Fix #1014: Add protocol version into token verification endpoint, update documentation #1015

Merged
merged 2 commits into from
Sep 7, 2023
22 changes: 20 additions & 2 deletions docs/WebServices-Methods.md
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ The following `v3` methods are published using the service:
- [getCallbackUrlList](#method-getcallbackurllist)
- [removeCallbackUrl](#method-removecallbackurl)
- End-To-End Encryption
- [getEciesDecryptor](#method-geteciesdecryptor)
- [getEciesDecryptor](#method-geteciesdecryptor)
- Activation Versioning
- [startUpgrade](#method-startupgrade)
- [commitUpgrade](#method-commitupgrade)
Expand Down Expand Up @@ -419,6 +419,8 @@ REST endpoint: `POST /rest/v3/activation/prepare`
| `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

ECIES request should contain following data (as JSON):
- `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S".
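Review bot: The new `protocolVersion` row in the `POST /rest/v3/activation/prepare` table says only "Cryptography protocol version", without stating which values are accepted or whether the field is mandatory. The replay check touched by this same change branches on the literal strings `"3.0"` and `"3.1"`, so the exact format matters to callers. Suggest listing the supported values (or linking to where they are defined) and stating what happens when the field is omitted; the same wording is repeated in the other request tables in this file.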
Expand Down Expand Up @@ -473,6 +475,8 @@ REST endpoint: `POST /rest/v3/activation/create`
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `String` | `activationOtp` | Optional activation OTP |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

ECIES request should contain following data (as JSON):
- `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S".
Expand Down Expand Up @@ -956,6 +960,8 @@ REST endpoint: `POST /rest/v3/token/create`
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `SignatureType` | `signatureType` | Type of the signature (factors) used for token creation. |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

ECIES request should contain following data (an empty JSON object):
```json
Expand Down Expand Up @@ -995,6 +1001,8 @@ REST endpoint: `POST /rest/v3/token/validate`
| `String` | `tokenDigest` | Digest computed during the token based authentication. |
| `String` | `nonce` | Cryptographic nonce. Random 16B, Base64 encoded. |
| `Long` | `timestamp` | Token digest timestamp, Unix timestamp format. |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

#### Response

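Review bot: The `POST /rest/v3/token/validate` request table now has two `timestamp` rows: the existing "Token digest timestamp, Unix timestamp format." and the added "Unix timestamp in milliseconds for ECIES". `ValidateTokenRequest` in this change carries a single `long timestamp` field and the visible rows of this table contain no ECIES fields, so the second row looks like a copy from the ECIES tables. Suggest dropping it and, if the unit needs stating, saying milliseconds in the existing row.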
Expand Down Expand Up @@ -1055,6 +1063,7 @@ REST endpoint: `POST /rest/v3/vault/unlock`
| `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

ECIES request should contain following data:
```json
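Review bot: The `POST /rest/v3/vault/unlock` table gains `timestamp` but not `protocolVersion`, while the other ECIES request tables in this file gain both. If the vault unlock request also carries the protocol version, add the row; if it does not, a short sentence saying so would stop readers from assuming an omission.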
Expand Down Expand Up @@ -1460,6 +1469,9 @@ REST endpoint: `POST /rest/v3/ecies/decryptor`
| `String` | `activationId` | A UUID4 identifier of an activation (used only in activation scope, use null value in application scope) |
| `String` | `applicationKey` | A key (identifier) of an application, associated with given application version |
| `String` | `ephemeralPublicKey` | A base64 encoded ephemeral public key for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

#### Response

Expand Down Expand Up @@ -1492,6 +1504,8 @@ REST endpoint: `POST /rest/v3/upgrade/start`
| `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

#### Response

Expand Down Expand Up @@ -1566,7 +1580,7 @@ REST endpoint: `POST /rest/v3/recovery/create`

### Method `confirmRecoveryCode`

Confirm a recovery code recieved using recovery postcard.
Confirm a recovery code received using recovery postcard.

#### Request

Expand All @@ -1582,6 +1596,8 @@ REST endpoint: `POST /rest/v3/recovery/confirm`
| `String` | `encryptedData` | Base64 encoded encrypted data for ECIES |
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |
| `String` | `protocolVersion` | Cryptography protocol version |

ECIES request should contain following data (as JSON):
- `recoveryCode` - Recovery code which should be confirmed in this request.
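Review bot: In the `POST /rest/v3/recovery/confirm` table the two new rows are in the opposite order (`timestamp` before `protocolVersion`) from the other tables in this file, which list `protocolVersion` first. Swap them so the request tables stay uniform.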
Expand Down Expand Up @@ -1684,6 +1700,8 @@ REST endpoint: `POST /rest/v3/activation/recovery/create`
| `String` | `mac` | Base64 encoded mac of key and data for ECIES |
| `String` | `nonce` | Base64 encoded nonce for IV derivation for ECIES |
| `String` | `activationOtp` | Optional activation OTP |
| `String` | `protocolVersion` | Cryptography protocol version |
| `Long` | `timestamp` | Unix timestamp in milliseconds for ECIES |

ECIES request should contain following data (as JSON):
- `activationName` - Visual representation of the device, for example "Johnny's iPhone" or "Samsung Galaxy S".
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
*/
@Data
public class ActivationHistoryRequest {

private String activationId;
private Date timestampFrom;
private Date timestampTo;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ public class ValidateTokenRequest {
private String tokenDigest;
@ToString.Exclude
private String nonce;
private String protocolVersion;
private long timestamp;

}
Original file line number Diff line number Diff line change
Expand Up @@ -305,16 +305,15 @@ public ValidateTokenResponse validateToken(ValidateTokenRequest request) throws
isTokenValid = false;
} else {
// Check MAC token verification request for replay attacks and persist unique value from request
// TODO Roman - just make to compile, will be fixed later
final String version = "3.2";
replayVerificationService.checkAndPersistUniqueValue(
UniqueValueType.MAC_TOKEN,
new Date(request.getTimestamp()),
null,
request.getNonce(),
version);
tokenId,
request.getProtocolVersion());
// Validate MAC token
isTokenValid = tokenVerifier.validateTokenDigest(nonce, timestamp, version, tokenSecret, tokenDigest);
isTokenValid = tokenVerifier.validateTokenDigest(nonce, timestamp, request.getProtocolVersion(), tokenSecret, tokenDigest);
}

final ValidateTokenResponse response = new ValidateTokenResponse();
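Review bot: `request.getProtocolVersion()` now flows unchecked into both `replayVerificationService.checkAndPersistUniqueValue(...)` and `tokenVerifier.validateTokenDigest(...)`; nothing in this hunk rejects a null or unsupported value, and a caller that does not populate the new field will send none. Suggest validating the version against the supported set at the top of `validateToken` and failing the request early, or documenting the default that applies when it is missing, now that the hard-coded `"3.2"` placeholder no longer covers that case.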
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,9 +56,9 @@ public void checkAndPersistUniqueValue(UniqueValueType type, Date requestTimesta
logger.debug("Checking and persisting unique value, request type: {}, identifier: {}", type, identifier);
final int requestExpiration;
if ("3.0".equals(version) || "3.1".equals(version)) {
requestExpiration = config.getRequestExpirationInMillisecondsExtended();
requestExpiration = powerAuthServiceConfiguration.getRequestExpirationInMillisecondsExtended();
} else {
requestExpiration = config.getRequestExpirationInMilliseconds();
requestExpiration = powerAuthServiceConfiguration.getRequestExpirationInMilliseconds();
}
final Date expiration = Date.from(Instant.now().plus(requestExpiration, ChronoUnit.MILLIS));
if (requestTimestamp.after(expiration)) {
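Review bot: The branch `if ("3.0".equals(version) || "3.1".equals(version))` sends every other value, including null and strings that are not protocol versions at all, down the `else` path with `getRequestExpirationInMilliseconds()`. With the version now taken from the request in `validateToken`, the choice between the extended and the standard expiration window is driven by caller input. Suggest comparing against shared version constants and handling an unrecognised version explicitly (reject or log it) rather than by fall-through.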
Expand Down