From 715c28d835c03d93b5f79ffd5741721805b82021 Mon Sep 17 00:00:00 2001
From: anhefti <andreas.hefti@let.ethz.ch>
Date: Tue, 31 Jan 2023 09:28:51 +0100
Subject: [PATCH] SEBSERV-335 encrypted ASK with no added salt expected

---
 .../institution/SecurityKeyService.java       |  5 +++-
 .../impl/SecurityKeyServiceImpl.java          | 15 +++++++++--
 .../impl/SEBClientConnectionServiceImpl.java  | 26 ++++++++++++++++---
 3 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/SecurityKeyService.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/SecurityKeyService.java
index e8ba09d9..514e7a62 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/SecurityKeyService.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/SecurityKeyService.java
@@ -66,7 +66,10 @@ public interface SecurityKeyService {
      * @param appSignatureKey The encrypted App Signature Key sent by a SEB client
      * @param connectionToken The connection token of the SEB client connection
      * @return Result refer to the App Signature Key hash for given App Signature Key or to an error when happened */
-    Result<String> getAppSignatureKeyHash(String appSignatureKey, String connectionToken);
+    Result<String> getAppSignatureKeyHash(
+            String appSignatureKey,
+            String connectionToken,
+            CharSequence salt);
 
     /** Use this to update an App Signature Key grant for a particular SEB connection. This will
      * apply the security check again and mark the connection regarding to the security check.
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/impl/SecurityKeyServiceImpl.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/impl/SecurityKeyServiceImpl.java
index 105753be..2ca615b8 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/impl/SecurityKeyServiceImpl.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/institution/impl/SecurityKeyServiceImpl.java
@@ -167,14 +167,25 @@ public class SecurityKeyServiceImpl implements SecurityKeyService {
     }
 
     @Override
-    public Result<String> getAppSignatureKeyHash(final String appSignatureKey, final String connectionToken) {
+    public Result<String> getAppSignatureKeyHash(
+            final String appSignatureKey,
+            final String connectionToken,
+            final CharSequence salt) {
+
         if (StringUtils.isBlank(appSignatureKey)) {
             return Result.ofEmpty();
         }
 
         // TODO if certificate encryption is available check if exam has defined certificate for decryption
 
-        return Cryptor.decrypt(appSignatureKey, connectionToken)
+        return Cryptor
+                .decrypt(appSignatureKey + salt, connectionToken)
+                .onErrorDo(error -> {
+                    log.warn(
+                            "Failed to decrypt ASK with added salt value. Try to decrypt without added salt. Error: {}",
+                            error.getMessage());
+                    return Cryptor.decrypt(appSignatureKey, connectionToken).get();
+                })
                 .map(signature -> createSignatureHash(signature));
 
     }
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/SEBClientConnectionServiceImpl.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/SEBClientConnectionServiceImpl.java
index fb03ae40..d4c36b6b 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/SEBClientConnectionServiceImpl.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/session/impl/SEBClientConnectionServiceImpl.java
@@ -278,7 +278,10 @@ public class SEBClientConnectionServiceImpl implements SEBClientConnectionServic
                             null,
                             null,
                             null,
-                            getSignatureHash(appSignatureKey, connectionToken)))
+                            getSignatureHash(
+                                    appSignatureKey,
+                                    connectionToken,
+                                    clientConnection.examId != null ? clientConnection.examId : examId)))
                     .getOrThrow();
 
             // initialize distributed indicator value caches if possible and needed
@@ -400,7 +403,10 @@ public class SEBClientConnectionServiceImpl implements SEBClientConnectionServic
                     null,
                     proctoringEnabled,
                     null,
-                    getSignatureHash(appSignatureKey, connectionToken));
+                    getSignatureHash(
+                            appSignatureKey,
+                            connectionToken,
+                            clientConnection.examId != null ? clientConnection.examId : examId));
 
             // ClientConnection integrity check
             // institutionId, connectionToken and clientAddress must be set
@@ -813,9 +819,21 @@ public class SEBClientConnectionServiceImpl implements SEBClientConnectionServic
         return this.examSessionService.getConnectionDataInternal(connectionToken);
     }
 
-    private String getSignatureHash(final String appSignatureKey, final String connectionToken) {
+    private String getSignatureHash(
+            final String appSignatureKey,
+            final String connectionToken,
+            final Long examId) {
+
+        if (examId == null) {
+            return null;
+        }
+
+        final String salt = this.examSessionService
+                .getAppSignatureKeySalt(examId)
+                .getOr(null);
+
         return this.securityKeyService
-                .getAppSignatureKeyHash(appSignatureKey, connectionToken)
+                .getAppSignatureKeyHash(appSignatureKey, connectionToken, salt)
                 .onError(error -> log.error("Failed to get hash signature from sent app signature key: ", error))
                 .getOr(null);
     }