Merge pull request #389 from wultra/develop

Prepare release 1.2.0

docs/PowerAuth-2021.05.md

@@ -4,9 +4,9 @@
 
 For updating to 2021.05, please follow these migration guides:
 
-- [PowerAuth Server - Migration from version 1.1.0 to version 1.1.0](https://github.com/wultra/powerauth-server/blob/develop/docs/PowerAuth-Server-1.1.0.md)
-- [PowerAuth Push Server - Migration from version 1.1.0 to version 1.1.0](https://github.com/wultra/powerauth-push-server/blob/develop/docs/PowerAuth-Push-Server-1.1.0.md)
-- [PowerAuth Web Flow - Migration from version 1.1.0 to version 1.1.0](https://github.com/wultra/powerauth-webflow/blob/develop/docs/Web-Flow-1.1.0.md)
+- [PowerAuth Server - Migration from version 1.0.0 to version 1.1.0](https://github.com/wultra/powerauth-server/blob/develop/docs/PowerAuth-Server-1.1.0.md)
+- [PowerAuth Push Server - Migration from version 1.0.0 to version 1.1.0](https://github.com/wultra/powerauth-push-server/blob/develop/docs/PowerAuth-Push-Server-1.1.0.md)
+- [PowerAuth Web Flow - Migration from version 1.0.0 to version 1.1.0](https://github.com/wultra/powerauth-webflow/blob/develop/docs/Web-Flow-1.1.0.md)
 - [PowerAuth Mobile SDK - Migration from version 1.5.0 to version 1.6.0](https://github.com/wultra/powerauth-mobile-sdk/blob/develop/docs/Migration-from-1.5-to-1.6.md)
 
 ## Components for version 2021.05
@@ -66,4 +66,4 @@ For updating to 2021.05, please follow these migration guides:
 
 ## Known Issues When Updating From Older Versions
 
-_No known issues so far._
+_No known issues so far._

docs/PowerAuth-2021.11.md

@@ -0,0 +1,69 @@
+# PowerAuth 2021.11
+
+## Migration guides
+
+For updating to 2021.11, please follow these migration guides:
+
+- [PowerAuth Server - Migration from version 1.1.0 to version 1.2.0](https://github.com/wultra/powerauth-server/blob/develop/docs/PowerAuth-Server-1.2.0.md)
+- [PowerAuth Push Server - Migration from version 1.1.0 to version 1.2.0](https://github.com/wultra/powerauth-push-server/blob/develop/docs/PowerAuth-Push-Server-1.2.0.md)
+- [PowerAuth Web Flow - Migration from version 1.1.0 to version 1.2.0](https://github.com/wultra/powerauth-webflow/blob/develop/docs/Web-Flow-1.2.0.md)
+- [PowerAuth Mobile SDK - Migration from version 1.5.0 to version 1.6.0](https://github.com/wultra/powerauth-mobile-sdk/blob/develop/docs/Migration-from-1.5-to-1.6.md)
+
+## Components for version 2021.11
+
+### Back-End Applications
+
+| Component | Application Name | Version | Description |
+|---|---|---|---|
+| PowerAuth Server | `powerauth-java-server.war` | 1.2.0 | Core back-end component for PowerAuth stack. |
+| PowerAuth Admin | `powerauth-admin.war` | 1.2.0 | Administration console for PowerAuth Server. |
+| PowerAuth Push Server | `powerauth-push-server.war` | 1.2.0 | Simple to deploy push server for APNS and FCM. |
+| PowerAuth Web Flow | `powerauth-webflow.war` | 1.2.0 | Central web authentication page. |
+| PowerAuth Next Step | `powerauth-next-step.war` | 1.2.0 | Authorization server used for PowerAuth Web Flow component. |
+| PowerAuth Data Adapter | `powerauth-data-adapter.war` | 1.2.0 | Customization component for PowerAuth Web Flow. |
+| PowerAuth Tpp Engine | `powerauth-tpp-engine.war` | 1.2.0 | Third party provider registry and consent engine. |
+
+### Utilities
+
+| Component | Application Name | Version | Description |
+|---|---|---|---|
+| PowerAuth Command Line Tool | `powerauth-java-cmd.jar` | 1.2.0 | Command line tool for integration testing. |
+
+### Mobile Libraries
+
+| Platform | Package Name | Version | Description |
+|---|---|---|---|
+| iOS | `PowerAuth2` | 1.6.2 | A client library for iOS. |
+| watchOS | `PowerAuth2ForWatch` | 1.6.2 | A limited library for watchOS. |
+| iOS App Extensions | `PowerAuth2ForExtensions` | 1.6.2 | A limited library for iOS App Extensions. |
+| Android | `com.wultra.android.powerauth:powerauth-sdk` | 1.6.2 | A client library for Android. |
+
+### Back-End Integration Libraries
+
+| Component | Library Name |  Version | Description |
+|---|---|---|---|
+| PowerAuth RESTful Model | `powerauth-restful-model.jar` | 1.2.0 | Model classes for request and response objects used in PowerAuth Standard RESTful API. |
+| PowerAuth RESTful API Security for Spring | `powerauth-restful-security-spring.jar` | 1.2.0 | High-level integration libraries for RESTful API security, build for Spring MVC. |
+| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 1.2.0 | SOAP service client for PowerAuth Server service, built using Spring WS. |
+| PowerAuth Push Server RESTful Model | `powerauth-push-model.jar` | 1.2.0 | Model classes for request and response objects used in PowerAuth Push Server. |
+| PowerAuth Push Server RESTful Client | `powerauth-push-client.jar` | 1.2.0 | Client implementation that simplifies integration with PowerAuth Push Server service. |
+| PowerAuth Data Adapter RESTful Model | `powerauth-data-adapter-model.jar` | 1.2.0 | Model classes for request and response objects used in PowerAuth Data Adapter component. |
+| PowerAuth Data Adapter Client | `powerauth-data-adapter-client.jar` | 1.2.0 | Client implementation that simplifies integration with PowerAuth Data Adapter custom component. |
+| PowerAuth Next Step RESTful Model | `powerauth-nextstep-model.jar` | 1.2.0 | Model classes for request and response objects used in PowerAuth Next Step service. |
+| PowerAuth Next Step Client | `powerauth-nextstep-client.jar` | 1.2.0 | Client implementation that simplifies integration with PowerAuth Next Step service. |
+| PowerAuth Mobile Token Model | `powerauth-mtoken-model.jar` | 1.2.0 | Model classes for request and response objects used in PowerAuth Mobile Token. |
+
+### Technical Dependencies
+
+| Component | Library Name | Version | Description |
+|---|---|---|---|
+| PowerAuth Cryptography | `powerauth-java-crypto.jar` | 1.2.0 | Core cryptography implementation of the PowerAuth protocol. |
+| PowerAuth HTTP Utilities | `powerauth-java-http.jar` | 1.2.0 | Utilities used for binding PowerAuth cryptography to HTTP technology. |
+| PowerAuth Command-Line Tool Library | `powerauth-java-cmd-lib.jar` | 1.2.0 | Library used for implementation of the PowerAuth Command-Line Tool app, useful for unit testing. |
+| PowerAuth RESTful Security Base Support | `powerauth-restful-security-base.jar` | 1.2.0 | Base classes for RESTful API security. |
+| Wultra Java Networking Objects | `rest-model-base.jar` | 1.4.0 | Base classes for RESTful API networking, shared across all Wultra back-end projects. |
+| Wultra REST Client | `rest-client-base.jar` | 1.4.0 | Base RESTful client implementation, shared across all Wultra back-end projects. |
+
+## Known Issues When Updating From Older Versions
+
+_No known issues so far._

docs/Releases.md

@@ -12,11 +12,13 @@ In order to consolidate the information about the current versions, we have intr
 
 ## List of Releases
 
+- [PowerAuth 2021.11](./PowerAuth-2021.11.md)
+- [PowerAuth 2021.05](./PowerAuth-2021.05.md)
 - [PowerAuth 2020.11](./PowerAuth-2020.11.md)
 - [PowerAuth 2020.05](./PowerAuth-2020.05.md)
 - [PowerAuth 2019.11](./PowerAuth-2019.11.md)
 - [PowerAuth 2019.05](./PowerAuth-2019.05.md)
 - [PowerAuth 2018.12](./PowerAuth-2018.12.md)
 - [PowerAuth 2018.06](./PowerAuth-2018.06.md)
 - [PowerAuth 2018.03](./PowerAuth-2018.03.md)
-- [PowerAuth 2017.11](./PowerAuth-2017.11.md)
+- [PowerAuth 2017.11](./PowerAuth-2017.11.md)

pom.xml

@@ -25,7 +25,7 @@
 
     <groupId>io.getlime.security</groupId>
     <artifactId>powerauth-crypto-parent</artifactId>
-    <version>1.1.0</version>
+    <version>1.2.0</version>
     <packaging>pom</packaging>
 
     <inceptionYear>2016</inceptionYear>
@@ -136,13 +136,11 @@
             <build>
                 <plugins>
                     <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-gpg-plugin</artifactId>
-                        <version>3.0.1</version>
+                        <groupId>org.kohsuke</groupId>
+                        <artifactId>pgp-maven-plugin</artifactId>
+                        <version>1.1</version>
                         <executions>
                             <execution>
-                                <id>sign-artifacts</id>
-                                <phase>verify</phase>
                                 <goals>
                                     <goal>sign</goal>
                                 </goals>

powerauth-java-crypto/pom.xml

@@ -21,50 +21,50 @@
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>powerauth-java-crypto</artifactId>
-	<version>1.1.0</version>
+	<version>1.2.0</version>
 	<packaging>jar</packaging>
 
 	<parent>
 		<groupId>io.getlime.security</groupId>
 		<artifactId>powerauth-crypto-parent</artifactId>
-		<version>1.1.0</version>
+		<version>1.2.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
 	<dependencies>
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
-			<version>30.1.1-jre</version>
+			<version>31.0.1-jre</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
-			<version>1.7.30</version>
+			<version>1.7.32</version>
 		</dependency>
 		<dependency>
-			<groupId>junit</groupId>
-			<artifactId>junit</artifactId>
-			<version>4.13.2</version>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-engine</artifactId>
+			<version>5.7.2</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.12.3</version>
+			<version>2.13.0</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-simple</artifactId>
-			<version>1.7.30</version>
+			<version>1.7.32</version>
 			<scope>test</scope>
 		</dependency>
 
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk15on</artifactId>
-			<version>1.68</version>
+			<version>1.69</version>
 			<scope>provided</scope>
 		</dependency>
 	</dependencies>

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesDecryptor.java

@@ -24,14 +24,14 @@
 import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils;
 import io.getlime.security.powerauth.crypto.lib.util.HMACHashUtilities;
 import io.getlime.security.powerauth.crypto.lib.util.KeyConvertor;
+import io.getlime.security.powerauth.crypto.lib.util.SideChannelUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.crypto.SecretKey;
 import java.security.InvalidKeyException;
 import java.security.PrivateKey;
 import java.security.interfaces.ECPrivateKey;
-import java.util.Arrays;
 
 /**
  * Class implementing an ECIES decryptor.
@@ -222,7 +222,7 @@ private byte[] decrypt(EciesCryptogram cryptogram, boolean requireIv) throws Eci
             // Validate data MAC value
             final byte[] macData = (sharedInfo2 == null ? cryptogram.getEncryptedData() : Bytes.concat(cryptogram.getEncryptedData(), sharedInfo2));
             final byte[] mac = hmac.hash(envelopeKey.getMacKey(), macData);
-            if (!Arrays.equals(mac, cryptogram.getMac())) {
+            if (!SideChannelUtils.constantTimeAreEqual(mac, cryptogram.getMac())) {
                 throw new EciesException("Invalid MAC");
             }
 

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java

@@ -25,14 +25,14 @@
 import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils;
 import io.getlime.security.powerauth.crypto.lib.util.HMACHashUtilities;
 import io.getlime.security.powerauth.crypto.lib.util.KeyConvertor;
+import io.getlime.security.powerauth.crypto.lib.util.SideChannelUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.crypto.SecretKey;
 import java.security.InvalidKeyException;
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
-import java.util.Arrays;
 
 /**
  * Class implementing an ECIES encryptor.
@@ -232,7 +232,7 @@ private byte[] decrypt(EciesCryptogram cryptogram) throws EciesException {
             // Validate data MAC value
             final byte[] macData = (sharedInfo2 == null ? cryptogram.getEncryptedData() : Bytes.concat(cryptogram.getEncryptedData(), sharedInfo2));
             final byte[] mac = hmac.hash(envelopeKey.getMacKey(), macData);
-            if (!Arrays.equals(mac, cryptogram.getMac())) {
+            if (!SideChannelUtils.constantTimeAreEqual(mac, cryptogram.getMac())) {
                 throw new EciesException("Invalid MAC");
             }
 

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/model/Argon2Hash.java

@@ -17,6 +17,7 @@
 package io.getlime.security.powerauth.crypto.lib.model;
 
 import com.google.common.io.BaseEncoding;
+import io.getlime.security.powerauth.crypto.lib.util.SideChannelUtils;
 
 import java.io.IOException;
 import java.util.*;
@@ -231,7 +232,7 @@ public boolean hashEquals(Argon2Hash other) {
         if (digest == null || other.digest == null) {
             return false;
         }
-        return Arrays.equals(digest, other.digest);
+        return SideChannelUtils.constantTimeAreEqual(digest, other.digest);
     }
 
     /**

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/HashBasedCounterUtils.java

@@ -104,6 +104,6 @@ public boolean verifyHashForHashBasedCounter(byte[] receivedCtrDataHash, byte[]
         // Calculate hash from current hash based counter
         final byte[] expectedCtrDataHash = calculateHashFromHashBasedCounter(expectedCtrData, transportKey);
         // Compare both hashed values
-        return Arrays.equals(expectedCtrDataHash, receivedCtrDataHash);
+        return SideChannelUtils.constantTimeAreEqual(expectedCtrDataHash, receivedCtrDataHash);
     }
 }

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/SideChannelUtils.java

@@ -0,0 +1,41 @@
+/*
+ * PowerAuth Crypto Library
+ * Copyright 2021 Wultra s.r.o.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.getlime.security.powerauth.crypto.lib.util;
+
+import org.bouncycastle.util.Arrays;
+
+/**
+ * Utilities for preventing side channel attacks.
+ *
+ * @author Roman Strobl, [email protected]
+ */
+public class SideChannelUtils {
+
+    private SideChannelUtils() {
+
+    }
+
+    /**
+     * Compare two byte arrays in constant time.
+     * @param bytes1 First byte array.
+     * @param bytes2 Second byte array.
+     * @return Whether byte arrays are equal.
+     */
+    public static boolean constantTimeAreEqual(byte[] bytes1, byte[] bytes2) {
+        return Arrays.constantTimeAreEqual(bytes1, bytes2);
+    }
+}

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java

@@ -116,7 +116,7 @@ public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSec
      * @throws CryptoProviderException In case cryptography provider is incorrectly initialized.
      */
     public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException {
-        return Arrays.equals(computeTokenDigest(nonce, timestamp, tokenSecret), tokenDigest);
+        return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, tokenSecret), tokenDigest);
     }
 
 }

powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/activation/ActivationStatusBlobInfoTest.java

@@ -26,8 +26,8 @@
 import io.getlime.security.powerauth.crypto.server.activation.PowerAuthServerActivation;
 import io.getlime.security.powerauth.crypto.server.keyfactory.PowerAuthServerKeyFactory;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 
 import javax.crypto.SecretKey;
 import java.nio.ByteBuffer;
@@ -36,7 +36,7 @@
 import java.security.Security;
 import java.util.Arrays;
 
-import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.*;
 
 /**
  * Test activation status blob.
@@ -48,8 +48,8 @@ public class ActivationStatusBlobInfoTest {
     /**
      * Add crypto providers.
      */
-    @Before
-    public void setUp() {
+    @BeforeAll
+    public static void setUp() {
         // Add Bouncy Castle Security Provider
         Security.addProvider(new BouncyCastleProvider());
     }

powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/activation/PowerAuthActivationTest.java

@@ -24,16 +24,16 @@
 import io.getlime.security.powerauth.crypto.lib.util.KeyConvertor;
 import io.getlime.security.powerauth.crypto.server.activation.PowerAuthServerActivation;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 
 import javax.crypto.SecretKey;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Security;
 
-import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.*;
 
 /**
  * @author petrdvorak
@@ -45,8 +45,8 @@ public class PowerAuthActivationTest {
     /**
      * Add crypto providers.
      */
-    @Before
-    public void setUp() {
+    @BeforeAll
+    public static void setUp() {
         // Add Bouncy Castle Security Provider
         Security.addProvider(new BouncyCastleProvider());
     }