Search in sources :

Example 1 with PowerAuthRequestBody

use of io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody in project powerauth-restful-integration by lime-company.

the class PowerAuthEncryptionProviderBase method decryptRequest.

/**
 * Decrypt HTTP request body and construct object with ECIES data. Use the requestType parameter to specify
 * the type of decrypted object.
 *
 * @param request HTTP request.
 * @param requestType Class of request object.
 * @param eciesScope ECIES scope.
 * @return Object with ECIES data.
 * @throws PowerAuthEncryptionException In case request decryption fails.
 */
@Nonnull
public PowerAuthEciesEncryption decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type requestType, @Nonnull EciesScope eciesScope) throws PowerAuthEncryptionException {
    // Only POST HTTP method is supported for ECIES
    if (!"POST".equals(request.getMethod())) {
        logger.warn("Invalid HTTP method: {}", request.getMethod());
        throw new PowerAuthEncryptionException();
    }
    // Resolve either signature or encryption HTTP header for ECIES
    final EciesEncryptionContext encryptionContext = extractEciesEncryptionContext(request);
    // Construct ECIES encryption object from HTTP header
    final PowerAuthEciesEncryption eciesEncryption = new PowerAuthEciesEncryption(encryptionContext);
    // Save ECIES scope in context
    eciesEncryption.getContext().setEciesScope(eciesScope);
    try {
        // Parse ECIES cryptogram from request body
        final PowerAuthRequestBody requestBody = ((PowerAuthRequestBody) request.getAttribute(PowerAuthRequestObjects.REQUEST_BODY));
        if (requestBody == null) {
            logger.warn("The X-PowerAuth-Request-Body request attribute is missing. Register the PowerAuthRequestFilter to fix this error.");
            throw new PowerAuthEncryptionException();
        }
        final byte[] requestBodyBytes = requestBody.getRequestBytes();
        if (requestBodyBytes == null || requestBodyBytes.length == 0) {
            logger.warn("Invalid HTTP request");
            throw new PowerAuthEncryptionException();
        }
        final EciesEncryptedRequest eciesRequest = objectMapper.readValue(requestBodyBytes, EciesEncryptedRequest.class);
        if (eciesRequest == null) {
            logger.warn("Invalid ECIES request data");
            throw new PowerAuthEncryptionException();
        }
        // Prepare ephemeral public key
        final String ephemeralPublicKey = eciesRequest.getEphemeralPublicKey();
        final String encryptedData = eciesRequest.getEncryptedData();
        final String mac = eciesRequest.getMac();
        final String nonce = eciesRequest.getNonce();
        // Verify ECIES request data. Nonce is required for protocol 3.1+
        if (ephemeralPublicKey == null || encryptedData == null || mac == null) {
            logger.warn("Invalid ECIES request data");
            throw new PowerAuthEncryptionException();
        }
        if (nonce == null && !"3.0".equals(encryptionContext.getVersion())) {
            logger.warn("Missing nonce in ECIES request data");
            throw new PowerAuthEncryptionException();
        }
        final byte[] ephemeralPublicKeyBytes = BaseEncoding.base64().decode(ephemeralPublicKey);
        final byte[] encryptedDataBytes = BaseEncoding.base64().decode(encryptedData);
        final byte[] macBytes = BaseEncoding.base64().decode(mac);
        final byte[] nonceBytes = nonce != null ? BaseEncoding.base64().decode(nonce) : null;
        final String applicationKey = eciesEncryption.getContext().getApplicationKey();
        final PowerAuthEciesDecryptorParameters decryptorParameters;
        // Obtain ECIES decryptor parameters from PowerAuth server
        switch(eciesScope) {
            case ACTIVATION_SCOPE:
                final String activationId = eciesEncryption.getContext().getActivationId();
                if (activationId == null) {
                    logger.warn("Activation ID is required in ECIES activation scope");
                    throw new PowerAuthEncryptionException();
                }
                decryptorParameters = getEciesDecryptorParameters(activationId, applicationKey, ephemeralPublicKey);
                break;
            case APPLICATION_SCOPE:
                decryptorParameters = getEciesDecryptorParameters(null, applicationKey, ephemeralPublicKey);
                break;
            default:
                logger.warn("Unsupported ECIES scope: {}", eciesScope);
                throw new PowerAuthEncryptionException();
        }
        // Prepare envelope key and sharedInfo2 parameter for decryptor
        final byte[] secretKey = BaseEncoding.base64().decode(decryptorParameters.getSecretKey());
        final EciesEnvelopeKey envelopeKey = new EciesEnvelopeKey(secretKey, ephemeralPublicKeyBytes);
        final byte[] sharedInfo2 = BaseEncoding.base64().decode(decryptorParameters.getSharedInfo2());
        // Construct decryptor and set it to the request for later encryption of response
        final EciesDecryptor eciesDecryptor = eciesFactory.getEciesDecryptor(envelopeKey, sharedInfo2);
        eciesEncryption.setEciesDecryptor(eciesDecryptor);
        // Decrypt request data
        final EciesCryptogram cryptogram = new EciesCryptogram(ephemeralPublicKeyBytes, macBytes, encryptedDataBytes, nonceBytes);
        final byte[] decryptedData = eciesDecryptor.decryptRequest(cryptogram);
        eciesEncryption.setEncryptedRequest(encryptedDataBytes);
        eciesEncryption.setDecryptedRequest(decryptedData);
        // Set the request object only in case when request data is sent
        if (decryptedData.length != 0) {
            eciesEncryption.setRequestObject(deserializeRequestData(decryptedData, requestType));
        }
        // Set encryption object in HTTP servlet request
        request.setAttribute(PowerAuthRequestObjects.ENCRYPTION_OBJECT, eciesEncryption);
    } catch (Exception ex) {
        logger.debug("Request decryption failed, error: " + ex.getMessage(), ex);
        throw new PowerAuthEncryptionException();
    }
    return eciesEncryption;
}
Also used : EciesCryptogram(io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model.EciesCryptogram) PowerAuthEciesEncryption(io.getlime.security.powerauth.rest.api.spring.encryption.PowerAuthEciesEncryption) PowerAuthEncryptionException(io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthEncryptionException) EciesEncryptedRequest(io.getlime.security.powerauth.rest.api.model.request.v3.EciesEncryptedRequest) PowerAuthRequestBody(io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody) EciesEnvelopeKey(io.getlime.security.powerauth.crypto.lib.encryptor.ecies.EciesEnvelopeKey) EciesDecryptor(io.getlime.security.powerauth.crypto.lib.encryptor.ecies.EciesDecryptor) PowerAuthEncryptionException(io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthEncryptionException) InvalidPowerAuthHttpHeaderException(io.getlime.security.powerauth.http.validator.InvalidPowerAuthHttpHeaderException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) IOException(java.io.IOException) EciesEncryptionContext(io.getlime.security.powerauth.rest.api.spring.encryption.EciesEncryptionContext) PowerAuthEciesDecryptorParameters(io.getlime.security.powerauth.rest.api.spring.encryption.PowerAuthEciesDecryptorParameters) Nonnull(javax.annotation.Nonnull)

Example 2 with PowerAuthRequestBody

use of io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody in project powerauth-restful-integration by lime-company.

the class PowerAuthRequestFilterBase method filterRequest.

/**
 * Extract request body from HTTP servlet request. Different logic is used for GET and for all other HTTP methods.
 *
 * @param httpRequest HTTP servlet request.
 * @return Resettable HTTP servlet request.
 * @throws IOException In case request body extraction fails.
 */
public static ResettableStreamHttpServletRequest filterRequest(HttpServletRequest httpRequest) throws IOException {
    final ResettableStreamHttpServletRequest resettableRequest = new ResettableStreamHttpServletRequest(httpRequest);
    if (httpRequest.getHeader(PowerAuthSignatureHttpHeader.HEADER_NAME) == null && httpRequest.getHeader(PowerAuthEncryptionHttpHeader.HEADER_NAME) == null) {
        // PowerAuth HTTP headers are not present, store empty request body in request attribute
        resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
        return resettableRequest;
    }
    if (httpRequest.getMethod().equalsIgnoreCase("GET")) {
        // Parse the query parameters
        String queryString = httpRequest.getQueryString();
        if (queryString != null && queryString.length() > 0) {
            // Decode the query string
            queryString = URLDecoder.decode(queryString, "UTF-8");
            // Get the canonized form
            final String signatureBaseStringData = PowerAuthRequestCanonizationUtils.canonizeGetParameters(queryString);
            // Pass the signature base string as the request attribute
            if (signatureBaseStringData != null) {
                resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody(signatureBaseStringData.getBytes(StandardCharsets.UTF_8)));
            } else {
                // Store empty request body in request attribute
                resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
            }
        } else {
            // Store empty request body in request attribute
            resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
        }
    } else {
        // ... handle POST, PUT, DELETE, ... method
        // Get the request body and pass it as the signature base string as the request attribute
        final byte[] body = resettableRequest.getRequestBody();
        if (body != null) {
            resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody(body));
        } else {
            // Store empty request body in request attribute
            resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
        }
    }
    return resettableRequest;
}
Also used : PowerAuthRequestBody(io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody)

Aggregations

PowerAuthRequestBody (io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody)2 JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)1 EciesDecryptor (io.getlime.security.powerauth.crypto.lib.encryptor.ecies.EciesDecryptor)1 EciesEnvelopeKey (io.getlime.security.powerauth.crypto.lib.encryptor.ecies.EciesEnvelopeKey)1 EciesCryptogram (io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model.EciesCryptogram)1 InvalidPowerAuthHttpHeaderException (io.getlime.security.powerauth.http.validator.InvalidPowerAuthHttpHeaderException)1 EciesEncryptedRequest (io.getlime.security.powerauth.rest.api.model.request.v3.EciesEncryptedRequest)1 EciesEncryptionContext (io.getlime.security.powerauth.rest.api.spring.encryption.EciesEncryptionContext)1 PowerAuthEciesDecryptorParameters (io.getlime.security.powerauth.rest.api.spring.encryption.PowerAuthEciesDecryptorParameters)1 PowerAuthEciesEncryption (io.getlime.security.powerauth.rest.api.spring.encryption.PowerAuthEciesEncryption)1 PowerAuthEncryptionException (io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthEncryptionException)1 IOException (java.io.IOException)1 Nonnull (javax.annotation.Nonnull)1