apple_pay 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2e2d670b4b42468a1fd808f6def948711705cc64
-  data.tar.gz: ae5ed92e30f238e36e9e561dfc80d51fcd62e046
+  metadata.gz: 872eee631d7a4283f5db260d42e8c8d7ec74374b
+  data.tar.gz: 37de100fe240ee997d2fbc651cde5556c6a1be14
 SHA512:
-  metadata.gz: 1f0a8132576548e9c84671c47e680e40fed322fc0e036897f5a3e3f7d07e9c8b52d4fae6225be7649b2277e59e60282dc661b5a4639c4392726cdd39bcc0b9ab
-  data.tar.gz: 248f63fa443c0c73d40b1035146b6254943d041d75dba31edf5b8a72819886c5675cd3833a92c105a0a0a64f72d1e8d3759eef1adc752b5a0b1c9e4639899f21
+  metadata.gz: 4d65c58543c27b2479c0ce62f2645306223a2702b19a7462c744df3be5b4427e446c1ffd368ba86cdea8a5675b6889d619c72cbd75833b5360dbaaabeea04f19
+  data.tar.gz: 2983387b72c306189db5407a1654006ba45547423ccb36cc4e7e1ecbaeb665c483e19cd3f903effe2138e9485bc2a63254770aebebe37b846f7ac8db933f8b85

data/VERSION

@@ -1 +1 @@
-0.0.1
+0.0.2

data/apple_pay.gemspec

@@ -4,8 +4,8 @@ Gem::Specification.new do |spec|
   spec.authors = ['Nov Matake']
   spec.email = ['nov@matake.jp']
 
-  spec.summary = %q{Apple Pay Merchant Backend}
-  spec.description = %q{Apple Pay Merchant Backend}
+  spec.summary = %q{Apple Pay Merchant Backend}
+  spec.description = %q{Apple Pay Merchant Backend}
   spec.homepage = 'https://github.com/nov/apple_pay.git'
   spec.license = 'MIT'
   spec.files = `git ls-files -z`.split("\x0").reject do |f|

data/lib/apple_pay.rb

@@ -7,7 +7,7 @@ module ApplePay
     File.join(__dir__, '../VERSION')
   ).strip
 
-  class APIError < StandardError; end
+  class Error < StandardError; end
 
   def self.logger
     @@logger
@@ -38,4 +38,5 @@ module ApplePay
 end
 
 require 'apple_pay/merchant'
+require 'apple_pay/payment_token'
 require 'apple_pay/request_filter/debugger'

data/lib/apple_pay/merchant.rb

@@ -1,5 +1,7 @@
 module ApplePay
   class Merchant
+    class APIError < Error; end
+
     attr_accessor :identifier, :domain, :display_name, :client_cert, :private_key
 
     def initialize(identifier, domain:, display_name:)
@@ -9,7 +11,7 @@ module ApplePay
     end
 
     def authenticate(client_cert, private_key)
-      self.client_cert = client_cert
+      self.client_cert = client_cert # NOTE: Apple Pay Merchant Identity
       self.private_key = private_key
       self
     end

data/lib/apple_pay/payment_token.rb

@@ -0,0 +1,35 @@
+module ApplePay
+  class PaymentToken
+    attr_accessor :token
+
+    def initialize(token)
+      self.token = token.with_indifferent_access
+    end
+
+    def verify!
+      Signature.new(
+        token[:paymentData][:signature],
+        data: token[:paymentData][:data],
+        ephemeral_public_key: token[:paymentData][:header][:ephemeralPublicKey],
+        transaction_id: token[:paymentData][:header][:transactionId],
+        application_data: token[:paymentData][:header][:applicationData]
+      ).verify!
+      self
+    end
+
+    def decrypt!(client_cert, private_key)
+      decrypted = EncryptedData.new(
+        token[:paymentData][:data]
+      ).decrypt!(
+        client_cert,
+        private_key,
+        token[:paymentData][:header][:ephemeralPublicKey]
+      )
+      JSON.parse decrypted
+    end
+  end
+end
+
+require 'apple_pay/payment_token/certificate_chain'
+require 'apple_pay/payment_token/signature'
+require 'apple_pay/payment_token/encrypted_data'

data/lib/apple_pay/payment_token/certificate_chain.rb

@@ -0,0 +1,32 @@
+module ApplePay
+  class PaymentToken
+    class CertificateChain
+      CHAIN_OIDS = {
+        leaf: '1.2.840.113635.100.6.29',
+        intermediate: '1.2.840.113635.100.6.2.14'
+      }
+
+      attr_accessor :pkcs7, :leaf, :intermediate, :root
+
+      def initialize(pkcs7_encoded)
+        self.pkcs7 = OpenSSL::PKCS7.new Base64.decode64(pkcs7_encoded)
+        [:leaf, :intermediate].each do |position|
+          detected = pkcs7.certificates.detect do |cert|
+            cert.extensions.collect(&:oid).include? CHAIN_OIDS[position]
+          end
+          self.send "#{position}=", detected
+        end
+        self.root = OpenSSL::X509::Certificate.new(
+          File.read File.join(__dir__, 'AppleRootCa-G3.cer')
+        )
+      end
+
+      def verify(signature_base_string)
+        trusted_store = OpenSSL::X509::Store.new
+        trusted_store.add_cert root
+        pkcs7.certificates = [leaf, intermediate].compact
+        pkcs7.verify nil, trusted_store, signature_base_string
+      end
+    end
+  end
+end

data/lib/apple_pay/payment_token/encrypted_data.rb

@@ -0,0 +1,77 @@
+module ApplePay
+  class PaymentToken
+    class EncryptedData
+      class DecryptionFailed < Error; end
+
+      MERCHANT_ID_OID = '1.2.840.113635.100.6.32'
+
+      attr_accessor :data
+
+      def initialize(encoded_data)
+        self.data = Base64.decode64 encoded_data
+      end
+
+      def decrypt!(client_cert, private_key, ephemeral_public_key_or_wrapped_key) # NOTE: Payment Processing Certificate
+        merchant_id = merchant_id_in client_cert
+        shared_secret = shared_secret_derived_from private_key, ephemeral_public_key_or_wrapped_key
+        symmetric_key = symmetric_key_derived_from merchant_id, shared_secret
+        cipher = OpenSSL::Cipher.new('aes-256-gcm')
+        cipher.decrypt
+        cipher.iv_len = 16 # NOTE: require ruby 2.4.0+ & openssl gem v2.0.0+
+        cipher.key = symmetric_key
+        cipher.auth_tag = data[-16..-1]
+        cipher.update(data[0..-17]) + cipher.final
+      end
+
+      private
+
+      def merchant_id_in(client_cert)
+        merchant_id_with_prefix = client_cert.extensions.detect do |ext|
+          ext.oid == MERCHANT_ID_OID
+        end
+        raise DecryptionFailed, 'Merchant ID missing' unless merchant_id_with_prefix
+        merchant_id_with_prefix.value[2..-1]
+      end
+
+      def shared_secret_derived_from(private_key, ephemeral_public_key_or_wrapped_key)
+        case private_key
+        when OpenSSL::PKey::RSA
+          shared_secret_derived_from_rsa(
+            private_key,
+            ephemeral_public_key_or_wrapped_key
+          )
+        when OpenSSL::PKey::EC
+          shared_secret_derived_from_ec(
+            private_key,
+            ephemeral_public_key_or_wrapped_key
+          )
+        else
+          raise DecryptionFailed, "Unknown algorithm (#{private_key.class})"
+        end
+      end
+
+      def shared_secret_derived_from_rsa(private_key, wrapped_key)
+        raise DecryptionFailed, 'RSA not supported yet'
+      end
+
+      def shared_secret_derived_from_ec(private_key, ephemeral_public_key)
+        public_key = OpenSSL::PKey::EC.new(
+          Base64.decode64 ephemeral_public_key
+        ).public_key
+        point = OpenSSL::PKey::EC::Point.new(
+          private_key.group,
+          public_key.to_bn
+        )
+        private_key.dh_compute_key point
+      end
+
+      def symmetric_key_derived_from(merchant_id, shared_secret)
+        OpenSSL::Digest::SHA256.digest(
+          "\x00" * 3 + "\x01" +
+          shared_secret +
+          "\x0D" + 'id-aes256-GCM' + 'Apple' + [merchant_id].pack("H*")
+        )
+      end
+    end
+  end
+end

data/lib/apple_pay/payment_token/signature.rb

@@ -0,0 +1,31 @@
+module ApplePay
+  class PaymentToken
+    class Signature
+      class VerificationFailed < Error; end
+
+      attr_accessor :signature, :data, :ephemeral_public_key, :wrapped_key, :transaction_id, :application_data
+
+      def initialize(signature, data:, ephemeral_public_key: nil, wrapped_key: nil, transaction_id:, application_data: nil)
+        self.signature = signature
+        self.data = data
+        self.ephemeral_public_key = ephemeral_public_key
+        self.wrapped_key = wrapped_key
+        self.transaction_id = transaction_id
+        self.application_data = application_data
+      end
+
+      def verify!
+        chain = CertificateChain.new signature
+        signature_base_string = [
+          Base64.decode64(ephemeral_public_key || wrapped_key),
+          Base64.decode64(data),
+          [transaction_id].pack('H*'),
+          [application_data].pack('H*')
+        ].join
+        chain.verify(
+          signature_base_string
+        ) or raise VerificationFailed
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple_pay
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Nov Matake
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-09-29 00:00:00.000000000 Z
+date: 2016-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -94,7 +94,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: "\x10Apple Pay Merchant Backend"
+description: Apple Pay Merchant Backend
 email:
 - nov@matake.jp
 executables: []
@@ -114,6 +114,11 @@ files:
 - bin/setup
 - lib/apple_pay.rb
 - lib/apple_pay/merchant.rb
+- lib/apple_pay/payment_token.rb
+- lib/apple_pay/payment_token/AppleRootCA-G3.cer
+- lib/apple_pay/payment_token/certificate_chain.rb
+- lib/apple_pay/payment_token/encrypted_data.rb
+- lib/apple_pay/payment_token/signature.rb
 - lib/apple_pay/request_filter/debugger.rb
 homepage: https://github.com/nov/apple_pay.git
 licenses:
@@ -135,8 +140,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.6
 signing_key: 
 specification_version: 4
-summary: "\x10Apple Pay Merchant Backend"
+summary: Apple Pay Merchant Backend
 test_files: []