Validate signature hashes

src/Altinn.App.Api/Controllers/ProcessController.cs

@@ -680,6 +680,19 @@ private ObjectResult ExceptionResponse(Exception exception, string message)
     {
         _logger.LogError(exception, message);
 
+        if (exception is PlatformHttpResponseSnapshotException phse)
+        {
+            return StatusCode(
+                phse.StatusCode,
+                new ProblemDetails()
+                {
+                    Detail = phse.Message,
+                    Status = phse.StatusCode,
+                    Title = message,
+                }
+            );
+        }
+
         if (exception is PlatformHttpException phe)
         {
             return StatusCode(

src/Altinn.App.Core/Extensions/HttpClientExtension.cs

@@ -103,6 +103,41 @@ public static async Task<HttpResponseMessage> GetAsync(
         return await httpClient.SendAsync(request, HttpCompletionOption.ResponseContentRead, CancellationToken.None);
     }
 
+    /// <summary>
+    /// Extension that adds authorization header to request and returns response configured for streaming.
+    /// Response returns immediately after headers are received, allowing content to be streamed.
+    /// </summary>
+    /// <param name="httpClient">The HttpClient</param>
+    /// <param name="authorizationToken">the authorization token (jwt)</param>
+    /// <param name="requestUri">The request Uri</param>
+    /// <param name="platformAccessToken">The platformAccess tokens</param>
+    /// <param name="cancellationToken">The cancellation token</param>
+    /// <returns>A HttpResponseMessage</returns>
+    /// <remarks>When using GetStreamingAsync() for large file downloads, ensure your HttpClient
+    /// instance has an appropriate timeout configured. The default timeout may be too short for large files.</remarks>
+    public static async Task<HttpResponseMessage> GetStreamingAsync(
+        this HttpClient httpClient,
+        string authorizationToken,
+        string requestUri,
+        string? platformAccessToken = null,
+        CancellationToken cancellationToken = default
+    )
+    {
+        using HttpRequestMessage request = new(HttpMethod.Get, requestUri);
+
+        request.Headers.Authorization = new AuthenticationHeaderValue(
+            Constants.AuthorizationSchemes.Bearer,
+            authorizationToken
+        );
+
+        if (!string.IsNullOrEmpty(platformAccessToken))
+        {
+            request.Headers.Add(Constants.General.PlatformAccessTokenHeaderName, platformAccessToken);
+        }
+
+        return await httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, cancellationToken);
+    }
+
     /// <summary>
     /// Extension that add authorization header to request
     /// </summary>

src/Altinn.App.Core/Extensions/ServiceCollectionExtensions.cs

@@ -101,6 +101,13 @@ IWebHostEnvironment env
         services.AddHttpClient<IAuthenticationClient, AuthenticationClient>();
         services.AddHttpClient<IAuthorizationClient, AuthorizationClient>();
         services.AddHttpClient<IDataClient, DataClient>();
+        services.AddHttpClient(
+            "DataClient.Streaming",
+            client =>
+            {
+                client.Timeout = TimeSpan.FromMinutes(30); // Longer timeout for streaming
+            }
+        );
         services.AddHttpClient<IOrganizationClient, RegisterERClient>();
         services.AddHttpClient<IInstanceClient, InstanceClient>();
         services.AddHttpClient<IInstanceEventClient, InstanceEventClient>();
@@ -230,6 +237,7 @@ private static void AddValidationServices(IServiceCollection services, IConfigur
         services.AddTransient<IDataElementValidator, DefaultDataElementValidator>();
         services.AddTransient<ITaskValidator, DefaultTaskValidator>();
         services.AddTransient<IValidator, SigningTaskValidator>();
+        services.AddTransient<IValidator, SignatureHashValidator>();
 
         var appSettings = configuration.GetSection("AppSettings").Get<AppSettings>();
         if (appSettings?.RequiredValidation is true)

src/Altinn.App.Core/Features/Validation/Default/SignatureHashValidator.cs

@@ -0,0 +1,178 @@
+using System.Diagnostics;
+using System.Security.Cryptography;
+using Altinn.App.Core.Features.Signing.Models;
+using Altinn.App.Core.Features.Signing.Services;
+using Altinn.App.Core.Internal.App;
+using Altinn.App.Core.Internal.Data;
+using Altinn.App.Core.Internal.Process;
+using Altinn.App.Core.Internal.Process.Elements.AltinnExtensionProperties;
+using Altinn.App.Core.Models;
+using Altinn.App.Core.Models.Validation;
+using Altinn.Platform.Storage.Interface.Models;
+using Microsoft.Extensions.Logging;
+
+namespace Altinn.App.Core.Features.Validation.Default;
+
+/// <summary>
+/// Validates that signature hashes are still valid.
+/// </summary>
+internal sealed class SignatureHashValidator(
+    ISigningService signingService,
+    IProcessReader processReader,
+    IDataClient dataClient,
+    IAppMetadata appMetadata,
+    ILogger<SignatureHashValidator> logger
+) : IValidator
+{
+    private const string SigningTaskType = "signing";
+
+    /// <summary>
+    /// We implement <see cref="ShouldRunForTask"/> instead.
+    /// </summary>
+    public string TaskId => "*";
+
+    /// <summary>
+    /// Only runs for tasks that are of type "signing".
+    /// </summary>
+    public bool ShouldRunForTask(string taskId)
+    {
+        AltinnTaskExtension? taskConfig = processReader.GetAltinnTaskExtension(taskId);
+        return taskConfig?.TaskType is SigningTaskType;
+    }
+
+    public bool NoIncrementalValidation => true;
+
+    /// <inheritdoc />
+    public Task<bool> HasRelevantChanges(IInstanceDataAccessor dataAccessor, string taskId, DataElementChanges changes)
+    {
+        throw new UnreachableException(
+            "HasRelevantChanges should not be called because NoIncrementalValidation is true."
+        );
+    }
+
+    public async Task<List<ValidationIssue>> Validate(
+        IInstanceDataAccessor dataAccessor,
+        string taskId,
+        string? language
+    )
+    {
+        Instance instance = dataAccessor.Instance;
+
+        AltinnSignatureConfiguration signingConfiguration =
+            processReader.GetAltinnTaskExtension(taskId)?.SignatureConfiguration
+            ?? throw new ApplicationConfigException("Signing configuration not found in AltinnTaskExtension");
+
+        ApplicationMetadata applicationMetadata = await appMetadata.GetApplicationMetadata();
+
+        List<SigneeContext> signeeContextsResults = await signingService.GetSigneeContexts(
+            dataAccessor,
+            signingConfiguration,
+            CancellationToken.None
+        );
+
+        foreach (SigneeContext signeeContext in signeeContextsResults)
+        {
+            List<SignDocument.DataElementSignature> dataElementSignatures =
+                signeeContext.SignDocument?.DataElementSignatures ?? [];
+
+            foreach (SignDocument.DataElementSignature dataElementSignature in dataElementSignatures)
+            {
+                ValidationIssue? validationIssue = await ValidateDataElementSignature(
+                    dataElementSignature,
+                    instance,
+                    applicationMetadata
+                );
+
+                if (validationIssue != null)
+                {
+                    return [validationIssue];
+                }
+            }
+        }
+
+        logger.LogInformation("All signature hashes are valid for instance {InstanceId}", instance.Id);
+
+        return [];
+    }
+
+    private async Task<ValidationIssue?> ValidateDataElementSignature(
+        SignDocument.DataElementSignature dataElementSignature,
+        Instance instance,
+        ApplicationMetadata applicationMetadata
+    )
+    {
+        var instanceIdentifier = new InstanceIdentifier(instance);
+
+        await using Stream dataStream = await dataClient.GetBinaryDataStream(
+            instance.Org,
+            instance.AppId,
+            instanceIdentifier.InstanceOwnerPartyId,
+            instanceIdentifier.InstanceGuid,
+            Guid.Parse(dataElementSignature.DataElementId),
+            HasRestrictedRead(applicationMetadata, instance, dataElementSignature.DataElementId)
+                ? StorageAuthenticationMethod.ServiceOwner()
+                : null
+        );
+
+        string sha256Hash = await GenerateSha256Hash(dataStream);
+
+        if (sha256Hash != dataElementSignature.Sha256Hash)
+        {
+            logger.LogError(
+                "Found an invalid signature for data element {DataElementId} on instance {InstanceId}. Expected hash {ExpectedHash}, calculated hash {CalculatedHash}",
+                dataElementSignature.DataElementId,
+                instance.Id,
+                dataElementSignature.Sha256Hash,
+                sha256Hash
+            );
+
+            return new ValidationIssue
+            {
+                Code = ValidationIssueCodes.DataElementCodes.InvalidSignatureHash,
+                Severity = ValidationIssueSeverity.Error,
+                Description = ValidationIssueCodes.DataElementCodes.InvalidSignatureHash,
+            };
+        }
+
+        return null;
+    }
+
+    private static bool HasRestrictedRead(
+        ApplicationMetadata applicationMetadata,
+        Instance instance,
+        string dataElementId
+    )
+    {
+        DataElement? dataElement = instance.Data.FirstOrDefault(de => de.Id == dataElementId);
+        string? dataTypeId = dataElement?.DataType;
+        DataType? dataType = applicationMetadata.DataTypes.FirstOrDefault(dt => dt.Id == dataTypeId);
+
+        if (dataType == null)
+        {
+            throw new ApplicationConfigException(
+                $"Unable to find data type {dataTypeId} for data element {dataElementId} in applicationmetadata.json."
+            );
+        }
+
+        return !string.IsNullOrEmpty(dataType.ActionRequiredToRead);
+    }
+
+    private static async Task<string> GenerateSha256Hash(Stream stream)
+    {
+        using var sha256 = SHA256.Create();
+        byte[] digest = await sha256.ComputeHashAsync(stream);
+        return FormatShaDigest(digest);
+    }
+
+    /// <summary>
+    /// Formats a SHA digest with common best practice:<br/>
+    /// Lowercase hexadecimal representation without delimiters
+    /// </summary>
+    /// <param name="digest">The hash code (digest) to format</param>
+    /// <returns>String representation of the digest</returns>
+    /// <remarks>This mirrors how the altinn-storage formats the Sha digest when creating the signature document, and it must stay in sync.</remarks>
+    private static string FormatShaDigest(byte[] digest)
+    {
+        return Convert.ToHexString(digest).ToLowerInvariant();
+    }
+}