64() tests") - class GetReceiptBytesTests { + @DisplayName("getOutgoingHeaders() tests") + class GetOutgoingHeadersTests { @Test @DisplayName("Should reject null agentId") @@ -284,7 +285,7 @@ void shouldRejectNullAgentId() { .transparencyClient(mockClient) .build(); - assertThatThrownBy(() -> manager.getReceiptBase64(null)) + assertThatThrownBy(() -> manager.getOutgoingHeaders(null)) .isInstanceOf(NullPointerException.class) .hasMessageContaining("agentId cannot be null"); } @@ -298,145 +299,116 @@ void shouldReturnFailedFutureWhenClosed() { manager.close(); - CompletableFuture future = manager.getReceiptBase64("test-agent"); + CompletableFuture> future = manager.getOutgoingHeaders("test-agent"); assertThat(future).isCompletedExceptionally(); } @Test - @DisplayName("Should fetch receipt Base64 from transparency client") - void shouldFetchReceiptBase64FromClient() throws Exception { + @DisplayName("Should return both headers from transparency client") + void shouldReturnBothHeaders() throws Exception { byte[] receiptBytes = createValidReceiptBytes(); + byte[] tokenBytes = createValidStatusTokenBytes(); when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); manager = ScittArtifactManager.builder() .transparencyClient(mockClient) .build(); - CompletableFuture future = manager.getReceiptBase64("test-agent"); - String result = future.get(5, TimeUnit.SECONDS); + Map headers = manager.getOutgoingHeaders("test-agent") + .get(5, TimeUnit.SECONDS); + + assertThat(headers).hasSize(2); + assertThat(headers).containsKey(ScittHeaders.SCITT_RECEIPT_HEADER); + assertThat(headers).containsKey(ScittHeaders.STATUS_TOKEN_HEADER); + + // Verify Base64 values decode to original bytes + assertThat(java.util.Base64.getDecoder().decode( + headers.get(ScittHeaders.SCITT_RECEIPT_HEADER))).isEqualTo(receiptBytes); + assertThat(java.util.Base64.getDecoder().decode( + headers.get(ScittHeaders.STATUS_TOKEN_HEADER))).isEqualTo(tokenBytes); - assertThat(result).isNotNull(); - assertThat(result).isNotEmpty(); - // Verify it's valid Base64 that decodes to the original bytes - assertThat(java.util.Base64.getDecoder().decode(result)).isEqualTo(receiptBytes); verify(mockClient).getReceipt("test-agent"); + verify(mockClient).getStatusToken("test-agent"); } @Test - @DisplayName("Should cache receipt Base64 on subsequent calls") - void shouldCacheReceiptBase64() throws Exception { + @DisplayName("Should cache headers on subsequent calls") + void shouldCacheHeaders() throws Exception { byte[] receiptBytes = createValidReceiptBytes(); + byte[] tokenBytes = createValidStatusTokenBytes(); when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); + when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); manager = ScittArtifactManager.builder() .transparencyClient(mockClient) .build(); // First call - String first = manager.getReceiptBase64("test-agent").get(5, TimeUnit.SECONDS); - // Second call should use cache and return same String instance - String second = manager.getReceiptBase64("test-agent").get(5, TimeUnit.SECONDS); - - assertThat(first).isSameAs(second); - // Client should only be called once - verify(mockClient, times(1)).getReceipt("test-agent"); - } - - @Test - @DisplayName("Should wrap client exception in ScittFetchException") - void shouldWrapClientException() { - when(mockClient.getReceipt(anyString())).thenThrow(new RuntimeException("Network error")); - - manager = ScittArtifactManager.builder() - .transparencyClient(mockClient) - .build(); - - CompletableFuture future = manager.getReceiptBase64("test-agent"); - - assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) - .hasCauseInstanceOf(ScittFetchException.class) - .hasMessageContaining("Failed to fetch receipt"); - } - } - - @Nested - @DisplayName("getStatusTokenBase64() tests") - class GetStatusTokenBytesTests { - - @Test - @DisplayName("Should reject null agentId") - void shouldRejectNullAgentId() { - manager = ScittArtifactManager.builder() - .transparencyClient(mockClient) - .build(); - - assertThatThrownBy(() -> manager.getStatusTokenBase64(null)) - .isInstanceOf(NullPointerException.class) - .hasMessageContaining("agentId cannot be null"); - } - - @Test - @DisplayName("Should return failed future when manager is closed") - void shouldReturnFailedFutureWhenClosed() { - manager = ScittArtifactManager.builder() - .transparencyClient(mockClient) - .build(); + Map first = manager.getOutgoingHeaders("test-agent") + .get(5, TimeUnit.SECONDS); + // Second call should use cache + Map second = manager.getOutgoingHeaders("test-agent") + .get(5, TimeUnit.SECONDS); - manager.close(); + // Values should be the same (from cache) + assertThat(first.get(ScittHeaders.SCITT_RECEIPT_HEADER)) + .isEqualTo(second.get(ScittHeaders.SCITT_RECEIPT_HEADER)); + assertThat(first.get(ScittHeaders.STATUS_TOKEN_HEADER)) + .isEqualTo(second.get(ScittHeaders.STATUS_TOKEN_HEADER)); - CompletableFuture future = manager.getStatusTokenBase64("test-agent"); - assertThat(future).isCompletedExceptionally(); + // Client should only be called once for each artifact + verify(mockClient, times(1)).getReceipt("test-agent"); + verify(mockClient, times(1)).getStatusToken("test-agent"); } @Test - @DisplayName("Should fetch status token Base64 from transparency client") - void shouldFetchTokenBase64FromClient() throws Exception { + @DisplayName("Should return immutable map") + void shouldReturnImmutableMap() throws Exception { + byte[] receiptBytes = createValidReceiptBytes(); byte[] tokenBytes = createValidStatusTokenBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); manager = ScittArtifactManager.builder() .transparencyClient(mockClient) .build(); - CompletableFuture future = manager.getStatusTokenBase64("test-agent"); - String result = future.get(5, TimeUnit.SECONDS); + Map headers = manager.getOutgoingHeaders("test-agent") + .get(5, TimeUnit.SECONDS); - assertThat(result).isNotNull(); - assertThat(result).isNotEmpty(); - // Verify it's valid Base64 that decodes to the original bytes - assertThat(java.util.Base64.getDecoder().decode(result)).isEqualTo(tokenBytes); - verify(mockClient).getStatusToken("test-agent"); + assertThatThrownBy(() -> headers.put("new-key", "value")) + .isInstanceOf(UnsupportedOperationException.class); } @Test - @DisplayName("Should cache status token Base64 on subsequent calls") - void shouldCacheTokenBase64() throws Exception { - byte[] tokenBytes = createValidStatusTokenBytes(); - when(mockClient.getStatusToken("test-agent")).thenReturn(tokenBytes); + @DisplayName("Should wrap receipt fetch exception") + void shouldWrapReceiptFetchException() { + when(mockClient.getReceipt(anyString())).thenThrow(new RuntimeException("Network error")); manager = ScittArtifactManager.builder() .transparencyClient(mockClient) .build(); - // First call - String first = manager.getStatusTokenBase64("test-agent").get(5, TimeUnit.SECONDS); - // Second call should use cache and return same String instance - String second = manager.getStatusTokenBase64("test-agent").get(5, TimeUnit.SECONDS); + CompletableFuture> future = manager.getOutgoingHeaders("test-agent"); - assertThat(first).isSameAs(second); - verify(mockClient, times(1)).getStatusToken("test-agent"); + assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) + .hasCauseInstanceOf(ScittFetchException.class) + .hasMessageContaining("Failed to fetch receipt"); } @Test - @DisplayName("Should wrap client exception in ScittFetchException") - void shouldWrapClientException() { + @DisplayName("Should wrap token fetch exception") + void shouldWrapTokenFetchException() { + byte[] receiptBytes = createValidReceiptBytes(); + when(mockClient.getReceipt("test-agent")).thenReturn(receiptBytes); when(mockClient.getStatusToken(anyString())).thenThrow(new RuntimeException("Network error")); manager = ScittArtifactManager.builder() .transparencyClient(mockClient) .build(); - CompletableFuture future = manager.getStatusTokenBase64("test-agent"); + CompletableFuture> future = manager.getOutgoingHeaders("test-agent"); assertThatThrownBy(() -> future.get(5, TimeUnit.SECONDS)) .hasCauseInstanceOf(ScittFetchException.class) diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java index 19dd52a..be199c0 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java @@ -23,13 +23,12 @@ void verifiedShouldCreateExpectationWithAllData() { Map metadataHashes = Map.of("a2a", "SHA256:metadata1"); ScittExpectation expectation = ScittExpectation.verified( - serverCerts, identityCerts, "agent.example.com", "ans://test", + serverCerts, identityCerts, "ans://test", metadataHashes, null); assertThat(expectation.status()).isEqualTo(ScittExpectation.Status.VERIFIED); assertThat(expectation.validServerCertFingerprints()).containsExactlyElementsOf(serverCerts); assertThat(expectation.validIdentityCertFingerprints()).containsExactlyElementsOf(identityCerts); - assertThat(expectation.agentHost()).isEqualTo("agent.example.com"); assertThat(expectation.ansName()).isEqualTo("ans://test"); assertThat(expectation.metadataHashes()).isEqualTo(metadataHashes); assertThat(expectation.failureReason()).isNull(); @@ -128,7 +127,7 @@ class StatusBehaviorTests { @Test @DisplayName("shouldFail() should return correct values for each status") void shouldFailShouldReturnCorrectValues() { - assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null, null) + assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null) .shouldFail()).isFalse(); assertThat(ScittExpectation.notPresent().shouldFail()).isFalse(); @@ -144,7 +143,7 @@ void shouldFailShouldReturnCorrectValues() { @Test @DisplayName("isVerified() should only return true for VERIFIED status") void isVerifiedShouldOnlyBeTrueForVerifiedStatus() { - assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null, null) + assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null) .isVerified()).isTrue(); assertThat(ScittExpectation.notPresent().isVerified()).isFalse(); @@ -157,7 +156,7 @@ void isVerifiedShouldOnlyBeTrueForVerifiedStatus() { void isNotPresentShouldOnlyBeTrueForNotPresentStatus() { assertThat(ScittExpectation.notPresent().isNotPresent()).isTrue(); - assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null, null) + assertThat(ScittExpectation.verified(List.of(), List.of(), null, null, null) .isNotPresent()).isFalse(); assertThat(ScittExpectation.invalidReceipt("").isNotPresent()).isFalse(); } @@ -174,7 +173,7 @@ void shouldDefensivelyCopyServerCerts() { mutableList.add("cert1"); ScittExpectation expectation = ScittExpectation.verified( - mutableList, List.of(), null, null, null, null); + mutableList, List.of(), null, null, null); mutableList.add("cert2"); @@ -188,7 +187,7 @@ void shouldDefensivelyCopyMetadataHashes() { mutableMap.put("key1", "value1"); ScittExpectation expectation = ScittExpectation.verified( - List.of(), List.of(), null, null, mutableMap, null); + List.of(), List.of(), null, mutableMap, null); mutableMap.put("key2", "value2"); diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java index e69e825..de7e1fc 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java @@ -45,7 +45,7 @@ void parseErrorShouldCreateResultWithIsPresentTrue() { @DisplayName("verified() should create result with all components") void verifiedShouldCreateResultWithAllComponents() { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp1"), List.of("fp2"), "host", "ans.test", Map.of(), null); + List.of("fp1"), List.of("fp2"), "ans.test", Map.of(), null); ScittReceipt receipt = createMockReceipt(); StatusToken token = createMockToken(); @@ -67,7 +67,7 @@ class RecordAccessorTests { @DisplayName("Should access all record components") void shouldAccessAllRecordComponents() { ScittExpectation expectation = ScittExpectation.verified( - List.of("fp1"), List.of(), "host", "ans.test", Map.of(), null); + List.of("fp1"), List.of(), "ans.test", Map.of(), null); ScittReceipt receipt = createMockReceipt(); StatusToken token = createMockToken(); @@ -104,8 +104,7 @@ private StatusToken createMockToken() { Instant.now(), Instant.now().plusSeconds(3600), "test.ans", - "agent.example.com", - List.of(), + List.of(), List.of(), Map.of(), null, diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java index 61276fd..2fe0aa1 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/StatusTokenTest.java @@ -41,62 +41,6 @@ void shouldReturnNullForMissingTimestamps() { assertThat(claims.notBeforeTime()).isNull(); assertThat(claims.issuedAtTime()).isNull(); } - - @Test - @DisplayName("Should check expiration correctly") - void shouldCheckExpirationCorrectly() { - long futureExp = Instant.now().plusSeconds(3600).getEpochSecond(); - long pastExp = Instant.now().minusSeconds(3600).getEpochSecond(); - - CwtClaims futureClaims = new CwtClaims(null, null, null, futureExp, null, null); - CwtClaims pastClaims = new CwtClaims(null, null, null, pastExp, null, null); - CwtClaims noClaims = new CwtClaims(null, null, null, null, null, null); - - assertThat(futureClaims.isExpired(Instant.now())).isFalse(); - assertThat(pastClaims.isExpired(Instant.now())).isTrue(); - assertThat(noClaims.isExpired(Instant.now())).isFalse(); - } - - @Test - @DisplayName("Should check expiration with clock skew") - void shouldCheckExpirationWithClockSkew() { - // Token that expired 30 seconds ago - long exp = Instant.now().minusSeconds(30).getEpochSecond(); - CwtClaims claims = new CwtClaims(null, null, null, exp, null, null); - - // Without clock skew, it's expired - assertThat(claims.isExpired(Instant.now(), 0)).isTrue(); - - // With 60 second clock skew, it's still valid - assertThat(claims.isExpired(Instant.now(), 60)).isFalse(); - } - - @Test - @DisplayName("Should check not-before correctly") - void shouldCheckNotBeforeCorrectly() { - long futureNbf = Instant.now().plusSeconds(3600).getEpochSecond(); - long pastNbf = Instant.now().minusSeconds(3600).getEpochSecond(); - - CwtClaims futureClaims = new CwtClaims(null, null, null, null, futureNbf, null); - CwtClaims pastClaims = new CwtClaims(null, null, null, null, pastNbf, null); - - assertThat(futureClaims.isNotYetValid(Instant.now())).isTrue(); - assertThat(pastClaims.isNotYetValid(Instant.now())).isFalse(); - } - - @Test - @DisplayName("Should check not-before with clock skew") - void shouldCheckNotBeforeWithClockSkew() { - // Token that becomes valid 30 seconds from now - long nbf = Instant.now().plusSeconds(30).getEpochSecond(); - CwtClaims claims = new CwtClaims(null, null, null, null, nbf, null); - - // Without clock skew, it's not yet valid - assertThat(claims.isNotYetValid(Instant.now(), 0)).isTrue(); - - // With 60 second clock skew, it's valid - assertThat(claims.isNotYetValid(Instant.now(), 60)).isFalse(); - } } @Nested @@ -389,7 +333,7 @@ void shouldReturnServerCertFingerprints() { StatusToken token = new StatusToken( "id", StatusToken.Status.ACTIVE, null, null, - null, null, List.of(), List.of(cert1, cert2), + null, List.of(), List.of(cert1, cert2), Map.of(), null, null, null, null ); @@ -406,7 +350,7 @@ void shouldReturnIdentityCertFingerprints() { StatusToken token = new StatusToken( "id", StatusToken.Status.ACTIVE, null, null, - null, null, List.of(cert1, cert2), List.of(), + null, List.of(cert1, cert2), List.of(), Map.of(), null, null, null, null ); @@ -423,7 +367,7 @@ void shouldFilterNullFingerprints() { StatusToken token = new StatusToken( "id", StatusToken.Status.ACTIVE, null, null, - null, null, List.of(), List.of(cert1, cert2), + null, List.of(), List.of(cert1, cert2), Map.of(), null, null, null, null ); @@ -496,8 +440,7 @@ private StatusToken createToken(String agentId, StatusToken.Status status, issuedAt, expiresAt, "ans://test", - "agent.example.com", - List.of(), + List.of(), List.of(), Map.of(), null, diff --git a/gradle.properties b/gradle.properties index 0de87d3..547270f 100644 --- a/gradle.properties +++ b/gradle.properties @@ -5,6 +5,7 @@ bouncyCastleVersion=1.79 reactorVersion=3.6.0 mcpSdkVersion=1.1.0 caffeineVersion=3.1.8 +cborVersion=4.5.4 # Test versions junitVersion=5.10.1 From bc5228b43b4913c2c24da5c688409f28c69ac2e0 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Wed, 1 Apr 2026 21:45:33 +1100 Subject: [PATCH 13/19] docs: fix errors found in code review feedback --- .../examples/mcp-client/README.md | 2 +- .../examples/mcp-server-spring/README.md | 30 +++++++++++-------- .../godaddy/ans/sdk/crypto/CryptoCache.java | 2 +- .../transparency/scitt/ScittExpectation.java | 2 +- 4 files changed, 21 insertions(+), 15 deletions(-) diff --git a/ans-sdk-agent-client/examples/mcp-client/README.md b/ans-sdk-agent-client/examples/mcp-client/README.md index 6a25e29..b4287da 100644 --- a/ans-sdk-agent-client/examples/mcp-client/README.md +++ b/ans-sdk-agent-client/examples/mcp-client/README.md @@ -133,7 +133,7 @@ openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \ ```kotlin dependencies { - implementation("io.modelcontextprotocol.sdk:mcp:0.17.2") + implementation("io.modelcontextprotocol.sdk:mcp:1.1.0") implementation(project(":ans-sdk-agent-client")) } ``` diff --git a/ans-sdk-agent-client/examples/mcp-server-spring/README.md b/ans-sdk-agent-client/examples/mcp-server-spring/README.md index 7cb543b..f4975ae 100644 --- a/ans-sdk-agent-client/examples/mcp-server-spring/README.md +++ b/ans-sdk-agent-client/examples/mcp-server-spring/README.md @@ -107,17 +107,11 @@ Security features provided by `DefaultClientRequestVerifier`: ```java // ScittHeaderResponseFilter.java adds headers to all responses -byte[] receiptBytes = artifactManager.getReceiptBytes(agentId) - .get(5, TimeUnit.SECONDS); -byte[] tokenBytes = artifactManager.getStatusTokenBytes(agentId) +Map headers = artifactManager.getOutgoingHeaders(agentId) .get(5, TimeUnit.SECONDS); -if (receiptBytes != null) { - response.addHeader("X-SCITT-Receipt", Base64.getEncoder().encodeToString(receiptBytes)); -} -if (tokenBytes != null) { - response.addHeader("X-ANS-Status-Token", Base64.getEncoder().encodeToString(tokenBytes)); -} +// Add SCITT headers to response (X-SCITT-Receipt, X-ANS-Status-Token) +headers.forEach(httpResponse::addHeader); ``` ### 4. Health Monitoring @@ -223,14 +217,26 @@ ans: ## Testing with MCP Client ```bash -# Terminal 1: Start Spring server -./gradlew :ans-sdk-agent-client:examples:mcp-server-spring:bootRun +# Terminal 1: Set server environment variables and start Spring server +export SSL_KEYSTORE_PATH=/path/to/server.p12 +export SSL_KEYSTORE_PASSWORD=changeit +export SSL_TRUSTSTORE_PATH=/path/to/truststore.p12 +export SSL_TRUSTSTORE_PASSWORD=changeit +export ANS_AGENT_ID=your-server-agent-uuid + +./gradlew :ans-sdk-agent-client:examples:mcp-server-spring:run + +# Terminal 2: Set client environment variables and run client (once server is up) +export AGENT_ID=your-client-agent-uuid +export KEYSTORE_PATH=/path/to/client.p12 +export KEYSTORE_PASS=changeit -# Terminal 2: Run client example (once server is up) ./gradlew :ans-sdk-agent-client:examples:mcp-client:run \ --args="https://localhost:8443/mcp" ``` +See `application.yml` for additional configuration options (verification policy, SCITT domain, etc.). + ## Dependencies ```kotlin diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java index d8730f8..c8c93c0 100644 --- a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java @@ -123,7 +123,7 @@ public static boolean verifyEs256(byte[] data, byte[] signature, PublicKey publi } /** - * Verifies an ES256 (ECDSA with SHA-256 on P-21363) signature. + * Verifies an ES256 (ECDSA with SHA-256 on P-1363) signature. * *

    Uses a thread-local Signature instance to avoid the overhead of * provider lookup on each verification.

    diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java index 6ef3063..06d1f8d 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java @@ -248,7 +248,7 @@ public boolean isVerified() { } /** - * Returns true if SCITT satus NOT_FOUND. + * Returns true if SCITT status NOT_FOUND. * * @return true if verified */ From cb8376b9a05ff493d3595bcd1bb548d71c3ca75c Mon Sep 17 00:00:00 2001 From: James Hateley Date: Wed, 1 Apr 2026 22:25:26 +1100 Subject: [PATCH 14/19] refactor: code review feedback - Add javadoc to ClientRequestVerifier.verify() and ScittVerifierAdapter.preVerify() documenting that header keys must be lowercase (x-scitt-receipt, x-ans-status-token) - Remove unused receiptBytes and tokenBytes fields from ScittArtifacts record These fields were never accessed after construction and added unnecessary complexity Co-Authored-By: Claude Opus 4.5 --- .../verification/ClientRequestVerifier.java | 5 +++-- .../agent/verification/ScittVerifierAdapter.java | 3 ++- .../verification/ScittVerifierAdapterTest.java | 16 ++++++++-------- .../scitt/DefaultScittHeaderProvider.java | 14 +++----------- .../transparency/scitt/ScittHeaderProvider.java | 6 +----- .../scitt/DefaultScittHeaderProviderTest.java | 10 +++++----- 6 files changed, 22 insertions(+), 32 deletions(-) diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java index a6a64da..0c1e401 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java @@ -59,7 +59,8 @@ public interface ClientRequestVerifier { * the status token's identity certificate fingerprints.

    * * @param clientCert the client's X.509 certificate from mTLS handshake - * @param requestHeaders the HTTP request headers (must include SCITT headers) + * @param requestHeaders the HTTP request headers (must include SCITT headers). + * Header keys must be lowercase (e.g., {@code x-scitt-receipt}, {@code x-ans-status-token}). * @param policy the verification policy to apply * @return a future that completes with the verification result * @throws NullPointerException if any parameter is null @@ -74,7 +75,7 @@ CompletableFuture verify( * Verifies an incoming client request using the default SCITT_REQUIRED policy. * * @param clientCert the client's X.509 certificate from mTLS handshake - * @param requestHeaders the HTTP request headers + * @param requestHeaders the HTTP request headers (keys must be lowercase) * @return a future that completes with the verification result * @throws NullPointerException if any parameter is null */ diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java index ffd585b..ebdb725 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java @@ -73,7 +73,8 @@ public class ScittVerifierAdapter { * post-verification of the TLS certificate. The domain is automatically * derived from the TransparencyClient configuration.

    * - * @param responseHeaders the HTTP response headers + * @param responseHeaders the HTTP response headers (keys must be lowercase, + * e.g., {@code x-scitt-receipt}, {@code x-ans-status-token}) * @return future containing the pre-verification result */ public CompletableFuture preVerify(Map responseHeaders) { diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java index 1f19dda..b6fbeec 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java @@ -188,7 +188,7 @@ void shouldReturnNotPresentWhenHeadersEmpty() throws Exception { @DisplayName("Should return notPresent when artifacts are incomplete") void shouldReturnNotPresentWhenIncomplete() throws Exception { ScittHeaderProvider.ScittArtifacts incomplete = - new ScittHeaderProvider.ScittArtifacts(null, null, null, null); + new ScittHeaderProvider.ScittArtifacts(null, null); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(incomplete)); CompletableFuture future = adapter.preVerify(Map.of()); @@ -203,7 +203,7 @@ void shouldVerifyCompleteArtifacts() throws Exception { ScittReceipt receipt = mock(ScittReceipt.class); StatusToken token = mock(StatusToken.class); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) @@ -238,7 +238,7 @@ void shouldReturnParseErrorOnVerificationException() throws Exception { ScittReceipt receipt = mock(ScittReceipt.class); StatusToken token = mock(StatusToken.class); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) @@ -258,7 +258,7 @@ void shouldHandleAsyncException() throws Exception { ScittReceipt receipt = mock(ScittReceipt.class); StatusToken token = mock(StatusToken.class); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) @@ -278,7 +278,7 @@ void shouldHandleKeyNotFoundWithReject() throws Exception { StatusToken token = mock(StatusToken.class); when(token.issuedAt()).thenReturn(java.time.Instant.now().minusSeconds(3600)); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) @@ -304,7 +304,7 @@ void shouldHandleKeyNotFoundWithDefer() throws Exception { StatusToken token = mock(StatusToken.class); when(token.issuedAt()).thenReturn(java.time.Instant.now()); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) @@ -330,7 +330,7 @@ void shouldHandleKeyNotFoundWithRefreshed() throws Exception { StatusToken token = mock(StatusToken.class); when(token.issuedAt()).thenReturn(java.time.Instant.now()); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) @@ -362,7 +362,7 @@ void shouldHandleKeyNotFoundWithNullIssuedAt() throws Exception { when(token.issuedAt()).thenReturn(null); when(receipt.protectedHeader()).thenReturn(null); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[10], new byte[10]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); when(mockHeaderProvider.extractArtifacts(any())).thenReturn(Optional.of(artifacts)); when(mockTransparencyClient.getRootKeysAsync()) diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java index 4eab815..3602520 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java @@ -81,8 +81,8 @@ public Map getOutgoingHeaders() { public Optional extractArtifacts(Map headers) { Objects.requireNonNull(headers, "headers cannot be null"); - String receiptHeader = getHeaderCaseInsensitive(headers, ScittHeaders.SCITT_RECEIPT_HEADER); - String tokenHeader = getHeaderCaseInsensitive(headers, ScittHeaders.STATUS_TOKEN_HEADER); + String receiptHeader = headers.get(ScittHeaders.SCITT_RECEIPT_HEADER); + String tokenHeader = headers.get(ScittHeaders.STATUS_TOKEN_HEADER); if (receiptHeader == null && tokenHeader == null) { LOGGER.debug("No SCITT headers present in response"); @@ -138,15 +138,7 @@ public Optional extractArtifacts(Map headers) { "SCITT headers present but failed to parse: " + errorDetail); } - return Optional.of(new ScittArtifacts(receipt, statusToken, receiptBytes, tokenBytes)); - } - - /** - * Gets a header value with case-insensitive key lookup. - * Headers are expected to have lowercase keys (normalized by caller). - */ - private String getHeaderCaseInsensitive(Map headers, String key) { - return headers.get(key.toLowerCase()); + return Optional.of(new ScittArtifacts(receipt, statusToken)); } /** diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java index 49a0fa3..3cbaf08 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java @@ -51,14 +51,10 @@ public interface ScittHeaderProvider { * * @param receipt the parsed SCITT receipt (null if not present) * @param statusToken the parsed status token (null if not present) - * @param receiptBytes raw receipt bytes for caching - * @param tokenBytes raw token bytes for caching */ record ScittArtifacts( ScittReceipt receipt, - StatusToken statusToken, - byte[] receiptBytes, - byte[] tokenBytes + StatusToken statusToken ) { /** * Returns true if both receipt and status token are present. diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java index d4c1a5d..1dc9f9f 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProviderTest.java @@ -272,7 +272,7 @@ void isCompleteShouldReturnTrueWhenBothPresent() { StatusToken token = createMockToken(); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, token, new byte[0], new byte[0]); + new ScittHeaderProvider.ScittArtifacts(receipt, token); assertThat(artifacts.isComplete()).isTrue(); } @@ -283,7 +283,7 @@ void isCompleteShouldReturnFalseWhenReceiptMissing() { StatusToken token = createMockToken(); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(null, token, null, new byte[0]); + new ScittHeaderProvider.ScittArtifacts(null, token); assertThat(artifacts.isComplete()).isFalse(); } @@ -294,7 +294,7 @@ void isCompleteShouldReturnFalseWhenTokenMissing() { ScittReceipt receipt = createMockReceipt(); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, null, new byte[0], null); + new ScittHeaderProvider.ScittArtifacts(receipt, null); assertThat(artifacts.isComplete()).isFalse(); } @@ -305,7 +305,7 @@ void isPresentShouldReturnTrueWhenAtLeastOnePresent() { ScittReceipt receipt = createMockReceipt(); ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(receipt, null, new byte[0], null); + new ScittHeaderProvider.ScittArtifacts(receipt, null); assertThat(artifacts.isPresent()).isTrue(); } @@ -314,7 +314,7 @@ void isPresentShouldReturnTrueWhenAtLeastOnePresent() { @DisplayName("isPresent should return false when both null") void isPresentShouldReturnFalseWhenBothNull() { ScittHeaderProvider.ScittArtifacts artifacts = - new ScittHeaderProvider.ScittArtifacts(null, null, null, null); + new ScittHeaderProvider.ScittArtifacts(null, null); assertThat(artifacts.isPresent()).isFalse(); } From 496ca8dd8923e0e7ce7da92ddbee981f5aa1b6a5 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Thu, 2 Apr 2026 11:36:51 +1100 Subject: [PATCH 15/19] refactor: address code review feedback for SCITT verification Security improvements: - Add defensive byte array copies in ScittReceipt, CoseSign1Parser, CoseProtectedHeader to prevent mutation attacks on immutable records - Add input validation for negative tree size and leaf index values - Add hash path length limit (max 64) to prevent DoS via oversized proofs - Use KEY_NOT_FOUND status for missing keys (better error differentiation) Concurrency/resource fixes: - Don't cache SCITT fetch failures in AnsVerifiedClient - allows retry on transient errors instead of permanent silent degradation - Add CryptoCache.cleanup() to prevent ThreadLocal/classloader leaks in servlet containers with pooled threads - Call CryptoCache.cleanup() from AnsExecutors.shutdown() DRY refactoring: - Add VerificationPolicy.allowsScittFallbackToBadge() method as single source of truth for fallback policy decisions - Add VerificationPolicy.rejectsInvalidScittHeaders() for garbage header attack prevention logic - Simplify DefaultConnectionVerifier.determineCombineStrategy() to delegate to policy methods instead of duplicating logic - Simplify AnsVerifiedClient SCITT validation to use policy methods Test improvements: - Rename ClientRequestVerifierTest to DefaultClientRequestVerifierTest - Add DoS protection tests (header size limits) - Add async error handling tests - Add fingerprint matching edge case tests (case sensitivity, multiple certs) - Add cache expiry edge case tests - Add agent status variation tests - Add tests for new VerificationPolicy methods - Add test for CryptoCache.cleanup() Co-Authored-By: Claude Opus 4.5 --- .../ans/sdk/agent/AnsVerifiedClient.java | 38 +- .../ans/sdk/agent/VerificationPolicy.java | 32 ++ .../DefaultConnectionVerifier.java | 31 +- .../ans/sdk/agent/VerificationPolicyTest.java | 78 ++++ ... => DefaultClientRequestVerifierTest.java} | 348 +++++++++++++++--- .../ans/sdk/concurrent/AnsExecutors.java | 8 + .../godaddy/ans/sdk/crypto/CryptoCache.java | 17 + .../ans/sdk/crypto/CryptoCacheTest.java | 16 + .../scitt/CoseProtectedHeader.java | 16 + .../transparency/scitt/CoseSign1Parser.java | 41 ++- .../scitt/DefaultScittVerifier.java | 8 +- .../sdk/transparency/scitt/ScittReceipt.java | 89 ++++- .../scitt/DefaultScittVerifierTest.java | 10 +- 13 files changed, 627 insertions(+), 105 deletions(-) rename ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/{ClientRequestVerifierTest.java => DefaultClientRequestVerifierTest.java} (64%) diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java index 26835d7..5535e25 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java @@ -172,14 +172,14 @@ private CompletableFuture> fetchScittHeadersAsync() { return headers; } }).exceptionally(e -> { - synchronized (scittHeadersLock) { - if (scittHeaders != null) { - return scittHeaders; - } - LOGGER.warn("Could not fetch SCITT artifacts for agent {}: {}", agentId, e.getMessage()); - scittHeaders = Map.of(); + // Check if another thread succeeded while we were failing + if (scittHeaders != null) { return scittHeaders; } + // Don't cache failures - return empty for this call but allow retry on next call + LOGGER.warn("Could not fetch SCITT artifacts for agent {} (will retry on next request): {}", + agentId, e.getMessage()); + return Map.of(); }); } @@ -286,23 +286,27 @@ public CompletableFuture connectAsync(String serverUrl) { boolean scittVerified = scittPreResult.expectation().isVerified(); boolean scittPresent = scittPreResult.isPresent(); - if (policy.scittMode() == VerificationMode.REQUIRED && !scittVerified) { - // REQUIRED: must have valid SCITT - reject if missing OR if verification failed + // Reject invalid SCITT headers regardless of mode (prevents garbage header attacks) + if (policy.rejectsInvalidScittHeaders() && scittPresent && !scittVerified) { String reason = scittPreResult.expectation().failureReason(); ScittVerificationException.FailureType failureType = mapToFailureType( scittPreResult.expectation().status()); throw new ScittVerificationException( - "SCITT verification required but failed: " + reason, failureType); + "SCITT headers present but verification failed: " + reason, failureType); } - if (policy.scittMode() == VerificationMode.ADVISORY && scittPresent && !scittVerified) { - // ADVISORY: if headers ARE present but failed, reject (don't allow garbage headers) - // If headers are NOT present, allow fallback to badge - String reason = scittPreResult.expectation().failureReason(); - ScittVerificationException.FailureType failureType = mapToFailureType( - scittPreResult.expectation().status()); - throw new ScittVerificationException( - "SCITT headers present but verification failed: " + reason, failureType); + // Handle missing SCITT headers based on policy + if (policy.scittMode() == VerificationMode.REQUIRED && !scittVerified) { + if (policy.allowsScittFallbackToBadge() && !scittPresent) { + // Allow fallback - badge verification will happen in post-verify + LOGGER.debug("SCITT headers not present, will fall back to badge verification"); + } else { + String reason = scittPreResult.expectation().failureReason(); + ScittVerificationException.FailureType failureType = mapToFailureType( + scittPreResult.expectation().status()); + throw new ScittVerificationException( + "SCITT verification required but failed: " + reason, failureType); + } } PreVerificationResult combinedResult = preResult.withScittResult(scittPreResult); diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java index 966fdc6..3c34e81 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java @@ -184,6 +184,38 @@ public boolean hasScittVerification() { return scittMode != VerificationMode.DISABLED; } + /** + * Returns true if this policy allows falling back to badge verification + * when SCITT headers are not present. + * + *

    Fallback is allowed when: + *

      + *
    • SCITT mode is REQUIRED (so we want SCITT if available)
      • + *
    • Badge mode is ADVISORY (provides audit trail fallback)
      • + *
    + * This matches {@link #SCITT_ENHANCED} - the migration scenario.

    + * + * @return true if badge fallback is allowed when SCITT headers are missing + */ + public boolean allowsScittFallbackToBadge() { + return scittMode == VerificationMode.REQUIRED + && badgeMode == VerificationMode.ADVISORY; + } + + /** + * Returns true if SCITT verification failure with present headers + * should reject the connection (regardless of fallback settings). + * + *

    When SCITT headers are present but invalid, we always reject + * to prevent garbage header attacks. This is true for both REQUIRED + * and ADVISORY modes when headers exist.

    + * + * @return true if invalid SCITT headers should cause rejection + */ + public boolean rejectsInvalidScittHeaders() { + return scittMode != VerificationMode.DISABLED; + } + @Override public String toString() { return "VerificationPolicy{dane=" + daneMode + diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java index 5c0a24d..de6e886 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifier.java @@ -226,42 +226,29 @@ public VerificationResult combine(List results, Verification /** * Determines the combine strategy based on results and policy. * - *

    Fallback invariants:

    - *
      - *
    • SCITT-to-Badge fallback is ONLY allowed when: - *
        - *
      1. SCITT mode is REQUIRED
        2. - *
      2. Badge mode is ADVISORY (not REQUIRED or DISABLED)
        3. - *
      3. SCITT result is NOT_FOUND (headers missing, not verification failure)
        4. - *
      4. Badge verification succeeded
        5. - *
      - *
      • - *
    • This matches {@link VerificationPolicy#SCITT_ENHANCED} - the migration scenario - * where SCITT is preferred but badge provides an audit trail fallback.
      • - *
    • When badge is REQUIRED, both verifications must pass independently - - * no fallback allowed.
      • - *
    • When badge is DISABLED (e.g., {@link VerificationPolicy#SCITT_REQUIRED}), - * fallback is impossible - SCITT NOT_FOUND becomes a hard failure.
      • - *
    + *

    Uses {@link VerificationPolicy#allowsScittFallbackToBadge()} as the single source + * of truth for fallback policy. Runtime conditions (SCITT missing, badge succeeded) + * are checked only when the policy permits fallback.

    + * + * @see VerificationPolicy#allowsScittFallbackToBadge() */ private CombineStrategy determineCombineStrategy(List results, VerificationPolicy policy) { - // Fallback only applies when SCITT is REQUIRED - if (policy.scittMode() != VerificationMode.REQUIRED) { + // Check policy-level fallback permission first + if (!policy.allowsScittFallbackToBadge()) { return CombineStrategy.STANDARD; } + // Policy allows fallback - check runtime conditions Optional scittResult = findResultByType(results, VerificationResult.VerificationType.SCITT); Optional badgeResult = findResultByType(results, VerificationResult.VerificationType.BADGE); - // Check fallback conditions boolean scittMissing = scittResult.map(VerificationResult::isNotFound).orElse(false); boolean badgeSucceeded = badgeResult.map(VerificationResult::isSuccess).orElse(false); - boolean badgeIsAdvisory = policy.badgeMode() == VerificationMode.ADVISORY; - if (scittMissing && badgeSucceeded && badgeIsAdvisory) { + if (scittMissing && badgeSucceeded) { LOGGER.info("SCITT headers not present, falling back to badge verification for audit trail"); return CombineStrategy.SCITT_FALLBACK_TO_BADGE; } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java index ede7953..8c20308 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java @@ -139,4 +139,82 @@ void presetPoliciesAreNotNull() { assertNotNull(VerificationPolicy.DANE_REQUIRED); assertNotNull(VerificationPolicy.DANE_AND_BADGE); } + + // Tests for allowsScittFallbackToBadge() + + @Test + void scittEnhancedAllowsFallbackToBadge() { + assertTrue(VerificationPolicy.SCITT_ENHANCED.allowsScittFallbackToBadge(), + "SCITT_ENHANCED (scitt=REQUIRED, badge=ADVISORY) should allow fallback"); + } + + @Test + void scittRequiredDoesNotAllowFallbackToBadge() { + assertFalse(VerificationPolicy.SCITT_REQUIRED.allowsScittFallbackToBadge(), + "SCITT_REQUIRED (badge=DISABLED) should not allow fallback"); + } + + @Test + void badgeRequiredDoesNotAllowFallbackToBadge() { + assertFalse(VerificationPolicy.BADGE_REQUIRED.allowsScittFallbackToBadge(), + "BADGE_REQUIRED (scitt=DISABLED) should not allow fallback"); + } + + @Test + void customPolicyWithScittRequiredAndBadgeRequiredDoesNotAllowFallback() { + VerificationPolicy policy = VerificationPolicy.custom() + .scitt(VerificationMode.REQUIRED) + .badge(VerificationMode.REQUIRED) + .build(); + + assertFalse(policy.allowsScittFallbackToBadge(), + "When both SCITT and Badge are REQUIRED, no fallback should be allowed"); + } + + @Test + void customPolicyWithScittAdvisoryDoesNotAllowFallback() { + VerificationPolicy policy = VerificationPolicy.custom() + .scitt(VerificationMode.ADVISORY) + .badge(VerificationMode.ADVISORY) + .build(); + + assertFalse(policy.allowsScittFallbackToBadge(), + "SCITT ADVISORY mode should not allow fallback (must be REQUIRED)"); + } + + // Tests for rejectsInvalidScittHeaders() + + @Test + void scittRequiredRejectsInvalidHeaders() { + assertTrue(VerificationPolicy.SCITT_REQUIRED.rejectsInvalidScittHeaders(), + "SCITT_REQUIRED should reject invalid headers"); + } + + @Test + void scittEnhancedRejectsInvalidHeaders() { + assertTrue(VerificationPolicy.SCITT_ENHANCED.rejectsInvalidScittHeaders(), + "SCITT_ENHANCED should reject invalid headers"); + } + + @Test + void badgeRequiredDoesNotRejectInvalidHeaders() { + assertFalse(VerificationPolicy.BADGE_REQUIRED.rejectsInvalidScittHeaders(), + "BADGE_REQUIRED (scitt=DISABLED) should not reject SCITT headers"); + } + + @Test + void pkiOnlyDoesNotRejectInvalidHeaders() { + assertFalse(VerificationPolicy.PKI_ONLY.rejectsInvalidScittHeaders(), + "PKI_ONLY should not reject SCITT headers"); + } + + @Test + void customPolicyWithScittAdvisoryRejectsInvalidHeaders() { + VerificationPolicy policy = VerificationPolicy.custom() + .scitt(VerificationMode.ADVISORY) + .build(); + + assertTrue(policy.rejectsInvalidScittHeaders(), + "SCITT ADVISORY should still reject invalid headers when present"); + } } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifierTest.java similarity index 64% rename from ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java rename to ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifierTest.java index 091b9de..3061ad0 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifierTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifierTest.java @@ -3,6 +3,7 @@ import com.godaddy.ans.sdk.agent.VerificationMode; import com.godaddy.ans.sdk.agent.VerificationPolicy; import com.godaddy.ans.sdk.crypto.CertificateUtils; +import com.godaddy.ans.sdk.crypto.CryptoCache; import com.godaddy.ans.sdk.transparency.TransparencyClient; import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; @@ -11,15 +12,19 @@ import com.godaddy.ans.sdk.transparency.scitt.ScittVerifier; import com.godaddy.ans.sdk.transparency.scitt.StatusToken; import com.upokecenter.cbor.CBORObject; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.util.encoders.Hex; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.DisplayName; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Test; -import com.godaddy.ans.sdk.crypto.CryptoCache; - -import org.bouncycastle.util.encoders.Hex; - import java.math.BigInteger; import java.security.KeyPair; import java.security.KeyPairGenerator; @@ -29,10 +34,13 @@ import java.time.Instant; import java.util.Arrays; import java.util.Base64; +import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.concurrent.CompletableFuture; +import java.util.concurrent.Executor; +import java.util.concurrent.Executors; import java.util.concurrent.TimeUnit; import static org.assertj.core.api.Assertions.assertThat; @@ -43,7 +51,13 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; -class ClientRequestVerifierTest { +/** + * Tests for {@link DefaultClientRequestVerifier}. + * + *

    Covers input validation, SCITT verification, caching behavior, + * DoS protection, and error handling paths.

    + */ +class DefaultClientRequestVerifierTest { private TransparencyClient mockTransparencyClient; private ScittVerifier mockScittVerifier; @@ -59,12 +73,10 @@ void setUp() throws Exception { mockClientCert = createMockCertificate(); clientCertFingerprint = CertificateUtils.computeSha256Fingerprint(mockClientCert); - // Generate test key pair for root key mock KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); keyGen.initialize(256); testKeyPair = keyGen.generateKeyPair(); - // Setup mock TransparencyClient when(mockTransparencyClient.getRootKeysAsync()).thenReturn( CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); @@ -76,9 +88,6 @@ void setUp() throws Exception { .build(); } - /** - * Helper to convert a PublicKey to a Map keyed by hex key ID. - */ private Map toRootKeys(PublicKey publicKey) { byte[] hash = CryptoCache.sha256(publicKey.getEncoded()); String hexKeyId = Hex.toHexString(Arrays.copyOf(hash, 4)); @@ -157,11 +166,10 @@ class SuccessfulVerificationTests { @Test @DisplayName("Should verify valid SCITT artifacts with matching certificate") void shouldVerifyValidArtifacts() throws Exception { - // Setup mock SCITT verification to return success with matching identity cert ScittExpectation expectation = ScittExpectation.verified( - List.of(), // server certs (not used for client verification) - List.of(clientCertFingerprint), // identity certs - must match client cert - "test.ans", + List.of(), + List.of(clientCertFingerprint), + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -186,7 +194,7 @@ void shouldCacheSuccessfulResult() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of(), List.of(clientCertFingerprint), - "test.ans", + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -194,25 +202,21 @@ void shouldCacheSuccessfulResult() throws Exception { Map headers = createValidScittHeaders(); - // First call ClientRequestVerificationResult result1 = verifier .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) .get(5, TimeUnit.SECONDS); - // Second call with same inputs should use cache ClientRequestVerificationResult result2 = verifier .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) .get(5, TimeUnit.SECONDS); assertThat(result1.verified()).isTrue(); assertThat(result2.verified()).isTrue(); - // Both should succeed (cache hit on second call) } @Test @DisplayName("Should invalidate cache when token expires before cache TTL") void shouldInvalidateCacheWhenTokenExpires() throws Exception { - // Create a token that expires in 100ms - much shorter than cache TTL Instant shortExpiry = Instant.now().plusMillis(100); StatusToken shortLivedToken = createMockStatusTokenWithExpiry( "test-agent", shortExpiry); @@ -220,34 +224,28 @@ void shouldInvalidateCacheWhenTokenExpires() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of(), List.of(clientCertFingerprint), - "test.ans", + "test.ans", Map.of(), shortLivedToken ); when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); - // Headers must also use short expiry - the token parsed from headers is used for cache TTL Map headers = createValidScittHeadersWithExpiry(shortExpiry); - // First call - should succeed and cache ClientRequestVerificationResult result1 = verifier .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) .get(5, TimeUnit.SECONDS); assertThat(result1.verified()).isTrue(); - // Verify scittVerifier was called once verify(mockScittVerifier, times(1)).verify(any(), any(), any()); - // Wait for token to expire (cache TTL is 5 minutes, token expires in 100ms) Thread.sleep(150); - // Second call - token expired, should NOT use cache, should re-verify ClientRequestVerificationResult result2 = verifier .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) .get(5, TimeUnit.SECONDS); assertThat(result2.verified()).isTrue(); - // Verify scittVerifier was called twice (cache was invalidated due to token expiry) verify(mockScittVerifier, times(2)).verify(any(), any(), any()); } } @@ -259,11 +257,10 @@ class FingerprintMismatchTests { @Test @DisplayName("Should fail when certificate fingerprint does not match identity certs") void shouldFailOnFingerprintMismatch() throws Exception { - // Return expectation with different identity cert fingerprint ScittExpectation expectation = ScittExpectation.verified( List.of(), - List.of("SHA256:different-fingerprint"), // Won't match client cert - "test.ans", + List.of("SHA256:different-fingerprint"), + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -284,8 +281,8 @@ void shouldFailOnFingerprintMismatch() throws Exception { void shouldFailWhenNoIdentityCerts() throws Exception { ScittExpectation expectation = ScittExpectation.verified( List.of("SHA256:some-server-cert"), - List.of(), // No identity certs - "test.ans", + List.of(), + "test.ans", Map.of(), createMockStatusToken("test-agent") ); @@ -388,6 +385,237 @@ void shouldFailOnInvalidCbor() throws Exception { } } + @Nested + @DisplayName("DoS protection tests") + class DoSProtectionTests { + + @Test + @DisplayName("Should fail when receipt header exceeds size limit") + void shouldFailWhenReceiptHeaderExceedsSizeLimit() throws Exception { + String oversizedHeader = "A".repeat(65 * 1024); + Map headers = new HashMap<>(); + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, oversizedHeader); + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, + Base64.getEncoder().encodeToString(createValidStatusTokenBytes())); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("exceeds size limit")); + } + + @Test + @DisplayName("Should fail when status token header exceeds size limit") + void shouldFailWhenStatusTokenHeaderExceedsSizeLimit() throws Exception { + String oversizedHeader = "B".repeat(65 * 1024); + Map headers = new HashMap<>(); + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, + Base64.getEncoder().encodeToString(createValidReceiptBytes())); + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, oversizedHeader); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("exceeds size limit")); + } + + @Test + @DisplayName("Should accept headers just under size limit") + void shouldAcceptHeadersJustUnderSizeLimit() throws Exception { + ScittExpectation expectation = ScittExpectation.verified( + List.of(), + List.of(clientCertFingerprint), + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + String largeButValidReceipt = "A".repeat(64 * 1024 - 1); + Map headers = new HashMap<>(); + headers.put(ScittHeaders.SCITT_RECEIPT_HEADER, largeButValidReceipt); + headers.put(ScittHeaders.STATUS_TOKEN_HEADER, + Base64.getEncoder().encodeToString(createValidStatusTokenBytes())); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.errors()).noneMatch(e -> e.contains("exceeds size limit")); + } + } + + @Nested + @DisplayName("Async error handling tests") + class AsyncErrorHandlingTests { + + @Test + @DisplayName("Should handle root key fetch failure") + void shouldHandleRootKeyFetchFailure() throws Exception { + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.failedFuture( + new RuntimeException("Network error"))); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> + e.contains("Failed to fetch SCITT public keys") || e.contains("Network error")); + } + + @Test + @DisplayName("Should handle unexpected exception during verification") + void shouldHandleUnexpectedExceptionDuringVerification() throws Exception { + when(mockTransparencyClient.getRootKeysAsync()) + .thenReturn(CompletableFuture.completedFuture(toRootKeys(testKeyPair.getPublic()))); + when(mockScittVerifier.verify(any(), any(), any())) + .thenThrow(new RuntimeException("Unexpected error")); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("error")); + } + } + + @Nested + @DisplayName("Fingerprint matching edge cases") + class FingerprintMatchingEdgeCaseTests { + + @Test + @DisplayName("Should match fingerprint when present in multiple identity certs") + void shouldMatchFingerprintInMultipleIdentityCerts() throws Exception { + ScittExpectation expectation = ScittExpectation.verified( + List.of(), + List.of("SHA256:other-fp-1", clientCertFingerprint, "SHA256:other-fp-2"), + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isTrue(); + } + + @Test + @DisplayName("Should match fingerprint with different case") + void shouldMatchFingerprintWithDifferentCase() throws Exception { + String upperCaseFingerprint = clientCertFingerprint.toUpperCase(); + + ScittExpectation expectation = ScittExpectation.verified( + List.of(), + List.of(upperCaseFingerprint), + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + when(mockScittVerifier.verify(any(), any(), any())).thenReturn(expectation); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isTrue(); + } + } + + @Nested + @DisplayName("Cache expiry edge cases") + class CacheExpiryEdgeCaseTests { + + @Test + @DisplayName("Should use different cache keys for different certificates") + void shouldUseDifferentCacheKeysForDifferentCerts() throws Exception { + X509Certificate secondCert = createMockCertificate(); + String secondFingerprint = CertificateUtils.computeSha256Fingerprint(secondCert); + + // Use Answer to return appropriate expectation based on which cert is being verified + when(mockScittVerifier.verify(any(), any(), any())).thenAnswer(invocation -> { + // Return expectation that matches whichever fingerprint we're checking + // Since both calls use the same headers, the verifier is called for both + return ScittExpectation.verified( + List.of(), + List.of(clientCertFingerprint, secondFingerprint), + "test.ans", + Map.of(), + createMockStatusToken("test-agent") + ); + }); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result1 = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + ClientRequestVerificationResult result2 = verifier + .verify(secondCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + // Both should succeed + assertThat(result1.verified()).isTrue(); + assertThat(result2.verified()).isTrue(); + // Critical: mock should be called twice - different cert fingerprints mean different cache keys + verify(mockScittVerifier, times(2)).verify(any(), any(), any()); + } + } + + @Nested + @DisplayName("Agent status variations") + class AgentStatusVariationsTests { + + @Test + @DisplayName("Should fail when agent status is inactive") + void shouldFailWhenAgentStatusIsInactive() throws Exception { + when(mockScittVerifier.verify(any(), any(), any())) + .thenReturn(ScittExpectation.inactive(StatusToken.Status.DEPRECATED, "test.ans")); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + } + + @Test + @DisplayName("Should fail when key not found") + void shouldFailWhenKeyNotFound() throws Exception { + when(mockScittVerifier.verify(any(), any(), any())) + .thenReturn(ScittExpectation.keyNotFound("Required key ID not in registry")); + + Map headers = createValidScittHeaders(); + + ClientRequestVerificationResult result = verifier + .verify(mockClientCert, headers, VerificationPolicy.SCITT_REQUIRED) + .get(5, TimeUnit.SECONDS); + + assertThat(result.verified()).isFalse(); + assertThat(result.errors()).anyMatch(e -> e.contains("SCITT verification failed")); + } + } + @Nested @DisplayName("ClientRequestVerificationResult tests") class ResultTests { @@ -413,7 +641,7 @@ void hasScittArtifactsShouldReturnFalseWhenReceiptMissing() { ClientRequestVerificationResult result = ClientRequestVerificationResult.success( "test-agent", createMockStatusToken("test-agent"), - null, // no receipt + null, mockClientCert, VerificationPolicy.SCITT_REQUIRED, Duration.ofMillis(100) @@ -514,9 +742,21 @@ void shouldRejectNegativeCacheTtl() { .isInstanceOf(IllegalArgumentException.class) .hasMessageContaining("must be positive"); } + + @Test + @DisplayName("Should build with custom executor") + void shouldBuildWithCustomExecutor() { + Executor customExecutor = Executors.newSingleThreadExecutor(); + DefaultClientRequestVerifier verifier = DefaultClientRequestVerifier.builder() + .transparencyClient(mockTransparencyClient) + .executor(customExecutor) + .build(); + + assertThat(verifier).isNotNull(); + } } - // Helper methods + // ==================== Helper Methods ==================== private Map createValidScittHeaders() { return createValidScittHeadersWithExpiry(Instant.now().plusSeconds(3600)); @@ -534,8 +774,8 @@ private Map createValidScittHeadersWithExpiry(Instant expiresAt) private byte[] createValidReceiptBytes() { CBORObject protectedHeader = CBORObject.NewMap(); - protectedHeader.Add(1, -7); // alg = ES256 - protectedHeader.Add(395, 1); // vds = RFC9162_SHA256 + protectedHeader.Add(1, -7); + protectedHeader.Add(395, 1); byte[] protectedBytes = protectedHeader.EncodeToBytes(); CBORObject inclusionProofMap = CBORObject.NewMap(); @@ -557,6 +797,10 @@ private byte[] createValidReceiptBytes() { return tagged.EncodeToBytes(); } + private byte[] createValidStatusTokenBytes() { + return createValidStatusTokenBytesWithExpiry(Instant.now().plusSeconds(3600)); + } + private byte[] createValidStatusTokenBytesWithExpiry(Instant expiresAt) { long now = Instant.now().getEpochSecond(); @@ -581,34 +825,28 @@ private byte[] createValidStatusTokenBytesWithExpiry(Instant expiresAt) { } private X509Certificate createMockCertificate() throws Exception { - // Generate a self-signed certificate for testing KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); keyGen.initialize(256); KeyPair keyPair = keyGen.generateKeyPair(); - // Use BouncyCastle to create a self-signed certificate - org.bouncycastle.asn1.x500.X500Name subject = - new org.bouncycastle.asn1.x500.X500Name("CN=Test Agent"); + X500Name subject = new X500Name("CN=Test Agent"); BigInteger serial = BigInteger.valueOf(System.currentTimeMillis()); Instant now = Instant.now(); - org.bouncycastle.cert.X509v3CertificateBuilder certBuilder = - new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder( - subject, - serial, - java.util.Date.from(now.minusSeconds(3600)), - java.util.Date.from(now.plusSeconds(86400)), - subject, - keyPair.getPublic() - ); + X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder( + subject, + serial, + Date.from(now.minusSeconds(3600)), + Date.from(now.plusSeconds(86400)), + subject, + keyPair.getPublic() + ); - org.bouncycastle.operator.ContentSigner signer = - new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder("SHA256withECDSA") - .build(keyPair.getPrivate()); + ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA") + .build(keyPair.getPrivate()); - org.bouncycastle.cert.X509CertificateHolder certHolder = certBuilder.build(signer); - return new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter() - .getCertificate(certHolder); + X509CertificateHolder certHolder = certBuilder.build(signer); + return new JcaX509CertificateConverter().getCertificate(certHolder); } private StatusToken createMockStatusToken(String agentId) { @@ -622,7 +860,7 @@ private StatusToken createMockStatusTokenWithExpiry(String agentId, Instant expi Instant.now(), expiresAt, agentId + ".ans", - List.of(), + List.of(), List.of(), Map.of(), null, diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java index 0e5a4e6..11a91ed 100644 --- a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java @@ -13,6 +13,8 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; +import com.godaddy.ans.sdk.crypto.CryptoCache; + /** * Provides shared executors for ANS SDK operations. * @@ -148,6 +150,9 @@ public static ScheduledExecutorService newSingleThreadScheduledExecutor() { * *

    After shutdown, subsequent calls to {@link #sharedIoExecutor()} will * create a new executor.

    + * + *

    This method also cleans up ThreadLocal entries in {@link CryptoCache} + * to prevent classloader leaks in servlet containers.

    */ public static void shutdown() { synchronized (LOCK) { @@ -166,6 +171,9 @@ public static void shutdown() { sharedExecutor = null; } } + + // Clean up ThreadLocal entries to prevent classloader leaks + CryptoCache.cleanup(); } /** diff --git a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java index c8c93c0..e68d6a7 100644 --- a/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java +++ b/ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java @@ -77,6 +77,23 @@ private CryptoCache() { // Utility class } + /** + * Removes ThreadLocal entries for the current thread. + * + *

    Call this method during application shutdown or when using the SDK in + * servlet containers with pooled threads. This prevents classloader leaks + * where pooled threads retain references to the SDK's classes.

    + * + *

    Note: This method is called automatically by + * {@link com.godaddy.ans.sdk.concurrent.AnsExecutors#shutdown()}.

    + */ + public static void cleanup() { + SHA256.remove(); + SHA512.remove(); + ES256.remove(); + ES256_P1363.remove(); + } + /** * Computes the SHA-256 hash of the given data. * diff --git a/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java b/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java index 26ff4d9..4ef1fad 100644 --- a/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java +++ b/ans-sdk-core/src/test/java/com/godaddy/ans/sdk/crypto/CryptoCacheTest.java @@ -248,6 +248,22 @@ void verifyEs256ShouldRejectInvalidSignature() throws Exception { assertThat(result).isFalse(); } + @Test + @DisplayName("cleanup should remove ThreadLocal entries and allow re-initialization") + void cleanupShouldRemoveThreadLocalEntries() { + // Use cache to initialize ThreadLocals + byte[] data = "test data".getBytes(StandardCharsets.UTF_8); + CryptoCache.sha256(data); + CryptoCache.sha512(data); + + // Cleanup should not throw + CryptoCache.cleanup(); + + // Cache should still work after cleanup (re-initializes ThreadLocals) + byte[] result = CryptoCache.sha256(data); + assertThat(result).hasSize(32); + } + @Test @DisplayName("verifyEs256 should be thread-safe") void verifyEs256ShouldBeThreadSafe() throws Exception { diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java index 0e509d3..cdc7c28 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java @@ -18,6 +18,22 @@ public record CoseProtectedHeader( CwtClaims cwtClaims, String contentType ) { + /** + * Compact constructor that performs defensive copy of mutable byte array. + */ + public CoseProtectedHeader { + keyId = keyId != null ? keyId.clone() : null; + } + + /** + * Returns a defensive copy of the key ID. + * + * @return a copy of the key ID bytes, or null if not present + */ + @Override + public byte[] keyId() { + return keyId != null ? keyId.clone() : null; + } /** * VDS type for RFC 9162 SHA-256 Merkle trees. diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java index f090769..ab4b803 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseSign1Parser.java @@ -282,5 +282,44 @@ public record ParsedCoseSign1( CBORObject unprotectedHeader, byte[] payload, byte[] signature - ) {} + ) { + /** + * Compact constructor that performs defensive copies of mutable byte arrays. + */ + public ParsedCoseSign1 { + protectedHeaderBytes = protectedHeaderBytes != null ? protectedHeaderBytes.clone() : null; + payload = payload != null ? payload.clone() : null; + signature = signature != null ? signature.clone() : null; + } + + /** + * Returns a defensive copy of the protected header bytes. + * + * @return a copy of the protected header bytes + */ + @Override + public byte[] protectedHeaderBytes() { + return protectedHeaderBytes != null ? protectedHeaderBytes.clone() : null; + } + + /** + * Returns a defensive copy of the payload. + * + * @return a copy of the payload bytes, or null if detached + */ + @Override + public byte[] payload() { + return payload != null ? payload.clone() : null; + } + + /** + * Returns a defensive copy of the signature. + * + * @return a copy of the signature bytes + */ + @Override + public byte[] signature() { + return signature != null ? signature.clone() : null; + } + } } diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java index 8064be3..c6980f2 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifier.java @@ -71,8 +71,8 @@ public ScittExpectation verify( if (receiptKey == null) { LOGGER.warn("Receipt key ID {} not in trust store (have {} keys)", receiptKeyId, rootKeys.size()); - return ScittExpectation.invalidReceipt( - "Key ID " + receiptKeyId + " not in trust store (have " + rootKeys.size() + " keys)"); + return ScittExpectation.keyNotFound( + "Receipt key ID " + receiptKeyId + " not in trust store (have " + rootKeys.size() + " keys)"); } LOGGER.debug("Found receipt key with ID {}", receiptKeyId); @@ -96,8 +96,8 @@ public ScittExpectation verify( if (tokenKey == null) { LOGGER.warn("Token key ID {} not in trust store (have {} keys)", tokenKeyId, rootKeys.size()); - return ScittExpectation.invalidToken( - "Key ID " + tokenKeyId + " not in trust store (have " + rootKeys.size() + " keys)"); + return ScittExpectation.keyNotFound( + "Token key ID " + tokenKeyId + " not in trust store (have " + rootKeys.size() + " keys)"); } LOGGER.debug("Found token key with ID {}", tokenKeyId); diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java index 284c70f..f0923a0 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java @@ -33,6 +33,44 @@ public record ScittReceipt( byte[] eventPayload, byte[] signature ) { + /** + * Compact constructor that performs defensive copies of mutable byte arrays. + */ + public ScittReceipt { + protectedHeaderBytes = protectedHeaderBytes != null ? protectedHeaderBytes.clone() : null; + eventPayload = eventPayload != null ? eventPayload.clone() : null; + signature = signature != null ? signature.clone() : null; + } + + /** + * Returns a defensive copy of the protected header bytes. + * + * @return a copy of the protected header bytes + */ + @Override + public byte[] protectedHeaderBytes() { + return protectedHeaderBytes != null ? protectedHeaderBytes.clone() : null; + } + + /** + * Returns a defensive copy of the event payload. + * + * @return a copy of the event payload bytes + */ + @Override + public byte[] eventPayload() { + return eventPayload != null ? eventPayload.clone() : null; + } + + /** + * Returns a defensive copy of the signature. + * + * @return a copy of the signature bytes + */ + @Override + public byte[] signature() { + return signature != null ? signature.clone() : null; + } /** * Merkle tree inclusion proof extracted from the receipt. @@ -48,8 +86,45 @@ public record InclusionProof( byte[] rootHash, List hashPath ) { + /** + * Compact constructor that performs defensive copies of mutable data. + */ public InclusionProof { - hashPath = hashPath != null ? List.copyOf(hashPath) : List.of(); + rootHash = rootHash != null ? rootHash.clone() : null; + // Deep copy the hash path - clone each byte array + if (hashPath != null) { + List copied = new ArrayList<>(hashPath.size()); + for (byte[] hash : hashPath) { + copied.add(hash != null ? hash.clone() : null); + } + hashPath = List.copyOf(copied); + } else { + hashPath = List.of(); + } + } + + /** + * Returns a defensive copy of the root hash. + * + * @return a copy of the root hash bytes, or null if not present + */ + @Override + public byte[] rootHash() { + return rootHash != null ? rootHash.clone() : null; + } + + /** + * Returns a defensive copy of the hash path. + * + * @return a new list with copies of all hash byte arrays + */ + @Override + public List hashPath() { + List copied = new ArrayList<>(hashPath.size()); + for (byte[] hash : hashPath) { + copied.add(hash != null ? hash.clone() : null); + } + return List.copyOf(copied); } @Override @@ -185,6 +260,10 @@ private static InclusionProof parseMapFormatProof(CBORObject proofMap) throws Sc } long treeSize = treeSizeObj.AsInt64Value(); + if (treeSize < 0) { + throw new ScittParseException("Invalid tree size: " + treeSize + " (must be non-negative)"); + } + // Extract leaf_index (-2) - required CBORObject leafIndexObj = proofMap.get(CBORObject.FromObject(-2)); if (leafIndexObj == null || !leafIndexObj.isNumber()) { @@ -192,10 +271,18 @@ private static InclusionProof parseMapFormatProof(CBORObject proofMap) throws Sc } long leafIndex = leafIndexObj.AsInt64Value(); + if (leafIndex < 0) { + throw new ScittParseException("Invalid leaf index: " + leafIndex + " (must be non-negative)"); + } + // Extract hash_path (-3) - optional array of 32-byte hashes List hashPath = new ArrayList<>(); CBORObject hashPathObj = proofMap.get(CBORObject.FromObject(-3)); if (hashPathObj != null && hashPathObj.getType() == CBORType.Array) { + if (hashPathObj.size() > 64) { + // Even for 2^64 leaves, path length would be at most 64 + throw new ScittParseException("Hash path too long: " + hashPathObj.size() + " (max 64)"); + } for (int i = 0; i < hashPathObj.size(); i++) { CBORObject element = hashPathObj.get(i); if (element.getType() == CBORType.ByteString) { diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java index b222620..35c6cc0 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittVerifierTest.java @@ -482,7 +482,7 @@ void shouldFailWithWrongKey() throws Exception { // Verify with wrong key ScittExpectation result = verifier.verify(receipt, token, toRootKeys(wrongKeyPair.getPublic())); - assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); } } @@ -710,7 +710,7 @@ void shouldRejectReceiptWithMismatchedKeyId() throws Exception { ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); - assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); assertThat(result.failureReason()).contains("not in trust store"); } @@ -752,7 +752,7 @@ void shouldRejectTokenWithMismatchedKeyId() throws Exception { ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); - assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_TOKEN); + assertThat(result.status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); assertThat(result.failureReason()).contains("not in trust store"); } @@ -781,7 +781,7 @@ void shouldRejectReceiptWithMissingKeyId() throws Exception { ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); - assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_RECEIPT); + assertThat(result.status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); assertThat(result.failureReason()).contains("not in trust store"); } @@ -821,7 +821,7 @@ void shouldRejectTokenWithMissingKeyId() throws Exception { ScittExpectation result = verifier.verify(receipt, token, toRootKeys(keyPair.getPublic())); - assertThat(result.status()).isEqualTo(ScittExpectation.Status.INVALID_TOKEN); + assertThat(result.status()).isEqualTo(ScittExpectation.Status.KEY_NOT_FOUND); assertThat(result.failureReason()).contains("not in trust store"); } From cccbff1b82f4cd65e6c49803e6208211cb701c6d Mon Sep 17 00:00:00 2001 From: James Hateley Date: Thu, 2 Apr 2026 13:57:53 +1100 Subject: [PATCH 16/19] refactor: introduce FALLBACK_ALLOWED mode for cleaner SCITT policy semantics Add explicit FALLBACK_ALLOWED verification mode instead of inferring fallback behavior from SCITT=REQUIRED + Badge=ADVISORY combination. This makes the API intent clearer and simplifies the policy logic. Also improves null safety in CertificateUtils.normalizeFingerprint, uses HexFormat for constant-time hash comparison in MetadataHashVerifier, and disables network-dependent test for CI stability. Co-Authored-By: Claude Opus 4.5 --- .../ans/sdk/agent/AnsVerifiedClient.java | 28 ++++++++------- .../ans/sdk/agent/VerificationMode.java | 15 +++++++- .../ans/sdk/agent/VerificationPolicy.java | 24 +++++++------ .../ans/sdk/agent/AnsVerifiedClientTest.java | 10 +++--- .../ans/sdk/agent/VerificationModeTest.java | 8 ++++- .../DefaultCertificateFetcherTest.java | 2 ++ .../DefaultConnectionVerifierTest.java | 4 +-- .../ans/sdk/crypto/CertificateUtils.java | 13 +++++++ .../ans/sdk/crypto/CertificateUtilsTest.java | 36 +++++++++++++++++++ .../scitt/MetadataHashVerifier.java | 14 ++++---- 10 files changed, 114 insertions(+), 40 deletions(-) diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java index 5535e25..a959fce 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java @@ -284,20 +284,11 @@ public CompletableFuture connectAsync(String serverUrl) { // Fail-fast based on policy and SCITT result // This prevents accidental unverified connections boolean scittVerified = scittPreResult.expectation().isVerified(); - boolean scittPresent = scittPreResult.isPresent(); - - // Reject invalid SCITT headers regardless of mode (prevents garbage header attacks) - if (policy.rejectsInvalidScittHeaders() && scittPresent && !scittVerified) { - String reason = scittPreResult.expectation().failureReason(); - ScittVerificationException.FailureType failureType = mapToFailureType( - scittPreResult.expectation().status()); - throw new ScittVerificationException( - "SCITT headers present but verification failed: " + reason, failureType); - } - // Handle missing SCITT headers based on policy - if (policy.scittMode() == VerificationMode.REQUIRED && !scittVerified) { - if (policy.allowsScittFallbackToBadge() && !scittPresent) { + assertScittResult(scittPreResult, scittVerified); + + if (policy.hasScittVerification() && !scittVerified) { + if (policy.allowsScittFallbackToBadge() && !scittPreResult.isPresent()) { // Allow fallback - badge verification will happen in post-verify LOGGER.debug("SCITT headers not present, will fall back to badge verification"); } else { @@ -315,6 +306,17 @@ public CompletableFuture connectAsync(String serverUrl) { }); } + private void assertScittResult(ScittPreVerifyResult scittPreResult, boolean scittVerified) { + // Reject invalid SCITT headers regardless of mode (prevents garbage header attacks) + if (policy.rejectsInvalidScittHeaders() && scittPreResult.isPresent() && !scittVerified) { + String reason = scittPreResult.expectation().failureReason(); + ScittVerificationException.FailureType failureType = mapToFailureType( + scittPreResult.expectation().status()); + throw new ScittVerificationException( + "SCITT headers present but verification failed: " + reason, failureType); + } + } + /** * Sends a preflight HEAD request asynchronously to capture server's SCITT headers. * Uses HttpClient.sendAsync for non-blocking I/O, enabling parallelism with DANE/Badge. diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationMode.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationMode.java index 37f6ac4..dcfad5c 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationMode.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationMode.java @@ -33,5 +33,18 @@ public enum VerificationMode { *

    If verification fails, the connection is rejected with an exception. * Use this for strict security requirements where verification must succeed.

    */ - REQUIRED + REQUIRED, + + /** + * Prefer this verification but allow fallback to another method if unavailable. + * + *

    Currently only supported for SCITT mode. When SCITT headers are not present, + * verification falls back to badge verification (which must be REQUIRED). + * If SCITT headers are present, they must verify successfully.

    + * + *

    Use this during migration when some endpoints may not yet provide SCITT headers.

    + * + * @see VerificationPolicy#SCITT_ENHANCED + */ + FALLBACK_ALLOWED } \ No newline at end of file diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java index 3c34e81..cd8480c 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java @@ -118,13 +118,20 @@ public record VerificationPolicy( * SCITT verification with badge fallback. * *

    Uses SCITT artifacts (receipts and status tokens) delivered via HTTP headers - * for verification. Falls back to badge verification if SCITT headers are not - * present. This is the recommended migration path from badge-based verification.

    + * for verification when available. Falls back to badge verification if SCITT headers + * are not present. This is the recommended migration path from badge-based verification.

    + * + *

    Behavior:

    + *
      + *
    • SCITT headers present and valid → SCITT verification used
      • + *
    • SCITT headers present but invalid → Connection rejected
      • + *
    • SCITT headers absent → Badge verification required as fallback
      • + *
    */ public static final VerificationPolicy SCITT_ENHANCED = new VerificationPolicy( VerificationMode.DISABLED, - VerificationMode.ADVISORY, - VerificationMode.REQUIRED + VerificationMode.REQUIRED, + VerificationMode.FALLBACK_ALLOWED ); /** @@ -188,18 +195,13 @@ public boolean hasScittVerification() { * Returns true if this policy allows falling back to badge verification * when SCITT headers are not present. * - *

    Fallback is allowed when: - *

      - *
    • SCITT mode is REQUIRED (so we want SCITT if available)
      • - *
    • Badge mode is ADVISORY (provides audit trail fallback)
      • - *
    + *

    Fallback is allowed when SCITT mode is {@link VerificationMode#FALLBACK_ALLOWED}. * This matches {@link #SCITT_ENHANCED} - the migration scenario.

    * * @return true if badge fallback is allowed when SCITT headers are missing */ public boolean allowsScittFallbackToBadge() { - return scittMode == VerificationMode.REQUIRED - && badgeMode == VerificationMode.ADVISORY; + return scittMode == VerificationMode.FALLBACK_ALLOWED; } /** diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java index 5ec3ae7..8531c6c 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java @@ -568,8 +568,8 @@ void scittRequiredShouldThrowWhenHeadersInvalid(WireMockRuntimeInfo wmRuntimeInf } @Test - @DisplayName("SCITT_ADVISORY: should allow fallback when no SCITT headers present") - void scittAdvisoryShouldAllowFallbackWhenNoHeaders(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { + @DisplayName("SCITT_FALLBACK: should allow fallback when no SCITT headers present") + void scittFallbackShouldAllowFallbackWhenNoHeaders(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { // Stub preflight to return no SCITT headers stubFor(head(urlEqualTo("/mcp")) .willReturn(aResponse() @@ -580,7 +580,7 @@ void scittAdvisoryShouldAllowFallbackWhenNoHeaders(WireMockRuntimeInfo wmRuntime // SCITT ADVISORY allows fallback when no headers present VerificationPolicy scittAdvisory = VerificationPolicy.custom() - .scitt(VerificationMode.ADVISORY) + .scitt(VerificationMode.FALLBACK_ALLOWED) .build(); AnsVerifiedClient client = AnsVerifiedClient.builder() @@ -600,7 +600,7 @@ void scittAdvisoryShouldAllowFallbackWhenNoHeaders(WireMockRuntimeInfo wmRuntime } @Test - @DisplayName("SCITT_ADVISORY: should throw when SCITT headers present but invalid") + @DisplayName("SCITT_FALLBACK: should throw when SCITT headers present but invalid") void scittAdvisoryShouldThrowWhenHeadersInvalid(WireMockRuntimeInfo wmRuntimeInfo) throws Exception { // Stub preflight to return invalid SCITT headers stubFor(head(urlEqualTo("/mcp")) @@ -679,7 +679,7 @@ void shouldIncludeScittHeadersInPreflight(WireMockRuntimeInfo wmRuntimeInfo) thr // Use SCITT ADVISORY - server returns no headers (fallback allowed) VerificationPolicy scittAdvisory = VerificationPolicy.custom() - .scitt(VerificationMode.ADVISORY) + .scitt(VerificationMode.FALLBACK_ALLOWED) .build(); AnsVerifiedClient client = AnsVerifiedClient.builder() diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationModeTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationModeTest.java index e0c1805..68a9d9b 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationModeTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationModeTest.java @@ -14,7 +14,7 @@ class VerificationModeTest { @Test void enumHasThreeValues() { - assertEquals(3, VerificationMode.values().length); + assertEquals(4, VerificationMode.values().length); } @Test @@ -32,6 +32,11 @@ void requiredExists() { assertEquals(VerificationMode.REQUIRED, VerificationMode.valueOf("REQUIRED")); } + @Test + void fallbackExists() { + assertEquals(VerificationMode.FALLBACK_ALLOWED, VerificationMode.valueOf("FALLBACK_ALLOWED")); + } + @ParameterizedTest @EnumSource(VerificationMode.class) void allValuesAreNotNull(VerificationMode mode) { @@ -44,5 +49,6 @@ void ordinalValues() { assertEquals(0, VerificationMode.DISABLED.ordinal()); assertEquals(1, VerificationMode.ADVISORY.ordinal()); assertEquals(2, VerificationMode.REQUIRED.ordinal()); + assertEquals(3, VerificationMode.FALLBACK_ALLOWED.ordinal()); } } diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java index d80caa6..6175284 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java @@ -1,5 +1,6 @@ package com.godaddy.ans.sdk.agent.verification; +import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.DisplayName; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Test; @@ -45,6 +46,7 @@ void instanceShouldBeSameReference() { class GetCertificateTests { @Test + @Disabled("Requires network access - run manually on dev machine to verify SSL certificate fetching") @DisplayName("Should fetch certificate from real host") void shouldFetchCertificateFromRealHost() throws IOException { // Connect to a well-known host diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java index dc74ae9..7f96245 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java @@ -469,8 +469,8 @@ void combineWithScittNotFoundFallsBackToBadge() { DefaultConnectionVerifier verifier = DefaultConnectionVerifier.builder().build(); VerificationPolicy scittWithBadgeFallback = VerificationPolicy.custom() - .scitt(VerificationMode.REQUIRED) - .badge(VerificationMode.ADVISORY) + .scitt(VerificationMode.FALLBACK_ALLOWED) + .badge(VerificationMode.REQUIRED) .build(); List results = List.of( diff --git a/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java b/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java index df5b768..caf2288 100644 --- a/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java +++ b/ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java @@ -238,7 +238,20 @@ public static boolean fingerprintMatches(String actual, String expected) { return normalizedActual.equals(normalizedExpected); } + /** + * Normalizes a certificate fingerprint for comparison. + * + *

    Normalization includes: lowercase conversion, removing common prefixes + * (sha256:, sha-256:), and stripping colons and spaces.

    + * + * @param fingerprint the fingerprint to normalize + * @return the normalized fingerprint + * @throws IllegalArgumentException if fingerprint is null + */ public static String normalizeFingerprint(String fingerprint) { + if (fingerprint == null) { + throw new IllegalArgumentException("fingerprint cannot be null"); + } String normalized = fingerprint.toLowerCase().trim(); // Remove common prefixes if (normalized.startsWith("sha256:")) { diff --git a/ans-sdk-crypto/src/test/java/com/godaddy/ans/sdk/crypto/CertificateUtilsTest.java b/ans-sdk-crypto/src/test/java/com/godaddy/ans/sdk/crypto/CertificateUtilsTest.java index 177938e..5124028 100644 --- a/ans-sdk-crypto/src/test/java/com/godaddy/ans/sdk/crypto/CertificateUtilsTest.java +++ b/ans-sdk-crypto/src/test/java/com/godaddy/ans/sdk/crypto/CertificateUtilsTest.java @@ -275,6 +275,42 @@ void fingerprintMatchesShouldHandleNullInputs() { assertThat(CertificateUtils.fingerprintMatches(null, "abc")).isFalse(); } + @Test + @DisplayName("normalizeFingerprint should throw for null input") + void normalizeFingerprintShouldThrowForNullInput() { + assertThatThrownBy(() -> CertificateUtils.normalizeFingerprint(null)) + .isInstanceOf(IllegalArgumentException.class) + .hasMessageContaining("null"); + } + + @Test + @DisplayName("normalizeFingerprint should normalize various formats") + void normalizeFingerprintShouldNormalizeVariousFormats() { + String hex = "abcdef1234567890"; + + // Plain hex + assertThat(CertificateUtils.normalizeFingerprint(hex)).isEqualTo(hex); + + // Uppercase + assertThat(CertificateUtils.normalizeFingerprint("ABCDEF1234567890")).isEqualTo(hex); + + // With sha256: prefix + assertThat(CertificateUtils.normalizeFingerprint("sha256:" + hex)).isEqualTo(hex); + assertThat(CertificateUtils.normalizeFingerprint("SHA256:" + hex)).isEqualTo(hex); + + // With sha-256: prefix + assertThat(CertificateUtils.normalizeFingerprint("sha-256:" + hex)).isEqualTo(hex); + + // With colons + assertThat(CertificateUtils.normalizeFingerprint("ab:cd:ef:12:34:56:78:90")).isEqualTo(hex); + + // With spaces + assertThat(CertificateUtils.normalizeFingerprint("ab cd ef 12 34 56 78 90")).isEqualTo(hex); + + // With whitespace trim + assertThat(CertificateUtils.normalizeFingerprint(" " + hex + " ")).isEqualTo(hex); + } + @Test @DisplayName("getDnsSubjectAltNames should return empty list for cert without SANs") void getDnsSubjectAltNamesShouldReturnEmptyListForCertWithoutSans() { diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java index d29bc25..3880d53 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java @@ -4,6 +4,7 @@ import org.slf4j.LoggerFactory; import java.security.MessageDigest; +import java.util.HexFormat; import java.util.Objects; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -65,17 +66,16 @@ public static boolean verify(byte[] metadataBytes, String expectedHash) { // Compute actual hash MessageDigest md = MessageDigest.getInstance("SHA-256"); byte[] actualHash = md.digest(metadataBytes); - String actualHex = bytesToHex(actualHash); - // SECURITY: Use constant-time comparison - boolean matches = MessageDigest.isEqual( - actualHex.getBytes(), - expectedHex.getBytes() - ); + // Decode expected hex to bytes using Java 17 HexFormat + byte[] expectedBytes = HexFormat.of().parseHex(expectedHex); + + // SECURITY: Use constant-time comparison on raw bytes + boolean matches = MessageDigest.isEqual(actualHash, expectedBytes); if (!matches) { LOGGER.warn("Metadata hash mismatch: expected {}, got SHA256:{}", - expectedHash, actualHex); + expectedHash, bytesToHex(actualHash)); } return matches; From 5b0a0595914d25220ab38fcffae1fd4e7c3196a0 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Thu, 2 Apr 2026 17:00:17 +1100 Subject: [PATCH 17/19] refactor: make refreshRootKeysIfNeeded fully async to avoid blocking Change refreshRootKeysIfNeeded() to return CompletableFuture instead of blocking with .join() for up to 30 seconds. This prevents thread pool exhaustion when the Transparency Log endpoint is slow. - TransparencyService: Early validation returns completed futures, key fetch uses thenApply/exceptionally instead of join - TransparencyClient: Public API updated to return CompletableFuture - ScittVerifierAdapter: handleKeyNotFound returns CompletableFuture, preVerify uses thenComposeAsync for the key-not-found path Co-Authored-By: Claude Opus 4.5 --- .../verification/ScittVerifierAdapter.java | 67 ++++++++++--------- .../ScittVerifierAdapterTest.java | 9 ++- .../sdk/transparency/TransparencyClient.java | 4 +- .../sdk/transparency/TransparencyService.java | 38 ++++++----- .../transparency/TransparencyServiceTest.java | 16 ++--- 5 files changed, 72 insertions(+), 62 deletions(-) diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java index ebdb725..1d505ad 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapter.java @@ -5,7 +5,6 @@ import com.godaddy.ans.sdk.transparency.scitt.CwtClaims; import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; import com.godaddy.ans.sdk.transparency.scitt.DefaultScittVerifier; -import com.godaddy.ans.sdk.transparency.scitt.RefreshDecision; import com.godaddy.ans.sdk.transparency.scitt.ScittExpectation; import com.godaddy.ans.sdk.transparency.scitt.ScittHeaderProvider; import com.godaddy.ans.sdk.transparency.scitt.ScittPreVerifyResult; @@ -100,7 +99,7 @@ public CompletableFuture preVerify(Map res // Step 2: fetch keys asynchronously — uses transparencyClient's configured domain return transparencyClient.getRootKeysAsync() - .thenApplyAsync((Map rootKeys) -> { + .thenComposeAsync((Map rootKeys) -> { try { ScittExpectation expectation = scittVerifier.verify(receipt, token, rootKeys); @@ -110,10 +109,12 @@ public CompletableFuture preVerify(Map res } LOGGER.debug("SCITT pre-verification result: {}", expectation.status()); - return ScittPreVerifyResult.verified(expectation, receipt, token); + return CompletableFuture.completedFuture( + ScittPreVerifyResult.verified(expectation, receipt, token)); } catch (RuntimeException e) { LOGGER.error("SCITT verification error: {}", e.getMessage(), e); - return ScittPreVerifyResult.parseError("Verification error: " + e.getMessage()); + return CompletableFuture.completedFuture( + ScittPreVerifyResult.parseError("Verification error: " + e.getMessage())); } }, executor) .exceptionally(e -> { @@ -135,7 +136,7 @@ public CompletableFuture preVerify(Map res *
  • Retries verification once with refreshed keys
    • * */ - private ScittPreVerifyResult handleKeyNotFound( + private CompletableFuture handleKeyNotFound( ScittReceipt receipt, StatusToken token, ScittExpectation originalExpectation) { @@ -144,37 +145,39 @@ private ScittPreVerifyResult handleKeyNotFound( Instant artifactIssuedAt = getArtifactIssuedAt(receipt, token); if (artifactIssuedAt == null) { LOGGER.warn("Cannot determine artifact issued-at time, failing verification"); - return ScittPreVerifyResult.verified(originalExpectation, receipt, token); + return CompletableFuture.completedFuture( + ScittPreVerifyResult.verified(originalExpectation, receipt, token)); } LOGGER.debug("Key not found, checking if cache refresh is needed (artifact iat={})", artifactIssuedAt); - // Attempt refresh with security checks - RefreshDecision decision = transparencyClient.refreshRootKeysIfNeeded(artifactIssuedAt); - - switch (decision.action()) { - case REJECT: - // Artifact is invalid (too old or from future) - return original error - LOGGER.warn("Cache refresh rejected: {}", decision.reason()); - return ScittPreVerifyResult.verified(originalExpectation, receipt, token); - - case DEFER: - // Cooldown in effect - return temporary failure - LOGGER.info("Cache refresh deferred: {}", decision.reason()); - return ScittPreVerifyResult.parseError("Verification deferred: " + decision.reason()); - - case REFRESHED: - // Retry verification with fresh keys - LOGGER.info("Cache refreshed, retrying verification"); - Map freshKeys = decision.keys(); - ScittExpectation retryExpectation = scittVerifier.verify(receipt, token, freshKeys); - LOGGER.debug("Retry verification result: {}", retryExpectation.status()); - return ScittPreVerifyResult.verified(retryExpectation, receipt, token); - - default: - // Should never happen - return ScittPreVerifyResult.verified(originalExpectation, receipt, token); - } + // Attempt refresh with security checks asynchronously + return transparencyClient.refreshRootKeysIfNeeded(artifactIssuedAt) + .thenApply(decision -> { + switch (decision.action()) { + case REJECT: + // Artifact is invalid (too old or from future) - return original error + LOGGER.warn("Cache refresh rejected: {}", decision.reason()); + return ScittPreVerifyResult.verified(originalExpectation, receipt, token); + + case DEFER: + // Cooldown in effect - return temporary failure + LOGGER.info("Cache refresh deferred: {}", decision.reason()); + return ScittPreVerifyResult.parseError("Verification deferred: " + decision.reason()); + + case REFRESHED: + // Retry verification with fresh keys + LOGGER.info("Cache refreshed, retrying verification"); + Map freshKeys = decision.keys(); + ScittExpectation retryExpectation = scittVerifier.verify(receipt, token, freshKeys); + LOGGER.debug("Retry verification result: {}", retryExpectation.status()); + return ScittPreVerifyResult.verified(retryExpectation, receipt, token); + + default: + // Should never happen + return ScittPreVerifyResult.verified(originalExpectation, receipt, token); + } + }); } /** diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java index b6fbeec..51f06b4 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/ScittVerifierAdapterTest.java @@ -289,7 +289,8 @@ void shouldHandleKeyNotFoundWithReject() throws Exception { com.godaddy.ans.sdk.transparency.scitt.RefreshDecision rejectDecision = com.godaddy.ans.sdk.transparency.scitt.RefreshDecision.reject("Too old"); - when(mockTransparencyClient.refreshRootKeysIfNeeded(any())).thenReturn(rejectDecision); + when(mockTransparencyClient.refreshRootKeysIfNeeded(any())) + .thenReturn(CompletableFuture.completedFuture(rejectDecision)); CompletableFuture future = adapter.preVerify(Map.of()); @@ -315,7 +316,8 @@ void shouldHandleKeyNotFoundWithDefer() throws Exception { com.godaddy.ans.sdk.transparency.scitt.RefreshDecision deferDecision = com.godaddy.ans.sdk.transparency.scitt.RefreshDecision.defer("Cooldown active"); - when(mockTransparencyClient.refreshRootKeysIfNeeded(any())).thenReturn(deferDecision); + when(mockTransparencyClient.refreshRootKeysIfNeeded(any())) + .thenReturn(CompletableFuture.completedFuture(deferDecision)); CompletableFuture future = adapter.preVerify(Map.of()); @@ -346,7 +348,8 @@ void shouldHandleKeyNotFoundWithRefreshed() throws Exception { Map freshKeys = toRootKeys(testKeyPair.getPublic()); com.godaddy.ans.sdk.transparency.scitt.RefreshDecision refreshedDecision = com.godaddy.ans.sdk.transparency.scitt.RefreshDecision.refreshed(freshKeys); - when(mockTransparencyClient.refreshRootKeysIfNeeded(any())).thenReturn(refreshedDecision); + when(mockTransparencyClient.refreshRootKeysIfNeeded(any())) + .thenReturn(CompletableFuture.completedFuture(refreshedDecision)); CompletableFuture future = adapter.preVerify(Map.of()); diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java index c703c0c..2b326ec 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java @@ -243,9 +243,9 @@ public Instant getCachePopulatedAt() { * potentially recover from a key rotation scenario.

    * * @param artifactIssuedAt the issued-at timestamp from the SCITT artifact - * @return the refresh decision indicating whether to retry verification + * @return a future containing the refresh decision indicating whether to retry verification */ - public RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { + public CompletableFuture refreshRootKeysIfNeeded(Instant artifactIssuedAt) { return service.refreshRootKeysIfNeeded(artifactIssuedAt); } diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java index 74bf1f6..072f0fd 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java @@ -46,6 +46,7 @@ import java.util.Map; import java.util.StringJoiner; import java.util.concurrent.CompletableFuture; +import java.util.concurrent.CompletionException; import java.util.concurrent.atomic.AtomicReference; /** @@ -299,9 +300,9 @@ Instant getCachePopulatedAt() { * * * @param artifactIssuedAt the issued-at timestamp from the SCITT artifact - * @return the refresh decision with action, reason, and optionally refreshed keys + * @return a future containing the refresh decision with action, reason, and optionally refreshed keys */ - RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { + CompletableFuture refreshRootKeysIfNeeded(Instant artifactIssuedAt) { Instant now = Instant.now(); Instant cacheTime = cachePopulatedAt.get(); @@ -309,7 +310,8 @@ RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { if (artifactIssuedAt.isAfter(now.plus(FUTURE_TOLERANCE))) { LOGGER.warn("Artifact timestamp {} is in the future (now={}), rejecting", artifactIssuedAt, now); - return RefreshDecision.reject("Artifact timestamp is in the future"); + return CompletableFuture.completedFuture( + RefreshDecision.reject("Artifact timestamp is in the future")); } // Check 2: Reject artifacts older than cache (with past tolerance for race conditions) @@ -318,8 +320,8 @@ RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { LOGGER.debug("Artifact issued at {} predates cache refresh at {} (with {}min tolerance), " + "key should be present - rejecting refresh", artifactIssuedAt, cacheTime, PAST_TOLERANCE.toMinutes()); - return RefreshDecision.reject( - "Key not found and artifact predates cache refresh"); + return CompletableFuture.completedFuture( + RefreshDecision.reject("Key not found and artifact predates cache refresh")); } // Check 3: Enforce global cooldown to prevent cache thrashing @@ -327,8 +329,8 @@ RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { if (lastAttempt.plus(REFRESH_COOLDOWN).isAfter(now)) { Duration remaining = Duration.between(now, lastAttempt.plus(REFRESH_COOLDOWN)); LOGGER.debug("Cache refresh on cooldown, {} remaining", remaining); - return RefreshDecision.defer( - "Cache was recently refreshed, retry in " + remaining.toSeconds() + "s"); + return CompletableFuture.completedFuture( + RefreshDecision.defer("Cache was recently refreshed, retry in " + remaining.toSeconds() + "s")); } // All checks passed - attempt refresh @@ -338,16 +340,18 @@ RefreshDecision refreshRootKeysIfNeeded(Instant artifactIssuedAt) { // Update cooldown timestamp before fetch to prevent concurrent refresh attempts lastRefreshAttempt.set(now); - try { - // Invalidate and fetch fresh keys - invalidateRootKeyCache(); - Map freshKeys = getRootKeysAsync().join(); - LOGGER.info("Cache refresh complete, now have {} keys", freshKeys.size()); - return RefreshDecision.refreshed(freshKeys); - } catch (Exception e) { - LOGGER.error("Failed to refresh root keys: {}", e.getMessage()); - return RefreshDecision.defer("Failed to refresh: " + e.getMessage()); - } + // Invalidate and fetch fresh keys asynchronously + invalidateRootKeyCache(); + return getRootKeysAsync() + .thenApply(freshKeys -> { + LOGGER.info("Cache refresh complete, now have {} keys", freshKeys.size()); + return RefreshDecision.refreshed(freshKeys); + }) + .exceptionally(e -> { + Throwable cause = e instanceof CompletionException ? e.getCause() : e; + LOGGER.error("Failed to refresh root keys: {}", cause.getMessage()); + return RefreshDecision.defer("Failed to refresh: " + cause.getMessage()); + }); } /** diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java index 2b3bcb0..6855492 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/TransparencyServiceTest.java @@ -781,7 +781,7 @@ void shouldRejectArtifactFromFuture(WireMockRuntimeInfo wmRuntimeInfo) { // Try refresh with artifact claiming to be 2 minutes in the future (beyond 60s tolerance) Instant futureTime = Instant.now().plus(Duration.ofMinutes(2)); - RefreshDecision decision = service.refreshRootKeysIfNeeded(futureTime); + RefreshDecision decision = service.refreshRootKeysIfNeeded(futureTime).join(); assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REJECT); assertThat(decision.reason()).contains("future"); @@ -805,7 +805,7 @@ void shouldRejectArtifactOlderThanCache(WireMockRuntimeInfo wmRuntimeInfo) { // Try refresh with artifact from 10 minutes ago (beyond 5 min past tolerance) Instant oldTime = Instant.now().minus(Duration.ofMinutes(10)); - RefreshDecision decision = service.refreshRootKeysIfNeeded(oldTime); + RefreshDecision decision = service.refreshRootKeysIfNeeded(oldTime).join(); assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REJECT); assertThat(decision.reason()).contains("predates cache refresh"); @@ -830,7 +830,7 @@ void shouldAllowRefreshForNewerArtifact(WireMockRuntimeInfo wmRuntimeInfo) { // Try refresh with artifact issued just now (after cache was populated) Instant recentTime = Instant.now(); - RefreshDecision decision = service.refreshRootKeysIfNeeded(recentTime); + RefreshDecision decision = service.refreshRootKeysIfNeeded(recentTime).join(); assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); assertThat(decision.keys()).isNotNull(); @@ -858,11 +858,11 @@ void shouldDeferRefreshDuringCooldown(WireMockRuntimeInfo wmRuntimeInfo) { // First refresh should succeed Instant recentTime = Instant.now(); - RefreshDecision decision1 = service.refreshRootKeysIfNeeded(recentTime); + RefreshDecision decision1 = service.refreshRootKeysIfNeeded(recentTime).join(); assertThat(decision1.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); // Second refresh immediately after should be deferred (30s cooldown) - RefreshDecision decision2 = service.refreshRootKeysIfNeeded(Instant.now()); + RefreshDecision decision2 = service.refreshRootKeysIfNeeded(Instant.now()).join(); assertThat(decision2.action()).isEqualTo(RefreshDecision.RefreshAction.DEFER); assertThat(decision2.reason()).contains("recently refreshed"); } @@ -911,7 +911,7 @@ void shouldAllowArtifactWithinPastTolerance(WireMockRuntimeInfo wmRuntimeInfo) { // Artifact from 3 minutes ago should be allowed (within 5 min past tolerance) Instant threeMinutesAgo = Instant.now().minus(Duration.ofMinutes(3)); - RefreshDecision decision = service.refreshRootKeysIfNeeded(threeMinutesAgo); + RefreshDecision decision = service.refreshRootKeysIfNeeded(threeMinutesAgo).join(); // Should allow refresh since it's within tolerance assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); @@ -935,7 +935,7 @@ void shouldAllowArtifactWithinClockSkewTolerance(WireMockRuntimeInfo wmRuntimeIn // Artifact from 30 seconds in future should be allowed (within 60s tolerance) Instant thirtySecondsAhead = Instant.now().plus(Duration.ofSeconds(30)); - RefreshDecision decision = service.refreshRootKeysIfNeeded(thirtySecondsAhead); + RefreshDecision decision = service.refreshRootKeysIfNeeded(thirtySecondsAhead).join(); // Should allow refresh since it's within clock skew tolerance assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.REFRESHED); @@ -971,7 +971,7 @@ void shouldDeferOnNetworkError(WireMockRuntimeInfo wmRuntimeInfo) { // Attempt refresh - should fail and return DEFER Instant recentTime = Instant.now(); - RefreshDecision decision = service.refreshRootKeysIfNeeded(recentTime); + RefreshDecision decision = service.refreshRootKeysIfNeeded(recentTime).join(); assertThat(decision.action()).isEqualTo(RefreshDecision.RefreshAction.DEFER); assertThat(decision.reason()).contains("Failed to refresh"); From e485564c53d4f06664bb1db85baf206bcc212cd8 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Thu, 2 Apr 2026 20:00:34 +1100 Subject: [PATCH 18/19] refactor: replace volatile with AtomicReference --- .../ans/examples/a2a/A2aClientExample.java | 2 +- .../ans/examples/httpapi/HttpApiExample.java | 2 +- .../ans/examples/mcp/McpClientExample.java | 2 +- .../ans/sdk/agent/AnsVerifiedClient.java | 77 ++++++++++--------- .../ans/sdk/agent/AnsVerifiedClientTest.java | 36 ++++----- 5 files changed, 61 insertions(+), 58 deletions(-) diff --git a/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java b/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java index bee13dc..f713fe4 100644 --- a/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java +++ b/ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java @@ -316,7 +316,7 @@ private static void a2aWithScittVerification(String serverUrl, String keystorePa System.out.println(" Policy: " + ansClient.policy()); // Fetch SCITT headers (blocking is fine during setup, not on I/O threads) - var scittHeaders = ansClient.scittHeadersAsync().join(); + var scittHeaders = ansClient.fetchScittHeadersAsync().join(); if (!scittHeaders.isEmpty()) { System.out.println(" SCITT headers configured for outgoing requests"); } diff --git a/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java b/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java index 10008f4..e611fd4 100644 --- a/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java +++ b/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java @@ -230,7 +230,7 @@ private static void exampleScittVerification(String serverUrl, String keystorePa // Display SCITT headers that will be sent with requests // (blocking is fine during setup, not on I/O threads) - Map scittHeaders = client.scittHeadersAsync().join(); + Map scittHeaders = client.fetchScittHeadersAsync().join(); if (!scittHeaders.isEmpty()) { System.out.println(" SCITT headers configured:"); scittHeaders.forEach((k, v) -> diff --git a/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java b/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java index 0f14b14..550fb5d 100644 --- a/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java +++ b/ans-sdk-agent-client/examples/mcp-client/src/main/java/com/godaddy/ans/examples/mcp/McpClientExample.java @@ -81,7 +81,7 @@ public static void main(String[] args) throws Exception { .build()) { // Fetch SCITT headers early (blocking is fine during setup) - var scittHeaders = ansClient.scittHeadersAsync().join(); + var scittHeaders = ansClient.fetchScittHeadersAsync().join(); // Connect and run all pre-verifications (DANE, Badge, SCITT based on policy) try (AnsConnection connection = ansClient.connect(serverUrl)) { diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java index a959fce..b8ed90f 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java @@ -32,6 +32,7 @@ import java.util.Objects; import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletionException; +import java.util.concurrent.atomic.AtomicReference; /** * High-level client for ANS-verified connections. @@ -78,9 +79,8 @@ public class AnsVerifiedClient implements AutoCloseable { private final HttpClient httpClient; private final String agentId; - // Lazy-loaded SCITT headers with thread-safe initialization - private volatile Map scittHeaders; - private final Object scittHeadersLock = new Object(); + // Lazy-loaded SCITT headers using AtomicReference for lock-free thread safety. + private final AtomicReference> scittHeaders = new AtomicReference<>(); private AnsVerifiedClient(Builder builder) { this.transparencyClient = builder.transparencyClient; @@ -91,7 +91,7 @@ private AnsVerifiedClient(Builder builder) { // If SCITT is disabled or no agentId, headers are empty (no lazy fetch needed) if (!policy.hasScittVerification() || agentId == null || agentId.isBlank()) { - this.scittHeaders = Map.of(); + this.scittHeaders.set(Map.of()); } // Create shared HttpClient once at construction time @@ -112,38 +112,37 @@ public SSLContext sslContext() { } /** - * Returns SCITT headers asynchronously. + * Fetches SCITT headers asynchronously with lazy initialization. * *

    If headers haven't been fetched yet and SCITT is enabled with an agent ID, * this method initiates an async fetch of the receipt and status token from the * transparency log. The returned future completes when headers are available.

    * + *

    Thread Safety

    + *

    Uses {@link AtomicReference} with compare-and-set (CAS) for lock-free thread safety:

    + *
      + *
    • Fast path: If headers are already cached, returns immediately
      • + *
    • Concurrent fetches: Multiple threads may initiate fetches simultaneously, + * but only the first to complete stores its result via CAS
      • + *
    • Race handling: Threads that lose the CAS race return the winner's + * cached value, ensuring all callers see the same headers
      • + *
    + * *

    The future completes with an empty map if:

    *
      *
    • SCITT verification is disabled in the policy
      • *
    • No agent ID was configured
      • - *
    • Fetching artifacts failed (logged as warning)
      • + *
    • Fetching artifacts failed (logged as warning, allows retry on next call)
      • *
    * * @return a CompletableFuture with the unmodifiable map of SCITT headers + * @see AtomicReference#compareAndSet(Object, Object) */ - public CompletableFuture> scittHeadersAsync() { + public CompletableFuture> fetchScittHeadersAsync() { // Fast path: already initialized - if (scittHeaders != null) { - return CompletableFuture.completedFuture(scittHeaders); - } - - // Lazy fetch with double-checked locking - return fetchScittHeadersAsync(); - } - - /** - * Fetches SCITT headers lazily with thread-safe initialization. - */ - private CompletableFuture> fetchScittHeadersAsync() { - // Double-check after acquiring would-be lock position in async chain - if (scittHeaders != null) { - return CompletableFuture.completedFuture(scittHeaders); + Map cached = scittHeaders.get(); + if (cached != null) { + return CompletableFuture.completedFuture(cached); } LOGGER.debug("Fetching SCITT artifacts for agent {} (lazy)", agentId); @@ -153,32 +152,36 @@ private CompletableFuture> fetchScittHeadersAsync() { CompletableFuture tokenFuture = transparencyClient.getStatusTokenAsync(agentId); return receiptFuture.thenCombine(tokenFuture, (receipt, token) -> { - synchronized (scittHeadersLock) { - // Double-check inside synchronized block - if (scittHeaders != null) { - return scittHeaders; - } + // Double-check: another thread might have completed while we were fetching + Map existing = scittHeaders.get(); + if (existing != null) { + return existing; + } - Map headers = Map.copyOf(DefaultScittHeaderProvider.builder() + Map headers = Map.copyOf(DefaultScittHeaderProvider.builder() .receipt(receipt) .statusToken(token) .build() .getOutgoingHeaders()); - LOGGER.debug("Fetched SCITT artifacts: receipt={} bytes, token={} bytes", + LOGGER.debug("Fetched SCITT artifacts: receipt={} bytes, token={} bytes", receipt.length, token.length); - scittHeaders = headers; - return headers; - } + // Atomic update: only set if still null (first thread wins) + scittHeaders.compareAndSet(null, headers); + + // Return whatever is in the reference (handles race: if another thread + // won the compareAndSet, we return their value instead) + return scittHeaders.get(); }).exceptionally(e -> { // Check if another thread succeeded while we were failing - if (scittHeaders != null) { - return scittHeaders; + Map recheckedCache = scittHeaders.get(); + if (recheckedCache != null) { + return recheckedCache; } - // Don't cache failures - return empty for this call but allow retry on next call + // Don't cache failures - return empty for this call but allow retry on next request LOGGER.warn("Could not fetch SCITT artifacts for agent {} (will retry on next request): {}", - agentId, e.getMessage()); + agentId, e.getMessage()); return Map.of(); }); } @@ -326,7 +329,7 @@ private CompletableFuture> sendPreflightAsync(URI uri) { LOGGER.debug("Sending async preflight request to {}", uri); // First get our SCITT headers (lazy fetch if needed), then send the request - return scittHeadersAsync().thenCompose(outgoingHeaders -> { + return fetchScittHeadersAsync().thenCompose(outgoingHeaders -> { HttpRequest.Builder requestBuilder = HttpRequest.newBuilder() .uri(uri) .method("HEAD", HttpRequest.BodyPublishers.noBody()); diff --git a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java index 8531c6c..0d5e143 100644 --- a/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java +++ b/ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsVerifiedClientTest.java @@ -55,7 +55,7 @@ void shouldCreateClientWithDefaults() throws Exception { assertThat(client).isNotNull(); assertThat(client.sslContext()).isNotNull(); assertThat(client.policy()).isEqualTo(VerificationPolicy.SCITT_REQUIRED); - assertThat(client.scittHeadersAsync().join()).isEmpty(); // No agent ID set + assertThat(client.fetchScittHeadersAsync().join()).isEmpty(); // No agent ID set client.close(); } @@ -137,7 +137,7 @@ void shouldSetAgentIdButNotFetchWithoutScitt() throws Exception { .policy(VerificationPolicy.PKI_ONLY) .build(); - assertThat(client.scittHeadersAsync().join()).isEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).isEmpty(); client.close(); } @@ -162,9 +162,9 @@ void shouldFetchScittHeadersWhenEnabled() throws Exception { .policy(VerificationPolicy.SCITT_REQUIRED) .build(); - assertThat(client.scittHeadersAsync().join()).isNotEmpty(); - assertThat(client.scittHeadersAsync().join()).containsKey("x-scitt-receipt"); - assertThat(client.scittHeadersAsync().join()).containsKey("x-ans-status-token"); + assertThat(client.fetchScittHeadersAsync().join()).isNotEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).containsKey("x-scitt-receipt"); + assertThat(client.fetchScittHeadersAsync().join()).containsKey("x-ans-status-token"); client.close(); } @@ -188,7 +188,7 @@ void shouldHandleScittFetchFailure() throws Exception { .build(); // Should not throw, just have empty headers (lazy fetch fails gracefully) - assertThat(client.scittHeadersAsync().join()).isEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).isEmpty(); client.close(); } } @@ -224,7 +224,7 @@ void scittHeadersReturnsImmutableMap() throws Exception { .policy(VerificationPolicy.PKI_ONLY) .build(); - assertThatThrownBy(() -> client.scittHeadersAsync().join().put("key", "value")) + assertThatThrownBy(() -> client.fetchScittHeadersAsync().join().put("key", "value")) .isInstanceOf(UnsupportedOperationException.class); client.close(); } @@ -247,7 +247,7 @@ void shouldReturnCompletedFutureWhenScittDisabled() throws Exception { .policy(VerificationPolicy.PKI_ONLY) .build(); - CompletableFuture> future = client.scittHeadersAsync(); + CompletableFuture> future = client.fetchScittHeadersAsync(); assertThat(future).isCompletedWithValue(Map.of()); client.close(); } @@ -272,7 +272,7 @@ void shouldFetchHeadersAsynchronously() throws Exception { .policy(VerificationPolicy.SCITT_REQUIRED) .build(); - CompletableFuture> future = client.scittHeadersAsync(); + CompletableFuture> future = client.fetchScittHeadersAsync(); assertThat(future).succeedsWithin(Duration.ofSeconds(5)); Map headers = future.join(); @@ -302,9 +302,9 @@ void shouldCacheHeadersAfterFirstFetch() throws Exception { .build(); // First call triggers fetch - Map headers1 = client.scittHeadersAsync().join(); + Map headers1 = client.fetchScittHeadersAsync().join(); // Second call should return cached (same instance) - Map headers2 = client.scittHeadersAsync().join(); + Map headers2 = client.fetchScittHeadersAsync().join(); assertThat(headers1).isSameAs(headers2); client.close(); @@ -331,8 +331,8 @@ void scittHeadersAsyncReturnsCachedResult() throws Exception { .build(); // Both calls should return the same cached result - Map headers1 = client.scittHeadersAsync().join(); - Map headers2 = client.scittHeadersAsync().join(); + Map headers1 = client.fetchScittHeadersAsync().join(); + Map headers2 = client.fetchScittHeadersAsync().join(); assertThat(headers1).isSameAs(headers2); client.close(); @@ -397,7 +397,7 @@ void badgeRequiredPolicyShouldEnableBadge() throws Exception { .build(); assertThat(client.policy()).isEqualTo(VerificationPolicy.BADGE_REQUIRED); - assertThat(client.scittHeadersAsync().join()).isEmpty(); // BADGE_REQUIRED has SCITT disabled + assertThat(client.fetchScittHeadersAsync().join()).isEmpty(); // BADGE_REQUIRED has SCITT disabled client.close(); } @@ -438,7 +438,7 @@ void scittEnhancedPolicyShouldEnableScittWithBadge() throws Exception { .build(); assertThat(client.policy()).isEqualTo(VerificationPolicy.SCITT_ENHANCED); - assertThat(client.scittHeadersAsync().join()).isNotEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).isNotEmpty(); client.close(); } } @@ -461,7 +461,7 @@ void shouldNotFetchWithBlankAgentId() throws Exception { .build(); // Should not have tried to fetch headers for blank agent ID - assertThat(client.scittHeadersAsync().join()).isEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).isEmpty(); client.close(); } @@ -478,7 +478,7 @@ void shouldNotFetchWithEmptyAgentId() throws Exception { .policy(VerificationPolicy.SCITT_REQUIRED) .build(); - assertThat(client.scittHeadersAsync().join()).isEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).isEmpty(); client.close(); } } @@ -690,7 +690,7 @@ void shouldIncludeScittHeadersInPreflight(WireMockRuntimeInfo wmRuntimeInfo) thr .build(); // Verify client has SCITT headers to send - assertThat(client.scittHeadersAsync().join()).isNotEmpty(); + assertThat(client.fetchScittHeadersAsync().join()).isNotEmpty(); String serverUrl = wmRuntimeInfo.getHttpBaseUrl() + "/mcp"; // Server returns no SCITT headers, but ADVISORY mode allows fallback From 2f9cbcfe603bab60e8a2be02449e1bdb9574b5b2 Mon Sep 17 00:00:00 2001 From: James Hateley Date: Fri, 10 Apr 2026 14:38:07 +1000 Subject: [PATCH 19/19] refactor: harden SCITT verification with fail-fast parsing and resource safety - Use try-with-resources for AnsVerifiedClient and AnsConnection cleanup - Add 10s timeout to preflight HEAD request to prevent indefinite hangs - Hash cache keys with SHA-256 to prevent memory pressure from large headers - Fix TOCTOU race in root key refresh with compareAndSet - Reject invalid hash sizes in ScittReceipt instead of silently skipping - Change Accept header to text/plain for C2SP note format compatibility Co-Authored-By: Claude Opus 4.5 --- .../ans/examples/httpapi/HttpApiExample.java | 47 +++++++++---------- .../ans/sdk/agent/AnsVerifiedClient.java | 1 + .../DefaultClientRequestVerifier.java | 17 ++++--- .../sdk/transparency/TransparencyService.java | 10 ++-- .../sdk/transparency/scitt/ScittReceipt.java | 12 +++-- .../transparency/scitt/ScittReceiptTest.java | 17 +++---- 6 files changed, 57 insertions(+), 47 deletions(-) diff --git a/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java b/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java index e611fd4..c695388 100644 --- a/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java +++ b/ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java @@ -216,15 +216,13 @@ private static void exampleScittVerification(String serverUrl, String keystorePa System.out.println("\nExample 4: SCITT Verification (Cryptographic Proof)"); System.out.println("-".repeat(40)); - try { - // Create AnsVerifiedClient with SCITT verification - // Note: TransparencyClient is created internally if not provided - AnsVerifiedClient client = AnsVerifiedClient.builder() + // Use try-with-resources to ensure proper cleanup on all paths + try (AnsVerifiedClient client = AnsVerifiedClient.builder() .agentId(agentId) .keyStorePath(keystorePath, keystorePassword) .policy(VerificationPolicy.SCITT_REQUIRED) .connectTimeout(Duration.ofSeconds(30)) - .build(); + .build()) { System.out.println(" Created AnsVerifiedClient with policy: " + client.policy()); @@ -242,32 +240,29 @@ private static void exampleScittVerification(String serverUrl, String keystorePa System.out.println("\n Connecting to " + serverUrl); System.out.println(" (Preflight request will exchange SCITT artifacts)"); - AnsConnection connection = client.connect(serverUrl); - System.out.println(" Connected to: " + connection.hostname()); + try (AnsConnection connection = client.connect(serverUrl)) { + System.out.println(" Connected to: " + connection.hostname()); - // Check if server provided SCITT artifacts - if (connection.hasScittArtifacts()) { - System.out.println(" Server provided SCITT artifacts"); - } else { - System.out.println(" Server did not provide SCITT artifacts"); - } + // Check if server provided SCITT artifacts + if (connection.hasScittArtifacts()) { + System.out.println(" Server provided SCITT artifacts"); + } else { + System.out.println(" Server did not provide SCITT artifacts"); + } - // Perform full verification - VerificationResult result = connection.verifyServer(); + // Perform full verification + VerificationResult result = connection.verifyServer(); - System.out.println("\n Verification Results:"); - System.out.println(" Overall: " + result.status() + " (" + result.type() + ")"); - System.out.println(" Reason: " + result.reason()); + System.out.println("\n Verification Results:"); + System.out.println(" Overall: " + result.status() + " (" + result.type() + ")"); + System.out.println(" Reason: " + result.reason()); - if (result.isSuccess()) { - System.out.println("\n [SUCCESS] SCITT verification completed"); - } else { - System.out.println("\n [WARNING] Verification status: " + result.status()); + if (result.isSuccess()) { + System.out.println("\n [SUCCESS] SCITT verification completed"); + } else { + System.out.println("\n [WARNING] Verification status: " + result.status()); + } } - - // Clean up - connection.close(); - client.close(); System.out.println(); } catch (Exception e) { diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java index b8ed90f..9131641 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsVerifiedClient.java @@ -332,6 +332,7 @@ private CompletableFuture> sendPreflightAsync(URI uri) { return fetchScittHeadersAsync().thenCompose(outgoingHeaders -> { HttpRequest.Builder requestBuilder = HttpRequest.newBuilder() .uri(uri) + .timeout(Duration.ofSeconds(10)) .method("HEAD", HttpRequest.BodyPublishers.noBody()); outgoingHeaders.forEach(requestBuilder::header); diff --git a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java index 43fc95d..dabf984 100644 --- a/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java +++ b/ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/DefaultClientRequestVerifier.java @@ -9,6 +9,7 @@ import com.godaddy.ans.sdk.agent.VerificationPolicy; import com.godaddy.ans.sdk.concurrent.AnsExecutors; import com.godaddy.ans.sdk.crypto.CertificateUtils; +import com.godaddy.ans.sdk.crypto.CryptoCache; import com.godaddy.ans.sdk.transparency.TransparencyClient; import com.godaddy.ans.sdk.transparency.scitt.DefaultScittHeaderProvider; import com.godaddy.ans.sdk.transparency.scitt.DefaultScittVerifier; @@ -21,7 +22,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.nio.charset.StandardCharsets; import java.security.MessageDigest; +import java.util.HexFormat; import java.security.PublicKey; import java.security.cert.X509Certificate; import java.time.Duration; @@ -439,14 +442,16 @@ private boolean matchesScittHeaders(String lowerKey) { /** * Computes a cache key from the raw header values and certificate fingerprint. * - *

    Uses the raw Base64 header strings directly rather than hashing decoded bytes, - * avoiding 2x SHA-256 computations on every cache lookup.

    + *

    Hashes the concatenated inputs to produce a fixed-size key. This prevents + * memory pressure from large Base64 headers and avoids sentinel collision + * (e.g., a header literally containing "none").

    */ private String computeCacheKey(String receiptHeader, String tokenHeader, String certFingerprint) { - // Use raw Base64 header values directly - they're already unique identifiers - String receiptKey = receiptHeader != null ? receiptHeader : "none"; - String tokenKey = tokenHeader != null ? tokenHeader : "none"; - return receiptKey + ":" + tokenKey + ":" + certFingerprint; + // Use null byte as sentinel - cannot appear in header values + String raw = (receiptHeader != null ? receiptHeader : "\0") + "|" + + (tokenHeader != null ? tokenHeader : "\0") + "|" + + certFingerprint; + return HexFormat.of().formatHex(CryptoCache.sha256(raw.getBytes(StandardCharsets.UTF_8))); } diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java index 072f0fd..060bf15 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyService.java @@ -337,8 +337,12 @@ CompletableFuture refreshRootKeysIfNeeded(Instant artifactIssue LOGGER.info("Artifact issued at {} is newer than cache at {}, refreshing root keys", artifactIssuedAt, cacheTime); - // Update cooldown timestamp before fetch to prevent concurrent refresh attempts - lastRefreshAttempt.set(now); + // Atomically claim the refresh slot to prevent concurrent refresh attempts + if (!lastRefreshAttempt.compareAndSet(lastAttempt, now)) { + LOGGER.debug("Concurrent refresh already in progress, deferring"); + return CompletableFuture.completedFuture( + RefreshDecision.defer("Concurrent refresh in progress")); + } // Invalidate and fetch fresh keys asynchronously invalidateRootKeyCache(); @@ -361,7 +365,7 @@ private CompletableFuture> fetchRootKeysFromServerAsync() LOGGER.info("Fetching root keys from server"); HttpRequest request = HttpRequest.newBuilder() .uri(URI.create(baseUrl + "/root-keys")) - .header("Accept", "application/json") + .header("Accept", "text/plain") .timeout(readTimeout) .GET() .build(); diff --git a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java index f0923a0..0feefcb 100644 --- a/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java +++ b/ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceipt.java @@ -287,9 +287,11 @@ private static InclusionProof parseMapFormatProof(CBORObject proofMap) throws Sc CBORObject element = hashPathObj.get(i); if (element.getType() == CBORType.ByteString) { byte[] hash = element.GetByteString(); - if (hash.length == 32) { - hashPath.add(hash); + if (hash.length != 32) { + throw new ScittParseException( + "Invalid hash at path index " + i + ": expected 32 bytes, got " + hash.length); } + hashPath.add(hash); } } } @@ -299,9 +301,11 @@ private static InclusionProof parseMapFormatProof(CBORObject proofMap) throws Sc CBORObject rootHashObj = proofMap.get(CBORObject.FromObject(-4)); if (rootHashObj != null && rootHashObj.getType() == CBORType.ByteString) { byte[] hash = rootHashObj.GetByteString(); - if (hash.length == 32) { - rootHash = hash; + if (hash.length != 32) { + throw new ScittParseException( + "Invalid root hash: expected 32 bytes, got " + hash.length); } + rootHash = hash; } return new InclusionProof(treeSize, leafIndex, rootHash, hashPath); diff --git a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java index 6f2a1f7..a1d95e5 100644 --- a/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java +++ b/ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittReceiptTest.java @@ -560,8 +560,8 @@ void shouldParseReceiptWithMinimalRequiredFields() throws ScittParseException { } @Test - @DisplayName("Should skip non-32-byte entries in hash path") - void shouldSkipNon32ByteEntriesInHashPath() throws ScittParseException { + @DisplayName("Should reject non-32-byte entries in hash path") + void shouldRejectNon32ByteEntriesInHashPath() { CBORObject protectedHeader = CBORObject.NewMap(); protectedHeader.Add(1, -7); protectedHeader.Add(395, 1); @@ -570,12 +570,12 @@ void shouldSkipNon32ByteEntriesInHashPath() throws ScittParseException { // Hash path with mixed valid and invalid entries CBORObject hashPathArray = CBORObject.NewArray(); hashPathArray.Add(CBORObject.FromObject(new byte[32])); // valid 32-byte hash - hashPathArray.Add(CBORObject.FromObject(new byte[16])); // invalid 16-byte (skipped) + hashPathArray.Add(CBORObject.FromObject(new byte[16])); // invalid 16-byte CBORObject inclusionProofMap = CBORObject.NewMap(); inclusionProofMap.Add(-1, 4L); // tree_size inclusionProofMap.Add(-2, 1L); // leaf_index - inclusionProofMap.Add(-3, hashPathArray); // hash_path with mixed sizes + inclusionProofMap.Add(-3, hashPathArray); // hash_path with invalid entry inclusionProofMap.Add(-4, CBORObject.FromObject(new byte[32])); // root_hash CBORObject unprotectedHeader = CBORObject.NewMap(); @@ -588,10 +588,11 @@ void shouldSkipNon32ByteEntriesInHashPath() throws ScittParseException { array.Add(new byte[64]); CBORObject tagged = CBORObject.FromObjectAndTag(array, 18); - ScittReceipt receipt = ScittReceipt.parse(tagged.EncodeToBytes()); - - // Only the valid 32-byte hash should be included - assertThat(receipt.inclusionProof().hashPath()).hasSize(1); + // Invalid hash size should now throw instead of being silently skipped + assertThatThrownBy(() -> ScittReceipt.parse(tagged.EncodeToBytes())) + .isInstanceOf(ScittParseException.class) + .hasMessageContaining("Invalid hash at path index 1") + .hasMessageContaining("expected 32 bytes, got 16"); } }