Update ECIES implementation for crypto 3.2 (#935)

docs/PowerAuth-Server-1.5.0.md

@@ -87,6 +87,36 @@ ALTER TABLE PA_OPERATION ADD COLUMN TOTP_SEED VARCHAR2(24 CHAR);
 ALTER TABLE PA_OPERATION_TEMPLATE ADD COLUMN PROXIMITY_CHECK_ENABLED NUMBER(1, 0) DEFAULT 0 NOT NULL;
 ```
 
+### Added Table for Detecting Replay Attacks
+
+A new table `pa_unique_values` was added to store unique values sent in requests, so that replay attacks are prevented.
+
+#### PostgreSQL
+
+```sql
+CREATE TABLE pa_unique_value (
+    unique_value      VARCHAR(255) NOT NULL PRIMARY KEY,
+    type              INTEGER NOT NULL,
+    timestamp_expires TIMESTAMP NOT NULL
+);
+
+CREATE INDEX pa_unique_value_expiration ON pa_unique_value(timestamp_expires);
+```
+
+#### Oracle
+
+```sql
+--
+-- DDL for Table PA_UNIQUE_VALUE
+--
+CREATE TABLE PA_UNIQUE_VALUE (
+    unique_value      VARCHAR2(255 CHAR) NOT NULL PRIMARY KEY,
+    type              NUMBER(10,0) NOT NULL,
+    timestamp_expires TIMESTAMP NOT NULL
+);
+
+CREATE INDEX pa_unique_value_expiration ON pa_unique_value(timestamp_expires);
+```
 
 ### Drop MySQL Support
 

docs/WebServices-Methods.md

@@ -59,7 +59,7 @@ The following `v3` methods are published using the service:
     - [getCallbackUrlList](#method-getcallbackurllist)
     - [removeCallbackUrl](#method-removecallbackurl)
 - End-To-End Encryption
-    - [getEciesDecryptor](#method-geteciesdecryptor)
+  - [getEciesDecryptor](#method-geteciesdecryptor)
 - Activation Versioning
     - [startUpgrade](#method-startupgrade)
     - [commitUpgrade](#method-commitupgrade)

docs/db/changelog/changesets/powerauth-java-server/1.5.x/20230723-add-table-unique-value.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.9.xsd">
+
+    <!--  Create table pa_unique_value -->
+    <changeSet id="1" logicalFilePath="powerauth-java-server/1.5.x/20230723-add-table-unique-value.xml" author="Roman Strobl">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <tableExists tableName="pa_unique_value"/>
+            </not>
+        </preConditions>
+        <comment>Create a new table pa_unique_value</comment>
+        <createTable tableName="pa_unique_value">
+            <column name="unique_value" type="varchar(255)">
+                <constraints primaryKey="true"/>
+            </column>
+            <column name="type" type="integer">
+                <constraints nullable="false"/>
+            </column>
+            <column name="timestamp_expires" type="timestamp">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
+    </changeSet>
+
+    <changeSet id="2" logicalFilePath="powerauth-java-server/1.5.x/20230723-add-table-unique-value.xml" author="Roman Strobl">
+        <preConditions onFail="MARK_RAN">
+            <not>
+                <indexExists tableName="pa_unique_value" indexName="pa_unique_value_expiration" />
+            </not>
+        </preConditions>
+        <comment>Create a new index on pa_unique_value(timestamp_expires)</comment>
+        <createIndex tableName="pa_unique_value" indexName="pa_unique_value_expiration">
+            <column name="timestamp_expires" />
+        </createIndex>
+    </changeSet>
+
+</databaseChangeLog>

docs/db/changelog/changesets/powerauth-java-server/1.5.x/db.changelog-version.xml

@@ -5,5 +5,6 @@
 
     <include file="20230323-add-columns-signature-data.xml" relativeToChangelogFile="true" />
     <include file="20230426-add-column-totp-seed.xml" relativeToChangelogFile="true" />
+    <include file="20230723-add-table-unique-value.xml" relativeToChangelogFile="true" />
 
 </databaseChangeLog>

docs/sql/oracle/create_schema.sql

@@ -254,6 +254,17 @@ CREATE TABLE pa_operation_application (
     CONSTRAINT pa_operation_application_pk PRIMARY KEY ("APPLICATION_ID", "OPERATION_ID")
 );
 
+--
+-- DDL for Table PA_UNIQUE_VALUE
+--
+CREATE TABLE PA_UNIQUE_VALUE (
+    unique_value      VARCHAR2(255 CHAR) NOT NULL PRIMARY KEY,
+    type              NUMBER(10,0) NOT NULL,
+    timestamp_expires TIMESTAMP NOT NULL
+);
+
+CREATE INDEX pa_unique_value_expiration ON pa_unique_value(timestamp_expires);
+
 --
 -- DDL for Table SHEDLOCK
 --

docs/sql/oracle/delete_schema.sql

@@ -15,6 +15,7 @@ DROP TABLE "PA_RECOVERY_PUK" CASCADE CONSTRAINTS;
 DROP TABLE "PA_RECOVERY_CONFIG" CASCADE CONSTRAINTS;
 DROP TABLE "PA_OPERATION" CASCADE CONSTRAINTS;
 DROP TABLE "PA_OPERATION_TEMPLATE" CASCADE CONSTRAINTS;
+DROP TABLE "PA_UNIQUE_VALUE" CASCADE CONSTRAINTS;
 
 -- Optionally drop the shedlock table
 -- DROP TABLE "shedlock" CASCADE CONSTRAINTS;

docs/sql/postgresql/create_schema.sql

@@ -255,6 +255,15 @@ CREATE TABLE pa_operation_application (
     CONSTRAINT pa_operation_application_pk PRIMARY KEY (application_id, operation_id)
 );
 
+--
+-- DDL for Table PA_UNIQUE_VALUE
+--
+CREATE TABLE pa_unique_value (
+    unique_value      VARCHAR(255) NOT NULL PRIMARY KEY,
+    type              INTEGER NOT NULL,
+    timestamp_expires TIMESTAMP NOT NULL
+);
+
 --
 -- DDL for Table SHEDLOCK
 --
@@ -407,6 +416,8 @@ CREATE INDEX pa_operation_status_exp ON pa_operation(timestamp_expires, status);
 
 CREATE INDEX pa_operation_template_name_idx ON pa_operation_template(template_name);
 
+CREATE INDEX pa_unique_value_expiration ON pa_unique_value(timestamp_expires);
+
 --
 -- Auditing indexes.
 --

docs/sql/postgresql/delete_schema.sql

@@ -15,6 +15,7 @@ DROP TABLE IF EXISTS "pa_recovery_puk" CASCADE;
 DROP TABLE IF EXISTS "pa_recovery_code" CASCADE;
 DROP TABLE IF EXISTS "pa_operation" CASCADE;
 DROP TABLE IF EXISTS "pa_operation_template" CASCADE;
+DROP TABLE IF EXISTS "pa_unique_value" CASCADE;
 
 -- Optionally drop the shedlock table
 -- DROP TABLE IF EXISTS "shedlock" CASCADE;

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/PowerAuthClient.java

@@ -183,10 +183,13 @@ InitActivationResponse initActivation(String userId, String applicationId, Long
      * @param encryptedData                 Encrypted data for ECIES.
      * @param mac                           Mac of key and data for ECIES.
      * @param nonce                         Nonce for ECIES.
+     * @param protocolVersion               Crypto protocol version.
+     * @param timestamp                     Unix timestamp in milliseconds for ECIES.
      * @return {@link PrepareActivationResponse}
      * @throws PowerAuthClientException In case REST API call fails.
      */
-    PrepareActivationResponse prepareActivation(String activationCode, String applicationKey, boolean shouldGenerateRecoveryCodes, String ephemeralPublicKey, String encryptedData, String mac, String nonce) throws PowerAuthClientException;
+    PrepareActivationResponse prepareActivation(String activationCode, String applicationKey, boolean shouldGenerateRecoveryCodes, String ephemeralPublicKey,
+                                                String encryptedData, String mac, String nonce, String protocolVersion, Long timestamp) throws PowerAuthClientException;
 
     /**
      * Create a new activation directly, using the createActivation method of the PowerAuth Server
@@ -221,12 +224,14 @@ InitActivationResponse initActivation(String userId, String applicationId, Long
      * @param encryptedData             Encrypted data for ECIES.
      * @param mac                       Mac of key and data for ECIES.
      * @param nonce                     Nonce for ECIES.
+     * @param protocolVersion           Crypto protocol version.
+     * @param timestamp                 Unix timestamp in milliseconds for ECIES.
      * @return {@link CreateActivationResponse}
      * @throws PowerAuthClientException In case REST API call fails.
      */
     CreateActivationResponse createActivation(String userId, Date timestampActivationExpire, Long maxFailureCount,
                                               String applicationKey, String ephemeralPublicKey, String encryptedData,
-                                              String mac, String nonce) throws PowerAuthClientException;
+                                              String mac, String nonce, String protocolVersion, Long timestamp) throws PowerAuthClientException;
 
     /**
      * Call the updateActivationOtp method of PowerAuth 3.1 Server interface.
@@ -639,12 +644,14 @@ CreateActivationResponse createActivation(String userId, Date timestampActivatio
      * @param encryptedData      Encrypted data for ECIES.
      * @param mac                MAC of key and data for ECIES.
      * @param nonce              Nonce for ECIES.
+     * @param timestamp          Unix timestamp in milliseconds for ECIES.
      * @return {@link VaultUnlockResponse}
      * @throws PowerAuthClientException In case REST API call fails.
      */
     VaultUnlockResponse unlockVault(String activationId, String applicationKey, String signature,
                                     SignatureType signatureType, String signatureVersion, String signedData,
-                                    String ephemeralPublicKey, String encryptedData, String mac, String nonce) throws PowerAuthClientException;
+                                    String ephemeralPublicKey, String encryptedData, String mac, String nonce,
+                                    Long timestamp) throws PowerAuthClientException;
 
     /**
      * Call the verifyECDSASignature method of the PowerAuth 3.0 Server interface.
@@ -1232,12 +1239,15 @@ VaultUnlockResponse unlockVault(String activationId, String applicationKey, Stri
      * @param encryptedData      Encrypted request data.
      * @param mac                MAC computed for request key and data.
      * @param nonce              Nonce for ECIES.
+     * @param protocolVersion    Crypto protocol version.
+     * @param timestamp          Unix timestamp in milliseconds for ECIES.
      * @param signatureType      Type of the signature used for validating the create request.
      * @return Response with created token.
      * @throws PowerAuthClientException In case REST API call fails.
      */
     CreateTokenResponse createToken(String activationId, String applicationKey, String ephemeralPublicKey,
-                                    String encryptedData, String mac, String nonce, SignatureType signatureType) throws PowerAuthClientException;
+                                    String encryptedData, String mac, String nonce, String protocolVersion,
+                                    Long timestamp, SignatureType signatureType) throws PowerAuthClientException;
 
     /**
      * Validate credentials used for basic token-based authentication.
@@ -1326,11 +1336,15 @@ CreateTokenResponse createToken(String activationId, String applicationKey, Stri
      *
      * @param activationId       Activation ID.
      * @param applicationKey     Application key.
-     * @param ephemeralPublicKey Ephemeral key for ECIES.
+     * @param ephemeralPublicKey Ephemeral public key for ECIES.
+     * @param nonce              ECIES nonce.
+     * @param protocolVersion    Crypto protocol version.
+     * @param timestamp          Unix timestamp in milliseconds for ECIES.
      * @return ECIES decryptor parameters.
      * @throws PowerAuthClientException In case REST API call fails.
      */
-    GetEciesDecryptorResponse getEciesDecryptor(String activationId, String applicationKey, String ephemeralPublicKey) throws PowerAuthClientException;
+    GetEciesDecryptorResponse getEciesDecryptor(String activationId, String applicationKey, String ephemeralPublicKey,
+                                                String nonce, String protocolVersion, Long timestamp) throws PowerAuthClientException;
 
     /**
      * Start upgrade of activations to version 3.
@@ -1361,11 +1375,14 @@ CreateTokenResponse createToken(String activationId, String applicationKey, Stri
      * @param encryptedData      Encrypted request data.
      * @param mac                MAC computed for request key and data.
      * @param nonce              Nonce for ECIES.
+     * @param protocolVersion    Crypto protocol version.
+     * @param timestamp          Unix timestamp in milliseconds for ECIES.
      * @return Start upgrade response.
      * @throws PowerAuthClientException In case REST API call fails.
      */
     StartUpgradeResponse startUpgrade(String activationId, String applicationKey, String ephemeralPublicKey,
-                                      String encryptedData, String mac, String nonce) throws PowerAuthClientException;
+                                      String encryptedData, String mac, String nonce,
+                                      String protocolVersion, Long timestamp) throws PowerAuthClientException;
 
     /**
      * Commit upgrade of activations to version 3.
@@ -1455,11 +1472,14 @@ StartUpgradeResponse startUpgrade(String activationId, String applicationKey, St
      * @param encryptedData      Encrypted data for ECIES.
      * @param mac                MAC of key and data for ECIES.
      * @param nonce              Nonce for ECIES.
+     * @param protocolVersion    Crypto protocol version.
+     * @param timestamp          Unix timestamp in milliseconds for ECIES.
      * @return Confirm recovery code response.
      * @throws PowerAuthClientException In case REST API call fails.
      */
     ConfirmRecoveryCodeResponse confirmRecoveryCode(String activationId, String applicationKey, String ephemeralPublicKey,
-                                                    String encryptedData, String mac, String nonce) throws PowerAuthClientException;
+                                                    String encryptedData, String mac, String nonce,
+                                                    String protocolVersion, Long timestamp) throws PowerAuthClientException;
 
     /**
      * Lookup recovery codes.
@@ -1552,12 +1572,15 @@ LookupRecoveryCodesResponse lookupRecoveryCodes(String userId, String activation
      * @param ephemeralPublicKey Ephemeral key for ECIES.
      * @param encryptedData      Encrypted data for ECIES.
      * @param mac                MAC of key and data for ECIES.
-     * @param nonce              nonce for ECIES.
+     * @param nonce              Nonce for ECIES.
+     * @param protocolVersion    Crypto protocol version.
+     * @param timestamp          Unix timestamp in milliseconds for ECIES.
      * @return Create activation using recovery code response.
      * @throws PowerAuthClientException In case REST API call fails.
      */
     RecoveryCodeActivationResponse createActivationUsingRecoveryCode(String recoveryCode, String puk, String applicationKey, Long maxFailureCount,
-                                                                     String ephemeralPublicKey, String encryptedData, String mac, String nonce) throws PowerAuthClientException;
+                                                                     String ephemeralPublicKey, String encryptedData, String mac, String nonce,
+                                                                     String protocolVersion, Long timestamp) throws PowerAuthClientException;
 
     /**
      * Get recovery configuration.

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/ConfirmRecoveryCodeRequest.java

@@ -36,5 +36,7 @@ public class ConfirmRecoveryCodeRequest {
     private String mac;
     @ToString.Exclude
     private String nonce;
+    private Long timestamp;
+    private String protocolVersion;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/CreateActivationRequest.java

@@ -43,5 +43,7 @@ public class CreateActivationRequest {
     private String nonce;
     @ToString.Exclude
     private String activationOtp;
+    private String protocolVersion;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/CreateTokenRequest.java

@@ -38,5 +38,7 @@ public class CreateTokenRequest {
     @ToString.Exclude
     private String nonce;
     private SignatureType signatureType;
+    private String protocolVersion;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/GetEciesDecryptorRequest.java

@@ -19,6 +19,7 @@
 package com.wultra.security.powerauth.client.model.request;
 
 import lombok.Data;
+import lombok.ToString;
 
 /**
  * Model class representing request for ECIES decryptor initialization.
@@ -31,5 +32,9 @@ public class GetEciesDecryptorRequest {
     private String activationId;
     private String applicationKey;
     private String ephemeralPublicKey;
+    @ToString.Exclude
+    private String nonce;
+    private String protocolVersion;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/PrepareActivationRequest.java

@@ -37,5 +37,7 @@ public class PrepareActivationRequest {
     private String mac;
     @ToString.Exclude
     private String nonce;
+    private String protocolVersion;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/RecoveryCodeActivationRequest.java

@@ -42,5 +42,7 @@ public class RecoveryCodeActivationRequest {
     private String nonce;
     @ToString.Exclude
     private String activationOtp;
+    private String protocolVersion;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/StartUpgradeRequest.java

@@ -36,5 +36,7 @@ public class StartUpgradeRequest {
     private String mac;
     @ToString.Exclude
     private String nonce;
+    private String protocolVersion;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/request/VaultUnlockRequest.java

@@ -42,5 +42,6 @@ public class VaultUnlockRequest {
     private String mac;
     @ToString.Exclude
     private String nonce;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/response/ConfirmRecoveryCodeResponse.java

@@ -19,6 +19,7 @@
 package com.wultra.security.powerauth.client.model.response;
 
 import lombok.Data;
+import lombok.ToString;
 
 /**
  * Model class representing response with recovery code confirmation.
@@ -32,5 +33,9 @@ public class ConfirmRecoveryCodeResponse {
     private String userId;
     private String encryptedData;
     private String mac;
+    private String ephemeralPublicKey;
+    @ToString.Exclude
+    private String nonce;
+    private Long timestamp;
 
 }

powerauth-client-model/src/main/java/com/wultra/security/powerauth/client/model/response/CreateActivationResponse.java

@@ -20,6 +20,7 @@
 
 import com.wultra.security.powerauth.client.model.enumeration.ActivationStatus;
 import lombok.Data;
+import lombok.ToString;
 
 /**
  * Model class representing response with created activation.
@@ -34,6 +35,10 @@ public class CreateActivationResponse {
     private String applicationId;
     private String encryptedData;
     private String mac;
+    private String ephemeralPublicKey;
+    @ToString.Exclude
+    private String nonce;
+    private Long timestamp;
     private ActivationStatus activationStatus;
 
 }