Fix #663: Enforce check for temporary keys in protocol version 3.3

wultra · Oct 14, 2024 · 0f1a61c · 0f1a61c
1 parent cfc0690
commit 0f1a61c
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/.../getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java b/.../getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
@@ -35,6 +35,10 @@ public class EciesRequestResponseValidator implements RequestResponseValidator {
      */
     private final static Set<String> supportedVersions = Set.of("3.3", "3.2", "3.1", "3.0");
 
+    /**
+     * Indicate that request must contain temporaryKeyId. This is valid for protocol V3.3+.
+     */
+    private final boolean useTemporaryKeys;
     /**
      * Indicate that request and response must contain timestamp and nonce. This is valid for protocol V3.2+.
      */
@@ -53,6 +57,7 @@ public EciesRequestResponseValidator(String protocolVersion) throws EncryptorExc
         if (!supportedVersions.contains(protocolVersion)) {
             throw new EncryptorException("Unsupported protocol version " + protocolVersion);
         }
+        this.useTemporaryKeys = "3.3".equals(protocolVersion);
         this.useTimestamp = "3.3".equals(protocolVersion) || "3.2".equals(protocolVersion);
         this.useNonceForRequest = "3.3".equals(protocolVersion) || "3.2".equals(protocolVersion) || "3.1".equals(protocolVersion);
     }
@@ -65,6 +70,9 @@ public boolean validateEncryptedRequest(EncryptedRequest request) {
         if (request.getEphemeralPublicKey() == null || request.getEncryptedData() == null || request.getMac() == null) {
             return false;
         }
+        if (useTemporaryKeys == (request.getTemporaryKeyId() == null)) {
+            return false;
+        }
         if (useNonceForRequest == (request.getNonce() == null)) {
             // Fails when nonce is missing in 3.1+
             // Fails when nonce is present in 3.0