RubyGems - aliquot - Versions diffs - 0.9.1 → 0.10.0 - Mend

aliquot 0.9.1 → 0.10.0

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5a6e9478205fe70ed71491c1988b4a67fc01009b095be55a7f4746dbbc342cd
-  data.tar.gz: 8f2f91c7c87e730f7753970a5ec5ed2caecdef5f3095c87b76762c100a245012
+  metadata.gz: 80203d2d0e3ce4ee09bc59e1e784ea432c1716573187c1fd8ff9822a59a48e48
+  data.tar.gz: 7b07ed3fcaad21506b32e3f9cd78f5424ac3ab9f71d920f2f36e32dd1fb21b31
 SHA512:
-  metadata.gz: 8df3da2fe45775b50d714059419dd5720ed9a0d929daf14463a1b4872d9505e264dd700a11adf1b738a416d8edda93b14cfa97471242f47a744498e4b22c037c
-  data.tar.gz: 547802ae6e59db8c65dd40d9bada6142d89f98ded4b63b9ea62f22765d303b88ec1fff51f33b887b8b4c805e4ae14afbcd40a5afa4c548132bc21cd9e1677c2c
+  metadata.gz: b4c7699b95ea4af8ce4b30cebebdd530acd3139835c7cd3833953498181ee737bf3db4737f36b759eb58c085770e5d6b104000f7bcaa7e2f74a2a8074f07ffec
+  data.tar.gz: 3b3ade2e3c20127c49e33f5957cd502ba6f6e2b0f4388c2f0f924b0ed5dc1830bd04618949b103683ff74b105fd897499330409a9f5e97c1f43cd704d0ddaaf1

data/lib/aliquot/payment.rb ADDED Viewed

@@ -0,0 +1,141 @@
+require 'json'
+require 'base64'
+require 'hkdf'
+require 'openssl'
+require 'aliquot/error'
+require 'aliquot/validator'
+module Aliquot
+  ##
+  # A Payment represents a single payment using Google Pay.
+  # It is used to verify/decrypt the supplied token by using the shared secret,
+  # thus avoiding having knowledge of merchant primary keys.
+  class Payment
+    ##
+    # Parameters:
+    # token_string::  Google Pay token (JSON string)
+    # shared_secret:: Base64 encoded shared secret
+    # merchant_id::   Google Pay merchant ID ("merchant:<SOMETHING>")
+    # signing_keys::  Signing keys fetched from Google
+    def initialize(token_string, shared_secret, merchant_id,
+                   signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
+      validation = Aliquot::Validator::Token.new(JSON.parse(token_string))
+      validation.validate
+      @token = validation.output
+      @shared_secret = shared_secret
+      @merchant_id   = merchant_id
+      @signing_keys  = signing_keys
+    end
+    ##
+    # Validate and decrypt the token.
+    def process
+      unless valid_protocol_version?
+        raise Error, 'only ECv1 protocolVersion is supported'
+      end
+      raise InvalidSignatureError unless valid_signature?
+      validator = Aliquot::Validator::SignedMessage.new(JSON.parse(@token[:signedMessage]))
+      validator.validate
+      signed_message = validator.output
+      aes_key, mac_key = derive_keys(signed_message[:ephemeralPublicKey], @shared_secret, 'Google')
+      unless self.class.valid_mac?(mac_key, signed_message[:encryptedMessage], signed_message[:tag])
+        raise InvalidMacError
+      end
+      @message = JSON.parse(self.class.decrypt(aes_key, signed_message[:encryptedMessage]))
+      message_validator = Aliquot::Validator::EncryptedMessageValidator.new(@message)
+      message_validator.validate
+      # Output is hashed with symbolized keys.
+      @message = message_validator.output
+      raise ExpiredException if expired?
+      @message
+    end
+    def protocol_version
+      @token[:protocolVersion]
+    end
+    def valid_protocol_version?
+      protocol_version == 'ECv1'
+    end
+    ##
+    # Check if the token is expired, according to the messageExpiration included
+    # in the token.
+    def expired?
+      @message[:messageExpiration].to_f / 1000.0 <= Time.now.to_f
+    end
+    def valid_signature?
+      signed_string = ['Google', @merchant_id, protocol_version, @token[:signedMessage]].map do |str|
+        [str.length].pack('V') + str
+      end.join
+      keys = JSON.parse(@signing_keys)['keys']
+      # Check if signature was performed with any possible key.
+      keys.map do |key|
+        next if key['protocolVersion'] != protocol_version
+        ec = OpenSSL::PKey::EC.new(Base64.strict_decode64(key['keyValue']))
+        ec.verify(OpenSSL::Digest::SHA256.new, Base64.strict_decode64(@token[:signature]), signed_string)
+      end.any?
+    end
+    def self.decrypt(key, encrypted)
+      c = OpenSSL::Cipher::AES128.new(:CTR)
+      c.key = key
+      c.decrypt
+      c.update(Base64.strict_decode64(encrypted)) + c.final
+    end
+    def self.valid_mac?(mac_key, data, tag)
+      digest = OpenSSL::Digest::SHA256.new
+      mac = OpenSSL::HMAC.digest(digest, mac_key, Base64.strict_decode64(data))
+      compare(Base64.strict_encode64(mac), tag)
+    end
+    def self.compare(a, b)
+      return false unless a.length == b.length
+      diffs = 0
+      ys = b.unpack('C*')
+      a.each_byte do |x|
+        diffs |= x ^ ys.shift
+      end
+      diffs.zero?
+    end
+    private
+    # Keys are derived according to the Google Pay specification.
+    def derive_keys(ephemeral_public_key, shared_secret, info)
+      input_keying_material = Base64.strict_decode64(ephemeral_public_key) + Base64.strict_decode64(shared_secret)
+      if OpenSSL.const_defined?(:KDF) && OpenSSL::KDF.respond_to?(:hkdf)
+        h = OpenSSL::Digest::SHA256.new
+        key_bytes = OpenSSL::KDF.hkdf(input_keying_material, hash: h, salt: '', length: 32, info: info)
+      else
+        key_bytes = HKDF.new(input_keying_material, algorithm: 'SHA256', info: info).next_bytes(32)
+      end
+      [key_bytes[0..15], key_bytes[16..32]]
+    end
+  end
+end

data/lib/aliquot/validator.rb CHANGED Viewed

@@ -83,7 +83,7 @@ module Aliquot
     # DRY-Validation schema for signedMessage component Google Pay token
     SignedMessageSchema = Dry::Validation.Schema(BaseSchema) do
       required(:encryptedMessage).filled(:str?, :base64?)
-      required(:ephemeralPublicKey).filled(:str?, :base64?)
+      required(:ephemeralPublicKey).filled(:str?, :base64?).value(size?: 44)
       required(:tag).filled(:str?, :base64?)
     end

data/lib/aliquot.rb CHANGED Viewed

@@ -1,209 +1,3 @@
-require 'json'
-require 'base64'
-require 'excon'
-require 'hkdf'
 require 'aliquot/validator'
 require 'aliquot/error'
-$key_updater_semaphore = Mutex.new
-$key_updater_thread = nil
-module Aliquot
-  ##
-  # Constant-time comparison function
-  def self.compare(a, b)
-    err = 0
-    y = b.unpack('C*')
-    a.each_byte do |x|
-      err |= x ^ y.shift
-    end
-    err.zero?
-  end
-  ##
-  # Keys used for signing in production
-  SIGNING_KEY_URL = 'https://payments.developers.google.com/paymentmethodtoken/keys.json'.freeze
-  ##
-  # Keys used for signing in a testing environment
-  TEST_SIGNING_KEY_URL = 'https://payments.developers.google.com/paymentmethodtoken/test/keys.json'.freeze
-  ##
-  # Start a thread that keeps the Google signing keys updated.
-  def self.start_key_updater(logger)
-    source = if ENV['ENVIRONMENT'] == 'production'
-               SIGNING_KEY_URL
-             else
-               TEST_SIGNING_KEY_URL
-             end
-    $key_updater_semaphore.synchronize do
-      # Another thread might have been waiting for on the mutex
-      break unless $key_updater_thread.nil?
-      new_thread = Thread.new do
-        loop do
-          begin
-            timeout = 0
-            conn = Excon.new(source)
-            resp = conn.get
-            raise 'Unable to update keys: ' + resp.data[:status_line] unless resp.status == 200
-            cache_control = resp.headers['Cache-Control'].split(/,\s*/)
-            h = cache_control.map { |x| /\Amax-age=(?<timeout>\d+)\z/ =~ x; timeout }.compact
-            timeout = h.first.to_i if h.length == 1
-            timeout = 86400 if timeout.nil? || !timeout.positive?
-            Thread.current.thread_variable_set('keys', resp.body)
-            # Supposedly recommended by Tink library
-            sleep_time = timeout / 2
-            logger.info('Updated Google signing keys. Sleeping for: ' + (sleep_time / 86400.0).to_s + ' days')
-            sleep sleep_time
-          rescue Interrupt => e
-            # When interrupted
-            logger.fatal('Quitting: ' + e.message)
-            return
-          rescue => e
-            # Don't retry excessively.
-            logger.error('Exception updating Google signing keys: ' + e.message)
-            sleep 1
-          end
-        end
-      end
-      sleep 0.2 while new_thread.thread_variable_get('keys').nil?
-      # Body has now been set.
-      # Let other clients through.
-      $key_updater_thread = new_thread
-    end
-  end
-  ##
-  # A Payment represents a single payment using Google Pay.
-  # It is used to verify/decrypt the supplied token by using the shared secret,
-  # thus avoiding having knowledge of merchant primary keys.
-  class Payment
-    ##
-    # Parameters:
-    # token_string::  Google Pay token (JSON string)
-    # shared_secret:: Base64 encoded shared secret
-    # merchant_id::   Google Pay merchant ID ("merchant:<SOMETHING>")
-    # logger::        The logger to use. Default: Logger.new($stdout)
-    # signing_keys::  Formatted list of signing keys used to sign token contents.
-    #                 Otherwise a thread continuously updating google signing
-    #                 keys will be started.
-    def initialize(token_string, shared_secret, merchant_id,
-                   logger: Logger.new($stdout), signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
-      Aliquot.start_key_updater(logger) if $key_updater_thread.nil? && signing_keys.nil?
-      @signing_keys = signing_keys
-      @shared_secret = shared_secret
-      @merchant_id = merchant_id
-      @token_string = token_string
-    end
-    ##
-    # Validate and decrypt the token.
-    def process
-      @token = JSON.parse(@token_string)
-      validate(Aliquot::Validator::Token, @token)
-      @protocol_version = @token['protocolVersion']
-      raise Error, 'only ECv1 protocolVersion is supported' unless @protocol_version == 'ECv1'
-      raise InvalidSignatureError unless valid_signature?(@token['signedMessage'],
-                                                          @token['signature'])
-      @signed_message = JSON.parse(@token['signedMessage'])
-      validate(Aliquot::Validator::SignedMessage, @signed_message)
-      aes_key, mac_key = derive_keys(@signed_message['ephemeralPublicKey'],
-                                     @shared_secret,
-                                     'Google')
-      raise InvalidMacError unless valid_mac?(mac_key,
-                                              @signed_message['encryptedMessage'],
-                                              @signed_message['tag'])
-      @message = decrypt(aes_key, @signed_message['encryptedMessage'])
-      validate(Aliquot::Validator::EncryptedMessageValidator, @message)
-      raise ExpiredException if expired?
-      @message
-    end
-    ##
-    # Check if the token is expired, according to the messageExpiration included
-    # in the token.
-    def expired?
-      @message['messageExpiration'].to_f / 1000.0 <= Time.now.to_f
-    end
-    private
-    def validate(klass, data)
-      validator = klass.new(data)
-      validator.validate
-    end
-    def derive_keys(ephemeral_public_key, shared_secret, info)
-      ikm = Base64.strict_decode64(ephemeral_public_key) +
-            Base64.strict_decode64(shared_secret)
-      hbytes = HKDF.new(ikm, algorithm: 'SHA256', info: info).next_bytes(32)
-      [hbytes[0..15], hbytes[16..32]]
-    end
-    def decrypt(key, encrypted)
-      c = OpenSSL::Cipher::AES128.new(:CTR)
-      c.key = key
-      c.decrypt
-      plain = c.update(Base64.strict_decode64(encrypted)) + c.final
-      JSON.parse(plain)
-    end
-    def valid_signature?(message, signature)
-      # Generate the string that was signed.
-      signed_string = ['Google', @merchant_id, @protocol_version, message].map do |str|
-        [str.length].pack('V') + str
-      end.join
-      keys = JSON.parse(signing_keys)['keys']
-      # Check if signature was performed with any possible key.
-      keys.map do |e|
-        next if e['protocolVersion'] != @protocol_version
-        ec = OpenSSL::PKey::EC.new(Base64.strict_decode64(e['keyValue']))
-        d  = OpenSSL::Digest::SHA256.new
-        ec.verify(d, Base64.strict_decode64(signature), signed_string)
-      end.any?
-    end
-    def valid_mac?(mac_key, data, tag)
-      d = OpenSSL::Digest::SHA256.new
-      mac = OpenSSL::HMAC.digest(d, mac_key, Base64.strict_decode64(data))
-      mac = Base64.strict_encode64(mac)
-      return false if mac.length != tag.length
-      Aliquot.compare(mac, tag)
-    end
-    def signing_keys
-      # Prefer static signing keys, otherwise fetch from updating thread.
-      @signing_keys || $key_updater_thread.thread_variable_get('keys')
-    end
-  end
-end
+require 'aliquot/payment'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aliquot
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Clearhaus
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-09 00:00:00.000000000 Z
+date: 2019-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -88,6 +102,7 @@ extra_rdoc_files: []
 files:
 - lib/aliquot.rb
 - lib/aliquot/error.rb
+- lib/aliquot/payment.rb
 - lib/aliquot/validator.rb
 homepage: https://github.com/clearhaus/aliquot
 licenses: