From 3ff2cab30777042d61e8ae33ad5640dbbdb63bec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roman=20=C5=A0trobl?= Date: Thu, 7 Sep 2023 21:16:38 +0200 Subject: [PATCH] Fix #1014: Add protocol version into token verification endpoint, update documentation (#1015) --- docs/WebServices-Methods.md | 22 +++++++++++++++++-- .../request/ActivationHistoryRequest.java | 1 + .../model/request/ValidateTokenRequest.java | 1 + .../service/behavior/tasks/TokenBehavior.java | 7 +++--- .../DefaultReplayVerificationService.java | 4 ++-- 5 files changed, 27 insertions(+), 8 deletions(-) diff --git a/docs/WebServices-Methods.md b/docs/WebServices-Methods.md index 1aa79d339..77d4b1dc6 100644 --- a/docs/WebServices-Methods.md +++ b/docs/WebServices-Methods.md @@ -59,7 +59,7 @@ The following `v3` methods are published using the service: - [getCallbackUrlList](#method-getcallbackurllist) - [removeCallbackUrl](#method-removecallbackurl) - End-To-End Encryption - - [getEciesDecryptor](#method-geteciesdecryptor) + - [getEciesDecryptor](#method-geteciesdecryptor) - Activation Versioning - [startUpgrade](#method-startupgrade) - [commitUpgrade](#method-commitupgrade) @@ -419,6 +419,8 @@ REST endpoint: `POST /rest/v3/activation/prepare` | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES | | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | ECIES request should contain following data (as JSON): - `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S". 
@@ -473,6 +475,8 @@ REST endpoint: `POST /rest/v3/activation/create` | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | | `String` | `activationOtp` | Optional activation OTP | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | ECIES request should contain following data (as JSON): - `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S". @@ -956,6 +960,8 @@ REST endpoint: `POST /rest/v3/token/create` | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | | `SignatureType` | `signatureType` | Type of the signature (factors) used for token creation. | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | ECIES request should contain following data (an empty JSON object): ```json @@ -995,6 +1001,8 @@ REST endpoint: `POST /rest/v3/token/validate` | `String` | `tokenDigest` | Digest computed during the token based authentication. | | `String` | `nonce` | Cryptographic nonce. Random 16B, Base64 encoded. | | `Long` | `timestamp` | Token digest timestamp, Unix timestamp format. | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | #### Response @@ -1055,6 +1063,7 @@ REST endpoint: `POST /rest/v3/vault/unlock` | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES | | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | ECIES request should contain following data: ```json 
@@ -1460,6 +1469,9 @@ REST endpoint: `POST /rest/v3/ecies/decryptor` | `String` | `activationId` | A UUID4 identifier of an activation (used only in activation scope, use null value in application scope) | | `String` | `applicationKey` | A key (identifier) of an application, associated with given application version | | `String` | `ephemeralPublicKey` | A base64 encoded ephemeral public key for ECIES | +| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | #### Response @@ -1492,6 +1504,8 @@ REST endpoint: `POST /rest/v3/upgrade/start` | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES | | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | #### Response @@ -1566,7 +1580,7 @@ REST endpoint: `POST /rest/v3/recovery/create` ### Method `confirmRecoveryCode` -Confirm a recovery code recieved using recovery postcard. +Confirm a recovery code received using recovery postcard. #### Request @@ -1582,6 +1596,8 @@ REST endpoint: `POST /rest/v3/recovery/confirm` | `String` | `encryptedData` | Base64 encoded encrypted data for ECIES | | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | +| `String` | `protocolVersion` | Cryptography protocol version | ECIES request should contain following data (as JSON): - `recoveryCode` - Recovery code which should be confirmed in this request. 
@@ -1684,6 +1700,8 @@ REST endpoint: `POST /rest/v3/activation/recovery/create` | `String` | `mac` | Base64 encoded mac of key and data for ECIES | | `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES | | `String` | `activationOtp` | Optional activation OTP | +| `String` | `protocolVersion` | Cryptography protocol version | +| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES | ECIES request should contain following data (as JSON): - `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S". diff --git a/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ActivationHistoryRequest.java b/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ActivationHistoryRequest.java index 711e7f8c7..0c49e9254 100644 --- a/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ActivationHistoryRequest.java +++ b/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ActivationHistoryRequest.java @@ -29,6 +29,7 @@ */ @Data public class ActivationHistoryRequest { + private String activationId; private Date timestampFrom; private Date timestampTo; diff --git a/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ValidateTokenRequest.java b/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ValidateTokenRequest.java index 3e30f2835..4c344c88d 100644 --- a/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ValidateTokenRequest.java +++ b/powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ValidateTokenRequest.java @@ -34,6 +34,7 @@ public class ValidateTokenRequest { private String tokenDigest; @ToString.Exclude private String nonce; + private String protocolVersion; private long timestamp; } 
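Review bot: The added `protocolVersion` field in `ValidateTokenRequest` has no comment saying which values are accepted or what an absent value means, although the server code in this commit uses it for the replay check and for token digest validation. A one-line comment above the field would cover it, for example `// PowerAuth protocol version sent with the request, e.g. "3.2"; used for the replay check and token digest validation`. The documentation table for `POST /rest/v3/token/validate` in the same commit now lists `timestamp` twice (the token digest timestamp and "Unix timestamp in milliseconds for ECIES"), while this class has a single `long timestamp`, so one of those rows looks unintended.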
diff --git a/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/TokenBehavior.java b/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/TokenBehavior.java index b9b82dce7..ef6f00945 100644 --- a/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/TokenBehavior.java +++ b/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/TokenBehavior.java @@ -305,16 +305,15 @@ public ValidateTokenResponse validateToken(ValidateTokenRequest request) throws isTokenValid = false; } else { // Check MAC token verification request for replay attacks and persist unique value from request - // TODO Roman - just make to compile, will be fixed later - final String version = "3.2"; replayVerificationService.checkAndPersistUniqueValue( UniqueValueType.MAC_TOKEN, new Date(request.getTimestamp()), null, request.getNonce(), - version); + tokenId, + request.getProtocolVersion()); // Validate MAC token - isTokenValid = tokenVerifier.validateTokenDigest(nonce, timestamp, version, tokenSecret, tokenDigest); + isTokenValid = tokenVerifier.validateTokenDigest(nonce, timestamp, request.getProtocolVersion(), tokenSecret, tokenDigest); } final ValidateTokenResponse response = new ValidateTokenResponse(); diff --git a/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/replay/DefaultReplayVerificationService.java b/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/replay/DefaultReplayVerificationService.java index e0a27ff78..1a8368488 100644 --- a/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/replay/DefaultReplayVerificationService.java +++ b/powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/replay/DefaultReplayVerificationService.java 
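Review bot: `request.getProtocolVersion()` is passed straight into `checkAndPersistUniqueValue(...)` and `validateTokenDigest(...)` with no check that it is present or one of the supported versions. The value now comes from the request instead of the former constant `"3.2"`, and in `DefaultReplayVerificationService` it selects between the extended and the standard request expiration, so the replay window depends on a request-supplied string. A missing or unexpected value silently takes the `else` branch there and reaches the digest verifier as-is (what the verifier does with `null` is not visible here). Read it once, `final String version = request.getProtocolVersion();`, and treat a null or unsupported value like the existing `isTokenValid = false` branch before any unique value is persisted. The body of `validateToken` starts and ends outside this hunk, so an earlier check may exist that the hunk does not show.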
@@ -56,9 +56,9 @@ public void checkAndPersistUniqueValue(UniqueValueType type, Date requestTimesta
 logger.debug("Checking and persisting unique value, request type: {}, identifier: {}", type, identifier);
 final int requestExpiration;
 if ("3.0".equals(version) || "3.1".equals(version)) {
- requestExpiration = config.getRequestExpirationInMillisecondsExtended();
+ requestExpiration = powerAuthServiceConfiguration.getRequestExpirationInMillisecondsExtended();
 } else {
- requestExpiration = config.getRequestExpirationInMilliseconds();
+ requestExpiration = powerAuthServiceConfiguration.getRequestExpirationInMilliseconds();
 }
 final Date expiration = Date.from(Instant.now().plus(requestExpiration, ChronoUnit.MILLIS));
 if (requestTimestamp.after(expiration)) {