RubyGems - aliquot - Versions diffs - 0.9.1 → 0.10.0 - Mend

aliquot 0.9.1 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5a6e9478205fe70ed71491c1988b4a67fc01009b095be55a7f4746dbbc342cd
-  data.tar.gz: 8f2f91c7c87e730f7753970a5ec5ed2caecdef5f3095c87b76762c100a245012
+  metadata.gz: 80203d2d0e3ce4ee09bc59e1e784ea432c1716573187c1fd8ff9822a59a48e48
+  data.tar.gz: 7b07ed3fcaad21506b32e3f9cd78f5424ac3ab9f71d920f2f36e32dd1fb21b31
 SHA512:
-  metadata.gz: 8df3da2fe45775b50d714059419dd5720ed9a0d929daf14463a1b4872d9505e264dd700a11adf1b738a416d8edda93b14cfa97471242f47a744498e4b22c037c
-  data.tar.gz: 547802ae6e59db8c65dd40d9bada6142d89f98ded4b63b9ea62f22765d303b88ec1fff51f33b887b8b4c805e4ae14afbcd40a5afa4c548132bc21cd9e1677c2c
+  metadata.gz: b4c7699b95ea4af8ce4b30cebebdd530acd3139835c7cd3833953498181ee737bf3db4737f36b759eb58c085770e5d6b104000f7bcaa7e2f74a2a8074f07ffec
+  data.tar.gz: 3b3ade2e3c20127c49e33f5957cd502ba6f6e2b0f4388c2f0f924b0ed5dc1830bd04618949b103683ff74b105fd897499330409a9f5e97c1f43cd704d0ddaaf1

data/lib/aliquot/payment.rb ADDED Viewed

@@ -0,0 +1,141 @@
+require 'json'
+require 'base64'
+require 'hkdf'
+require 'openssl'
+require 'aliquot/error'
+require 'aliquot/validator'
+module Aliquot
+  ##
+  # A Payment represents a single payment using Google Pay.
+  # It is used to verify/decrypt the supplied token by using the shared secret,
+  # thus avoiding having knowledge of merchant primary keys.
+  class Payment
+    ##
+    # Parameters:
+    # token_string::  Google Pay token (JSON string)
+    # shared_secret:: Base64 encoded shared secret
+    # merchant_id::   Google Pay merchant ID ("merchant:<SOMETHING>")
+    # signing_keys::  Signing keys fetched from Google
+    def initialize(token_string, shared_secret, merchant_id,
+                   signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
+      validation = Aliquot::Validator::Token.new(JSON.parse(token_string))
+      validation.validate
+      @token = validation.output
+      @shared_secret = shared_secret
+      @merchant_id   = merchant_id
+      @signing_keys  = signing_keys
+    end
+    ##
+    # Validate and decrypt the token.
+    def process
+      unless valid_protocol_version?
+        raise Error, 'only ECv1 protocolVersion is supported'
+      end
+      raise InvalidSignatureError unless valid_signature?
+      validator = Aliquot::Validator::SignedMessage.new(JSON.parse(@token[:signedMessage]))
+      validator.validate
+      signed_message = validator.output
+      aes_key, mac_key = derive_keys(signed_message[:ephemeralPublicKey], @shared_secret, 'Google')
+      unless self.class.valid_mac?(mac_key, signed_message[:encryptedMessage], signed_message[:tag])
+        raise InvalidMacError
+      end
+      @message = JSON.parse(self.class.decrypt(aes_key, signed_message[:encryptedMessage]))
+      message_validator = Aliquot::Validator::EncryptedMessageValidator.new(@message)
+      message_validator.validate
+      # Output is hashed with symbolized keys.
+      @message = message_validator.output
+      raise ExpiredException if expired?
+      @message
+    end
+    def protocol_version
+      @token[:protocolVersion]
+    end
+    def valid_protocol_version?
+      protocol_version == 'ECv1'
+    end
+    ##
+    # Check if the token is expired, according to the messageExpiration included
+    # in the token.
+    def expired?
+      @message[:messageExpiration].to_f / 1000.0 <= Time.now.to_f
+    end
+    def valid_signature?
+      signed_string = ['Google', @merchant_id, protocol_version, @token[:signedMessage]].map do |str|
+        [str.length].pack('V') + str
+      end.join
+      keys = JSON.parse(@signing_keys)['keys']
+      # Check if signature was performed with any possible key.
+      keys.map do |key|
+        next if key['protocolVersion'] != protocol_version
+        ec = OpenSSL::PKey::EC.new(Base64.strict_decode64(key['keyValue']))
+        ec.verify(OpenSSL::Digest::SHA256.new, Base64.strict_decode64(@token[:signature]), signed_string)
+      end.any?
+    end
+    def self.decrypt(key, encrypted)
+      c = OpenSSL::Cipher::AES128.new(:CTR)
+      c.key = key
+      c.decrypt
+      c.update(Base64.strict_decode64(encrypted)) + c.final
+    end
+    def self.valid_mac?(mac_key, data, tag)
+      digest = OpenSSL::Digest::SHA256.new
+      mac = OpenSSL::HMAC.digest(digest, mac_key, Base64.strict_decode64(data))
+      compare(Base64.strict_encode64(mac), tag)
+    end
+    def self.compare(a, b)
+      return false unless a.length == b.length
+      diffs = 0
+      ys = b.unpack('C*')
+      a.each_byte do |x|
+        diffs |= x ^ ys.shift
+      end
+      diffs.zero?
+    end
+    private
+    # Keys are derived according to the Google Pay specification.
+    def derive_keys(ephemeral_public_key, shared_secret, info)
+      input_keying_material = Base64.strict_decode64(ephemeral_public_key) + Base64.strict_decode64(shared_secret)
+      if OpenSSL.const_defined?(:KDF) && OpenSSL::KDF.respond_to?(:hkdf)
+        h = OpenSSL::Digest::SHA256.new
+        key_bytes = OpenSSL::KDF.hkdf(input_keying_material, hash: h, salt: '', length: 32, info: info)
+      else
+        key_bytes = HKDF.new(input_keying_material, algorithm: 'SHA256', info: info).next_bytes(32)
+      end
+      [key_bytes[0..15], key_bytes[16..32]]
+    end
+  end
+end

data/lib/aliquot/validator.rb CHANGED Viewed

@@ -83,7 +83,7 @@ module Aliquot
     # DRY-Validation schema for signedMessage component Google Pay token
     SignedMessageSchema = Dry::Validation.Schema(BaseSchema) do
       required(:encryptedMessage).filled(:str?, :base64?)
-      required(:ephemeralPublicKey).filled(:str?, :base64?)
+      required(:ephemeralPublicKey).filled(:str?, :base64?).value(size?: 44)
       required(:tag).filled(:str?, :base64?)
     end

data/lib/aliquot.rb CHANGED Viewed

@@ -1,209 +1,3 @@
-require 'json'
-require 'base64'
-require 'excon'
-require 'hkdf'
 require 'aliquot/validator'
 require 'aliquot/error'
-$key_updater_semaphore = Mutex.new
-$key_updater_thread = nil
-module Aliquot
-  ##
-  # Constant-time comparison function
-  def self.compare(a, b)
-    err = 0
-    y = b.unpack('C*')
-    a.each_byte do |x|
-      err |= x ^ y.shift
-    end
-    err.zero?
-  end
-  ##
-  # Keys used for signing in production
-  SIGNING_KEY_URL = 'https://payments.developers.google.com/paymentmethodtoken/keys.json'.freeze
-  ##
-  # Keys used for signing in a testing environment
-  TEST_SIGNING_KEY_URL = 'https://payments.developers.google.com/paymentmethodtoken/test/keys.json'.freeze
-  ##
-  # Start a thread that keeps the Google signing keys updated.
-  def self.start_key_updater(logger)
-    source = if ENV['ENVIRONMENT'] == 'production'
-               SIGNING_KEY_URL
-             else
-               TEST_SIGNING_KEY_URL
-             end
-    $key_updater_semaphore.synchronize do
-      # Another thread might have been waiting for on the mutex
-      break unless $key_updater_thread.nil?
-      new_thread = Thread.new do
-        loop do
-          begin
-            timeout = 0
-            conn = Excon.new(source)
-            resp = conn.get
-            raise 'Unable to update keys: ' + resp.data[:status_line] unless resp.status == 200
-            cache_control = resp.headers['Cache-Control'].split(/,\s*/)
-            h = cache_control.map { |x| /\Amax-age=(?<timeout>\d+)\z/ =~ x; timeout }.compact
-            timeout = h.first.to_i if h.length == 1
-            timeout = 86400 if timeout.nil? || !timeout.positive?
-            Thread.current.thread_variable_set('keys', resp.body)
-            # Supposedly recommended by Tink library
-            sleep_time = timeout / 2
-            logger.info('Updated Google signing keys. Sleeping for: ' + (sleep_time / 86400.0).to_s + ' days')
-            sleep sleep_time
-          rescue Interrupt => e
-            # When interrupted
-            logger.fatal('Quitting: ' + e.message)
-            return
-          rescue => e
-            # Don't retry excessively.
-            logger.error('Exception updating Google signing keys: ' + e.message)
-            sleep 1
-          end
-        end
-      end
-      sleep 0.2 while new_thread.thread_variable_get('keys').nil?
-      # Body has now been set.
-      # Let other clients through.
-      $key_updater_thread = new_thread
-    end
-  end
-  ##
-  # A Payment represents a single payment using Google Pay.
-  # It is used to verify/decrypt the supplied token by using the shared secret,
-  # thus avoiding having knowledge of merchant primary keys.
-  class Payment
-    ##
-    # Parameters:
-    # token_string::  Google Pay token (JSON string)
-    # shared_secret:: Base64 encoded shared secret
-    # merchant_id::   Google Pay merchant ID ("merchant:<SOMETHING>")
-    # logger::        The logger to use. Default: Logger.new($stdout)
-    # signing_keys::  Formatted list of signing keys used to sign token contents.
-    #                 Otherwise a thread continuously updating google signing
-    #                 keys will be started.
-    def initialize(token_string, shared_secret, merchant_id,
-                   logger: Logger.new($stdout), signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
-      Aliquot.start_key_updater(logger) if $key_updater_thread.nil? && signing_keys.nil?
-      @signing_keys = signing_keys
-      @shared_secret = shared_secret
-      @merchant_id = merchant_id
-      @token_string = token_string
-    end
-    ##
-    # Validate and decrypt the token.
-    def process
-      @token = JSON.parse(@token_string)
-      validate(Aliquot::Validator::Token, @token)
-      @protocol_version = @token['protocolVersion']
-      raise Error, 'only ECv1 protocolVersion is supported' unless @protocol_version == 'ECv1'
-      raise InvalidSignatureError unless valid_signature?(@token['signedMessage'],
-                                                          @token['signature'])
-      @signed_message = JSON.parse(@token['signedMessage'])
-      validate(Aliquot::Validator::SignedMessage, @signed_message)
-      aes_key, mac_key = derive_keys(@signed_message['ephemeralPublicKey'],
-                                     @shared_secret,
-                                     'Google')
-      raise InvalidMacError unless valid_mac?(mac_key,
-                                              @signed_message['encryptedMessage'],
-                                              @signed_message['tag'])
-      @message = decrypt(aes_key, @signed_message['encryptedMessage'])
-      validate(Aliquot::Validator::EncryptedMessageValidator, @message)
-      raise ExpiredException if expired?
-      @message
-    end
-    ##
-    # Check if the token is expired, according to the messageExpiration included
-    # in the token.
-    def expired?
-      @message['messageExpiration'].to_f / 1000.0 <= Time.now.to_f
-    end
-    private
-    def validate(klass, data)
-      validator = klass.new(data)
-      validator.validate
-    end
-    def derive_keys(ephemeral_public_key, shared_secret, info)
-      ikm = Base64.strict_decode64(ephemeral_public_key) +
-            Base64.strict_decode64(shared_secret)
-      hbytes = HKDF.new(ikm, algorithm: 'SHA256', info: info).next_bytes(32)
-      [hbytes[0..15], hbytes[16..32]]
-    end
-    def decrypt(key, encrypted)
-      c = OpenSSL::Cipher::AES128.new(:CTR)
-      c.key = key
-      c.decrypt
-      plain = c.update(Base64.strict_decode64(encrypted)) + c.final
-      JSON.parse(plain)
-    end
-    def valid_signature?(message, signature)
-      # Generate the string that was signed.
-      signed_string = ['Google', @merchant_id, @protocol_version, message].map do |str|
-        [str.length].pack('V') + str
-      end.join
-      keys = JSON.parse(signing_keys)['keys']
-      # Check if signature was performed with any possible key.
-      keys.map do |e|
-        next if e['protocolVersion'] != @protocol_version
-        ec = OpenSSL::PKey::EC.new(Base64.strict_decode64(e['keyValue']))
-        d  = OpenSSL::Digest::SHA256.new
-        ec.verify(d, Base64.strict_decode64(signature), signed_string)
-      end.any?
-    end
-    def valid_mac?(mac_key, data, tag)
-      d = OpenSSL::Digest::SHA256.new
-      mac = OpenSSL::HMAC.digest(d, mac_key, Base64.strict_decode64(data))
-      mac = Base64.strict_encode64(mac)
-      return false if mac.length != tag.length
-      Aliquot.compare(mac, tag)
-    end
-    def signing_keys
-      # Prefer static signing keys, otherwise fetch from updating thread.
-      @signing_keys || $key_updater_thread.thread_variable_get('keys')
-    end
-  end
-end
+require 'aliquot/payment'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aliquot
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Clearhaus
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-09 00:00:00.000000000 Z
+date: 2019-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -88,6 +102,7 @@ extra_rdoc_files: []
 files:
 - lib/aliquot.rb
 - lib/aliquot/error.rb
+- lib/aliquot/payment.rb
 - lib/aliquot/validator.rb
 homepage: https://github.com/clearhaus/aliquot
 licenses: