io.getlime.security.powerauth.server.activation

Class PowerAuthServerActivation

java.lang.Object

io.getlime.security.powerauth.server.activation.PowerAuthServerActivation

public class PowerAuthServerActivation
extends Object

Class implementing cryptography used on a server side in order to assure PowerAuth Server activation related processes.

Author:

Petr Dvorak

Constructor Summary

Constructors

Constructor and Description
PowerAuthServerActivation()

Method Summary

Modifier and Type	Method and Description
int	computeDevicePublicKeyFingerprint(PublicKey devicePublicKey) Compute a fingerprint of the device public key.
byte[]	computeServerDataSignature(String activationId, byte[] C_serverPublicKey, PrivateKey masterPrivateKey) Compute an activation ID and encrypted server public key signature using the Master Private Key.
PublicKey	decryptDevicePublicKey(byte[] C_devicePublicKey, String activationIdShort, PrivateKey masterPrivateKey, PublicKey ephemeralPublicKey, String activationOTP, byte[] activationNonce) Decrypt the device public key using activation OTP.
byte[]	encryptedStatusBlob(byte statusByte, long counter, byte failedAttempts, byte maxFailedAttempts, SecretKey transportKey) Returns an encrypted status blob as described in PowerAuth 2.0 Specification.
byte[]	encryptServerPublicKey(PublicKey serverPublicKey, PublicKey devicePublicKey, PrivateKey ephemeralPrivateKey, String activationOTP, String activationIdShort, byte[] activationNonce) Encrypt the server public key using activation OTP and device public key.
String	generateActivationId() Generate a pseudo-unique activation ID.
String	generateActivationIdShort() Generate a pseudo-unique short activation ID.
byte[]	generateActivationNonce() Generate a new server activation nonce.
String	generateActivationOTP() Generate a pseudo-unique activation OTP.
byte[]	generateActivationSignature(String activationIdShort, String activationOTP, PrivateKey masterPrivateKey) Generate signature for the activation data.
KeyPair	generateServerKeyPair() Generate a server related activation key pair.
boolean	validateApplicationSignature(String activationIdShort, byte[] activationNonce, byte[] encryptedDevicePublicKey, byte[] applicationKey, byte[] applicationSecret, byte[] signature) Method validates the signature of the activation data in order to prove that a correct client application is attempting to complete the activation.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PowerAuthServerActivation

public PowerAuthServerActivation()

Method Detail

generateActivationId

public String generateActivationId()

Generate a pseudo-unique activation ID. Technically, this is UUID level 4 identifier. PowerAuth Server implementation should validate uniqueness in database, for the very unlikely case of collision.

Returns:

A new activation ID (UUID level 4).

generateActivationIdShort

public String generateActivationIdShort()

Generate a pseudo-unique short activation ID. Technically, the result is a string with 5+5 random Base32 characters (separated with the "-" character). PowerAuth Server implementation should validate that this identifier is unique among all activation records in CREATED or OTP_USED states, so that there are no collisions in activations.

Returns:

A new short activation ID.

generateActivationOTP

public String generateActivationOTP()

Generate a pseudo-unique activation OTP. Technically, the result is a string with 5+5 random Base32 characters (separated with the "-" character).

Returns:

A new activation OTP.

generateServerKeyPair

public KeyPair generateServerKeyPair()

Generate a server related activation key pair.

Returns:

A new server key pair.

generateActivationSignature

public byte[] generateActivationSignature(String activationIdShort,
                                          String activationOTP,
                                          PrivateKey masterPrivateKey)
                                   throws InvalidKeyException

Generate signature for the activation data. Activation data are constructed as a concatenation of activationIdShort and activationOTP, both values are separated with the "-" character: activationData = activationIdShort + "_" + activationOTP Signature is then computed using the master private key.

Parameters:

activationIdShort - Short activation ID.

activationOTP - Activation OTP value.

masterPrivateKey - Master Private Key.

Returns:

Signature of activation data using Master Private Key.

Throws:

InvalidKeyException - In case Master Private Key is invalid.

generateActivationNonce

public byte[] generateActivationNonce()

Generate a new server activation nonce.

Returns:

A new server activation nonce.

validateApplicationSignature

public boolean validateApplicationSignature(String activationIdShort,
                                            byte[] activationNonce,
                                            byte[] encryptedDevicePublicKey,
                                            byte[] applicationKey,
                                            byte[] applicationSecret,
                                            byte[] signature)

Method validates the signature of the activation data in order to prove that a correct client application is attempting to complete the activation.

Parameters:

activationIdShort - Short activation ID.

activationNonce - Client activation nonce.

encryptedDevicePublicKey - Encrypted device public key.

applicationKey - Application identifier.

applicationSecret - Application secret.

signature - Signature to be checked against.

Returns:

True if the signature is correct, false otherwise.

decryptDevicePublicKey

public PublicKey decryptDevicePublicKey(byte[] C_devicePublicKey,
                                        String activationIdShort,
                                        PrivateKey masterPrivateKey,
                                        PublicKey ephemeralPublicKey,
                                        String activationOTP,
                                        byte[] activationNonce)

Decrypt the device public key using activation OTP.

Parameters:

C_devicePublicKey - Encrypted device public key.

activationIdShort - Short activation ID.

masterPrivateKey - Server master private key.

ephemeralPublicKey - Ephemeral public key.

activationOTP - Activation OTP value.

activationNonce - Activation nonce, used as an initialization vector for AES encryption.

Returns:

A decrypted public key.

encryptServerPublicKey

public byte[] encryptServerPublicKey(PublicKey serverPublicKey,
                                     PublicKey devicePublicKey,
                                     PrivateKey ephemeralPrivateKey,
                                     String activationOTP,
                                     String activationIdShort,
                                     byte[] activationNonce)
                              throws InvalidKeyException

Encrypt the server public key using activation OTP and device public key. As a technical component for public key encryption, an ephemeral private key is used (in order to deduce ephemeral symmetric key using ECDH).

Parameters:

serverPublicKey - Server public key to be encrypted.

devicePublicKey - Device public key used for encryption.

ephemeralPrivateKey - Ephemeral private key.

activationOTP - Activation OTP value.

activationIdShort - Short activation ID.

activationNonce - Activation nonce, used as an initialization vector for AES encryption.

Returns:

Encrypted server public key.

Throws:

InvalidKeyException - In case some of the provided keys is invalid.

encryptedStatusBlob

public byte[] encryptedStatusBlob(byte statusByte,
                                  long counter,
                                  byte failedAttempts,
                                  byte maxFailedAttempts,
                                  SecretKey transportKey)
                           throws InvalidKeyException

Returns an encrypted status blob as described in PowerAuth 2.0 Specification.

Parameters:

statusByte - Byte determining the status of the activation.

counter - Bytes with a counter information.

failedAttempts - Number of failed attempts at the moment.

maxFailedAttempts - Number of allowed failed attempts.

transportKey - A key used to protect the transport.

Returns:

Encrypted status blob

Throws:

InvalidKeyException - When invalid key is provided.

computeServerDataSignature

public byte[] computeServerDataSignature(String activationId,
                                         byte[] C_serverPublicKey,
                                         PrivateKey masterPrivateKey)
                                  throws InvalidKeyException,
                                         UnsupportedEncodingException

Compute an activation ID and encrypted server public key signature using the Master Private Key.

Parameters:

activationId - Activation ID

C_serverPublicKey - Encrypted server public key.

masterPrivateKey - Master Private Key.

Returns:

Signature of the encrypted server public key.

Throws:

InvalidKeyException - If master private key is invalid.

UnsupportedEncodingException - In case UTF-8 is not supported on the system.

computeDevicePublicKeyFingerprint

public int computeDevicePublicKeyFingerprint(PublicKey devicePublicKey)

Compute a fingerprint of the device public key. The fingerprint can be used for visual validation of an exchanged public key.

Parameters:

devicePublicKey - Public key for computing fingerprint.

Returns:

Fingerprint of the public key.