Implement support for temporary keys (#546)

* Add temporary key ID to service calls

* Added endpoints for requesting temporary key

* Fix exception and controller bean names

* Move temporary key ID to the request body

* Fix supported version support

* Removed unnecessary annotation

* Add version to status endpoint if available

* Improve the structure of the application info in status endpoint

* Add request/response wrapper

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/request/EciesEncryptedRequest.java

@@ -30,6 +30,11 @@
 @Data
 public class EciesEncryptedRequest {
 
+    /**
+     * Identifier of the temporary key.
+     */
+    private String temporaryKeyId;
+
     /**
      * Base64 encoded ephemeral public key.
      */

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/request/TemporaryKeyRequest.java

@@ -0,0 +1,37 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.model.request;
+
+import lombok.Data;
+
+/**
+ * Request class with temporary public key.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+@Data
+public class TemporaryKeyRequest {
+
+    /**
+     * JWT with encoded temporary key request.
+     */
+    private String jwt;
+
+}

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/response/ServerStatusResponse.java

@@ -25,5 +25,12 @@
  * @param serverTime Server time.
  * @author Roman Strobl, [email protected]
  */
-public record ServerStatusResponse(long serverTime) {
+public record ServerStatusResponse(long serverTime, Application application) {
+    /**
+     * Record for information about the application.
+     * @param name Application name, if present in BuildProperties.
+     * @param version Application version, if present in BuildProperties.
+     */
+    public record Application(String name, String version) {
+    }
 }

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/response/TemporaryKeyResponse.java

@@ -0,0 +1,37 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.model.response;
+
+import lombok.Data;
+
+/**
+ * Response class with temporary key.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+@Data
+public class TemporaryKeyResponse {
+
+    /**
+     * JWT with encoded temporary key response.
+     */
+    private String jwt;
+
+}

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/encryption/EncryptionContext.java

@@ -44,6 +44,7 @@ public class EncryptionContext {
      * Protocol version.
      */
     private final String version;
+
     /**
      * PowerAuth HTTP header used for deriving ECIES encryption context.
      */

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/exception/PowerAuthTemporaryKeyException.java

@@ -0,0 +1,55 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.spring.exception;
+
+/**
+ * Exception raised in case PowerAuth fails to return temporary keys.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+public class PowerAuthTemporaryKeyException extends Exception {
+
+    private static final String DEFAULT_CODE = "ERR_TEMPORARY_KEY";
+    private static final String DEFAULT_ERROR = "POWER_AUTH_TEMPORARY_KEY_FAILURE";
+
+    /**
+     * Default constructor.
+     */
+    public PowerAuthTemporaryKeyException() {
+        super(DEFAULT_ERROR);
+    }
+
+    /**
+     * Get the default error code, used for example in REST response.
+     * @return Default error code.
+     */
+    public String getDefaultCode() {
+        return DEFAULT_CODE;
+    }
+
+    /**
+     * Get default error message, used for example in the REST response.
+     * @return Default error message.
+     */
+    public String getDefaultError() {
+        return DEFAULT_ERROR;
+    }
+
+}

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/provider/PowerAuthEncryptionProvider.java

@@ -58,11 +58,12 @@ public PowerAuthEncryptionProvider(PowerAuthClient powerAuthClient, HttpCustomiz
     }
 
     @Override
-    public @Nonnull PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException {
+    public @Nonnull PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String temporaryKeyId, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException {
         try {
             final GetEciesDecryptorRequest eciesDecryptorRequest = new GetEciesDecryptorRequest();
             eciesDecryptorRequest.setActivationId(activationId);
             eciesDecryptorRequest.setApplicationKey(applicationKey);
+            eciesDecryptorRequest.setTemporaryKeyId(temporaryKeyId);
             eciesDecryptorRequest.setEphemeralPublicKey(ephemeralPublicKey);
             eciesDecryptorRequest.setProtocolVersion(version);
             eciesDecryptorRequest.setNonce(nonce);

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/provider/PowerAuthEncryptionProviderBase.java

@@ -80,7 +80,7 @@ public abstract class PowerAuthEncryptionProviderBase {
      * @throws PowerAuthEncryptionException In case PowerAuth server call fails.
      */
     public abstract @Nonnull
-    PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException;
+    PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String temporaryKeyId, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException;
 
     /**
      * Decrypt HTTP request body and construct object with ECIES data. Use the requestType parameter to specify
@@ -136,6 +136,7 @@ public void decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type re
 
             // Prepare and validate EncryptedRequest object
             final EncryptedRequest encryptedRequest = new EncryptedRequest(
+                    eciesRequest.getTemporaryKeyId(),
                     eciesRequest.getEphemeralPublicKey(),
                     eciesRequest.getEncryptedData(),
                     eciesRequest.getMac(),
@@ -155,6 +156,7 @@ public void decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type re
             final PowerAuthEncryptorParameters encryptorParameters = getEciesDecryptorParameters(
                     activationId,
                     applicationKey,
+                    encryptedRequest.getTemporaryKeyId(),
                     encryptedRequest.getEphemeralPublicKey(),
                     version,
                     encryptedRequest.getNonce(),
@@ -165,7 +167,7 @@ public void decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type re
             final byte[] sharedInfo2Base = Base64.getDecoder().decode(encryptorParameters.sharedInfo2());
             final ServerEncryptor serverEncryptor = encryptorFactory.getServerEncryptor(
                     encryptorData.getEncryptorId(),
-                    new EncryptorParameters(version, applicationKey, activationId),
+                    new EncryptorParameters(version, applicationKey, activationId, encryptedRequest.getTemporaryKeyId()),
                     new ServerEncryptorSecrets(secretKeyBytes, sharedInfo2Base)
             );
 

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/ActivationController.java

@@ -60,6 +60,9 @@
  * <p><b>PowerAuth protocol versions:</b>
  * <ul>
  *     <li>3.0</li>
+ *     <li>3.1</li>
+ *     <li>3.2</li>
+ *     <li>3.3</li>
  * </ul>
  *
  * @author Roman Strobl, [email protected]

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/KeyStoreController.java

@@ -0,0 +1,85 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.spring.controller;
+
+import io.getlime.core.rest.model.base.request.ObjectRequest;
+import io.getlime.core.rest.model.base.response.ObjectResponse;
+import io.getlime.security.powerauth.rest.api.model.request.TemporaryKeyRequest;
+import io.getlime.security.powerauth.rest.api.model.response.TemporaryKeyResponse;
+import io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthTemporaryKeyException;
+import io.getlime.security.powerauth.rest.api.spring.service.KeyStoreService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.*;
+
+/**
+ * Controller for obtaining temporary encryption keys.
+ *
+ * <p><b>PowerAuth protocol versions:</b>
+ * <ul>
+ *     <li>3.3</li>
+ * </ul>
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+@RestController("keyStoreControllerV3")
+@RequestMapping(value = "/pa/v3/keystore")
+public class KeyStoreController {
+
+    private static final Logger logger = LoggerFactory.getLogger(KeyStoreController.class);
+
+    private final KeyStoreService service;
+
+    /**
+     * Default autowiring constructor.
+     * @param service Keystore service.
+     */
+    @Autowired
+    public KeyStoreController(KeyStoreService service) {
+        this.service = service;
+    }
+
+    /**
+     * Create a new temporary key.
+     * @param request Request for temporary key.
+     * @return Response with temporary key.
+     * @throws PowerAuthTemporaryKeyException In case temporary key cannot be returned.
+     */
+    @PostMapping("create")
+    public ObjectResponse<TemporaryKeyResponse> fetchTemporaryKey(@RequestBody ObjectRequest<TemporaryKeyRequest> request) throws PowerAuthTemporaryKeyException {
+        if (request == null) {
+            logger.warn("Null request while fetching temporary key");
+            throw new PowerAuthTemporaryKeyException();
+        }
+        final TemporaryKeyRequest requestObject = request.getRequestObject();
+        if (requestObject == null) {
+            logger.warn("Null request object while fetching temporary key");
+            throw new PowerAuthTemporaryKeyException();
+        }
+        if (!StringUtils.hasLength(requestObject.getJwt())) {
+            logger.warn("Invalid request object with empty JWT while fetching temporary key");
+            throw new PowerAuthTemporaryKeyException();
+        }
+        return new ObjectResponse<>(service.fetchTemporaryKey(requestObject));
+    }
+
+}

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/RecoveryController.java

@@ -44,6 +44,9 @@
  * <p><b>PowerAuth protocol versions:</b>
  * <ul>
  *     <li>3.0</li>
+ *     <li>3.1</li>
+ *     <li>3.2</li>
+ *     <li>3.3</li>
  * </ul>
  *
  * @author Roman Strobl, [email protected]
@@ -85,8 +88,7 @@ public EciesEncryptedResponse confirmRecoveryCode(@RequestBody EciesEncryptedReq
 
         PowerAuthAuthenticationUtil.checkAuthentication(auth);
         PowerAuthVersionUtil.checkUnsupportedVersion(auth.getVersion());
-        PowerAuthVersionUtil.checkMissingRequiredNonce(auth.getVersion(), request.getNonce());
-        PowerAuthVersionUtil.checkMissingRequiredTimestamp(auth.getVersion(), request.getTimestamp());
+        PowerAuthVersionUtil.checkEciesParameters(auth.getVersion(), request);
 
         return recoveryService.confirmRecoveryCode(request, auth);
     }

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/SecureVaultController.java

@@ -44,6 +44,9 @@
  * <p><b>PowerAuth protocol versions:</b>
  * <ul>
  *     <li>3.0</li>
+ *     <li>3.1</li>
+ *     <li>3.2</li>
+ *     <li>3.3</li>
  * </ul>
  *
  * @author Roman Strobl, [email protected]
@@ -100,9 +103,7 @@ public EciesEncryptedResponse unlockVault(
         }
 
         PowerAuthVersionUtil.checkUnsupportedVersion(header.getVersion());
-        PowerAuthVersionUtil.checkMissingRequiredNonce(header.getVersion(), request.getNonce());
-        PowerAuthVersionUtil.checkMissingRequiredTimestamp(header.getVersion(), request.getTimestamp());
-
+        PowerAuthVersionUtil.checkEciesParameters(header.getVersion(), request);
 
         return secureVaultServiceV3.vaultUnlock(header, request, httpServletRequest);
     }