We should investigate Spring Vault project in scope of deploying PowerAuth stack:

http://projects.spring.io/spring-vault

The typical use case for Vault is securing all plain text passwords and keys from application.properties. This could improve resilience of PowerAuth against internal attacks.

HHH000444: Encountered request for locking however dialect reports that database prefers locking be done in a separate select (follow-on locking); results will be locked after initial query executes

Currently, we do not have any good use-case for following signature types:

• KNOWLEDGE
• BIOMETRY
• POSSESSION_KNOWLEDGE_BIOMETRY

I believe we should remove these values accordingly.

We currently have a logging issue with Axis2 client project. However, we are not able to fix it at the moment - we must postpone this until the issue in Maven plugin is fixed. See AXIS2-5827 for details.

Currently, if client asks for application with ID that does not exist, we return SOAP fault with NPE.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <SOAP-ENV:Fault>
            <faultcode>SOAP-ENV:Server</faultcode>
            <faultstring xml:lang="en">java.lang.NullPointerException</faultstring>
        </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

We should add logging messages to PowerAuth server with levels WARNING, INFO and FINE.

When adding log messages we should be careful not to flood the logs on default level (INFO).

... so that we can see that activation was removed during activation (expired), or removed manually.

There are three JavaDoc warnings during compilation caused by broken links to nested classes.

In the Oracle DDL, blockedReason and additionalInfo columns are required to be not null. This is incorrect:
https://github.com/lime-company/powerauth-server/blob/develop/docs/sql/oracle/create_schema.sql

We currently have no documentation for Oracle in regards to token based auth.

Here is schema for My SQL:

https://github.com/lime-company/powerauth-server/blob/features/20-tokens/docs/sql/mysql/create_schema.sql

It would be useful to see version and buildTime in the status endpoint.

Currently, the initActivation method attempts to fetch master key pair from the database based on applicationId. In case no app with provided applicationId exists, we throw error about missing key pair. As a result, the issue with invalid applicationId is hard to debug.

We should check if given application exists first...

We currently have non-consistent naming.

We should distinguish two modes of operation for createOfflineSignaturePayload:

• personalized - uses activationId to obtain KEY_SERVER_PRIVATE which is used in ECDSA signature
• non-personalized - uses applicationId to obtain KEY_SERVER_MASTER_PRIVATE which is used in ECDSA signature

Furthermore, we should remove message from offline signatures, the message should be already present in signed data. We should also deprecate usage of dataHash in favor of data (in future data size can be decreased if required, so data in offline signature payload response may differ from data in offline signature request).

Currently, we do not store activation status changes. We should have some log of activation status changes.

Comma is missing in table definition for table pa_token before PRIMARY KEY in script:
https://github.com/lime-company/powerauth-server/blob/develop/docs/sql/mysql/create_schema.sql

timestamp_created DATETIME NOT NULL [missing_comma] PRIMARY KEY (token_id`),

Older versions of PowerAuth were using lowercased String to store signature type. Now, we have migrated the String type to Enum, which is more appropriate, but uses uppercase under the hood.

This causes issues when loading data from database created previously - lowercase items are incorrectly converted to Enums...

When our mobile client is trying to create (/pa/token/create) a multiple tokens at the same time (for the same activation), then some of the requests ends with an unknown error:

{"status":"ERROR","responseObject":{"code":"ERROR_GENERIC","message":"error.unknown"}}

After a small investigation in the logs, we found out a database deadlock on the PA server:

2017-12-07 14:09:48.802  WARN 1 --- [nio-8080-exec-7] o.h.engine.jdbc.spi.SqlExceptionHelper   : SQL Error: 1213, SQLState: 40001
2017-12-07 14:09:48.802 ERROR 1 --- [nio-8080-exec-7] o.h.engine.jdbc.spi.SqlExceptionHelper   : Deadlock found when trying to get lock; try restarting transaction
2017-12-07 14:09:48.802  INFO 1 --- [nio-8080-exec-7] o.h.e.j.b.internal.AbstractBatchImpl     : HHH000010: On release of batch it still contained JDBC statements

UPDATE

The actual problem is not related to the tokens at all. Look for discussion below.

PowerAuth Server currently accepts offline signatures in following format: AAAABBBB-CCCCDDDD. For readability reasons, we render it as AAAA-BBBB-CCCC-DDDD and this is what user rewrites to the screen. We should consider ignoring dashes when validating off-line signatures.

Currently, application is identified by a Long id, which is not very handy in a multi-environment infrastructure (since the same application may have multiple ID).

We should introduce some unique app identifier specified upon application creation, so that deployer can specify IDs such as "MOB_BANK" - for example, we can add method to lookup application by name (applicationName).

Application can then use codes as a name to lookup application and assign it to application name / icon / description / other attributes that have nothing to do with PowerAuth protocol and software stack.

When user blocks the device, we should be able to assign a reason. Also, we should have a flag to indicate that the device was blocked by the bank and therefore cannot be unblocked by the user.

At the moment, we store device related server private key as a plain text in the database. This is not a big issue in some scenarios, since back-ends are in a secure infrastructure with very limited access, however we could still improve security of the key by:

1. Introducing a new property (in case the property is not set, no encryption is used):

powerauth.server.db.master.encryption.key=MTIzNDU2Nzg5MDEyMzQ1Ng==

2. Using conversion mechanism whenever loading a serverPrivateKey value for the activation entity.

Note that since there is the good old rule "Same data should result in different encrypted values", we should introduce IV value for the encryption that should be stored with the value, such as (pseudo-code):

public byte[] encrypt(byte[] orig, SecretKey key) {
    byte[] iv = Bytes.random(16);
    byte[] encrypted = aes.encrypt(orig, iv, key);
    byte[] record = iv.append(encrypted)
    return record;
}

public byte[] decrypt(byte[] record, SecretKey key) {
    byte[] iv = record.byteRange(0, 16); // offset, length
    byte[] encrypted = record.byteRange(16, -1); // offset, remaining
    byte[] orig = aes.decrypt(encrypted, iv, key);
    return orig;
}

Also, in order to achieve consistency between activation record and encrypted server private key (to avoid partial record swap), we should pay attention to how we construct the encryption key. It should be derived from the master DB encryption key using KDF_INTERNAL with user ID and activation ID derivate as a base, like so:

public SecretKey deriveSecretKey(SecretKey masterDbEncryptionKey, String userId, String activationId) {
    String base = activationId.getBytes("UTF-8");
    String salt = userId.getBytes("UTF-8");
    byte[] index = PBKDF2.expand(base, salt, iterations, lengthInBits);
    return KDF_INTERNAL.derive(masterDbEncryptionKey, index);
}

Since we need entity context in order to achieve this, we very likely aren't able to use (aspect / annotation based) converter...

The service behavior sometimes assumes it receives correct attribute values from our integration libraries. We should implement more bulletproof parameter checking.

This issue does not have a large impact, since it assumes incorrect deployment or invalid server setup.

In order to be able to configure PowerAuth 2.0 Server JDBC properties globally (not for a given context), it would be nice to allow configuration using other than Spring default properties.

Following new properties should be introduced:

spring.datasource.url=${powerauth.datasource.url}
spring.datasource.username=${powerauth.datasource.username}
spring.datasource.password=${powerauth.datasource.password}
spring.datasource.driver-class-name=${powerauth.datasource.driver-class-name}
spring.jpa.properties.hibernate.default_schema=${powerauth.jpa.properties.hibernate.default_schema}

Following changes are required (based on what we currently know):

1. Upgrade maven versions as follows:
   <maven-jar-plugin.version>3.0.2</maven-jar-plugin.version>
   <maven-javadoc-plugin.version>3.0.0</maven-javadoc-plugin.version>
   <maven-war-plugin.version>3.1.0</maven-war-plugin.version>
2. Resolve Java EE compilation dependencies (deprecated libraries which are going to be removed in JDK 11)
3. Prepare list of Java EE libraries required to be deployed externally
4. Remove Bouncy Castle provider from all war files, the library should be placed into Tomcat lib folder instead
5. Write documentation

We need to refactor SignatureServiceBehavior to split verifySignature() method into smaller methods.

We also need to prepare XSD definition for offline signature requests/responses and prepare REST and SOAP endpoints for offline signature.

Following methods are required for offline signature:

• createOfflineSignaturePayload
• verifyOfflineSignature

Related issues:
https://github.com/lime-company/mtoken-ios/issues/22
wultra/powerauth-webflow#33

While migrating to Spring boot 2.0.0 we replaced the AsyncRestTemplate with WebClient.

Althrough current implementation of callbacks works fine, its thread usage can be improved by leveraging a completely reactive WebClient instead of blocking in asynchronous code.

So instead of using the @Async annotation and WebClient.block() we should use WebClient.subscribe().

We should introduce expiration for activations. The expiration time should be configurable. We should also consider whether expiration should be tied to the number of signature verifications. We also need to implement a workflow for reactivation - the user needs to be informed about expired activation and a new activation work flow should be initiated.

It seems it is better not to force this setting and allow clients to migrate to enabled expiration at their own pace because it may have impact on the client application which enables activation (e.g. internet banking).

The reason for expiration of activations is increasing resistance against brute force attacks, and should remain optional only for clients who want such extra level of security.

Currently, any format is accepted as URL when creating callback via the SOAL service call - we should at least check that the URL is valid.

Note: Since this is a part of the administrative interface, this is not such a big deal.

The following exception occurs when creating an activation on Oracle database:

org.springframework.ws.soap.client.SoapFaultClientException: org.hibernate.TransientPropertyValueException: object references an unsaved transient instance - save the transient instance before flushing : io.getlime.security.powerauth.app.server.database.model.entity.ActivationHistoryEntity.activation -> io.getlime.security.powerauth.app.server.database.model.entity.ActivationRecordEntity; nested exception is java.lang.IllegalStateException: org.hibernate.TransientPropertyValueException: object references an unsaved transient instance - save the transient instance before flushing : io.getlime.security.powerauth.app.server.database.model.entity.ActivationHistoryEntity.activation -> io.getlime.security.powerauth.app.server.database.model.entity.ActivationRecordEntity

Currently empty string causes en error, it should be handled same way as null value.

Currently, there is a collection of MASTER_KEY_PAIRs associated with every application. For the purpose of activation, the one that is the newest (ordered by timestamp_created) is used. We should add a better support for the lifecycle to the PA2.0 SW stack, namely:

• Add a method to generate a new "replacement key pair" for an application in SOAP interface.
• Add a method to make the replacement key pair active (disable the old key, enable the new one) in SOAP interface.
• Add UI update to the PowerAuth 2.0 Admin in order to display the new replacement key pair's public key.

In order to have multiple sequences under Oracle DB, a SequenceGenerator annotation should be present with the GeneratedValue annotation.

Exception occurs when PowerAuth server starts on Wildfly:

Convertor mustn't be null! Set convertor by calling PowerAuthConfiguration.INSTANCE.setConvertor()

Stack trace:

Convertor mustn't be null! Set convertor by calling PowerAuthConfiguration.INSTANCE.setConvertor().
	at io.getlime.security.powerauth.crypto.lib.config.PowerAuthConfiguration.getKeyConvertor(PowerAuthConfiguration.java:52)
	at io.getlime.security.powerauth.app.server.converter.ServerPrivateKeyConverter.<init>(ServerPrivateKeyConverter.java:64)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:170)
	... 40 more

It seems that the class instantiation order is different on Wildfly than on Tomcat. The setKeyConverter() method is called in class PowerAuthServiceImpl in a static block.

Currently, we just enable vault unlock. However, we should be able to specify the vault unlock reason for the auditing purposes. There are several reasons why user may need to use vault unlock:

• Enabling Touch ID / Biometry
• Signing a document
• Retrieving an encryption key

Log messages are duplicated in PowerAuth server in default configuration. Perhaps it is caused by multiple logging libraries.

See screenshot.

At this moment, we have several signatureType fields of a String type. These should in fact be enum values, similar to this one:

https://github.com/lime-company/lime-security-powerauth/blob/09313ae305fde0a7433c4bbfe78dc15612781dae/powerauth-java/src/main/java/io/getlime/security/powerauth/lib/enums/PowerAuthSignatureTypes.java

Currently, we use some extremely long names in repository interfaces, such as:

• findByActivation_UserIdAndTimestampCreatedBetweenOrderByTimestampCreatedDescIdDesc
• findByActivation_ApplicationIdAndActivation_UserIdAndTimestampCreatedBetweenOrderByTimestampCreatedDescIdDesc