cybersource_rest_client 0.0.79 → 0.0.81

data/lib/AuthenticationSDK/util/CachedMLEKId.rb

@@ -0,0 +1,17 @@
+# Cache value object to store MLE KID data
+class CachedMLEKId
+  attr_accessor :kid, :last_modified_timestamp
+
+  def initialize(kid = nil, last_modified_timestamp = nil)
+    @kid = kid
+    @last_modified_timestamp = last_modified_timestamp
+  end
+
+  def to_s
+    "CachedMLEKId(kid: #{@kid ? 'present' : 'nil'}, last_modified_timestamp: #{@last_modified_timestamp})"
+  end
+
+  def empty?
+    @kid.nil? && @last_modified_timestamp.nil?
+  end
+end

data/lib/AuthenticationSDK/util/CertificateUtility.rb

@@ -7,34 +7,6 @@ public
   class CertificateUtility
     @@logger
 
-    def self.getCertificateCollectionAndPrivateKeyFromP12(certificateFilePath, merchantConfig)
-      if !CertificateUtility.class_variable_defined?(:@@logger) || @@logger.nil?
-        @@logger = Log.new merchantConfig.log_config, "CertificateUtility"
-      end
-      logger = @@logger.logger
-
-      p12File = File.binread(certificateFilePath)
-      p12Object = OpenSSL::PKCS12.new(p12File, merchantConfig.keyPass)
-
-      privateKey = OpenSSL::PKey::RSA.new(p12Object.key)
-
-      primaryX5Certificate = p12Object.certificate
-      additionalX5Certificates = p12Object.ca_certs
-
-      certificateList = [primaryX5Certificate]
-      certificateList.concat(additionalX5Certificates) if additionalX5Certificates
-
-      return [privateKey, certificateList]
-    end
-
-    def self.getCertificateBasedOnKeyAlias(certificateList, keyAlias)
-      return nil if certificateList.nil?
-
-      certificateList.find do |cert|
-        cert.subject.to_a.any? { |_, value, _| value.include?(keyAlias) }
-      end
-    end
-
     def self.getCertificatesFromPemFile(certificateFilePath)
       pem_data = File.read(certificateFilePath)
       certificateList = []
@@ -121,4 +93,112 @@ public
         raise IOError, "#{pathType} is not readable: #{path}"
       end
     end
-  end
+
+    def self.read_private_key_from_p12(p12_file_path, password)
+      begin
+        # `password` should be a String in Ruby
+        raise ArgumentError, "password must be a String" unless password.is_a?(String)
+
+        data = File.binread(p12_file_path)
+        pkcs12 = OpenSSL::PKCS12.new(data, password)
+
+        key = pkcs12.key
+        raise "No private key found in the P12 file" if key.nil?
+
+        jwk_private_key = self.convert_key_to_JWK(key)
+        return jwk_private_key
+      rescue OpenSSL::PKCS12::PKCS12Error => e
+        raise "Could not recover key from P12: #{e.message}"
+      rescue Errno::ENOENT => e
+        raise "P12 file not found: #{p12_file_path}"
+      end
+    end
+
+    def self.load_private_key_from_pem_file(key_file_path, password = nil)
+      begin
+        pem_data = File.binread(key_file_path)
+
+        # OpenSSL::PKey.read supports:
+        # - "BEGIN RSA/EC/PRIVATE KEY" (PKCS#1), encrypted or not (Proc-Type/DEK-Info)
+        # - "BEGIN PRIVATE KEY" (PKCS#8 unencrypted)
+        # - "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8 encrypted)
+        rsa_key = OpenSSL::PKey.read(pem_data, password)
+        jwk_private_key = self.convert_key_to_JWK(rsa_key)
+        return jwk_private_key
+      rescue OpenSSL::PKey::PKeyError => e
+        # Missing password for an encrypted PEM
+        if pem_data =~ /(BEGIN ENCRYPTED PRIVATE KEY|Proc-Type:\s*4,ENCRYPTED)/ && (password.nil? || password.to_s.empty?)
+          raise ArgumentError, "Private key is password protected, but no password was provided."
+        end
+
+        # Wrong password (common OpenSSL messages)
+        if password && e.message =~ /(bad decrypt|bad password|mac verify failure)/i
+          logger&.error("Failed to decrypt PKCS#8 private key - incorrect password provided")
+          raise ArgumentError, "Password is incorrect for the encrypted private key. Error: #{e.message}"
+        end
+
+        # Unsupported/invalid PEM contents
+        raise ArgumentError, "Unsupported PEM object or invalid key: #{e.message}"
+      rescue Errno::ENOENT
+        raise ArgumentError, "PEM file not found: #{key_file_path}"
+      end
+    end
+
+    def self.convert_key_to_JWK(keyValue, password=nil)
+      if !keyValue.nil?
+        case keyValue
+        when String
+          begin
+            if keyValue.encoding == Encoding::UTF_8
+              # This is for PEM formatted string
+              encrypted = keyValue.include?('BEGIN ENCRYPTED PRIVATE KEY')
+              pkey = nil
+
+              key = begin
+                if encrypted
+                  if password.nil? || password.empty?
+                    raise ArgumentError, "Encrypted PEM detected, but no password was provided."
+                  end
+                  pkey = OpenSSL::PKey.read(keyValue, password)
+                else
+                  # Try without password first
+                  pkey = OpenSSL::PKey.read(keyValue)
+                end
+              rescue OpenSSL::PKey::PKeyError
+                # If initial attempt failed and a password was provided, retry with password
+                if !password.nil? && !password.empty?
+                  begin
+                    pkey = OpenSSL::PKey.read(keyValue, password)
+                  rescue OpenSSL::PKey::PKeyError => e
+                    raise "Failed to load PEM private key. Incorrect password or corrupted/unsupported format. OpenSSL: #{e.message}"
+                  end
+                else
+                  raise "Failed to load PEM private key. Invalid key format or password required."
+                end
+              end
+              keyValue = JOSE::JWK.from_key(pkey)
+            else
+              # This is for P12 formatted string
+              begin
+                if !password.nil? && !password.empty?
+                  pkey = OpenSSL::PKCS12.new(keyValue, password)
+                else
+                  pkey = OpenSSL::PKCS12.new(keyValue)
+                end
+              rescue OpenSSL::PKCS12::PKCS12Error => e
+                raise "Could not recover key from P12 data: #{e.message}"
+              end
+
+              key = pkey.key
+              raise "No private key found in the P12 data" if key.nil?
+              keyValue = JOSE::JWK.from_key(key)
+            end
+          end
+        when OpenSSL::PKey::RSA
+          keyValue = JOSE::JWK.from_pem(keyValue.to_pem)
+        else
+          keyValue = JOSE::JWK.from_key(keyValue)
+        end
+      end
+    end
+  end

data/lib/AuthenticationSDK/util/Constants.rb

@@ -175,4 +175,10 @@
       MLE_CACHE_IDENTIFIER_FOR_P12_CERT = "mleCertFromP12"
 
       DEFAULT_KEY_FILE_PATH = File.join(Dir.pwd, "resources")
+
+      MLE_CACHE_KEY_IDENTIFIER_FOR_RESPONSE_PRIVATE_KEY = "mleResponsePrivateKeyFromFile"
+
+      PUBLIC_KEY_CACHE_IDENTIFIER = "FlexV2PublicKeys"
+      
+      RESPONSE_MLE_P12_PFX_CACHE_IDENTIFIER = "_responseMleP12Pfx"
   end

data/lib/AuthenticationSDK/util/JWT/JWTExceptions.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module CyberSource
+  module Authentication
+    module Util
+      module JWT
+        # Base JWT Exception Class
+        #
+        # Provides enhanced exception handling for JWT-related operations with
+        # error chaining and detailed stack trace information.
+        class JWTException < StandardError
+          # @param message [String] Error message describing the exception
+          # @param cause [Exception, nil] Optional underlying cause of the error
+          def initialize(message = '', cause = nil)
+            super(message)
+            set_backtrace(cause.backtrace) if cause&.backtrace
+          end
+
+          # @return [Boolean] True if a cause exception exists
+          def has_cause?
+            !cause.nil?
+          end
+
+          # @return [String] Exception string with cause information
+          def to_s
+            return super unless has_cause?
+
+            "#{super}\nCaused by: #{cause}"
+          end
+
+          # @return [Array<Exception>] Array of exceptions in the chain
+          def exception_chain
+            chain = [self]
+            current = cause
+
+            while current
+              chain << current
+              current = current.cause
+            end
+
+            chain
+          end
+
+          # @return [Exception] The root cause of the exception chain
+          def root_cause
+            exception_chain.last
+          end
+
+          # @return [Array<String>] Error messages from all exceptions in the chain
+          def cause_chain_messages
+            exception_chain.map(&:message)
+          end
+
+          # @param highlight [Boolean] Whether to highlight the message
+          # @param order [Symbol] :top or :bottom, determines message order
+          # @return [String] Detailed error message with all causes
+          def full_message(highlight: false, order: :top, **)
+            messages = exception_chain.each_with_index.map do |exception, index|
+              prefix = index.zero? ? '' : 'Caused by: '
+              "#{prefix}#{exception.class}: #{exception.message}"
+            end
+
+            order == :bottom ? messages.reverse.join("\n") : messages.join("\n")
+          end
+        end
+
+        # Thrown when a JSON Web Key (JWK) is invalid or malformed
+        class InvalidJwkException < JWTException
+        end
+
+        # Thrown when a JWT token is invalid, malformed, or cannot be processed
+        class InvalidJwtException < JWTException
+        end
+
+        # Thrown when JWT signature validation fails
+        class JwtSignatureValidationException < JWTException
+        end
+      end
+    end
+  end
+end

data/lib/AuthenticationSDK/util/JWT/JWTUtility.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'json'
+require_relative 'JWTExceptions'
+
+module CyberSource
+  module Authentication
+    module Util
+      module JWT
+        # JWT Utility Class
+        #
+        # Provides JWT parsing, verification, and JWK handling functionality.
+        #
+        # @category Class
+        # @package  CyberSource::Authentication::Util::JWT
+        # @author   CyberSource
+        class JWTUtility
+          # Supported JWT algorithms
+          SUPPORTED_ALGORITHMS = %w[RS256 RS384 RS512].freeze
+
+          class << self
+            # Parses a JWT token and extracts its header, payload, and signature components
+            #
+            # @param jwt_token [String] The JWT token to parse
+            #
+            # @return [Hash] Hash containing header, payload, signature, and raw parts
+            # @raise [InvalidJwtException] If the JWT token is invalid or malformed
+            def parse(jwt_token)
+              raise InvalidJwtException.new('JWT token is null or undefined') if jwt_token.to_s.empty?
+
+              token_parts = jwt_token.split('.')
+              if token_parts.length != 3
+                raise InvalidJwtException.new('Invalid JWT token format: expected 3 parts separated by dots')
+              end
+
+              if token_parts.any?(&:empty?)
+                raise InvalidJwtException.new('Malformed JWT : JWT provided does not conform to the proper structure for JWT')
+              end
+
+              begin
+                header = JSON.parse(::JWT::Base64.url_decode(token_parts[0]))
+                payload = JSON.parse(::JWT::Base64.url_decode(token_parts[1]))
+                signature = token_parts[2]
+
+                {
+                  header: header,
+                  payload: payload,
+                  signature: signature,
+                  raw_header: token_parts[0],
+                  raw_payload: token_parts[1]
+                }
+              rescue StandardError => e
+                raise InvalidJwtException.new("Malformed JWT cannot be parsed: #{e.message}", e)
+              end
+            end
+
+            # Verifies a JWT token using an RSA public key
+            #
+            # @param jwt_token [String] The JWT token to verify
+            # @param public_key [String, Hash] The RSA public key (JWK Hash or JSON string)
+            #
+            # @return [void]
+            # @raise [InvalidJwtException] If JWT parsing fails
+            # @raise [JwtSignatureValidationException] If signature verification fails
+            # @raise [InvalidJwkException] If the public key is invalid
+            # @raise [JSON::ParserError] If JSON parsing fails
+            def verify_jwt(jwt_token, public_key)
+              raise JwtSignatureValidationException.new('No public key found') if public_key.to_s.empty?
+              raise JwtSignatureValidationException.new('JWT token is null or undefined') if jwt_token.to_s.empty?
+
+              parsed_token = parse(jwt_token)
+              header = parsed_token[:header]
+
+              if header['alg'].nil? || header['alg'].to_s.empty?
+                raise JwtSignatureValidationException.new('JWT header missing algorithm (alg) field')
+              end
+
+              algorithm = header['alg']
+              unless SUPPORTED_ALGORITHMS.include?(algorithm)
+                supported_algs = SUPPORTED_ALGORITHMS.join(', ')
+                raise JwtSignatureValidationException.new(
+                  format('Unsupported JWT algorithm: %s. Supported algorithms: %s', algorithm, supported_algs)
+                )
+              end
+
+              jwk_key = validate_and_parse_jwk(public_key)
+              jwk_key['alg'] ||= algorithm
+
+              begin
+                rsa_key = jwk_to_rsa_key(jwk_key)
+                ::JWT.decode(jwt_token, rsa_key, true, { algorithm: algorithm })
+
+              rescue ::JWT::VerificationError => e
+                raise JwtSignatureValidationException.new('JWT signature verification failed', e)
+              rescue ::JWT::ExpiredSignature => e
+                raise JwtSignatureValidationException.new('JWT has expired (exp claim)', e)
+              rescue ::JWT::ImmatureSignature => e
+                raise JwtSignatureValidationException.new('JWT not yet valid (nbf claim)', e)
+              rescue ::JWT::DecodeError => e
+                raise JwtSignatureValidationException.new("JWT verification failed: #{e.message}", e)
+              rescue JwtSignatureValidationException, InvalidJwtException
+                raise
+              rescue StandardError => e
+                raise JwtSignatureValidationException.new("JWT verification failed: #{e.message}", e)
+              end
+            end
+
+            private
+
+            # Validates and parses a JWK (JSON Web Key)
+            #
+            # @param public_key [String, Hash] The public key to validate (JWK Hash or JSON string)
+            #
+            # @return [Hash] The parsed and validated JWK
+            # @raise [InvalidJwkException] If the JWK is invalid or not an RSA key
+            def validate_and_parse_jwk(public_key)
+              return public_key if public_key.is_a?(Hash) && public_key.key?('kty')
+
+              jwk_hash = if public_key.is_a?(String)
+                           begin
+                             JSON.parse(public_key)
+                           rescue JSON::ParserError => e
+                             raise InvalidJwkException.new('Invalid public key JSON format', e)
+                           end
+                         else
+                           raise InvalidJwkException.new('Invalid public key format. Expected JWK object or JSON string.')
+                         end
+
+              raise InvalidJwkException.new('Public key must be an RSA key (kty: RSA)') if jwk_hash['kty'] != 'RSA'
+              raise InvalidJwkException.new('Invalid RSA JWK: missing required parameters (n, e)') unless jwk_hash['n'] && jwk_hash['e']
+
+              jwk_hash
+            end
+
+            # Converts a JWK to an RSA key object
+            #
+            # @param jwk [Hash] The JWK to convert
+            #
+            # @return [OpenSSL::PKey::RSA] The RSA key object
+            # @raise [InvalidJwkException] If conversion fails
+            def jwk_to_rsa_key(jwk)
+              # Use jwt gem's JWK support for OpenSSL 3.0+ compatibility
+              # This handles both OpenSSL 1.x and 3.0+ internally
+              ::JWT::JWK.import(jwk).keypair
+            rescue StandardError => e
+              raise InvalidJwkException.new("Failed to convert JWK to RSA key: #{e.message}", e)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/AuthenticationSDK/util/MLEUtility.rb

@@ -1,6 +1,10 @@
 require_relative '../logging/log_factory.rb'
 require 'jose'
+require 'json'
 require_relative './Cache'
+require_relative './Constants'
+require_relative './ExceptionHandler'
+require_relative './AuthJWEUtility'
 
 public
   class MLEUtility
@@ -16,10 +20,10 @@ public
         is_mle_for_api = !merchant_config.disableRequestMLEForMandatoryApisGlobally
       end
 
-      if merchant_config.mapToControlMLEonAPI && operation_ids
+      if !merchant_config.internalMapToControlRequestMLEonAPI.nil? && !merchant_config.internalMapToControlRequestMLEonAPI.empty? && operation_ids
         operation_ids.each do |operation_id|
-          if merchant_config.mapToControlMLEonAPI.key?(operation_id)
-            is_mle_for_api = merchant_config.mapToControlMLEonAPI[operation_id]
+          if merchant_config.internalMapToControlRequestMLEonAPI.key?(operation_id)
+            is_mle_for_api = merchant_config.internalMapToControlRequestMLEonAPI[operation_id]
             break
           end
         end
@@ -45,11 +49,7 @@ public
       end
 
       begin
-        serial_number = extract_serial_number_from_certificate(mleCertificate)
-        if serial_number.nil?
-          @log_obj.logger.error('Serial number not found in certificate for MLE')
-          raise StandardError.new('Serial number not found in MLE certificate')
-        end
+        serial_number = self.extract_serial_number_from_certificate(mleCertificate)
 
         jwk = JOSE::JWK.from_key(mleCertificate.public_key)
         if jwk.nil?
@@ -66,7 +66,7 @@ public
         jwe = JOSE::JWE.block_encrypt(jwk, requestBody, headers)
 
         compact_jwe = jwe.compact
-        mle_request_body = create_request_payload(compact_jwe)
+        mle_request_body = self.create_request_payload(compact_jwe)
         @log_obj.logger.debug('LOG_REQUEST_AFTER_MLE: ' + mle_request_body)
         return mle_request_body
       rescue StandardError => e
@@ -76,14 +76,170 @@ public
     end
 
     def self.extract_serial_number_from_certificate(certificate)
-      return nil if certificate.subject.to_s.empty? && certificate.issuer.to_s.empty?
+      raise StandardError.new('Certificate cannot be nil') if certificate.nil?
+      raise StandardError.new('Certificate subject and issuer cannot both be empty') if certificate.subject.to_s.empty? && certificate.issuer.to_s.empty?
       certificate.subject.to_a.each do |attribute|
         return attribute[1] if attribute[0].include?('serialNumber')
       end
-      certificate.serial.nil? ? nil : certificate.serial.to_s
+      raise StandardError.new('Serial number not found in certificate subject')
     end
 
     def self.create_request_payload(compact_jwe)
       "{ \"encryptedRequest\": \"#{compact_jwe}\" }"
     end
+
+    def self.check_is_response_mle_for_api(merchant_config, operation_ids)
+      isResponseMLEForApi = false
+
+      if merchant_config.enableResponseMleGlobally
+        isResponseMLEForApi = true
+      end
+
+      # operation_ids is an array of the multiple public function for apiCallFunction such as apiCall, apiCallAsync
+      # Control the Response MLE only from map
+      # Special Note: If API expect MLE Response mandatory and map is saying to receive non MLE response then API might throw an error from CyberSource
+      if merchant_config.internalMapToControlResponseMLEonAPI
+        operation_ids.each do |operation_id|
+          if merchant_config.internalMapToControlResponseMLEonAPI.key?(operation_id)
+            isResponseMLEForApi = merchant_config.internalMapToControlResponseMLEonAPI[operation_id]
+            break
+          end
+        end
+      end
+
+      isResponseMLEForApi
+    end
+
+    def self.check_is_mle_encrypted_response(responseBody)
+      return false if responseBody.nil? || responseBody.strip.empty?
+
+      begin
+        jsonObject = JSON.parse(responseBody)
+        return false unless jsonObject.is_a?(Hash) && jsonObject.size == 1
+
+        jsonObject.key?('encryptedResponse') && jsonObject['encryptedResponse'].is_a?(String)
+      rescue JSON::ParserError, TypeError
+        false
+      end
+    end
+
+    def self.decrypt_mle_response_payload(merchantConfig, responseBody)
+      @log_obj ||= Log.new(merchantConfig.log_config, 'MLEUtility')
+
+      if !self.check_is_mle_encrypted_response(responseBody)
+        raise StandardError.new('Response body is not MLE encrypted.')
+      end
+
+      mlePrivateKey = self.get_mle_response_private_key(merchantConfig)
+      jweResponseToken = self.get_response_mle_token(responseBody)
+
+      # When mle token is empty or null then fall back to non mle encrypted response
+      if jweResponseToken.nil? || jweResponseToken.strip.empty?
+        return responseBody
+      end
+
+      begin
+        @log_obj.logger.info("LOG_NETWORK_RESPONSE_BEFORE_MLE_DECRYPTION: #{responseBody}")
+
+        decryptedResponse = AuthJWEUtility.decrypt_jwe_using_private_key(mlePrivateKey, jweResponseToken)
+
+        @log_obj.logger.info("LOG_NETWORK_RESPONSE_AFTER_MLE_DECRYPTION: #{decryptedResponse}")
+
+        return decryptedResponse
+      rescue => e
+        raise StandardError.new(Constants::ERROR_PREFIX + "An error occurred during MLE decryption: #{e.message}")
+      end
+    end
+
+    def self.get_response_mle_token(responseBody)
+      @log_obj ||= Log.new(merchantConfig.log_config, 'MLEUtility')
+
+      begin
+        jsonObject = JSON.parse(responseBody)
+        token = jsonObject['encryptedResponse']
+        token.is_a?(String) ? token : nil
+      rescue JSON::ParserError, TypeError => e
+        err = StandardError.new(Constants::ERROR_PREFIX + "Failed to extract Response MLE token: #{e.message}")
+        @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+        raise err
+      end
+    end
+
+    private_class_method :get_response_mle_token
+
+    def self.get_mle_response_private_key(merchantConfig)
+      @log_obj ||= Log.new(merchantConfig.log_config, 'MLEUtility')
+
+      # First priority - Return private key provided in merchant config, if any
+      if !merchantConfig.responseMlePrivateKey.nil? && !merchantConfig.responseMlePrivateKey.to_s.strip.empty?
+        return merchantConfig.responseMlePrivateKey
+      end
+
+      # Second priority - Return private key loaded from merchantConfig.responseMlePrivateKeyFilePath
+      responseMlePrivateKey = Cache.new.getMLEResponsePrivateKeyFromFilePath(merchantConfig)
+      return responseMlePrivateKey
+    end
+
+    private_class_method :get_mle_response_private_key
+
+    def self.validate_and_auto_extract_response_mle_kid(merchant_config)
+      @log_obj ||= Log.new(merchant_config.log_config, 'MLEUtility')
+
+      if !merchant_config.responseMlePrivateKey.nil? && !merchant_config.responseMlePrivateKey.to_s.strip.empty?
+        @log_obj.logger.debug('responseMlePrivateKey is provided directly, using configured responseMleKID')
+        return merchant_config.responseMleKID
+      end
+
+      @log_obj.logger.debug('Validating responseMleKID for JWT token generation')
+      cybs_kid = nil
+      p12_file = false
+
+      # File path validity
+      begin
+        CertificateUtility.validatePathAndFile(merchant_config.responseMlePrivateKeyFilePath, 'responseMlePrivateKeyFilePath', merchant_config.log_config)
+        extension = File.extname(merchant_config.responseMlePrivateKeyFilePath).delete_prefix('.').downcase
+        if extension == 'p12' || extension == 'pfx'
+          p12_file = true
+        end
+      rescue IOError => e
+        @log_obj.logger.debug('No valid private key file path provided, skipping auto-extraction')
+      end
+
+      if p12_file
+        @log_obj.logger.debug('P12/PFX file detected, checking if it is a CyberSource certificate')
+        cached_data = Cache.new.get_mle_kid_data_from_cache(merchant_config)
+        if !cached_data.nil?
+          if !cached_data.kid.nil?
+            # KID present means it's a CyberSource P12, use it
+            cybs_kid = cached_data.kid
+          else
+            # KID is null means either non-CyberSource P12 or extraction failed
+            @log_obj.logger.debug('Private key file is not a CyberSource generated P12/PFX file, skipping auto-extraction')
+          end
+        end
+      else
+        @log_obj.logger.debug('Private key file is not a P12/PFX file, skipping auto-extraction')
+      end
+
+      if !cybs_kid.nil?
+        @log_obj.logger.debug('Successfully auto-extracted responseMleKID from CyberSource P12 certificate')
+      end
+
+      configured_kid = merchant_config.responseMleKID
+      if cybs_kid.nil? && configured_kid.nil?
+        raise StandardError.new('responseMleKID is required when response MLE is enabled. ' +
+                        'Could not auto-extract from certificate and no manual configuration provided. ' +
+                        'Please provide responseMleKID explicitly in your configuration.'
+        )
+      elsif cybs_kid.nil?
+        @log_obj.logger.debug('Using manually configured responseMleKID')
+        return configured_kid
+      elsif configured_kid.nil?
+        @log_obj.logger.debug('Using auto-extracted responseMleKID from CyberSource certificate')
+        return cybs_kid
+      elsif cybs_kid != configured_kid
+        @log_obj.logger.warn('Auto-extracted responseMleKID does not match manually configured responseMleKID. Using configured value as preference')
+      end
+      return configured_kid
+    end
   end

data/lib/AuthenticationSDK/util/Utility.rb

@@ -1,5 +1,6 @@
 require 'openssl'
 require 'base64'
+require_relative '../util/Constants.rb'
 
 public
 
@@ -32,5 +33,40 @@ public
       end
       return tempResponseCodeMessage
     end
-  end
 
+    def self.getCertificateBasedOnKeyAlias(certificateList, keyAlias)
+      return nil if certificateList.nil?
+
+      certificateList.find do |cert|
+        cert.subject.to_a.any? { |_, value, _| value.include?(keyAlias) }
+      end
+    end
+
+    def self.getCertificateCollectionAndPrivateKeyFromP12(certificateFilePath, keyPass)
+      p12File = File.binread(certificateFilePath)
+      p12Object = OpenSSL::PKCS12.new(p12File, keyPass)
+
+      privateKey = OpenSSL::PKey::RSA.new(p12Object.key)
+
+      primaryX5Certificate = p12Object.certificate
+      additionalX5Certificates = p12Object.ca_certs
+
+      certificateList = [primaryX5Certificate]
+      certificateList.concat(additionalX5Certificates) if additionalX5Certificates
+
+      return [privateKey, certificateList]
+    end
+
+    def self.isP12GeneratedByCyberSource(filePath, password, logger = nil)
+      begin
+        _, certificateList = getCertificateCollectionAndPrivateKeyFromP12(filePath, password)
+
+        foundCertificate = getCertificateBasedOnKeyAlias(certificateList, Constants::DEFAULT_ALIAS_FOR_MLE_CERT)
+
+        return !foundCertificate.nil?
+      rescue => e
+        logger&.error("Error while checking if P12 is generated by CyberSource: #{e.message}")
+        return false
+      end
+    end
+  end