Merge pull request #533 from /issues/526-backport

Backport #526, #529, #524
wultra · Sep 7, 2023 · f42bba8 · f42bba8
2 parents ab1aeb8 + b5da2a3
commit f42bba8
Show file tree

Hide file tree

Showing 13 changed files with 34 additions and 24 deletions.
diff --git a/...ava/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java b/...ava/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java
@@ -28,10 +28,8 @@
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.KeyPair;
-import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
-import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.Base64;
 

diff --git a/...src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java b/...src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java
@@ -55,13 +55,14 @@ public byte[] generateTokenTimestamp() {
      *
      * @param nonce Token nonce, 16 random bytes.
      * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (from string representation).
+     * @param version Protocol version.
      * @param tokenSecret Token secret, 16 random bytes.
      * @return Token digest computed using provided data bytes with given token secret.
      * @throws GenericCryptoException In case digest computation fails.
      * @throws CryptoProviderException In case cryptography provider is incorrectly initialized.
      */
-    public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException {
-        return tokenUtils.computeTokenDigest(nonce, timestamp, tokenSecret);
+    public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException {
+        return tokenUtils.computeTokenDigest(nonce, timestamp, version, tokenSecret);
     }
 
 }
diff --git a/...src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java b/...src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java
@@ -16,7 +16,6 @@
  */
 package io.getlime.security.powerauth.crypto.client.vault;
 
-import io.getlime.security.powerauth.crypto.lib.generator.KeyGenerator;
 import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException;
 import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException;
 import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils;

diff --git a/...to/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java b/...to/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java
@@ -22,9 +22,9 @@
 import io.getlime.security.powerauth.crypto.lib.encryptor.ecies.ServerEciesEncryptor;
 import io.getlime.security.powerauth.crypto.lib.encryptor.exception.EncryptorException;
 import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorId;
+import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters;
 import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorScope;
 import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorSecrets;
-import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters;
 
 /**
  * The {@code EncryptorFactory} class provide high level encryptors for PowerAuth End-To-End encryption implementation.

diff --git a/...rc/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java b/...rc/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java
@@ -23,7 +23,10 @@
 import io.getlime.security.powerauth.crypto.lib.generator.KeyGenerator;
 import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException;
 import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException;
-import io.getlime.security.powerauth.crypto.lib.util.*;
+import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils;
+import io.getlime.security.powerauth.crypto.lib.util.EciesUtils;
+import io.getlime.security.powerauth.crypto.lib.util.HMACHashUtilities;
+import io.getlime.security.powerauth.crypto.lib.util.KeyConvertor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

diff --git a/.../java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java b/.../java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java
@@ -16,7 +16,9 @@
  */
 package io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model;
 
-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Value;
 
 /**
  * The EciesCryptogram structure represents cryptogram transmitted over the network.

diff --git a/.../java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java b/.../java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java
@@ -16,7 +16,9 @@
  */
 package io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model;
 
-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Value;
 
 /**
  * The EciesParameters structure represents additional ECIES parameters transmitted over the network.

diff --git a/...h-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java b/...h-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java
@@ -18,8 +18,6 @@
 
 import io.getlime.security.powerauth.crypto.lib.encryptor.ecies.exception.EciesException;
 import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorScope;
-import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException;
-import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException;
 
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
@@ -137,7 +135,7 @@ public static byte[] deriveSharedInfo2(String protocolVersion, byte[] sharedInfo
                 throw new EciesException("Missing nonce parameter");
             }
             if (timestamp == null) {
-                throw new EciesException("Missing nonce parameter");
+                throw new EciesException("Missing timestamp parameter");
             }
             if (associatedData == null) {
                 throw new EciesException("Missing associatedData parameter");

diff --git a/...h-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java b/...h-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java
@@ -92,29 +92,36 @@ public byte[] convertTokenTimestamp(long timestamp) {
      * Compute the digest of provided token information using given token secret.
      * @param nonce Token nonce, 16 random bytes.
      * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (string representation).
+     * @param version Protocol version.
      * @param tokenSecret Token secret, 16 random bytes.
      * @return Token digest computed using provided data bytes with given token secret.
      * @throws GenericCryptoException In case digest computation fails.
      * @throws CryptoProviderException In case cryptography provider is incorrectly initialized.
      */
-    public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException {
-        byte[] amp = "&".getBytes(StandardCharsets.UTF_8);
-        byte[] data = ByteUtils.concat(nonce, amp, timestamp);
+    public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException {
+        final byte[] amp = "&".getBytes(StandardCharsets.UTF_8);
+        final byte[] data;
+        switch (version) {
+            case "3.2" -> data = ByteUtils.concat(nonce, amp, timestamp, amp, version.getBytes(StandardCharsets.UTF_8));
+            case "3.0", "3.1" -> data = ByteUtils.concat(nonce, amp, timestamp);
+            default -> throw new GenericCryptoException("Unsupported version value was specified: " + version);
+        }
         return hmac.hash(tokenSecret, data);
     }
 
     /**
      * Validate provided token digest for given input data and provided token secret.
      * @param nonce Token nonce, 16 random bytes.
      * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (string representation).
+     * @param version Protocol version.
      * @param tokenSecret Token secret, 16 random bytes.
      * @param tokenDigest Token digest, 32 bytes to be validated.
      * @return Token digest computed using provided data bytes with given token secret.
      * @throws GenericCryptoException In case digest computation fails.
      * @throws CryptoProviderException In case cryptography provider is incorrectly initialized.
      */
-    public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException {
-        return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, tokenSecret), tokenDigest);
+    public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException {
+        return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, version, tokenSecret), tokenDigest);
     }
 
 }
diff --git a/...ava/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java b/...ava/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java
@@ -34,7 +34,6 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
-import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.Base64;
 

diff --git a/.../src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java b/.../src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java
@@ -44,14 +44,15 @@ public byte[] convertTokenTimestamp(long timestamp) {
      * Validate provided token digest for given input data and provided token secret.
      * @param nonce Token nonce, 16 random bytes.
      * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (from string representation).
+     * @param version Protocol version.
      * @param tokenSecret Token secret, 16 random bytes.
      * @param tokenDigest Token digest, 32 bytes to be validated.
      * @return Token digest computed using provided data bytes with given token secret.
      * @throws GenericCryptoException In case digest computation fails.
      * @throws CryptoProviderException In case cryptography provider is incorrectly initialized.
      */
-    public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException {
-        return tokenUtils.validateTokenDigest(nonce, timestamp, tokenSecret, tokenDigest);
+    public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException {
+        return tokenUtils.validateTokenDigest(nonce, timestamp, version, tokenSecret, tokenDigest);
     }
 
 }
diff --git a/...a/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java b/...a/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java
@@ -95,12 +95,12 @@ public static void validate(PowerAuthSignatureHttpHeader header) throws InvalidP
         // Check that version is present
         final String version = header.getVersion();
         if (version == null || version.isEmpty()) {
-            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_EMPTY");
+            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_SIGNATURE_VERSION_EMPTY");
         }
 
         // Check that version is correct
         if (!ValueTypeValidator.isValidProtocolVersion(version)) {
-            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_INVALID");
+            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_SIGNATURE_VERSION_INVALID");
         }
 
     }

diff --git a/.../java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java b/.../java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java
@@ -84,12 +84,12 @@ public static void validate(PowerAuthTokenHttpHeader header) throws InvalidPower
         // Check that version is present
         final String version = header.getVersion();
         if (version == null || version.isEmpty()) {
-            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_EMPTY");
+            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_TOKEN_VERSION_EMPTY");
         }
 
         // Check that version is correct
         if (!ValueTypeValidator.isValidProtocolVersion(version)) {
-            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_INVALID");
+            throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_TOKEN_VERSION_INVALID");
         }
 
     }