diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java index a3be5e8a6..3826b3f89 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java @@ -28,10 +28,8 @@ import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.KeyPair; -import java.security.PrivateKey; import java.security.PublicKey; import java.security.interfaces.ECPublicKey; -import java.security.spec.InvalidKeySpecException; import java.util.Arrays; import java.util.Base64; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java index a2227f6ed..581cbc031 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java @@ -55,13 +55,14 @@ public byte[] generateTokenTimestamp() { * * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (from string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { - return tokenUtils.computeTokenDigest(nonce, timestamp, tokenSecret); + public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { + return tokenUtils.computeTokenDigest(nonce, timestamp, version, tokenSecret); } } diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java index f55c66baf..c35026df7 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java @@ -16,7 +16,6 @@ */ package io.getlime.security.powerauth.crypto.client.vault; -import io.getlime.security.powerauth.crypto.lib.generator.KeyGenerator; import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException; import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException; import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java index 85098a789..949deabe5 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java @@ -22,9 +22,9 @@ import io.getlime.security.powerauth.crypto.lib.encryptor.ecies.ServerEciesEncryptor; import io.getlime.security.powerauth.crypto.lib.encryptor.exception.EncryptorException; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorId; +import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorScope; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorSecrets; -import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters; /** * The {@code EncryptorFactory} class provide high level encryptors for PowerAuth End-To-End encryption implementation. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java index d17d430a8..f1218bada 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java @@ -23,7 +23,10 @@ import io.getlime.security.powerauth.crypto.lib.generator.KeyGenerator; import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException; import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException; -import io.getlime.security.powerauth.crypto.lib.util.*; +import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils; +import io.getlime.security.powerauth.crypto.lib.util.EciesUtils; +import io.getlime.security.powerauth.crypto.lib.util.HMACHashUtilities; +import io.getlime.security.powerauth.crypto.lib.util.KeyConvertor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java index a38d37125..d29eba2df 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java @@ -16,7 +16,9 @@ */ package io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model; -import lombok.*; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Value; /** * The EciesCryptogram structure represents cryptogram transmitted over the network. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java index e6ee3fe30..e5d7d37dc 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java @@ -16,7 +16,9 @@ */ package io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model; -import lombok.*; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Value; /** * The EciesParameters structure represents additional ECIES parameters transmitted over the network. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java index 1cd3120cc..d1087cca3 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java @@ -18,8 +18,6 @@ import io.getlime.security.powerauth.crypto.lib.encryptor.ecies.exception.EciesException; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorScope; -import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException; -import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; @@ -137,7 +135,7 @@ public static byte[] deriveSharedInfo2(String protocolVersion, byte[] sharedInfo throw new EciesException("Missing nonce parameter"); } if (timestamp == null) { - throw new EciesException("Missing nonce parameter"); + throw new EciesException("Missing timestamp parameter"); } if (associatedData == null) { throw new EciesException("Missing associatedData parameter"); diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java index 9e53650a4..897f921fc 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java @@ -92,14 +92,20 @@ public byte[] convertTokenTimestamp(long timestamp) { * Compute the digest of provided token information using given token secret. * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { - byte[] amp = "&".getBytes(StandardCharsets.UTF_8); - byte[] data = ByteUtils.concat(nonce, amp, timestamp); + public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { + final byte[] amp = "&".getBytes(StandardCharsets.UTF_8); + final byte[] data; + switch (version) { + case "3.2" -> data = ByteUtils.concat(nonce, amp, timestamp, amp, version.getBytes(StandardCharsets.UTF_8)); + case "3.0", "3.1" -> data = ByteUtils.concat(nonce, amp, timestamp); + default -> throw new GenericCryptoException("Unsupported version value was specified: " + version); + } return hmac.hash(tokenSecret, data); } @@ -107,14 +113,15 @@ public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSec * Validate provided token digest for given input data and provided token secret. * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @param tokenDigest Token digest, 32 bytes to be validated. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { - return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, tokenSecret), tokenDigest); + public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { + return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, version, tokenSecret), tokenDigest); } } diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java index ebd75f0b1..9c99d0a34 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java @@ -34,7 +34,6 @@ import java.security.PrivateKey; import java.security.PublicKey; import java.security.interfaces.ECPublicKey; -import java.security.spec.InvalidKeySpecException; import java.util.Arrays; import java.util.Base64; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java index 45c2187b0..5e65f9981 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java @@ -44,14 +44,15 @@ public byte[] convertTokenTimestamp(long timestamp) { * Validate provided token digest for given input data and provided token secret. * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (from string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @param tokenDigest Token digest, 32 bytes to be validated. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { - return tokenUtils.validateTokenDigest(nonce, timestamp, tokenSecret, tokenDigest); + public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { + return tokenUtils.validateTokenDigest(nonce, timestamp, version, tokenSecret, tokenDigest); } } diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java index 6f05be557..503d6ea9f 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java @@ -95,12 +95,12 @@ public static void validate(PowerAuthSignatureHttpHeader header) throws InvalidP // Check that version is present final String version = header.getVersion(); if (version == null || version.isEmpty()) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_EMPTY"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_SIGNATURE_VERSION_EMPTY"); } // Check that version is correct if (!ValueTypeValidator.isValidProtocolVersion(version)) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_INVALID"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_SIGNATURE_VERSION_INVALID"); } } diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java index 322945e1d..7ec285807 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java @@ -84,12 +84,12 @@ public static void validate(PowerAuthTokenHttpHeader header) throws InvalidPower // Check that version is present final String version = header.getVersion(); if (version == null || version.isEmpty()) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_EMPTY"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_TOKEN_VERSION_EMPTY"); } // Check that version is correct if (!ValueTypeValidator.isValidProtocolVersion(version)) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_INVALID"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_TOKEN_VERSION_INVALID"); } }