From a3476dee46169d88d894935591056169f2facd64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20=C5=A0trobl?= <roman.strobl@wultra.com>
Date: Tue, 15 Oct 2024 15:38:21 +0800
Subject: [PATCH] Fix #663: Enforce check for temporary keys in protocol
 version 3.3 (#664)

---
 .../encryptor/ecies/EciesRequestResponseValidator.java    | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
index 444942f9..f32ea909 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
@@ -35,6 +35,10 @@ public class EciesRequestResponseValidator implements RequestResponseValidator {
      */
     private final static Set<String> supportedVersions = Set.of("3.3", "3.2", "3.1", "3.0");
 
+    /**
+     * Indicate that request must contain temporaryKeyId. This is valid for protocol V3.3+.
+     */
+    private final boolean useTemporaryKeys;
     /**
      * Indicate that request and response must contain timestamp and nonce. This is valid for protocol V3.2+.
      */
@@ -53,6 +57,7 @@ public EciesRequestResponseValidator(String protocolVersion) throws EncryptorExc
         if (!supportedVersions.contains(protocolVersion)) {
             throw new EncryptorException("Unsupported protocol version " + protocolVersion);
         }
+        this.useTemporaryKeys = "3.3".equals(protocolVersion);
         this.useTimestamp = "3.3".equals(protocolVersion) || "3.2".equals(protocolVersion);
         this.useNonceForRequest = "3.3".equals(protocolVersion) || "3.2".equals(protocolVersion) || "3.1".equals(protocolVersion);
     }
@@ -65,6 +70,9 @@ public boolean validateEncryptedRequest(EncryptedRequest request) {
         if (request.getEphemeralPublicKey() == null || request.getEncryptedData() == null || request.getMac() == null) {
             return false;
         }
+        if (useTemporaryKeys == (request.getTemporaryKeyId() == null)) {
+            return false;
+        }
         if (useNonceForRequest == (request.getNonce() == null)) {
             // Fails when nonce is missing in 3.1+
             // Fails when nonce is present in 3.0