Introduce endpoint for removing pending activation client-side #468

Open
petrdvorak opened this issue Apr 20, 2023 · 1 comment

@petrdvorak

If the user cancels the activation on the device after it has been committed on the client, the server has no way of learning that the registration has been canceled.

We could provide an endpoint to remove such a registration. The endpoint would allow modifications only for CREATED and PENDING_COMMIT activations. As the activation ID is sufficiently random and the new endpoint would have no effect on ACTIVE, BLOCKED or REMOVED activations, we should evaluate whether we need to authenticate the endpoint or whether we can simply rely on the time window.

If the authentication is omitted, the server should always return a blank success response, to provide minimum information about whether such an activation exists (this should also remove any motivation to just send requests to the endpoint).

Endpoint

POST /pa/v3/activation/pending/remove

Request

{
    "requestObject": {
        "activationId": "12...fe"
    }
}

Response 200 - OK

{
    "status": "OK"
}
@hvge

hvge commented Aug 23, 2023

What about providing H_K_DEVICE_PUBLIC as a proof of authenticity? It should already be calculated on both sides. It will work for PENDING_COMMIT only, but an activation in the CREATED state is irrelevant for the mobile device (it should never happen).

We can modify the H_K_DEVICE_PUBLIC calculation a little by replacing SHA256 with HMAC_SHA256, using KEY_TRANSPORT for the derivation. For example:

// Input: device public key || activation ID || server public key
byte[] activationIdBytes = ACTIVATION_ID.getBytes("UTF-8");
byte[] fingerprintBytes = ByteUtils.concat(K_DEVICE_PUBLIC_BYTES, ByteUtils.concat(activationIdBytes, K_SERVER_PUBLIC_BYTES));
// Keyed with KEY_TRANSPORT instead of a plain SHA256, then truncated to 4 bytes
byte[] truncatedBytes = ByteUtils.truncate(Mac.hmacSha256(KEY_TRANSPORT, fingerprintBytes), 4);
int H_K_DEVICE_PUBLIC = ByteUtils.getInt(truncatedBytes) & 0x7FFFFFFF;
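
An added illustration, not PowerAuth code and not written by either commenter: the Java below combines the two ideas in this thread, a removal handler that accepts the HMAC-based proof for PENDING_COMMIT activations only and returns the same blank success body on every path. The class, the record, the in-memory map, the `clientProof` parameter, and the choice to keep the last 4 bytes of the HMAC as a big-endian integer are all assumptions made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
public class PendingActivationRemoval {
    enum Status { CREATED, PENDING_COMMIT, ACTIVE, BLOCKED, REMOVED }
    // Hypothetical server-side record; the field names are assumptions.
    record Activation(Status status, byte[] keyTransport, byte[] devicePub, byte[] serverPub) {}
    final Map<String, Activation> store = new ConcurrentHashMap<>();

    // HMAC variant of H_K_DEVICE_PUBLIC from the comment; keeps the last 4 bytes (assumed truncate semantics).
    static int proof(byte[] keyTransport, byte[] devicePub, String activationId, byte[] serverPub) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(keyTransport, "HmacSHA256"));
        mac.update(devicePub);
        mac.update(activationId.getBytes(StandardCharsets.UTF_8));
        byte[] tag = mac.doFinal(serverPub);
        return ByteBuffer.wrap(tag, tag.length - 4, 4).getInt() & 0x7FFFFFFF;
    }

    // Returns the same body whether the ID is unknown, in another state, or the proof is wrong.
    String removePending(String activationId, int clientProof) throws Exception {
        Activation a = store.get(activationId);
        if (a != null && a.status() == Status.PENDING_COMMIT) {
            int expected = proof(a.keyTransport(), a.devicePub(), activationId, a.serverPub());
            byte[] e = ByteBuffer.allocate(4).putInt(expected).array();
            byte[] c = ByteBuffer.allocate(4).putInt(clientProof).array();
            if (MessageDigest.isEqual(e, c)) {  // comparison that does not exit early
                store.put(activationId, new Activation(Status.REMOVED, a.keyTransport(), a.devicePub(), a.serverPub()));
            }
        }
        return "{\"status\":\"OK\"}";
    }

    public static void main(String[] args) throws Exception {
        PendingActivationRemoval svc = new PendingActivationRemoval();
        byte[] kt = new byte[16], dp = {1, 2, 3}, sp = {4, 5, 6};  // constructed sample values
        svc.store.put("act-1", new Activation(Status.PENDING_COMMIT, kt, dp, sp));
        svc.store.put("act-2", new Activation(Status.ACTIVE, kt, dp, sp));
        System.out.println(svc.removePending("act-1", 0));                           // wrong proof
        System.out.println(svc.removePending("act-2", proof(kt, dp, "act-2", sp)));  // valid proof, wrong state
        System.out.println(svc.removePending("missing", 0));                         // unknown ID
        System.out.println(svc.removePending("act-1", proof(kt, dp, "act-1", sp)));  // valid proof, pending
        svc.store.forEach((id, a) -> System.out.println(id + " -> " + a.status()));
    }
}
```

The proof is only 31 bits long, so the short time window the issue relies on still matters. The response body is identical on every path, but this example does not equalize response timing.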
