Merge pull request #353 from wultra/develop
Prepare release 1.0.0
romanstrobl authored Nov 13, 2020
2 parents 9e41eab + a8fa48d commit 5c5cf95
Showing 30 changed files with 264 additions and 48 deletions.
71 changes: 71 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -0,0 +1,71 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"

on:
push:
branches: [develop, master]
pull_request:
# The branches below must be a subset of the branches above
branches: [develop]
schedule:
- cron: '0 2 * * 4'

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
# Override automatic language detection by changing the below list
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
language: ['java']
# Learn more...
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

steps:
- name: Checkout repository
uses: actions/checkout@v2
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2

# If this run was triggered by a pull request event, then checkout
# the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main

# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl

# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language

#- run: |
# make bootstrap
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
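Review bot: Every `uses:` step references its action by a mutable tag (`actions/checkout@v2`, `github/codeql-action/init@v1`, `autobuild@v1`, `analyze@v1`); pin each to a full commit SHA so that a moved tag cannot change what runs in CI for this repository. The workflow also declares no `permissions:` block, so the job runs with the default token scope; the analysis needs only `contents: read` and `security-events: write`. The `git checkout HEAD^2` step takes pull-request runs off the merge commit, so the results describe the PR head rather than the code as it would land on `develop`; confirm that this is the tree you intend to scan.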
2 changes: 1 addition & 1 deletion docs/Activation.md
Expand Up @@ -132,7 +132,7 @@ To describe the steps more precisely, the activation process is performed in fol
byte[] truncatedBytes = ByteUtils.truncate(Hash.sha256(KeyConversion.getBytes(fingerprintBytes), 4)
int H_K_DEVICE_PUBLIC = ByteUtils.getInt(truncatedBytes) & 0x7FFFFFFF) % (10 ^ 8)
```
_Note: Client and server should check the client's public key fingerprint before the shared secret established by the key exchange is considered active. This is necessary so that user can verify the exchanged information in order to detect the MITM attack. (Displaying fingerprint of the server key is not necessary, since the server's public key is signed using server's private master key and encrypted with activation OTP and server public key)._
_Note: Client and server should check the client's public key fingerprint before the shared secret established by the key exchange is considered active. This is necessary so that user can verify the exchanged information in order to detect the MITM attack._

1. PowerAuth Client uses `KEY_DEVICE_PRIVATE` and `KEY_SERVER_PUBLIC` to deduce `KEY_MASTER_SECRET` using ECDH.
```java
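Review bot: The fingerprint snippet in the context lines directly above the edited note does not compute what it describes: in `& 0x7FFFFFFF) % (10 ^ 8)` the parentheses are unbalanced and `^` is XOR in Java, so `10 ^ 8` evaluates to 2 rather than 100000000, and the `Hash.sha256(...)` line above it is missing a closing parenthesis. Since this paragraph is being touched, write the modulus as `100000000` and balance the parentheses. The edited note also drops the explanation of why the server key fingerprint is not displayed without replacing it; either state the reason that now applies or say explicitly that only the client key fingerprint is shown.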
4 changes: 2 additions & 2 deletions docs/Implementation-notes.md
Expand Up @@ -4,15 +4,15 @@ Following implementation notes use simplified Java code with definitions from th

## Used Cryptography

A PowerAuth key exchange mechanism is based on **ECDH** key exchange algorithm with **P256r1 curve**. Additionally, an **ECDSA** (more specifically, **SHA256withECDSA** algorighm) is used for signing data sent from the service provider using a provider's Master Private Key. After a successful key exchange, both client and server have a shared master secret and they establish a shared counter initialized on 0 (later on, each signature attempt increments this counter). The PowerAuth signature is computed using data, shared master secret and counter using the **HMAC** algorithm.
A PowerAuth key exchange mechanism is based on **ECDH** key exchange algorithm with **P256r1 curve**. Additionally, an **ECDSA** (more specifically, **SHA256withECDSA** algorighm) is used for signing data sent from the service provider using a provider's Master Private Key. After a successful key exchange, both client and server have a shared master secret and they establish a shared counter initialized on 0. Later on, each signature attempt increments this counter. A related hash-based counter is initialized as well with a random value and it is updated with each signature attempt. The PowerAuth signature is computed using data, shared master secret and counter using the **HMAC** algorithm.

## Key Derivation Functions

KDF (Key Derivation Function) is an algorithm used for deriving a secret key from a master secret key using a pseudo-random function. PowerAuth uses three types of functions for KDF:

- **KDF** - AES-based KDF function. Works by encrypting fixed `long` index with a random secret master key. This function is handy for situations where developer selects the function index. A human readable index, such as "1", "2", or "1000" can be selected for key derivation.
- **KDF_INTERNAL** - HMAC-SHA256-based KDF function. Works by computing HMAC-SHA256 of provided `byte[]` index with a random secret master key. This function is used in internal algorithm workings, in situations where readability of the index is not important at all.
- **PBKDF2** - Standard algorithm for deriving long keys from short passwords. This function is considered a standard KDF and it is used only for deriving base key from the user entered password. Since it has no major impact on PowerAuth cryptography, we will not elaborate about this KFD in more details.
- **PBKDF2** - Standard algorithm for deriving long keys from short passwords. This function is considered a standard KDF and it is used only for deriving base key from the user entered password. Since it has no major impact on PowerAuth cryptography, we will not elaborate about this KDF in more details.

### KDF Description
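Review bot: The rewritten "Used Cryptography" paragraph introduces a hash-based counter, but its last sentence still says the signature is computed from "data, shared master secret and counter", which no longer tells the reader which of the two counters feeds the HMAC; name the one that is used. The new text also carries over the typo "algorighm", and "initialized on 0" would read better as "initialized to 0"; the same hunk already fixes "KFD", so these can go in with it.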

2 changes: 1 addition & 1 deletion docs/List-of-used-keys.md
Expand Up @@ -10,7 +10,7 @@ Following keys are used in the PowerAuth cryptography scheme.
| `KEY_SERVER_PUBLIC` | ECDH - public key | Generated on server to allow construction of `KEY_MASTER_SECRET` |
| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Stored on server, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client |
| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Stored on client, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client |
| `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE,KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE,KEY_DEVICE_PUBLIC)` |
| `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` |
| `KEY_SIGNATURE_POSSESSION` | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.expand(KEY_MASTER_SECRET, 1)`, used for subsequent request signing |
| `KEY_SIGNATURE_KNOWLEDGE` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.expand(KEY_MASTER_SECRET, 2)`, used for subsequent request signing |
| `KEY_SIGNATURE_BIOMETRY` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the biometry factor, deduced using KDF derivation with `INDEX = 3`, `KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, 3)`, used for subsequent request signing |
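Review bot: The `KEY_SIGNATURE_BIOMETRY` row in the context lines uses `KDF.derive(KEY_MASTER_SECRET, 3)` while the possession and knowledge rows use `KDF.expand(...)` for the same derivation with a different index; pick one name so readers do not assume two different functions. While the table is open, the possession row has a misplaced comma ("the possession, factor deduced"), and the changed `KEY_MASTER_SECRET` row is typed "ECDH - pre-shared" although its own description says the key is deduced by ECDH; "shared secret" would match the description.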
6 changes: 3 additions & 3 deletions docs/PowerAuth-2019.05.md
Expand Up @@ -15,7 +15,7 @@ For updating to 2019.05, please follow these migration guides:

| Component | Application Name | Version | Description |
|---|---|---|---|
| PowerAuth Server | `powerauth-java-server.war` | 0.22.2 | Core back-end component for PowerAuth stack. |
| PowerAuth Server | `powerauth-java-server.war` | 0.22.4 | Core back-end component for PowerAuth stack. |
| PowerAuth Admin | `powerauth-admin.war` | 0.22.0 | Administration console for PowerAuth Server. |
| PowerAuth Push Server | `powerauth-push-server.war` | 0.22.0 | Simple to deploy push server for APNS and FCM. |
| PowerAuth Web Flow | `powerauth-webflow.war` | 0.22.2 | Central web authentication page. |
Expand Down Expand Up @@ -46,8 +46,8 @@ _Note: Libraries with version `0.20.x` support PowerAuth protocol version `2`. L
| PowerAuth RESTful Model | `powerauth-restful-model.jar` | 0.22.4 | Model classes for request and response objects used in PowerAuth Standard RESTful API. |
| PowerAuth RESTful API Security for Spring | `powerauth-restful-security-spring.jar` | 0.22.4 | High-level integration libraries for RESTful API security, build for Spring MVC. |
| PowerAuth RESTful API Security for JAX-RS | `powerauth-restful-security-javaee.jar` | 0.22.4 | High-level integration libraries for RESTful API security, build for Java EE (JAX-RS). |
| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 0.22.2 | SOAP service client for PowerAuth Server service, built using Spring WS. |
| PowerAuth SOAP Client for Axis2 | `powerauth-java-client-axis.jar` | 0.22.2 | SOAP service client for PowerAuth Server service, built using Axis2. |
| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 0.22.4 | SOAP service client for PowerAuth Server service, built using Spring WS. |
| PowerAuth SOAP Client for Axis2 | `powerauth-java-client-axis.jar` | 0.22.4 | SOAP service client for PowerAuth Server service, built using Axis2. |
| PowerAuth Push Server RESTful Model | `powerauth-push-model.jar` | 0.22.0 | Model classes for request and response objects used in PowerAuth Push Server. |
| PowerAuth Push Server RESTful Client | `powerauth-push-client.jar` | 0.22.0 | Client implementation that simplifies integration with PowerAuth Push Server service. |
| PowerAuth Data Adapter RESTful Model | `powerauth-data-adapter-model.jar` | 0.22.2 | Model classes for request and response objects used in PowerAuth Data Adapter component. |
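Review bot: The unchanged rows next to the bumped SOAP client versions read "build for Spring MVC" and "build for Java EE (JAX-RS)" while the edited rows say "built using"; change "build for" to "built for" while this table is being edited. The same wording appears in the 2019.11 and 2020.05 tables touched by this commit.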
6 changes: 3 additions & 3 deletions docs/PowerAuth-2019.11.md
Expand Up @@ -16,7 +16,7 @@ For updating to 2019.11, please follow these migration guides:

| Component | Application Name | Version | Description |
|---|---|---|---|
| PowerAuth Server | `powerauth-java-server.war` | 0.23.2 | Core back-end component for PowerAuth stack. |
| PowerAuth Server | `powerauth-java-server.war` | 0.23.3 | Core back-end component for PowerAuth stack. |
| PowerAuth Admin | `powerauth-admin.war` | 0.23.0 | Administration console for PowerAuth Server. |
| PowerAuth Push Server | `powerauth-push-server.war` | 0.23.1 | Simple to deploy push server for APNS and FCM. |
| PowerAuth Web Flow | `powerauth-webflow.war` | 0.23.2 | Central web authentication page. |
Expand Down Expand Up @@ -47,8 +47,8 @@ _Note: Libraries with version `1.2.x` support PowerAuth protocol version `3`. Li
| PowerAuth RESTful Model | `powerauth-restful-model.jar` | 0.23.1 | Model classes for request and response objects used in PowerAuth Standard RESTful API. |
| PowerAuth RESTful API Security for Spring | `powerauth-restful-security-spring.jar` | 0.23.1 | High-level integration libraries for RESTful API security, build for Spring MVC. |
| PowerAuth RESTful API Security for JAX-RS | `powerauth-restful-security-javaee.jar` | 0.23.1 | High-level integration libraries for RESTful API security, build for Java EE (JAX-RS). |
| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 0.23.1 | SOAP service client for PowerAuth Server service, built using Spring WS. |
| PowerAuth SOAP Client for Axis2 | `powerauth-java-client-axis.jar` | 0.23.1 | SOAP service client for PowerAuth Server service, built using Axis2. |
| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 0.23.3 | SOAP service client for PowerAuth Server service, built using Spring WS. |
| PowerAuth SOAP Client for Axis2 | `powerauth-java-client-axis.jar` | 0.23.3 | SOAP service client for PowerAuth Server service, built using Axis2. |
| PowerAuth Push Server RESTful Model | `powerauth-push-model.jar` | 0.23.1 | Model classes for request and response objects used in PowerAuth Push Server. |
| PowerAuth Push Server RESTful Client | `powerauth-push-client.jar` | 0.23.1 | Client implementation that simplifies integration with PowerAuth Push Server service. |
| PowerAuth Data Adapter RESTful Model | `powerauth-data-adapter-model.jar` | 0.23.2 | Model classes for request and response objects used in PowerAuth Data Adapter component. |
6 changes: 3 additions & 3 deletions docs/PowerAuth-2020.05.md
Expand Up @@ -15,7 +15,7 @@ For updating to 2020.05, please follow these migration guides:

| Component | Application Name | Version | Description |
|---|---|---|---|
| PowerAuth Server | `powerauth-java-server.war` | 0.24.0 | Core back-end component for PowerAuth stack. |
| PowerAuth Server | `powerauth-java-server.war` | 0.24.2 | Core back-end component for PowerAuth stack. |
| PowerAuth Admin | `powerauth-admin.war` | 0.24.0 | Administration console for PowerAuth Server. |
| PowerAuth Push Server | `powerauth-push-server.war` | 0.24.0 | Simple to deploy push server for APNS and FCM. |
| PowerAuth Web Flow | `powerauth-webflow.war` | 0.24.0 | Central web authentication page. |
Expand Down Expand Up @@ -44,8 +44,8 @@ For updating to 2020.05, please follow these migration guides:
| PowerAuth RESTful Model | `powerauth-restful-model.jar` | 0.24.0 | Model classes for request and response objects used in PowerAuth Standard RESTful API. |
| PowerAuth RESTful API Security for Spring | `powerauth-restful-security-spring.jar` | 0.24.0 | High-level integration libraries for RESTful API security, build for Spring MVC. |
| PowerAuth RESTful API Security for JAX-RS | `powerauth-restful-security-javaee.jar` | 0.24.0 | High-level integration libraries for RESTful API security, build for Java EE (JAX-RS). |
| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 0.24.0 | SOAP service client for PowerAuth Server service, built using Spring WS. |
| PowerAuth SOAP Client for Axis2 | `powerauth-java-client-axis.jar` | 0.24.0 | SOAP service client for PowerAuth Server service, built using Axis2. |
| PowerAuth SOAP Client for Spring WS | `powerauth-java-client-spring.jar` | 0.24.2 | SOAP service client for PowerAuth Server service, built using Spring WS. |
| PowerAuth SOAP Client for Axis2 | `powerauth-java-client-axis.jar` | 0.24.2 | SOAP service client for PowerAuth Server service, built using Axis2. |
| PowerAuth Push Server RESTful Model | `powerauth-push-model.jar` | 0.24.0 | Model classes for request and response objects used in PowerAuth Push Server. |
| PowerAuth Push Server RESTful Client | `powerauth-push-client.jar` | 0.24.0 | Client implementation that simplifies integration with PowerAuth Push Server service. |
| PowerAuth Data Adapter RESTful Model | `powerauth-data-adapter-model.jar` | 0.24.0 | Model classes for request and response objects used in PowerAuth Data Adapter component. |