add response validation; fix README.md

Author: dnl-blkv

.idea/.idea.BunqSdkCsharp/riderModule.iml

@@ -9,8 +9,24 @@
     <Folder Include="Http" />
     <Folder Include="Model\Generated\Object" />
     <Folder Include="Samples\Assets" />
+    <Folder Include="Security" />
+    <Folder Include="Tests\BunqSdkCsharpTest\bin\Debug\netcoreapp1.1\obj\Debug\netcoreapp1.1" />
+    <Folder Include="Tests\BunqSdkCsharpTest\bin\Debug\netcoreapp1.1\tmp" />
+    <Folder Include="Tests\BunqSdkCsharpTest\obj\Debug\netcoreapp1.1" />
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Newtonsoft.Json" Version="10.0.3" />
   </ItemGroup>
-</Project>
+  <ItemGroup>
+    <Content Include="project.json" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Remove="Tests\BunqSdkCsharpTest\Recourses\**" />
+  </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Remove="Tests\BunqSdkCsharpTest\Recourses\**" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Remove="Tests\BunqSdkCsharpTest\Resoucres\**" />
+  </ItemGroup>
+</Project>

BunqSdkCsharp.csproj

@@ -1,22 +1,27 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2013
-VisualStudioVersion = 12.0.0.0
-MinimumVisualStudioVersion = 10.0.0.1
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "BunqSdkCsharp", "BunqSdkCsharp.csproj", "{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Any CPU = Debug|Any CPU
-		Release|Any CPU = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Release|Any CPU.Build.0 = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.0.0
+MinimumVisualStudioVersion = 10.0.0.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "BunqSdkCsharp", "BunqSdkCsharp.csproj", "{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "BunqSdkCsharpTest", "Tests\BunqSdkCsharpTest\BunqSdkCsharpTest.csproj", "{B9F49991-943E-48E4-A151-B3CD12AFA231}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4A5F65F6-41AC-4693-9A91-500A7B8DE1F7}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B9F49991-943E-48E4-A151-B3CD12AFA231}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B9F49991-943E-48E4-A151-B3CD12AFA231}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B9F49991-943E-48E4-A151-B3CD12AFA231}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B9F49991-943E-48E4-A151-B3CD12AFA231}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

BunqSdkCsharp.sln

@@ -86,11 +86,22 @@ private HttpResponseMessage SendRequest(HttpRequestMessage requestMessage,
             SetSessionHeaders(requestMessage);
             InitializeHttpClientIfNeeded(apiContext);
             var responseMessage = client.SendAsync(requestMessage).Result;
+            ValidateResponse(responseMessage);
             AssertResponseSuccess(responseMessage);
 
             return responseMessage;
         }
 
+        private void ValidateResponse(HttpResponseMessage responseMessage)
+        {
+            var installationContext = apiContext.InstallationContext;
+
+            if (installationContext != null)
+            {
+                SecurityUtils.ValidateResponse(responseMessage, installationContext.PublicKeyServer);
+            }
+        }
+
         private static HttpRequestMessage CreateHttpRequestMessage(HttpMethod method, string uriRelative,
             byte[] requestBodyBytes)
         {

Http/ApiClient.cs

@@ -10,7 +10,7 @@ We're very happy to introduce yet another unique product: complete banking SDKs!
 Now you can build even bigger and better apps and integrate them with your bank of the free! 🌈
 
 Before you dive into this brand new SDK, please consider:
-- Checking out our new developer’s page [bunq.com/developers](https://bunq.com/developers) 🙌  
+- Checking out our new developer’s page [https://bunq.com/en/developer](https://bunq.com/en/developer) 🙌  
 - Grabbing your production API key from the bunq app or asking our support for a Sandbox API key 🗝
 - Visiting [together.bunq.com](https://together.bunq.com) where you can share your creations,
 questions and experience 🎤

README.md

@@ -7,12 +7,18 @@
 using System.Security.Cryptography;
 using System.Text;
 using Bunq.Sdk.Context;
+using Bunq.Sdk.Exception;
 using Bunq.Sdk.Http;
 
 namespace Bunq.Sdk.Security
 {
     public class SecurityUtils
     {
+        /// <summary>
+        /// Error constants.
+        /// </summary>
+        private const string ERROR_COULD_NOT_VERIFY_RESPONSE = "Could not verify server response.";
+
         /// <summary>
         /// Constants for formatting the request textual representation for signing.
         /// </summary>
@@ -48,6 +54,7 @@ public class SecurityUtils
         private const string HEADER_CLIENT_ENCRYPTION_HMAC = "X-Bunq-Client-Encryption-Hmac";
         private const string HEADER_CLIENT_ENCRYPTION_IV = "X-Bunq-Client-Encryption-Iv";
         private const string HEADER_CLIENT_ENCRYPTION_KEY = "X-Bunq-Client-Encryption-Key";
+        private const string HEADER_SERVER_SIGNATURE = "X-Bunq-Server-Signature";
 
         /// <summary>
         /// Padding modes for the encrypted key and body.
@@ -95,7 +102,7 @@ private static byte[] GetRequestBodyBytes(HttpRequestMessage requestMessage)
         private static byte[] GenerateRequestHeadBytes(HttpRequestMessage requestMessage)
         {
             var requestHeadString = GenerateMethodAndEndpointString(requestMessage) + NEWLINE +
-                GenerateHeadersSortedString(requestMessage) + NEWLINE +
+                GenerateRequestHeadersSortedString(requestMessage) + NEWLINE +
                 NEWLINE;
 
             return Encoding.UTF8.GetBytes(requestHeadString);
@@ -109,13 +116,21 @@ private static string GenerateMethodAndEndpointString(HttpRequestMessage request
             return string.Format(FORMAT_METHOD_AND_ENDPOINT_STRING, method, endpoint);
         }
 
-        private static string GenerateHeadersSortedString(HttpRequestMessage requestMessage)
+        private static string GenerateRequestHeadersSortedString(HttpRequestMessage requestMessage)
         {
-            return requestMessage.Headers.Where(x =>
+            return GenerateHeadersSortedString(
+                requestMessage.Headers.Where(x =>
                     x.Key.StartsWith(HEADER_NAME_PREFIX_X_BUNQ) ||
                     x.Key.Equals(ApiClient.HEADER_CACHE_CONTROL) ||
                     x.Key.Equals(ApiClient.HEADER_USER_AGENT)
                 )
+            );
+        }
+
+        private static string GenerateHeadersSortedString(
+            IEnumerable<KeyValuePair<string, IEnumerable<string>>> headers)
+        {
+            return headers
                 .Select(x => new KeyValuePair<string, string>(x.Key, string.Join(DELIMITER_HEADER_VALUE, x.Value)))
                 .ToImmutableSortedDictionary()
                 .Select(x => string.Format(FORMAT_HEADER_STRING, x.Key, x.Value))
@@ -263,5 +278,40 @@ private static byte[] HashHmac(byte[] iv, byte[] bytes, byte[] key)
                 return hmacSha1.ComputeHash(buffer);
             }
         }
+
+        public static void ValidateResponse(HttpResponseMessage responseMessage, RSA serverPublicKey)
+        {
+            var headBytes = GenerateResponseHeadBytes(responseMessage);
+            var bodyBytes = responseMessage.Content.ReadAsByteArrayAsync().Result;
+            var responseBytes = ConcatenateByteArrays(headBytes, bodyBytes);
+            var serverSignatureHeader = responseMessage.Headers.First(h => h.Key == HEADER_SERVER_SIGNATURE).Value
+                .First();
+            var serverSignature = Convert.FromBase64String(serverSignatureHeader);
+
+            if (!serverPublicKey.VerifyData(responseBytes, serverSignature, HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1))
+            {
+                throw new BunqException(ERROR_COULD_NOT_VERIFY_RESPONSE);
+            }
+        }
+
+        private static byte[] GenerateResponseHeadBytes(HttpResponseMessage responseMessage)
+        {
+            var requestHeadString = (int)responseMessage.StatusCode + NEWLINE +
+                GenerateResponseHeadersSortedString(responseMessage) + NEWLINE +
+                NEWLINE;
+
+            return Encoding.UTF8.GetBytes(requestHeadString);
+        }
+
+        private static string GenerateResponseHeadersSortedString(HttpResponseMessage responseMessage)
+        {
+            return GenerateHeadersSortedString(
+                responseMessage.Headers.Where(x =>
+                    x.Key.StartsWith(HEADER_NAME_PREFIX_X_BUNQ) &&
+                    !x.Key.Equals(HEADER_SERVER_SIGNATURE)
+                )
+            );
+        }
     }
 }

Security/SecurityUtils.cs

@@ -0,0 +1,9 @@
+{
+  "buildOptions": {
+    "copyToOutput": {
+      "include": [
+        "BunqSdkCsharpTest.xunit.runner.json"
+      ]
+    }
+  }
+}