SEBSERV-335 encrypted ASK with no added salt expected

This commit is contained in:
anhefti 2023-01-31 09:28:51 +01:00
parent a078d1d421
commit 715c28d835
3 changed files with 39 additions and 7 deletions

View file

@ -66,7 +66,10 @@ public interface SecurityKeyService {
* @param appSignatureKey The encrypted App Signature Key sent by a SEB client * @param appSignatureKey The encrypted App Signature Key sent by a SEB client
* @param connectionToken The connection token of the SEB client connection * @param connectionToken The connection token of the SEB client connection
* @return Result refer to the App Signature Key hash for given App Signature Key or to an error when happened */ * @return Result refer to the App Signature Key hash for given App Signature Key or to an error when happened */
Result<String> getAppSignatureKeyHash(String appSignatureKey, String connectionToken); Result<String> getAppSignatureKeyHash(
String appSignatureKey,
String connectionToken,
CharSequence salt);
/** Use this to update an App Signature Key grant for a particular SEB connection. This will /** Use this to update an App Signature Key grant for a particular SEB connection. This will
* apply the security check again and mark the connection regarding to the security check. * apply the security check again and mark the connection regarding to the security check.

View file

@ -167,14 +167,25 @@ public class SecurityKeyServiceImpl implements SecurityKeyService {
} }
@Override @Override
public Result<String> getAppSignatureKeyHash(final String appSignatureKey, final String connectionToken) { public Result<String> getAppSignatureKeyHash(
final String appSignatureKey,
final String connectionToken,
final CharSequence salt) {
if (StringUtils.isBlank(appSignatureKey)) { if (StringUtils.isBlank(appSignatureKey)) {
return Result.ofEmpty(); return Result.ofEmpty();
} }
// TODO if certificate encryption is available check if exam has defined certificate for decryption // TODO if certificate encryption is available check if exam has defined certificate for decryption
return Cryptor.decrypt(appSignatureKey, connectionToken) return Cryptor
.decrypt(appSignatureKey + salt, connectionToken)
.onErrorDo(error -> {
log.warn(
"Failed to decrypt ASK with added salt value. Try to decrypt without added salt. Error: {}",
error.getMessage());
return Cryptor.decrypt(appSignatureKey, connectionToken).get();
})
.map(signature -> createSignatureHash(signature)); .map(signature -> createSignatureHash(signature));
} }

View file

@ -278,7 +278,10 @@ public class SEBClientConnectionServiceImpl implements SEBClientConnectionServic
null, null,
null, null,
null, null,
getSignatureHash(appSignatureKey, connectionToken))) getSignatureHash(
appSignatureKey,
connectionToken,
clientConnection.examId != null ? clientConnection.examId : examId)))
.getOrThrow(); .getOrThrow();
// initialize distributed indicator value caches if possible and needed // initialize distributed indicator value caches if possible and needed
@ -400,7 +403,10 @@ public class SEBClientConnectionServiceImpl implements SEBClientConnectionServic
null, null,
proctoringEnabled, proctoringEnabled,
null, null,
getSignatureHash(appSignatureKey, connectionToken)); getSignatureHash(
appSignatureKey,
connectionToken,
clientConnection.examId != null ? clientConnection.examId : examId));
// ClientConnection integrity check // ClientConnection integrity check
// institutionId, connectionToken and clientAddress must be set // institutionId, connectionToken and clientAddress must be set
@ -813,9 +819,21 @@ public class SEBClientConnectionServiceImpl implements SEBClientConnectionServic
return this.examSessionService.getConnectionDataInternal(connectionToken); return this.examSessionService.getConnectionDataInternal(connectionToken);
} }
private String getSignatureHash(final String appSignatureKey, final String connectionToken) { private String getSignatureHash(
final String appSignatureKey,
final String connectionToken,
final Long examId) {
if (examId == null) {
return null;
}
final String salt = this.examSessionService
.getAppSignatureKeySalt(examId)
.getOr(null);
return this.securityKeyService return this.securityKeyService
.getAppSignatureKeyHash(appSignatureKey, connectionToken) .getAppSignatureKeyHash(appSignatureKey, connectionToken, salt)
.onError(error -> log.error("Failed to get hash signature from sent app signature key: ", error)) .onError(error -> log.error("Failed to get hash signature from sent app signature key: ", error))
.getOr(null); .getOr(null);
} }