Fix #1014: Add protocol version into token verification endpoint, upd…

…ate documentation (#1015)
wultra · Sep 7, 2023 · 3ff2cab · 3ff2cab
1 parent 2ca408c
commit 3ff2cab
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 8 deletions.
diff --git a/docs/WebServices-Methods.md b/docs/WebServices-Methods.md
@@ -59,7 +59,7 @@ The following `v3` methods are published using the service:
     - [getCallbackUrlList](#method-getcallbackurllist)
     - [removeCallbackUrl](#method-removecallbackurl)
 - End-To-End Encryption
-  - [getEciesDecryptor](#method-geteciesdecryptor)
+    - [getEciesDecryptor](#method-geteciesdecryptor)
 - Activation Versioning
     - [startUpgrade](#method-startupgrade)
     - [commitUpgrade](#method-commitupgrade)
@@ -419,6 +419,8 @@ REST endpoint: `POST /rest/v3/activation/prepare`
 | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
 | `String` | `mac` | Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 ECIES request should contain following data (as JSON):
  - `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S".
@@ -473,6 +475,8 @@ REST endpoint: `POST /rest/v3/activation/create`
 | `String` | `mac` |  Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
 | `String` | `activationOtp` | Optional activation OTP |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 ECIES request should contain following data (as JSON):
  - `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S".
@@ -956,6 +960,8 @@ REST endpoint: `POST /rest/v3/token/create`
 | `String` | `mac` |  Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
 | `SignatureType` | `signatureType` | Type of the signature (factors) used for token creation. |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 ECIES request should contain following data (an empty JSON object):
 ```json
@@ -995,6 +1001,8 @@ REST endpoint: `POST /rest/v3/token/validate`
 | `String` | `tokenDigest` | Digest computed during the token based authentication. |
 | `String` | `nonce` | Cryptographic nonce. Random 16B, Base64 encoded. |
 | `Long` | `timestamp` | Token digest timestamp, Unix timestamp format. |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 #### Response
 
@@ -1055,6 +1063,7 @@ REST endpoint: `POST /rest/v3/vault/unlock`
 | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
 | `String` | `mac` |  Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 ECIES request should contain following data:
 ```json
@@ -1460,6 +1469,9 @@ REST endpoint: `POST /rest/v3/ecies/decryptor`
 | `String` | `activationId` | A UUID4 identifier of an activation (used only in activation scope, use null value in application scope) |
 | `String` | `applicationKey` | A key (identifier) of an application, associated with given application version |
 | `String` | `ephemeralPublicKey` | A base64 encoded ephemeral public key for ECIES |
+| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 #### Response
 
@@ -1492,6 +1504,8 @@ REST endpoint: `POST /rest/v3/upgrade/start`
 | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
 | `String` | `mac` |  Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 #### Response
 
@@ -1566,7 +1580,7 @@ REST endpoint: `POST /rest/v3/recovery/create`
 
 ### Method `confirmRecoveryCode`
 
-Confirm a recovery code recieved using recovery postcard.
+Confirm a recovery code received using recovery postcard.
 
 #### Request
 
@@ -1582,6 +1596,8 @@ REST endpoint: `POST /rest/v3/recovery/confirm`
 | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
 | `String` | `mac` | Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
+| `String` | `protocolVersion` | Cryptography protocol version |
 
 ECIES request should contain following data (as JSON):
  - `recoveryCode` - Recovery code which should be confirmed in this request.
@@ -1684,6 +1700,8 @@ REST endpoint: `POST /rest/v3/activation/recovery/create`
 | `String` | `mac` | Base64 encoded mac of key and data for ECIES |
 | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
 | `String` | `activationOtp` | Optional activation OTP |
+| `String` | `protocolVersion` | Cryptography protocol version |
+| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
 
 ECIES request should contain following data (as JSON):
  - `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S".

diff --git a/...ain/java/com/wultra/security/powerauth/client/model/request/ActivationHistoryRequest.java b/...ain/java/com/wultra/security/powerauth/client/model/request/ActivationHistoryRequest.java
@@ -29,6 +29,7 @@
  */
 @Data
 public class ActivationHistoryRequest {
+
     private String activationId;
     private Date timestampFrom;
     private Date timestampTo;

diff --git a/...rc/main/java/com/wultra/security/powerauth/client/model/request/ValidateTokenRequest.java b/...rc/main/java/com/wultra/security/powerauth/client/model/request/ValidateTokenRequest.java
@@ -34,6 +34,7 @@ public class ValidateTokenRequest {
     private String tokenDigest;
     @ToString.Exclude
     private String nonce;
+    private String protocolVersion;
     private long timestamp;
 
 }
diff --git a/...n/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/TokenBehavior.java b/...n/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/TokenBehavior.java
@@ -305,16 +305,15 @@ public ValidateTokenResponse validateToken(ValidateTokenRequest request) throws
                 isTokenValid = false;
             } else {
                 // Check MAC token verification request for replay attacks and persist unique value from request
-                // TODO Roman - just make to compile, will be fixed later
-                final String version = "3.2";
                 replayVerificationService.checkAndPersistUniqueValue(
                         UniqueValueType.MAC_TOKEN,
                         new Date(request.getTimestamp()),
                         null,
                         request.getNonce(),
-                        version);
+                        tokenId,
+                        request.getProtocolVersion());
                 // Validate MAC token
-                isTokenValid = tokenVerifier.validateTokenDigest(nonce, timestamp, version, tokenSecret, tokenDigest);
+                isTokenValid = tokenVerifier.validateTokenDigest(nonce, timestamp, request.getProtocolVersion(), tokenSecret, tokenDigest);
             }
 
             final ValidateTokenResponse response = new ValidateTokenResponse();

diff --git a/...etlime/security/powerauth/app/server/service/replay/DefaultReplayVerificationService.java b/...etlime/security/powerauth/app/server/service/replay/DefaultReplayVerificationService.java
@@ -56,9 +56,9 @@ public void checkAndPersistUniqueValue(UniqueValueType type, Date requestTimesta
         logger.debug("Checking and persisting unique value, request type: {}, identifier: {}", type, identifier);
         final int requestExpiration;
         if ("3.0".equals(version) || "3.1".equals(version)) {
-            requestExpiration = config.getRequestExpirationInMillisecondsExtended();
+            requestExpiration = powerAuthServiceConfiguration.getRequestExpirationInMillisecondsExtended();
         } else {
-            requestExpiration = config.getRequestExpirationInMilliseconds();
+            requestExpiration = powerAuthServiceConfiguration.getRequestExpirationInMilliseconds();
         }
         final Date expiration = Date.from(Instant.now().plus(requestExpiration, ChronoUnit.MILLIS));
         if (requestTimestamp.after(expiration)) {