Examples with PowerAuthSignatureHttpHeader io.getlime.security.powerauth.http.PowerAuthSignatureHttpHeader used on opensource projects

Example 6 with PowerAuthSignatureHttpHeader

use of io.getlime.security.powerauth.http.PowerAuthSignatureHttpHeader in project powerauth-restful-integration by lime-company.

the class SecureVaultService method vaultUnlock.

/**
 * Unlock secure vault.
 * @param signatureHeader PowerAuth signature HTTP header.
 * @param request Vault unlock request.
 * @param httpServletRequest HTTP servlet request.
 * @return Vault unlock response.
 * @throws PowerAuthSecureVaultException In case vault unlock fails.
 * @throws PowerAuthAuthenticationException In case authentication fails.
 */
public VaultUnlockResponse vaultUnlock(String signatureHeader, VaultUnlockRequest request, HttpServletRequest httpServletRequest) throws PowerAuthSecureVaultException, PowerAuthAuthenticationException {
    try {
        // Parse the header
        final PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(signatureHeader);
        // Validate the header
        try {
            PowerAuthSignatureHttpHeaderValidator.validate(header);
        } catch (InvalidPowerAuthHttpHeaderException ex) {
            logger.warn("Signature HTTP header validation failed, error: {}", ex.getMessage());
            logger.debug(ex.getMessage(), ex);
            throw new PowerAuthSignatureTypeInvalidException();
        }
        final SignatureTypeConverter converter = new SignatureTypeConverter();
        final String activationId = header.getActivationId();
        final String applicationId = header.getApplicationKey();
        final String signature = header.getSignature();
        final SignatureType signatureType = converter.convertFrom(header.getSignatureType());
        if (signatureType == null) {
            logger.warn("Invalid signature type: {}", header.getSignatureType());
            throw new PowerAuthSignatureTypeInvalidException();
        }
        final String nonce = header.getNonce();
        String reason = null;
        byte[] requestBodyBytes;
        if ("2.0".equals(header.getVersion())) {
            // Version 2.0 requires null data in signature for vault unlock.
            requestBodyBytes = null;
        } else if ("2.1".equals(header.getVersion())) {
            // Version 2.1 or higher requires request data in signature (POST request body) for vault unlock.
            if (request != null) {
                // Send vault unlock reason, in case it is available.
                if (request.getReason() != null) {
                    reason = request.getReason();
                }
            }
            // Use POST request body as data for signature.
            requestBodyBytes = authenticationProvider.extractRequestBodyBytes(httpServletRequest);
        } else {
            logger.warn("Invalid protocol version in secure vault: {}", header.getVersion());
            throw new PowerAuthSecureVaultException();
        }
        final String data = PowerAuthHttpBody.getSignatureBaseString("POST", "/pa/vault/unlock", BaseEncoding.base64().decode(nonce), requestBodyBytes);
        final com.wultra.security.powerauth.client.v2.VaultUnlockResponse paResponse = powerAuthClient.v2().unlockVault(activationId, applicationId, data, signature, signatureType, reason);
        if (!paResponse.isSignatureValid()) {
            logger.debug("Signature validation failed");
            throw new PowerAuthSignatureInvalidException();
        }
        final VaultUnlockResponse response = new VaultUnlockResponse();
        response.setActivationId(paResponse.getActivationId());
        response.setEncryptedVaultEncryptionKey(paResponse.getEncryptedVaultEncryptionKey());
        return response;
    } catch (PowerAuthAuthenticationException ex) {
        throw ex;
    } catch (Exception ex) {
        logger.warn("PowerAuth vault unlock failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthSecureVaultException();
    }
}

Example 7 with PowerAuthSignatureHttpHeader

use of io.getlime.security.powerauth.http.PowerAuthSignatureHttpHeader in project powerauth-restful-integration by lime-company.

the class SecureVaultController method unlockVault.

/**
 * Request the vault unlock key.
 * @param signatureHeader PowerAuth signature HTTP header.
 * @param request Vault unlock request data.
 * @param httpServletRequest HTTP servlet request.
 * @return PowerAuth RESTful response with {@link VaultUnlockResponse} payload.
 * @throws PowerAuthAuthenticationException In case authentication fails.
 * @throws PowerAuthSecureVaultException In case unlocking the vault fails.
 */
@RequestMapping(value = "unlock", method = RequestMethod.POST)
public ObjectResponse<VaultUnlockResponse> unlockVault(@RequestHeader(value = PowerAuthSignatureHttpHeader.HEADER_NAME, defaultValue = "unknown") String signatureHeader, @RequestBody(required = false) ObjectRequest<VaultUnlockRequest> request, HttpServletRequest httpServletRequest) throws PowerAuthAuthenticationException, PowerAuthSecureVaultException {
    // Request object is not validated - it is optional for version 2
    // Parse the header
    PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(signatureHeader);
    // Validate the header
    try {
        PowerAuthSignatureHttpHeaderValidator.validate(header);
    } catch (InvalidPowerAuthHttpHeaderException ex) {
        logger.warn("Signature HTTP header validation failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthSignatureInvalidException();
    }
    if (!"2.0".equals(header.getVersion()) && !"2.1".equals(header.getVersion())) {
        logger.warn("Endpoint does not support PowerAuth protocol version {}", header.getVersion());
        throw new PowerAuthInvalidRequestException();
    }
    VaultUnlockResponse response = secureVaultServiceV2.vaultUnlock(signatureHeader, request.getRequestObject(), httpServletRequest);
    return new ObjectResponse<>(response);
}

Example 8 with PowerAuthSignatureHttpHeader

use of io.getlime.security.powerauth.http.PowerAuthSignatureHttpHeader in project powerauth-restful-integration by lime-company.

the class RecoveryService method confirmRecoveryCode.

/**
 * Confirm recovery code.
 * @param request ECIES encrypted request.
 * @param authentication PowerAuth API authentication object.
 * @return ECIES encrypted response.
 * @throws PowerAuthAuthenticationException In case confirm recovery fails.
 */
public EciesEncryptedResponse confirmRecoveryCode(EciesEncryptedRequest request, PowerAuthApiAuthentication authentication) throws PowerAuthAuthenticationException {
    try {
        final String activationId = authentication.getActivationContext().getActivationId();
        final PowerAuthSignatureHttpHeader httpHeader = (PowerAuthSignatureHttpHeader) authentication.getHttpHeader();
        final String applicationKey = httpHeader.getApplicationKey();
        if (activationId == null || applicationKey == null || request.getEphemeralPublicKey() == null || request.getEncryptedData() == null || request.getMac() == null) {
            logger.warn("PowerAuth confirm recovery failed because of invalid request");
            throw new PowerAuthInvalidRequestException();
        }
        final ConfirmRecoveryCodeResponse paResponse = powerAuthClient.confirmRecoveryCode(activationId, applicationKey, request.getEphemeralPublicKey(), request.getEncryptedData(), request.getMac(), request.getNonce());
        if (!paResponse.getActivationId().equals(activationId)) {
            logger.warn("PowerAuth confirm recovery failed because of invalid activation ID in response");
            throw new PowerAuthInvalidRequestException();
        }
        return new EciesEncryptedResponse(paResponse.getEncryptedData(), paResponse.getMac());
    } catch (Exception ex) {
        logger.warn("PowerAuth confirm recovery failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthRecoveryConfirmationException();
    }
}

Example 9 with PowerAuthSignatureHttpHeader

use of io.getlime.security.powerauth.http.PowerAuthSignatureHttpHeader in project powerauth-restful-integration by lime-company.

the class TokenService method createToken.

/**
 * Create token.
 *
 * @param request        ECIES encrypted create token request.
 * @param authentication PowerAuth API authentication object.
 * @return ECIES encrypted create token response.
 * @throws PowerAuthAuthenticationException In case token could not be created.
 */
public EciesEncryptedResponse createToken(EciesEncryptedRequest request, PowerAuthApiAuthentication authentication) throws PowerAuthAuthenticationException {
    try {
        // Fetch activation ID and signature type
        final PowerAuthSignatureTypes signatureFactors = authentication.getAuthenticationContext().getSignatureType();
        // Fetch data from the request
        final String ephemeralPublicKey = request.getEphemeralPublicKey();
        final String encryptedData = request.getEncryptedData();
        final String mac = request.getMac();
        final String nonce = request.getNonce();
        // Prepare a signature type converter
        final SignatureTypeConverter converter = new SignatureTypeConverter();
        final SignatureType signatureType = converter.convertFrom(signatureFactors);
        if (signatureType == null) {
            logger.warn("Invalid signature type: {}", signatureFactors);
            throw new PowerAuthSignatureTypeInvalidException();
        }
        // Get ECIES headers
        final String activationId = authentication.getActivationContext().getActivationId();
        final PowerAuthSignatureHttpHeader httpHeader = (PowerAuthSignatureHttpHeader) authentication.getHttpHeader();
        final String applicationKey = httpHeader.getApplicationKey();
        // Create a token
        final CreateTokenResponse token = powerAuthClient.createToken(activationId, applicationKey, ephemeralPublicKey, encryptedData, mac, nonce, signatureType);
        // Prepare a response
        final EciesEncryptedResponse response = new EciesEncryptedResponse();
        response.setMac(token.getMac());
        response.setEncryptedData(token.getEncryptedData());
        return response;
    } catch (Exception ex) {
        logger.warn("Creating PowerAuth token failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthTokenErrorException();
    }
}

Example 10 with PowerAuthSignatureHttpHeader

use of io.getlime.security.powerauth.http.PowerAuthSignatureHttpHeader in project powerauth-restful-integration by lime-company.

the class SecureVaultController method unlockVault.

/**
 * Request the vault unlock key.
 * @param signatureHeader PowerAuth signature HTTP header.
 * @return PowerAuth RESTful response with {@link VaultUnlockResponse} payload.
 * @throws PowerAuthAuthenticationException In case authentication fails.
 */
@RequestMapping(value = "unlock", method = RequestMethod.POST)
@ResponseBody
public ObjectResponse<VaultUnlockResponse> unlockVault(@RequestHeader(value = PowerAuthSignatureHttpHeader.HEADER_NAME, defaultValue = "unknown") String signatureHeader, @RequestBody(required = false) ObjectRequest<VaultUnlockRequest> request, HttpServletRequest httpServletRequest) throws PowerAuthAuthenticationException, PowerAuthSecureVaultException {
    try {
        // Parse the header
        PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(signatureHeader);
        // Validate the header
        try {
            PowerAuthSignatureHttpHeaderValidator.validate(header);
        } catch (InvalidPowerAuthHttpHeaderException e) {
            throw new PowerAuthAuthenticationException(e.getMessage());
        }
        SignatureTypeConverter converter = new SignatureTypeConverter();
        String activationId = header.getActivationId();
        String applicationId = header.getApplicationKey();
        String signature = header.getSignature();
        SignatureType signatureType = converter.convertFrom(header.getSignatureType());
        String nonce = header.getNonce();
        String reason = null;
        byte[] requestBodyBytes;
        if ("2.0".equals(header.getVersion())) {
            // Version 2.0 requires null data in signature for vault unlock.
            requestBodyBytes = null;
        } else {
            // Version 2.1 or higher requires request data in signature (POST request body) for vault unlock.
            if (request != null) {
                // Send vault unlock reason, in case it is available.
                VaultUnlockRequest vaultUnlockRequest = request.getRequestObject();
                if (vaultUnlockRequest != null && vaultUnlockRequest.getReason() != null) {
                    reason = vaultUnlockRequest.getReason();
                }
            }
            // Use POST request body as data for signature.
            String requestBodyString = ((String) httpServletRequest.getAttribute(PowerAuthRequestFilterBase.POWERAUTH_SIGNATURE_BASE_STRING));
            requestBodyBytes = requestBodyString == null ? null : BaseEncoding.base64().decode(requestBodyString);
        }
        String data = PowerAuthHttpBody.getSignatureBaseString("POST", "/pa/vault/unlock", BaseEncoding.base64().decode(nonce), requestBodyBytes);
        io.getlime.powerauth.soap.VaultUnlockResponse soapResponse = powerAuthClient.unlockVault(activationId, applicationId, data, signature, signatureType, reason);
        if (!soapResponse.isSignatureValid()) {
            throw new PowerAuthAuthenticationException();
        }
        VaultUnlockResponse response = new VaultUnlockResponse();
        response.setActivationId(soapResponse.getActivationId());
        response.setEncryptedVaultEncryptionKey(soapResponse.getEncryptedVaultEncryptionKey());
        return new ObjectResponse<>(response);
    } catch (Exception ex) {
        if (PowerAuthAuthenticationException.class.equals(ex.getClass())) {
            throw ex;
        } else {
            throw new PowerAuthSecureVaultException();
        }
    }
}