Merge develop to master

.github/dependabot.yml

@@ -9,3 +9,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/codeql-analysis.yml

@@ -4,9 +4,6 @@ on:
   workflow_dispatch:
   push:
     branches: [ 'develop', 'master', 'releases/**' ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ 'develop', 'master', 'releases/**' ]
   schedule:
     - cron: '0 2 * * 4'
 
@@ -19,4 +16,5 @@ jobs:
       # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
       # Use only 'java' to analyze code written in Java, Kotlin or both
       # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
-      # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+      # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+      java_version: 21

.github/workflows/maven-deploy.yml

@@ -32,6 +32,7 @@ jobs:
     with:
       environment: internal-publish
       release_type: snapshot
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
@@ -43,6 +44,7 @@ jobs:
     with:
       environment: ${{ inputs.environment }}
       release_type: ${{ inputs.release_type }}
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}

.github/workflows/maven-test.yml

@@ -15,4 +15,6 @@ on:
 jobs:
   maven-tests:
     uses: wultra/wultra-infrastructure/.github/workflows/maven-test.yml@develop
-    secrets: inherit
+    secrets: inherit
+    with:
+      java_version: 21

.gitignore

@@ -18,4 +18,5 @@
 ## Directory-based project format:
 .idea/
 .mvn
+.vscode/
 dist/

docs/.gitignore

@@ -18,4 +18,5 @@
 ## Directory-based project format:
 .idea/
 .mvn
+.vscode/
 dist/

docs/Activation-Status.md

@@ -1,6 +1,6 @@
 # Activation Status
 
-PowerAuth Client may need to check for an activation status, so that it can determine if it should display UI for non-activated state (registration form), blocked state (how to unblock tutorial) or active state (login screen). To facilitate this use-case, PowerAuth Standard RESTful API publishes a [/pa/v3/activation/status](./Standard-RESTful-API#post-pav3activationstatus) endpoint.
+PowerAuth Client may need to check for an activation status, so that it can determine if it should display UI for non-activated state (registration form), blocked state (how to unblock tutorial) or active state (login screen). To facilitate this use-case, PowerAuth Standard RESTful API publishes a [/pa/v3/activation/status](./Standard-RESTful-API#activation-status) endpoint.
 
 Checking for an activation status is simple. Client needs to prepare a HTTP request with an activation ID and random `STATUS_CHALLENGE`. Server processes the request and sends back the response with activation status blob and random `STATUS_NONCE`. Activation status blob is an encrypted binary blob that encodes the activation status. Key `KEY_TRANSPORT` and `STATUS_IV` is used to encrypt the activation blob.
 

docs/Activation-via-Recovery-Code.md

@@ -111,7 +111,7 @@ After this step, PowerAuth Client performs Key Exchange with the PowerAuth Serve
 
 ### Key Exchange
 
-Following diagram shows how public keys are exchanged between PowerAuth Client and PowerAuth Server, and how master shared secret and PowerAuth Standard Keys are derived. The process is very similar to [Key Exchange](Activation.md#key-exchange) from a regular [Activation](Activation.md).
+Following diagram shows how public keys are exchanged between PowerAuth Client and PowerAuth Server, and how master shared secret and PowerAuth Standard Keys are derived. The process is very similar to [Key Derivation](Activation.md#key-derivation) from a regular [Activation](Activation.md).
 
 ![Activation via Recovery Code](resources/images/sequence_activation_recovery.png)
 

docs/Activation.md

@@ -45,7 +45,7 @@ The first layer of encryption protects the data transfer between the mobile app
 
 Detailed documentation of [End-to-End Encryption](./End-To-End-Encryption.md) is available in a dedicated chapter.
 
-A good place to review the exact request and response payload structure is in the [PowerAuth Standard RESTful API documentation](./Standard-RESTful-API.md#post-pav3activationcreate).
+A good place to review the exact request and response payload structure is in the [PowerAuth Standard RESTful API documentation](./Standard-RESTful-API.md#initiate-activation).
 
 ## Key Derivation
 

docs/List-of-used-keys.md

@@ -2,14 +2,24 @@
 
 The following keys are used in the PowerAuth cryptography scheme.
 
+## Application Scoped Keys
+
+| name                        | created as                               | purpose                                                                                                                                                             |
+|-----------------------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key                       | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation).    |
+| `KEY_SERVER_MASTER_PUBLIC`  | ECDH - public key                        | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). |
+| `APP_KEY`                   | Application version key                  | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel.              |
+| `APP_SECRET`                | Application version secret               | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values.                       |
+
+
+## Activation Scoped Keys
+
 | name                        | created as                               | purpose                                                                                                                                                                                                                              |
 |-----------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `KEY_DEVICE_PRIVATE`        | ECDH - private key                       | Generated on client to allow construction of `KEY_MASTER_SECRET`.                                                                                                                                                                    |
 | `KEY_DEVICE_PUBLIC`         | ECDH - public key                        | Generated on client to allow construction of `KEY_MASTER_SECRET`.                                                                                                                                                                    |
 | `KEY_SERVER_PRIVATE`        | ECDH - private key                       | Generated on server to allow construction of `KEY_MASTER_SECRET`.                                                                                                                                                                    |
 | `KEY_SERVER_PUBLIC`         | ECDH - public key                        | Generated on server to allow construction of `KEY_MASTER_SECRET`.                                                                                                                                                                    |
-| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key                       | Stored on server, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client                                                                                                                        |
-| `KEY_SERVER_MASTER_PUBLIC`  | ECDH - public key                        | Stored on client, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client                                                                                                                        |
 | `KEY_MASTER_SECRET`         | ECDH - pre-shared                        | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` and then reduced with `ByteUtils.convert32Bto16B()`.                |
 | `KEY_SIGNATURE_POSSESSION`  | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1)`, used for subsequent request signing.                              |
 | `KEY_SIGNATURE_KNOWLEDGE`   | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2)`, used for subsequent request signing.                                        |

docs/_Sidebar.md

@@ -30,8 +30,8 @@
 
 **Tutorials**
 
-- [Authentication in Mobile Banking Apps (SCA)](https://developers.wultra.com/products/mobile-security-suite/develop/tutorials/Authentication-in-Mobile-Apps)
-- [Verifying PowerAuth Signatures On The Server](https://developers.wultra.com/products/mobile-security-suite/develop/tutorials/Manual-Signature-Verification)
+- [Authentication in Mobile Banking Apps (SCA)](https://developers.wultra.com/tutorials/posts/Mobile-First-Authentication/)
+- [Verifying PowerAuth Signatures On The Server](https://developers.wultra.com/tutorials/posts/Manual-Signature-Verification/)
 
 **API Reference**
 

pom.xml

@@ -25,7 +25,7 @@
 
     <groupId>io.getlime.security</groupId>
     <artifactId>powerauth-crypto-parent</artifactId>
-    <version>1.7.0</version>
+    <version>1.8.0-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <inceptionYear>2016</inceptionYear>
@@ -74,13 +74,13 @@
         <java.version>17</java.version>
         <maven.compiler.release>${java.version}</maven.compiler.release>
 
-        <maven-jar-plugin.version>3.3.0</maven-jar-plugin.version>
-        <maven-compiler-plugin.version>3.12.1</maven-compiler-plugin.version>
-        <maven-deploy-plugin.version>3.1.1</maven-deploy-plugin.version>
-        <maven-javadoc-plugin.version>3.6.3</maven-javadoc-plugin.version>
-        <maven-source-plugin.version>3.3.0</maven-source-plugin.version>
-        <maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
-        <slf4j.version>2.0.12</slf4j.version>
+        <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
+        <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
+        <maven-deploy-plugin.version>3.1.2</maven-deploy-plugin.version>
+        <maven-javadoc-plugin.version>3.7.0</maven-javadoc-plugin.version>
+        <maven-source-plugin.version>3.3.1</maven-source-plugin.version>
+        <maven-surefire-plugin.version>3.3.0</maven-surefire-plugin.version>
+        <slf4j.version>2.0.13</slf4j.version>
         <junit.version>5.10.2</junit.version>
     </properties>
 

powerauth-java-crypto/pom.xml

@@ -26,7 +26,7 @@
 	<parent>
 		<groupId>io.getlime.security</groupId>
 		<artifactId>powerauth-crypto-parent</artifactId>
-		<version>1.7.0</version>
+		<version>1.8.0-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
@@ -47,7 +47,7 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.16.1</version>
+			<version>2.17.1</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
@@ -59,13 +59,12 @@
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk18on</artifactId>
-			<version>1.77</version>
-			<scope>provided</scope>
+			<version>1.78.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.projectlombok</groupId>
 			<artifactId>lombok</artifactId>
-			<version>1.18.30</version>
+			<version>1.18.32</version>
 			<scope>provided</scope>
 		</dependency>
 	</dependencies>

powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java

@@ -109,8 +109,8 @@ public static byte[] deriveSharedInfo2Base(EncryptorScope scope, String applicat
             }
             try {
                 return new HMACHashUtilities().hash(transportKey, applicationSecretBytes);
-            } catch (Throwable t) {
-                throw new EciesException("HMAC calculation failed", t);
+            } catch (Exception e) {
+                throw new EciesException("HMAC calculation failed", e);
             }
         }
     }

powerauth-java-http/pom.xml

@@ -28,7 +28,7 @@
 	<parent>
 		<groupId>io.getlime.security</groupId>
 		<artifactId>powerauth-crypto-parent</artifactId>
-		<version>1.7.0</version>
+		<version>1.8.0-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>