wultra · banterCZ · Jul 29, 2024 · Jul 29, 2024 · Jul 29, 2024 · Jul 31, 2024
diff --git a/docs/Migration-Instructions.md b/docs/Migration-Instructions.md
@@ -2,6 +2,7 @@
 
 This page contains PowerAuth Web Flow migration instructions.
 
+- [PowerAuth Web Flow 1.9.0](./Web-Flow-1.9.0.md)
 - [PowerAuth Web Flow 1.8.0](./Web-Flow-1.8.0.md)
 - [PowerAuth Web Flow 1.7.0](./Web-Flow-1.7.0.md)
 - [PowerAuth Web Flow 1.6.0](./Web-Flow-1.6.0.md)

diff --git a/docs/Web-Flow-1.9.0.md b/docs/Web-Flow-1.9.0.md
@@ -0,0 +1,5 @@
+# Migration from 1.8.0 to 1.9.0
+
+This guide contains instructions for migration from PowerAuth WebFlow version `1.8.x` to version `1.9.0`.
+
+There are no database changes needed for this version.
diff --git a/pom.xml b/pom.xml
@@ -8,13 +8,13 @@
 
  <groupId>io.getlime.security</groupId>
  <artifactId>powerauth-webflow-parent</artifactId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  <packaging>pom</packaging>
 
  <parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
- <version>3.3.2</version>
+ <version>3.3.4</version>
  <relativePath/> <!-- lookup parent from repository -->
  </parent>
 
@@ -93,21 +93,21 @@
  <maven.compiler.target>17</maven.compiler.target>
  <bcprov-jdk18on.version>1.78.1</bcprov-jdk18on.version>
  <zxing.version>3.5.3</zxing.version>
- <passay.version>1.6.4</passay.version>
+ <passay.version>1.6.6</passay.version>
 
  <!-- Documentation Dependencies -->
  <springdoc-openapi-starter-webmvc-ui.version>2.6.0</springdoc-openapi-starter-webmvc-ui.version>
- <swagger-annotations-jakarta.version>2.2.22</swagger-annotations-jakarta.version>
+ <swagger-annotations-jakarta.version>2.2.25</swagger-annotations-jakarta.version>
 
  <moneta.version>1.4.4</moneta.version>
  <owasp-java-html-sanitizer.version>20240325.1</owasp-java-html-sanitizer.version>
- <logstash.version>7.4</logstash.version>
+ <logstash.version>8.0</logstash.version>
 
  <!-- Wultra dependencies -->
- <wultra-core.version>1.10.0</wultra-core.version>
- <powerauth.version>1.8.0</powerauth.version>
- <powerauth-crypto.version>1.8.0</powerauth-crypto.version>
- <powerauth-push.version>1.8.0</powerauth-push.version>
+ <wultra-core.version>1.11.0</wultra-core.version>
+ <powerauth.version>1.9.0-SNAPSHOT</powerauth.version>
+ <powerauth-crypto.version>1.9.0</powerauth-crypto.version>
+ <powerauth-push.version>1.9.0-SNAPSHOT</powerauth-push.version>
  </properties>
 
  <dependencyManagement>
@@ -345,7 +345,7 @@
  <dependency>
  <groupId>de.skuzzle.enforcer</groupId>
  <artifactId>restrict-imports-enforcer-rule</artifactId>
- <version>2.5.0</version>
+ <version>2.6.0</version>
  </dependency>
  </dependencies>
  <executions>

diff --git a/powerauth-data-adapter-client/pom.xml b/powerauth-data-adapter-client/pom.xml
@@ -28,7 +28,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <dependencies>

diff --git a/powerauth-data-adapter-model/pom.xml b/powerauth-data-adapter-model/pom.xml
@@ -28,7 +28,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <dependencies>

diff --git a/powerauth-mtoken-model/pom.xml b/powerauth-mtoken-model/pom.xml
@@ -27,7 +27,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <dependencies>

diff --git a/powerauth-nextstep-client/pom.xml b/powerauth-nextstep-client/pom.xml
@@ -25,7 +25,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <artifactId>powerauth-nextstep-client</artifactId>

diff --git a/powerauth-nextstep-model/pom.xml b/powerauth-nextstep-model/pom.xml
@@ -29,7 +29,7 @@
  <parent>
  <groupId>io.getlime.security</groupId>
  <artifactId>powerauth-webflow-parent</artifactId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <dependencies>

diff --git a/...va/io/getlime/security/powerauth/lib/nextstep/model/entity/enumeration/HashAlgorithm.java b/...va/io/getlime/security/powerauth/lib/nextstep/model/entity/enumeration/HashAlgorithm.java
@@ -17,11 +17,14 @@
  */
 package io.getlime.security.powerauth.lib.nextstep.model.entity.enumeration;
 
+import lombok.Getter;
+
 /**
  * Enumeration representing hashing algorithms.
  *
  * @author Roman Strobl, [email protected]
  */
+@Getter
 public enum HashAlgorithm {
 
  /**
@@ -37,35 +40,30 @@ public enum HashAlgorithm {
  /**
  * Algorithm argon2id.
  */
- ARGON_2ID("argon2id", 2);
+ ARGON_2ID("argon2id", 2),
+
+ BCRYPT("bcrypt");
 
  private final String name;
- private final int id;
+ private final Integer id;
 
  /**
  * Hash algorithm constructor.
- * @param name Algorithm name for Modular Crypt Format.
- * @param id Algorithm ID in Bouncy Castle library.
+ * @param name Algorithm name.
  */
- HashAlgorithm(String name, int id) {
+ HashAlgorithm(String name) {
  this.name = name;
- this.id = id;
+ this.id = null;
  }
 
  /**
- * Get algorithm name for Modular Crypt Format.
- * @return Algorithm name.
- */
- public String getName() {
- return name;
- }
-
- /**
- * Get algorithm ID in Bouncy Castle library.
- * @return Algorithm ID.
+ * Hash algorithm constructor for Argon family of algorithms.
+ * @param name Algorithm name for Modular Crypt Format.
+ * @param id Algorithm ID in Bouncy Castle library (Argon algorithms only).
  */
- public int getId() {
- return id;
+ HashAlgorithm(String name, int id) {
+ this.name = name;
+ this.id = id;
  }
 
 }
diff --git a/powerauth-nextstep/pom.xml b/powerauth-nextstep/pom.xml
@@ -28,7 +28,7 @@
  <parent>
  <groupId>io.getlime.security</groupId>
  <artifactId>powerauth-webflow-parent</artifactId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <dependencies>

diff --git a/.../java/io/getlime/security/powerauth/app/nextstep/service/CredentialProtectionService.java b/.../java/io/getlime/security/powerauth/app/nextstep/service/CredentialProtectionService.java
@@ -37,6 +37,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.crypto.bcrypt.BCrypt;
 import org.springframework.stereotype.Service;
 
 import java.io.IOException;
@@ -100,6 +101,10 @@ public CredentialValue protectCredential(String credentialValue, CredentialEntit
  final String hashedValue = argon2Hash.toString();
  return credentialValueConverter.toDBValue(hashedValue, userId, credentialDefinition);
  }
+ case BCRYPT -> {
+ String hashedValue = BCrypt.hashpw(credentialValue, BCrypt.gensalt());
+ return credentialValueConverter.toDBValue(hashedValue, userId, credentialDefinition);
+ }
  default -> throw new InvalidConfigurationException("Unsupported hashing algorithm: " + algorithm);
  }
  }
@@ -132,6 +137,13 @@ public boolean verifyCredential(String credentialValue, CredentialEntity credent
  }
  return succeeded;
  }
+ case BCRYPT -> {
+ boolean succeeded = BCrypt.checkpw(credentialValue, decryptedCredentialValue);
+ if (succeeded) {
+ updateStoredCredentialValueIfRequired(credentialValue, credential);
+ }
+ return succeeded;
+ }
  default -> throw new InvalidConfigurationException("Unsupported hashing algorithm: " + algorithm);
  }
  }
@@ -154,6 +166,7 @@ public boolean verifyCredentialHistory(String credentialValue, CredentialHistory
  final HashAlgorithm algorithm = hashingConfig.getAlgorithm();
  return switch (algorithm) {
  case ARGON_2I, ARGON_2D, ARGON_2ID -> verifyCredentialUsingArgon2(credentialValue, algorithm, decryptedCredentialValue);
+ case BCRYPT -> BCrypt.checkpw(credentialValue, decryptedCredentialValue);
  };
  }
 
@@ -335,7 +348,7 @@ private void updateStoredCredentialValueIfRequired(String credentialValue, Crede
  updateRequired = true;
  } else {
  // Check actual argon2 parameters from the hash in the database and compare them with credential definition
- updateRequired = updateRequired || !argon2ParamMatch(extractCredentialValue(credential), credentialDefinition.getHashingConfig().getAlgorithm(), credential.getHashingConfig().getParameters());
+ updateRequired = updateRequired || (credentialDefinition.getHashingConfig().getAlgorithm() != HashAlgorithm.BCRYPT && !argon2ParamMatch(extractCredentialValue(credential), credentialDefinition.getHashingConfig().getAlgorithm(), credential.getHashingConfig().getParameters()));
  }
  }
 

diff --git a/...a/io/getlime/security/powerauth/app/nextstep/service/CredentialProtectionServiceTest.java b/...a/io/getlime/security/powerauth/app/nextstep/service/CredentialProtectionServiceTest.java
@@ -0,0 +1,97 @@
+/*
+ * PowerAuth Web Flow and related software components
+ * Copyright (C) 2024 Wultra s.r.o.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.getlime.security.powerauth.app.nextstep.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.getlime.security.powerauth.app.nextstep.NextStepTest;
+import io.getlime.security.powerauth.app.nextstep.repository.model.entity.CredentialDefinitionEntity;
+import io.getlime.security.powerauth.app.nextstep.repository.model.entity.CredentialEntity;
+import io.getlime.security.powerauth.app.nextstep.repository.model.entity.HashConfigEntity;
+import io.getlime.security.powerauth.app.nextstep.repository.model.entity.UserIdentityEntity;
+import io.getlime.security.powerauth.lib.nextstep.model.entity.CredentialValue;
+import io.getlime.security.powerauth.lib.nextstep.model.entity.enumeration.EncryptionAlgorithm;
+import io.getlime.security.powerauth.lib.nextstep.model.entity.enumeration.HashAlgorithm;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Tests for password hashing.
+ *
+ * @author Roman Strobl, [email protected]
+ */
+class CredentialProtectionServiceTest extends NextStepTest {
+
+ @Autowired
+ private CredentialProtectionService credentialProtectionService;
+
+ @Test
+ void testBcrypt() throws Exception {
+ final CredentialEntity credentialEntity = new CredentialEntity();
+ final UserIdentityEntity user = new UserIdentityEntity();
+ final HashConfigEntity hashConfig = new HashConfigEntity();
+ final CredentialDefinitionEntity credentialDefinition = new CredentialDefinitionEntity();
+ credentialDefinition.setEncryptionAlgorithm(EncryptionAlgorithm.NO_ENCRYPTION);
+ credentialDefinition.setHashingConfig(hashConfig);
+ hashConfig.setAlgorithm(HashAlgorithm.BCRYPT);
+ hashConfig.setParameters("{}");
+ user.setUserId("test");
+ credentialEntity.setUser(user);
+ credentialEntity.setCredentialDefinition(credentialDefinition);
+ credentialEntity.setHashingConfig(hashConfig);
+ final CredentialValue hashed = credentialProtectionService.protectCredential("test", credentialEntity);
+ credentialEntity.setValue(hashed.getValue());
+ assertEquals(EncryptionAlgorithm.NO_ENCRYPTION, hashed.getEncryptionAlgorithm());
+ assertNotEquals("test", hashed.getValue());
+ assertTrue(hashed.getValue().startsWith("$2a$10$"));
+ assertTrue(credentialProtectionService.verifyCredential("test", credentialEntity));
+ }
+
+ @Test
+ void testArgon2() throws Exception {
+ final CredentialEntity credentialEntity = new CredentialEntity();
+ final UserIdentityEntity user = new UserIdentityEntity();
+ final HashConfigEntity hashConfig = new HashConfigEntity();
+ final CredentialDefinitionEntity credentialDefinition = new CredentialDefinitionEntity();
+ credentialDefinition.setEncryptionAlgorithm(EncryptionAlgorithm.NO_ENCRYPTION);
+ credentialDefinition.setHashingConfig(hashConfig);
+ hashConfig.setAlgorithm(HashAlgorithm.ARGON_2I);
+ final Map<String, String> params = Map.of(
+ "version", "19",
+ "iterations", "4",
+ "memory", "16",
+ "parallelism", "2",
+ "outputLength", "32"
+ );
+ hashConfig.setParameters(new ObjectMapper().writeValueAsString(params));
+ user.setUserId("test");
+ credentialEntity.setUser(user);
+ credentialEntity.setCredentialDefinition(credentialDefinition);
+ credentialEntity.setHashingConfig(hashConfig);
+ final CredentialValue hashed = credentialProtectionService.protectCredential("test", credentialEntity);
+ credentialEntity.setValue(hashed.getValue());
+ assertEquals(EncryptionAlgorithm.NO_ENCRYPTION, hashed.getEncryptionAlgorithm());
+ assertNotEquals("test", hashed.getValue());
+ assertTrue(hashed.getValue().startsWith("$argon2i$v=19$m=65536,t=4,p=2$"));
+ assertTrue(credentialProtectionService.verifyCredential("test", credentialEntity));
+ }
+
+}
diff --git a/powerauth-tpp-engine-client/pom.xml b/powerauth-tpp-engine-client/pom.xml
@@ -25,7 +25,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <name>powerauth-tpp-engine-client</name>

diff --git a/powerauth-tpp-engine-model/pom.xml b/powerauth-tpp-engine-model/pom.xml
@@ -24,7 +24,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <name>powerauth-tpp-engine-model</name>

diff --git a/powerauth-tpp-engine/pom.xml b/powerauth-tpp-engine/pom.xml
@@ -28,7 +28,7 @@
  <parent>
  <groupId>io.getlime.security</groupId>
  <artifactId>powerauth-webflow-parent</artifactId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <dependencies>

diff --git a/powerauth-webflow-authentication-approval-sca/pom.xml b/powerauth-webflow-authentication-approval-sca/pom.xml
@@ -25,7 +25,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <name>powerauth-webflow-authentication-approval-sca</name>

diff --git a/powerauth-webflow-authentication-consent/pom.xml b/powerauth-webflow-authentication-consent/pom.xml
@@ -25,7 +25,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <artifactId>powerauth-webflow-authentication-consent</artifactId>

diff --git a/powerauth-webflow-authentication-form/pom.xml b/powerauth-webflow-authentication-form/pom.xml
@@ -25,7 +25,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <name>powerauth-webflow-authentication-form</name>

diff --git a/powerauth-webflow-authentication-init/pom.xml b/powerauth-webflow-authentication-init/pom.xml
@@ -25,7 +25,7 @@
  <parent>
  <artifactId>powerauth-webflow-parent</artifactId>
  <groupId>io.getlime.security</groupId>
- <version>1.8.0</version>
+ <version>1.9.0-SNAPSHOT</version>
  </parent>
 
  <name>powerauth-webflow-authentication-init</name>