use of io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody in project powerauth-restful-integration by lime-company.
the class PowerAuthEncryptionProviderBase method decryptRequest.
/**
* Decrypt HTTP request body and construct object with ECIES data. Use the requestType parameter to specify
* the type of decrypted object.
*
* @param request HTTP request.
* @param requestType Class of request object.
* @param eciesScope ECIES scope.
* @return Object with ECIES data.
* @throws PowerAuthEncryptionException In case request decryption fails.
*/
@Nonnull
public PowerAuthEciesEncryption decryptRequest(@Nonnull HttpServletRequest request, @Nonnull Type requestType, @Nonnull EciesScope eciesScope) throws PowerAuthEncryptionException {
// Only POST HTTP method is supported for ECIES
if (!"POST".equals(request.getMethod())) {
logger.warn("Invalid HTTP method: {}", request.getMethod());
throw new PowerAuthEncryptionException();
}
// Resolve either signature or encryption HTTP header for ECIES
final EciesEncryptionContext encryptionContext = extractEciesEncryptionContext(request);
// Construct ECIES encryption object from HTTP header
final PowerAuthEciesEncryption eciesEncryption = new PowerAuthEciesEncryption(encryptionContext);
// Save ECIES scope in context
eciesEncryption.getContext().setEciesScope(eciesScope);
try {
// Parse ECIES cryptogram from request body
final PowerAuthRequestBody requestBody = ((PowerAuthRequestBody) request.getAttribute(PowerAuthRequestObjects.REQUEST_BODY));
if (requestBody == null) {
logger.warn("The X-PowerAuth-Request-Body request attribute is missing. Register the PowerAuthRequestFilter to fix this error.");
throw new PowerAuthEncryptionException();
}
final byte[] requestBodyBytes = requestBody.getRequestBytes();
if (requestBodyBytes == null || requestBodyBytes.length == 0) {
logger.warn("Invalid HTTP request");
throw new PowerAuthEncryptionException();
}
final EciesEncryptedRequest eciesRequest = objectMapper.readValue(requestBodyBytes, EciesEncryptedRequest.class);
if (eciesRequest == null) {
logger.warn("Invalid ECIES request data");
throw new PowerAuthEncryptionException();
}
// Prepare ephemeral public key
final String ephemeralPublicKey = eciesRequest.getEphemeralPublicKey();
final String encryptedData = eciesRequest.getEncryptedData();
final String mac = eciesRequest.getMac();
final String nonce = eciesRequest.getNonce();
// Verify ECIES request data. Nonce is required for protocol 3.1+
if (ephemeralPublicKey == null || encryptedData == null || mac == null) {
logger.warn("Invalid ECIES request data");
throw new PowerAuthEncryptionException();
}
if (nonce == null && !"3.0".equals(encryptionContext.getVersion())) {
logger.warn("Missing nonce in ECIES request data");
throw new PowerAuthEncryptionException();
}
final byte[] ephemeralPublicKeyBytes = BaseEncoding.base64().decode(ephemeralPublicKey);
final byte[] encryptedDataBytes = BaseEncoding.base64().decode(encryptedData);
final byte[] macBytes = BaseEncoding.base64().decode(mac);
final byte[] nonceBytes = nonce != null ? BaseEncoding.base64().decode(nonce) : null;
final String applicationKey = eciesEncryption.getContext().getApplicationKey();
final PowerAuthEciesDecryptorParameters decryptorParameters;
// Obtain ECIES decryptor parameters from PowerAuth server
switch(eciesScope) {
case ACTIVATION_SCOPE:
final String activationId = eciesEncryption.getContext().getActivationId();
if (activationId == null) {
logger.warn("Activation ID is required in ECIES activation scope");
throw new PowerAuthEncryptionException();
}
decryptorParameters = getEciesDecryptorParameters(activationId, applicationKey, ephemeralPublicKey);
break;
case APPLICATION_SCOPE:
decryptorParameters = getEciesDecryptorParameters(null, applicationKey, ephemeralPublicKey);
break;
default:
logger.warn("Unsupported ECIES scope: {}", eciesScope);
throw new PowerAuthEncryptionException();
}
// Prepare envelope key and sharedInfo2 parameter for decryptor
final byte[] secretKey = BaseEncoding.base64().decode(decryptorParameters.getSecretKey());
final EciesEnvelopeKey envelopeKey = new EciesEnvelopeKey(secretKey, ephemeralPublicKeyBytes);
final byte[] sharedInfo2 = BaseEncoding.base64().decode(decryptorParameters.getSharedInfo2());
// Construct decryptor and set it to the request for later encryption of response
final EciesDecryptor eciesDecryptor = eciesFactory.getEciesDecryptor(envelopeKey, sharedInfo2);
eciesEncryption.setEciesDecryptor(eciesDecryptor);
// Decrypt request data
final EciesCryptogram cryptogram = new EciesCryptogram(ephemeralPublicKeyBytes, macBytes, encryptedDataBytes, nonceBytes);
final byte[] decryptedData = eciesDecryptor.decryptRequest(cryptogram);
eciesEncryption.setEncryptedRequest(encryptedDataBytes);
eciesEncryption.setDecryptedRequest(decryptedData);
// Set the request object only in case when request data is sent
if (decryptedData.length != 0) {
eciesEncryption.setRequestObject(deserializeRequestData(decryptedData, requestType));
}
// Set encryption object in HTTP servlet request
request.setAttribute(PowerAuthRequestObjects.ENCRYPTION_OBJECT, eciesEncryption);
} catch (Exception ex) {
logger.debug("Request decryption failed, error: " + ex.getMessage(), ex);
throw new PowerAuthEncryptionException();
}
return eciesEncryption;
}
use of io.getlime.security.powerauth.rest.api.spring.model.PowerAuthRequestBody in project powerauth-restful-integration by lime-company.
the class PowerAuthRequestFilterBase method filterRequest.
/**
* Extract request body from HTTP servlet request. Different logic is used for GET and for all other HTTP methods.
*
* @param httpRequest HTTP servlet request.
* @return Resettable HTTP servlet request.
* @throws IOException In case request body extraction fails.
*/
public static ResettableStreamHttpServletRequest filterRequest(HttpServletRequest httpRequest) throws IOException {
final ResettableStreamHttpServletRequest resettableRequest = new ResettableStreamHttpServletRequest(httpRequest);
if (httpRequest.getHeader(PowerAuthSignatureHttpHeader.HEADER_NAME) == null && httpRequest.getHeader(PowerAuthEncryptionHttpHeader.HEADER_NAME) == null) {
// PowerAuth HTTP headers are not present, store empty request body in request attribute
resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
return resettableRequest;
}
if (httpRequest.getMethod().equalsIgnoreCase("GET")) {
// Parse the query parameters
String queryString = httpRequest.getQueryString();
if (queryString != null && queryString.length() > 0) {
// Decode the query string
queryString = URLDecoder.decode(queryString, "UTF-8");
// Get the canonized form
final String signatureBaseStringData = PowerAuthRequestCanonizationUtils.canonizeGetParameters(queryString);
// Pass the signature base string as the request attribute
if (signatureBaseStringData != null) {
resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody(signatureBaseStringData.getBytes(StandardCharsets.UTF_8)));
} else {
// Store empty request body in request attribute
resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
}
} else {
// Store empty request body in request attribute
resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
}
} else {
// ... handle POST, PUT, DELETE, ... method
// Get the request body and pass it as the signature base string as the request attribute
final byte[] body = resettableRequest.getRequestBody();
if (body != null) {
resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody(body));
} else {
// Store empty request body in request attribute
resettableRequest.setAttribute(PowerAuthRequestObjects.REQUEST_BODY, new PowerAuthRequestBody());
}
}
return resettableRequest;
}
Aggregations