Implement support for temporary keys

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/request/EciesEncryptedRequest.java

@@ -30,6 +30,11 @@
 @Data
 public class EciesEncryptedRequest {
 
+    /**
+     * Identifier of the temporary key.
+     */
+    private String temporaryKeyId;
+
     /**
      * Base64 encoded ephemeral public key.
      */

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/request/TemporaryKeyRequest.java

@@ -0,0 +1,37 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.model.request;
+
+import lombok.Data;
+
+/**
+ * Request class with temporary public key.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+@Data
+public class TemporaryKeyRequest {
+
+    /**
+     * JWT with encoded temporary key request.
+     */
+    private String jwt;
+
+}

powerauth-restful-model/src/main/java/io/getlime/security/powerauth/rest/api/model/response/TemporaryKeyResponse.java

@@ -0,0 +1,37 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.model.response;
+
+import lombok.Data;
+
+/**
+ * Response class with temporary key.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+@Data
+public class TemporaryKeyResponse {
+
+    /**
+     * JWT with encoded temporary key response.
+     */
+    private String jwt;
+
+}

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/encryption/EncryptionContext.java

@@ -44,6 +44,7 @@ public class EncryptionContext {
      * Protocol version.
      */
     private final String version;
+
     /**
      * PowerAuth HTTP header used for deriving ECIES encryption context.
      */

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/exception/PowerAuthTemporaryKeyException.java

@@ -0,0 +1,55 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.spring.exception;
+
+/**
+ * Exception raised in case PowerAuth fails to return temporary keys.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+public class PowerAuthTemporaryKeyException extends Exception {
+
+    private static final String DEFAULT_CODE = "ERR_TEMPORARY_KEY";
+    private static final String DEFAULT_ERROR = "POWER_AUTH_TEMPORARY_KEY_FAILURE";
+
+    /**
+     * Default constructor.
+     */
+    public PowerAuthTemporaryKeyException() {
+        super(DEFAULT_ERROR);
+    }
+
+    /**
+     * Get the default error code, used for example in REST response.
+     * @return Default error code.
+     */
+    public String getDefaultCode() {
+        return DEFAULT_CODE;
+    }
+
+    /**
+     * Get default error message, used for example in the REST response.
+     * @return Default error message.
+     */
+    public String getDefaultError() {
+        return DEFAULT_ERROR;
+    }
+
+}

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/provider/PowerAuthEncryptionProvider.java

@@ -58,11 +58,12 @@ public PowerAuthEncryptionProvider(PowerAuthClient powerAuthClient, HttpCustomiz
     }
 
     @Override
-    public @Nonnull PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException {
+    public @Nonnull PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String temporaryKeyId, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException {
         try {
             final GetEciesDecryptorRequest eciesDecryptorRequest = new GetEciesDecryptorRequest();
             eciesDecryptorRequest.setActivationId(activationId);
             eciesDecryptorRequest.setApplicationKey(applicationKey);
+            eciesDecryptorRequest.setTemporaryKeyId(temporaryKeyId);
             eciesDecryptorRequest.setEphemeralPublicKey(ephemeralPublicKey);
             eciesDecryptorRequest.setProtocolVersion(version);
             eciesDecryptorRequest.setNonce(nonce);

powerauth-restful-security-spring-annotation/src/main/java/io/getlime/security/powerauth/rest/api/spring/provider/PowerAuthEncryptionProviderBase.java

@@ -80,7 +80,7 @@ public abstract class PowerAuthEncryptionProviderBase {
      * @throws PowerAuthEncryptionException In case PowerAuth server call fails.
      */
     public abstract @Nonnull
-    PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException;
+    PowerAuthEncryptorParameters getEciesDecryptorParameters(@Nullable String activationId, @Nonnull String applicationKey, @Nonnull String temporaryKeyId, @Nonnull String ephemeralPublicKey, @Nonnull String version, String nonce, Long timestamp) throws PowerAuthEncryptionException;
 
     /**
      * Decrypt HTTP request body and construct object with ECIES data. Use the requestType parameter to specify
@@ -136,6 +136,7 @@ public void decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type re
 
             // Prepare and validate EncryptedRequest object
             final EncryptedRequest encryptedRequest = new EncryptedRequest(
+                    eciesRequest.getTemporaryKeyId(),
                     eciesRequest.getEphemeralPublicKey(),
                     eciesRequest.getEncryptedData(),
                     eciesRequest.getMac(),
@@ -155,6 +156,7 @@ public void decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type re
             final PowerAuthEncryptorParameters encryptorParameters = getEciesDecryptorParameters(
                     activationId,
                     applicationKey,
+                    encryptedRequest.getTemporaryKeyId(),
                     encryptedRequest.getEphemeralPublicKey(),
                     version,
                     encryptedRequest.getNonce(),
@@ -165,7 +167,7 @@ public void decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type re
             final byte[] sharedInfo2Base = Base64.getDecoder().decode(encryptorParameters.sharedInfo2());
             final ServerEncryptor serverEncryptor = encryptorFactory.getServerEncryptor(
                     encryptorData.getEncryptorId(),
-                    new EncryptorParameters(version, applicationKey, activationId),
+                    new EncryptorParameters(version, applicationKey, activationId, encryptedRequest.getTemporaryKeyId()),
                     new ServerEncryptorSecrets(secretKeyBytes, sharedInfo2Base)
             );
 

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/KeyStoreController.java

@@ -0,0 +1,68 @@
+/*
+ * PowerAuth integration libraries for RESTful API applications, examples and
+ * related software components
+ *
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.rest.api.spring.controller;
+
+import io.getlime.security.powerauth.rest.api.model.request.TemporaryKeyRequest;
+import io.getlime.security.powerauth.rest.api.model.response.TemporaryKeyResponse;
+import io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthTemporaryKeyException;
+import io.getlime.security.powerauth.rest.api.spring.service.KeyStoreService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
+
+/**
+ * Controller for obtaining temporary encryption keys.
+ *
+ * @author Petr Dvorak, [email protected]
+ */
+@RestController("keyStoreControllerV3")
+@RequestMapping(value = "/pa/v3/keystore")
+public class KeyStoreController {
+
+    private static final Logger logger = LoggerFactory.getLogger(KeyStoreController.class);
+
+    private final KeyStoreService service;
+
+    /**
+     * Default autowiring constructor.
+     * @param service Keystore service.
+     */
+    @Autowired
+    public KeyStoreController(KeyStoreService service) {
+        this.service = service;
+    }
+
+    /**
+     * Create a new temporary key.
+     * @param request Request for temporary key.
+     * @return Response with temporary key.
+     * @throws PowerAuthTemporaryKeyException In case temporary key cannot be returned.
+     */
+    @PostMapping("create")
+    public TemporaryKeyResponse fetchTemporaryKey(@RequestBody TemporaryKeyRequest request) throws PowerAuthTemporaryKeyException {
+        if (request == null) {
+            logger.warn("Invalid request while fetching temporary key");
+            throw new PowerAuthTemporaryKeyException();
+        }
+        return service.fetchTemporaryKey(request);
+    }
+
+}

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/RecoveryController.java

@@ -85,8 +85,7 @@ public EciesEncryptedResponse confirmRecoveryCode(@RequestBody EciesEncryptedReq
 
         PowerAuthAuthenticationUtil.checkAuthentication(auth);
         PowerAuthVersionUtil.checkUnsupportedVersion(auth.getVersion());
-        PowerAuthVersionUtil.checkMissingRequiredNonce(auth.getVersion(), request.getNonce());
-        PowerAuthVersionUtil.checkMissingRequiredTimestamp(auth.getVersion(), request.getTimestamp());
+        PowerAuthVersionUtil.checkEciesParameters(auth.getVersion(), request);
 
         return recoveryService.confirmRecoveryCode(request, auth);
     }

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/SecureVaultController.java

@@ -100,9 +100,7 @@ public EciesEncryptedResponse unlockVault(
         }
 
         PowerAuthVersionUtil.checkUnsupportedVersion(header.getVersion());
-        PowerAuthVersionUtil.checkMissingRequiredNonce(header.getVersion(), request.getNonce());
-        PowerAuthVersionUtil.checkMissingRequiredTimestamp(header.getVersion(), request.getTimestamp());
-
+        PowerAuthVersionUtil.checkEciesParameters(header.getVersion(), request);
 
         return secureVaultServiceV3.vaultUnlock(header, request, httpServletRequest);
     }

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/TokenController.java

@@ -92,8 +92,7 @@ public EciesEncryptedResponse createToken(@RequestBody EciesEncryptedRequest req
 
         PowerAuthAuthenticationUtil.checkAuthentication(auth);
         PowerAuthVersionUtil.checkUnsupportedVersion(auth.getVersion());
-        PowerAuthVersionUtil.checkMissingRequiredNonce(auth.getVersion(), request.getNonce());
-        PowerAuthVersionUtil.checkMissingRequiredTimestamp(auth.getVersion(), request.getTimestamp());
+        PowerAuthVersionUtil.checkEciesParameters(auth.getVersion(), request);
 
         return tokenServiceV3.createToken(request, auth);
     }

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/controller/UpgradeController.java

@@ -98,8 +98,7 @@ public EciesEncryptedResponse upgradeStart(@RequestBody EciesEncryptedRequest re
         }
 
         PowerAuthVersionUtil.checkUnsupportedVersion(header.getVersion());
-        PowerAuthVersionUtil.checkMissingRequiredNonce(header.getVersion(), request.getNonce());
-        PowerAuthVersionUtil.checkMissingRequiredTimestamp(header.getVersion(), request.getTimestamp());
+        PowerAuthVersionUtil.checkEciesParameters(header.getVersion(), request);
 
         return upgradeService.upgradeStart(request, header);
 

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/exception/PowerAuthExceptionHandler.java

@@ -132,4 +132,16 @@ public class PowerAuthExceptionHandler {
         return new ErrorResponse(ex.getDefaultCode(), ex.getMessage());
     }
 
+    /**
+     * Handle PowerAuthTemporaryKeyException exceptions.
+     * @param ex Exception instance.
+     * @return Error response.
+     */
+    @ExceptionHandler(value = PowerAuthTemporaryKeyException.class)
+    @ResponseStatus(value = HttpStatus.BAD_REQUEST)
+    public @ResponseBody ErrorResponse handlePowerAuthTemporaryKeyException(PowerAuthTemporaryKeyException ex) {
+        logger.warn(ex.getMessage(), ex);
+        return new ErrorResponse(ex.getDefaultCode(), ex.getDefaultError());
+    }
+
 }

powerauth-restful-security-spring/src/main/java/io/getlime/security/powerauth/rest/api/spring/service/ActivationService.java

@@ -127,6 +127,7 @@ public ActivationLayer1Response createActivation(ActivationLayer1Request request
 
             final String applicationKey = eciesContext.getApplicationKey();
             final EciesEncryptedRequest activationData = request.getActivationData();
+            final String temporaryKeyId = activationData.getTemporaryKeyId();
             final String ephemeralPublicKey = activationData.getEphemeralPublicKey();
             final String encryptedData = activationData.getEncryptedData();
             final String mac = activationData.getMac();
@@ -161,6 +162,7 @@ public ActivationLayer1Response createActivation(ActivationLayer1Request request
                     prepareRequest.setActivationCode(activationCode);
                     prepareRequest.setApplicationKey(applicationKey);
                     prepareRequest.setGenerateRecoveryCodes(shouldGenerateRecoveryCodes(identity, customAttributes, context));
+                    prepareRequest.setTemporaryKeyId(temporaryKeyId);
                     prepareRequest.setEphemeralPublicKey(ephemeralPublicKey);
                     prepareRequest.setEncryptedData(encryptedData);
                     prepareRequest.setMac(mac);
@@ -285,6 +287,7 @@ public ActivationLayer1Response createActivation(ActivationLayer1Request request
                     createRequest.setGenerateRecoveryCodes(shouldGenerateRecoveryCodes);
                     createRequest.setMaxFailureCount(maxFailedCount);
                     createRequest.setApplicationKey(applicationKey);
+                    createRequest.setTemporaryKeyId(temporaryKeyId);
                     createRequest.setEphemeralPublicKey(ephemeralPublicKey);
                     createRequest.setEncryptedData(encryptedData);
                     createRequest.setMac(mac);
@@ -393,6 +396,7 @@ public ActivationLayer1Response createActivation(ActivationLayer1Request request
                     recoveryRequest.setGenerateRecoveryCodes(shouldGenerateRecoveryCodes);
                     recoveryRequest.setApplicationKey(applicationKey);
                     recoveryRequest.setMaxFailureCount(maxFailedCount);
+                    recoveryRequest.setTemporaryKeyId(temporaryKeyId);
                     recoveryRequest.setEphemeralPublicKey(ephemeralPublicKey);
                     recoveryRequest.setEncryptedData(encryptedData);
                     recoveryRequest.setMac(mac);