aliquot-pay 0.10.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f10cb5f87859a89e6be2cd9c7b44755d055d53316e4a306a9efc5cff4b973cc
-  data.tar.gz: '043648edcd44e8984ace19066bcca9941d70ac8c79bc7c148cc92cc4fb8b6758'
+  metadata.gz: 3b09f20a26a4ba4bd85ef274044bca8f84fd5471c4393b7e14e3aae8a8ee9e48
+  data.tar.gz: aa5e97d77be4ce999063378eb5bce12f4bbd6e7509fbd3f100388281197175cd
 SHA512:
-  metadata.gz: 3f7ccb1a31f5138835613f43b56f0ebd740c257496ff435c35c250c23acc860628326656b7159522867d08e574105fc6cc58c1c6ff75cfbbe2a5d85b3efff77e
-  data.tar.gz: 0e107069afffbef7ef490bf2f48863f13ec0c6afdd425e909d2a4318f4d96dff0b90aaadd755a3daa627654724b4bcb7be024b6dc511c08f7a81152dc77e832c
+  metadata.gz: 1b0747731b0320552cc308b76a32c2786358a9ddd74136498da0b3145981f9584ae184d06fe903cede3b815fc6dc5f82fbccf24dde754aebb3a35961d5df4db9
+  data.tar.gz: 71018fd9c9885e435a298bd8138f471494bba598a0608c7e52f73d85625b597d4f2993df82cae1c4448dfa6bdd14682864d10692e855433cc14010d7cf032a5e

data/lib/aliquot-pay.rb

@@ -4,27 +4,79 @@ require 'json'
 
 require 'aliquot-pay/util'
 
-module AliquotPay
+class AliquotPay
   class Error < StandardError; end
 
   EC_CURVE = 'prime256v1'.freeze
 
   DEFAULTS = {
     info: 'Google',
-    merchant_id: '0123456789',
+    recipient_id: 'merchant:0123456789',
   }.freeze
 
-  def self.sign(key, message)
+  attr_accessor :signature, :intermediate_signing_key, :signed_message
+  attr_accessor :signed_key, :signatures
+  attr_accessor :key_expiration, :key_value
+  attr_accessor :encrypted_message, :cleartext_message, :ephemeral_public_key, :tag
+  attr_accessor :message_expiration, :message_id, :payment_method, :payment_method_details
+  attr_accessor :pan, :expiration_month, :expiration_year, :auth_method
+  attr_accessor :cryptogram, :eci_indicator
+
+  attr_accessor :recipient, :info, :root_key, :intermediate_key
+  attr_writer   :recipient_id, :shared_secret, :token, :signed_key_string
+
+  def initialize(protocol_version = :ECv2)
+    @protocol_version = protocol_version
+  end
+
+  def token
+    build_token
+  end
+
+  def extract_root_signing_keys
+    key = Base64.strict_encode64(eckey_to_public(ensure_root_key).to_der)
+    {
+      'keys' => [
+        'protocolVersion' => @protocol_version,
+        'keyValue'        => key,
+      ]
+    }.to_json
+  end
+
+  def eckey_to_public(key)
+    p = OpenSSL::PKey::EC.new(EC_CURVE)
+
+    p.public_key = key.public_key
+
+    p
+  end
+
+  #private
+
+  def sign(key, message)
     d = OpenSSL::Digest::SHA256.new
     def key.private?; private_key?; end
     Base64.strict_encode64(key.sign(d, message))
   end
 
-  def self.encrypt(cleartext_message, recipient, cipher, info = 'Google')
+  def encrypt(cleartext_message)
+    @recipient ||= OpenSSL::PKey::EC.new('prime256v1').generate_key
+    @info ||= 'Google'
+
     eph = AliquotPay::Util.generate_ephemeral_key
-    ss  = AliquotPay::Util.generate_shared_secret(eph, recipient.public_key)
+    @shared_secret ||= AliquotPay::Util.generate_shared_secret(eph, @recipient.public_key)
+    ss  = @shared_secret
+
+    case @protocol_version
+    when :ECv1
+      cipher = OpenSSL::Cipher::AES128.new(:CTR)
+    when :ECv2
+      cipher = OpenSSL::Cipher::AES256.new(:CTR)
+    else
+      raise StandardError, "Invalid protocol_version #{protocol_version}"
+    end
 
-    keys = AliquotPay::Util.derive_keys(eph.public_key.to_bn.to_s(2), ss, info, length: cipher.key_len)
+    keys = AliquotPay::Util.derive_keys(eph.public_key.to_bn.to_s(2), ss, @info, @protocol_version)
 
     cipher.encrypt
     cipher.key = keys[:aes_key]
@@ -34,101 +86,149 @@ module AliquotPay
     tag = AliquotPay::Util.calculate_tag(keys[:mac_key], encrypted_message)
 
     {
-      encryptedMessage: Base64.strict_encode64(encrypted_message),
-      ephemeralPublicKey: Base64.strict_encode64(eph.public_key.to_bn.to_s(2)),
-      tag: Base64.strict_encode64(tag),
+      'encryptedMessage'   => Base64.strict_encode64(encrypted_message),
+      'ephemeralPublicKey' => Base64.strict_encode64(eph.public_key.to_bn.to_s(2)),
+      'tag'                => Base64.strict_encode64(tag),
     }
   end
 
-  # Return a default payment
-  def self.payment(
-    auth_method: :PAN_ONLY,
-    expiration: ((Time.now.to_f + 60 * 5) * 1000).round.to_s
-  )
-    id = Base64.strict_encode64(OpenSSL::Random.random_bytes(24))
-    p = {
-      'messageExpiration'    => expiration,
-      'messageId'            => id,
-      'paymentMethod'        => 'CARD',
-      'paymentMethodDetails' => {
-        'expirationYear'  => 2023,
-        'expirationMonth' => 12,
-        'pan'             => '4111111111111111',
-        'authMethod'      => 'PAN_ONLY',
-      },
+  def build_payment_method_details
+    return @payment_method_details if @payment_method_details
+    value = {
+      'pan'             => @pan              || '4111111111111111',
+      'expirationYear'  => @expiration_year  || 2023,
+      'expirationMonth' => @expiration_month || 12,
+      'authMethod'      => @auth_method      || 'PAN_ONLY',
     }
 
-    if auth_method == :CRYPTOGRAM_3DS
-      p['paymentMethodDetails']['authMethod']   = 'CRYPTOGRAM_3DS'
-      p['paymentMethodDetails']['cryptogram']   = 'SOME CRYPTOGRAM'
-      p['paymentMethodDetails']['eciIndicator'] = '05'
+    if @auth_method == 'CRYPTOGRAM_3DS'
+      value.merge!(
+        'cryptogram'   => @cryptogram    || 'SOME CRYPTOGRAM',
+        'eciIndicator' => @eci_indicator || '05'
+      )
     end
 
-    p
+    value
   end
 
-  # Return a string length as a 4byte little-endian integer, as a string
-  def self.four_byte_length(str)
-    [str.length].pack('V')
-  end
+  def build_cleartext_message
+    return @cleartext_message if @cleartext_message
+    default_message_id = Base64.strict_encode64(OpenSSL::Random.random_bytes(24))
+    default_message_expiration = ((Time.now.to_f + 60 * 5) * 1000).round.to_s
 
-  def self.generate_signature(*args)
-    args.map do |s|
-      four_byte_length(s) + s
-    end.join('')
+    @cleartext_message = {
+      'messageExpiration'    => @message_expiration || default_message_expiration,
+      'messageId'            => @message_id || default_message_id,
+      'paymentMethod'        => @payment_method || 'CARD',
+      'paymentMethodDetails' => build_payment_method_details
+    }
   end
 
-  def self.signature_string(
-    message,
-    recipient_id:     DEFAULTS[:merchant_id],
-    sender_id:        DEFAULTS[:info],
-    protocol_version: 'ECv1'
-  )
+  def build_signed_message
+    return @signed_message if @signed_message
+
+    signed_message = encrypt(build_cleartext_message.to_json)
+    signed_message['encryptedMessage']   = @encrypted_message if @encrypted_message
+    signed_message['ephemeralPublicKey'] = @ephemeral_public_key if @ephemeral_public_key
+    signed_message['tag']                = @tag if @tag
+
+    @signed_message = signed_message
+  end
 
-    generate_signature(sender_id, recipient_id, protocol_version, message)
+  def signed_message_string
+    @signed_message_string ||= build_signed_message.to_json
   end
 
-  # payment::        Google Pay token as a ruby Hash
-  # signing_key::    OpenSSL::PKEY::EC
-  # recipient::      OpenSSL::PKey::EC
-  # signed_message:: Pass a customized message to sign as signed messaged.
-  def self.generate_token_ecv1(payment, signing_key, recipient, signed_message = nil)
-    cipher = OpenSSL::Cipher::AES128.new(:CTR)
-    signed_message ||= JSON.unparse(encrypt(JSON.unparse(payment), recipient, cipher))
-    signature_string = signature_string(signed_message)
+  def build_signed_key
+    return @signed_key if @signed_key
+    ensure_intermediate_key
 
-    {
-      'protocolVersion' => 'ECv1',
-      'signature' =>       sign(signing_key, signature_string),
-      'signedMessage' =>   signed_message,
+    if @intermediate_key.private_key? || @intermediate_key.public_key?
+      public_key = eckey_to_public(@intermediate_key)
+    else
+      fail 'Intermediate key must be public and private key'
+    end
+
+    default_key_value      = Base64.strict_encode64(public_key.to_der)
+    default_key_expiration = "#{Time.now.to_i + 3600}000"
+
+    @signed_key = {
+      'keyExpiration' => @key_expiration || default_key_expiration,
+      'keyValue'      => @key_value || default_key_value,
     }
   end
 
-  def self.generate_token_ecv2(payment, signing_key, intermediate_key, recipient,
-                               signed_message: nil, expire_time:  "#{Time.now.to_i + 3600}000")
-    cipher = OpenSSL::Cipher::AES256.new(:CTR)
-    signed_message ||= JSON.unparse(encrypt(JSON.unparse(payment), recipient, cipher))
-    sig = signature_string(signed_message, protocol_version: 'ECv2')
+  def signed_key_string
+    @signed_key_string ||= build_signed_key.to_json
+  end
 
-    intermediate_pub = OpenSSL::PKey::EC.new(EC_CURVE)
-    intermediate_pub.public_key = intermediate_key.public_key
+  def ensure_root_key
+    @root_key ||= OpenSSL::PKey::EC.new(EC_CURVE).generate_key
+  end
 
-    signed_key = JSON.unparse(
-      'keyExpiration' => expire_time,
-      'keyValue'      => Base64.strict_encode64(intermediate_pub.to_der)
-    )
+  def ensure_intermediate_key
+    @intermediate_key ||= OpenSSL::PKey::EC.new(EC_CURVE).generate_key
+  end
 
-    ik_signature_string = generate_signature('Google', 'ECv2', signed_key)
-    signatures = [sign(signing_key, ik_signature_string)]
+  def build_signature
+    return @signature if @signature
+    key = case @protocol_version
+          when :ECv1
+            ensure_root_key
+          when :ECv2
+            ensure_intermediate_key
+          end
+
+    signature_string =
+      signed_string_message = ['Google',
+                               recipient_id,
+                               @protocol_version.to_s,
+                               signed_message_string].map do |str|
+        [str.length].pack('V') + str
+      end.join
+    @signature = sign(key, signature_string)
+  end
 
-    {
-      'protocolVersion' => 'ECv2',
-      'signature' =>       sign(intermediate_key, sig),
-      'signedMessage' =>   signed_message,
-      'intermediateSigningKey' => {
-        'signedKey'  => signed_key,
-        'signatures' => signatures,
-      },
+  def build_signatures
+    return @signatures if @signatures
+
+    signature_string =
+      signed_key_signature = ['Google', 'ECv2', signed_key_string].map do |str|
+        [str.to_s.length].pack('V') + str.to_s
+      end.join
+
+    @signatures = [sign(ensure_root_key, signature_string)]
+  end
+
+  def build_token
+    return @token if @token
+    res = {
+      'protocolVersion' => @protocol_version.to_s,
+      'signedMessage'   => @signed_message || signed_message_string,
+      'signature'       => build_signature,
     }
+
+    if @protocol_version == :ECv2
+      intermediate = {
+        'intermediateSigningKey' => @intermediate_signing_key || {
+          'signedKey'  => signed_key_string,
+          'signatures' => build_signatures,
+        }
+      }
+
+      res.merge!(intermediate)
+    end
+
+    @token = res
+  end
+
+  def recipient_id
+    @recipient_id ||= DEFAULTS[:recipient_id]
+  end
+
+  def shared_secret
+    return Base64.strict_encode64(@shared_secret) if @shared_secret
+    @shared_secret ||= Random.new.bytes(32)
+    shared_secret
   end
 end

data/lib/aliquot-pay/util.rb

@@ -1,7 +1,7 @@
 require 'openssl'
 require 'hkdf'
 
-module AliquotPay
+class AliquotPay
   class Util
     def self.generate_ephemeral_key
       OpenSSL::PKey::EC.new(AliquotPay::EC_CURVE).generate_key
@@ -11,18 +11,27 @@ module AliquotPay
       private_key.dh_compute_key(public_key)
     end
 
-    def self.derive_keys(ephemeral_public_key, shared_secret, info, length: 32)
+    def self.derive_keys(ephemeral_public_key, shared_secret, info, protocol_version = :ECv2)
+      case protocol_version
+      when :ECv1
+        key_length = 16
+      when :ECv2
+        key_length = 32
+      else
+        raise StandardError, "invalid protocol_version #{protocol_version}"
+      end
+
       input_keying_material = ephemeral_public_key + shared_secret
       if OpenSSL.const_defined?(:KDF) && OpenSSL::KDF.respond_to?(:hkdf)
         h = OpenSSL::Digest::SHA256.new
-        hbytes = OpenSSL::KDF.hkdf(input_keying_material, hash: h, salt: '', length: length * 2, info: info)
+        hbytes = OpenSSL::KDF.hkdf(input_keying_material, hash: h, salt: '', length: key_length * 2, info: info)
       else
-        hbytes = HKDF.new(input_keying_material, algorithm: 'SHA256', info: info).next_bytes(length * 2)
+        hbytes = HKDF.new(input_keying_material, algorithm: 'SHA256', info: info).next_bytes(key_length * 2)
       end
 
       {
-        aes_key: hbytes[0..length - 1],
-        mac_key: hbytes[length..2 * length],
+        aes_key: hbytes[0, key_length],
+        mac_key: hbytes[key_length, key_length],
       }
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aliquot-pay
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Clearhaus
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-11 00:00:00.000000000 Z
+date: 2020-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hkdf
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: aliquot
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -38,7 +52,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3'
-description: 
+description:
 email: hello@clearhaus.com
 executables: []
 extensions: []
@@ -50,7 +64,7 @@ homepage: https://github.com/clearhaus/aliquot-pay
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -65,9 +79,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Generates Google Pay test dummy tokens
 test_files: []