use of io.getlime.security.powerauth.rest.api.model.response.v2.VaultUnlockResponse in project powerauth-restful-integration by lime-company.
the class SecureVaultService method vaultUnlock.
/**
* Unlock secure vault.
* @param signatureHeader PowerAuth signature HTTP header.
* @param request Vault unlock request.
* @param httpServletRequest HTTP servlet request.
* @return Vault unlock response.
* @throws PowerAuthSecureVaultException In case vault unlock fails.
* @throws PowerAuthAuthenticationException In case authentication fails.
*/
public VaultUnlockResponse vaultUnlock(String signatureHeader, VaultUnlockRequest request, HttpServletRequest httpServletRequest) throws PowerAuthSecureVaultException, PowerAuthAuthenticationException {
try {
// Parse the header
final PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(signatureHeader);
// Validate the header
try {
PowerAuthSignatureHttpHeaderValidator.validate(header);
} catch (InvalidPowerAuthHttpHeaderException ex) {
logger.warn("Signature HTTP header validation failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthSignatureTypeInvalidException();
}
final SignatureTypeConverter converter = new SignatureTypeConverter();
final String activationId = header.getActivationId();
final String applicationId = header.getApplicationKey();
final String signature = header.getSignature();
final SignatureType signatureType = converter.convertFrom(header.getSignatureType());
if (signatureType == null) {
logger.warn("Invalid signature type: {}", header.getSignatureType());
throw new PowerAuthSignatureTypeInvalidException();
}
final String nonce = header.getNonce();
String reason = null;
byte[] requestBodyBytes;
if ("2.0".equals(header.getVersion())) {
// Version 2.0 requires null data in signature for vault unlock.
requestBodyBytes = null;
} else if ("2.1".equals(header.getVersion())) {
// Version 2.1 or higher requires request data in signature (POST request body) for vault unlock.
if (request != null) {
// Send vault unlock reason, in case it is available.
if (request.getReason() != null) {
reason = request.getReason();
}
}
// Use POST request body as data for signature.
requestBodyBytes = authenticationProvider.extractRequestBodyBytes(httpServletRequest);
} else {
logger.warn("Invalid protocol version in secure vault: {}", header.getVersion());
throw new PowerAuthSecureVaultException();
}
final String data = PowerAuthHttpBody.getSignatureBaseString("POST", "/pa/vault/unlock", BaseEncoding.base64().decode(nonce), requestBodyBytes);
final com.wultra.security.powerauth.client.v2.VaultUnlockResponse paResponse = powerAuthClient.v2().unlockVault(activationId, applicationId, data, signature, signatureType, reason);
if (!paResponse.isSignatureValid()) {
logger.debug("Signature validation failed");
throw new PowerAuthSignatureInvalidException();
}
final VaultUnlockResponse response = new VaultUnlockResponse();
response.setActivationId(paResponse.getActivationId());
response.setEncryptedVaultEncryptionKey(paResponse.getEncryptedVaultEncryptionKey());
return response;
} catch (PowerAuthAuthenticationException ex) {
throw ex;
} catch (Exception ex) {
logger.warn("PowerAuth vault unlock failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthSecureVaultException();
}
}
use of io.getlime.security.powerauth.rest.api.model.response.v2.VaultUnlockResponse in project powerauth-restful-integration by lime-company.
the class SecureVaultService method vaultUnlock.
/**
* Unlock secure vault.
* @param header PowerAuth signature HTTP header.
* @param request ECIES encrypted vault unlock request.
* @param httpServletRequest HTTP servlet request.
* @return ECIES encrypted vault unlock response.
* @throws PowerAuthSecureVaultException In case vault unlock request fails.
* @throws PowerAuthAuthenticationException In case authentication fails.
*/
public EciesEncryptedResponse vaultUnlock(PowerAuthSignatureHttpHeader header, EciesEncryptedRequest request, HttpServletRequest httpServletRequest) throws PowerAuthSecureVaultException, PowerAuthAuthenticationException {
try {
final SignatureTypeConverter converter = new SignatureTypeConverter();
final String activationId = header.getActivationId();
final String applicationKey = header.getApplicationKey();
final String signature = header.getSignature();
final SignatureType signatureType = converter.convertFrom(header.getSignatureType());
if (signatureType == null) {
logger.warn("Invalid signature type: {}", header.getSignatureType());
throw new PowerAuthSignatureTypeInvalidException();
}
final String signatureVersion = header.getVersion();
final String nonce = header.getNonce();
// Fetch data from the request
final String ephemeralPublicKey = request.getEphemeralPublicKey();
final String encryptedData = request.getEncryptedData();
final String mac = request.getMac();
final String eciesNonce = request.getNonce();
// Prepare data for signature to allow signature verification on PowerAuth server
final byte[] requestBodyBytes = authenticationProvider.extractRequestBodyBytes(httpServletRequest);
final String data = PowerAuthHttpBody.getSignatureBaseString("POST", "/pa/vault/unlock", BaseEncoding.base64().decode(nonce), requestBodyBytes);
// Verify signature and get encrypted vault encryption key from PowerAuth server
final VaultUnlockResponse paResponse = powerAuthClient.unlockVault(activationId, applicationKey, signature, signatureType, signatureVersion, data, ephemeralPublicKey, encryptedData, mac, eciesNonce);
if (!paResponse.isSignatureValid()) {
logger.debug("Signature validation failed");
throw new PowerAuthSignatureInvalidException();
}
return new EciesEncryptedResponse(paResponse.getEncryptedData(), paResponse.getMac());
} catch (PowerAuthAuthenticationException ex) {
throw ex;
} catch (Exception ex) {
logger.warn("PowerAuth vault unlock failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthSecureVaultException();
}
}
use of io.getlime.security.powerauth.rest.api.model.response.v2.VaultUnlockResponse in project powerauth-restful-integration by lime-company.
the class SecureVaultController method unlockVault.
/**
* Request the vault unlock key.
* @param signatureHeader PowerAuth signature HTTP header.
* @param request Vault unlock request data.
* @param httpServletRequest HTTP servlet request.
* @return PowerAuth RESTful response with {@link VaultUnlockResponse} payload.
* @throws PowerAuthAuthenticationException In case authentication fails.
* @throws PowerAuthSecureVaultException In case unlocking the vault fails.
*/
@RequestMapping(value = "unlock", method = RequestMethod.POST)
public ObjectResponse<VaultUnlockResponse> unlockVault(@RequestHeader(value = PowerAuthSignatureHttpHeader.HEADER_NAME, defaultValue = "unknown") String signatureHeader, @RequestBody(required = false) ObjectRequest<VaultUnlockRequest> request, HttpServletRequest httpServletRequest) throws PowerAuthAuthenticationException, PowerAuthSecureVaultException {
// Request object is not validated - it is optional for version 2
// Parse the header
PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(signatureHeader);
// Validate the header
try {
PowerAuthSignatureHttpHeaderValidator.validate(header);
} catch (InvalidPowerAuthHttpHeaderException ex) {
logger.warn("Signature HTTP header validation failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthSignatureInvalidException();
}
if (!"2.0".equals(header.getVersion()) && !"2.1".equals(header.getVersion())) {
logger.warn("Endpoint does not support PowerAuth protocol version {}", header.getVersion());
throw new PowerAuthInvalidRequestException();
}
VaultUnlockResponse response = secureVaultServiceV2.vaultUnlock(signatureHeader, request.getRequestObject(), httpServletRequest);
return new ObjectResponse<>(response);
}
Aggregations