cybersource_rest_client 0.0.80 → 0.0.81

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 74de73ed4d3ea5cdc01fd04adad6790dd6f78c8e1c8735ac77ef876fda92b6b1
-  data.tar.gz: '09b961a66b260468680e254cd21dac203d5218663d008d556d338a5e6d02a044'
+  metadata.gz: 2ea8b1d8350133ff8b367e96c70a70abe706b01c701f1ed9cab11518836ee9d8
+  data.tar.gz: 947eb679f3c7a6de9e2946b8c621ee7ee945039f43e8eac60b5999298c24ba55
 SHA512:
-  metadata.gz: 28a45c4a395b75f6d76d5f498acbe50a3a7a7bbe80714286ac11514dfb7ae184126ba7deac4a8fc39d2e4a6d033401f318789f75f9dd69d98cbf8350d7346064
-  data.tar.gz: 16e5b2d1a241c7fb43dae529c5250a367d7ea591418ed812073d3a552bbe345d956521f39ff54e6e0aa9cdc67508ce7c03e29ffd15458f0eb6780d529f8ff575
+  metadata.gz: 374d020327bff052168ee27f74ca1dcdfe6c20e306958d5adf647b234cbec5eb90db64b1c315a2a71309f2bc3e97223c47d54874d9d3a29b4cdc2923c9841021
+  data.tar.gz: 280efbdd1ce57c95e8f0f5f047284408f3ee9897cdf7f39c282cefac8a4e3ab0f8aff36b846f50a2c11f4a1f389424e18cb658ccad0da8883d2a87e97ffbf1c5

data/lib/AuthenticationSDK/authentication/jwt/JwtToken.rb

@@ -8,6 +8,7 @@ require_relative '../../core/ITokenGeneration.rb'
 require_relative '../../util/Constants.rb'
 require_relative '../../util/ExceptionHandler.rb'
 require_relative '../../util/Cache.rb'
+require_relative '../../util/MLEUtility.rb'
 require_relative '../../authentication/payloadDigest/digest.rb'
 require_relative '../../logging/log_factory.rb'
 
@@ -16,19 +17,19 @@ public
     @log_obj
 
     #JWT Token-generated based  on the Request type
-    def getToken(merchantconfig_obj,gmtDatetime)
+    def getToken(merchantconfig_obj, gmtDatetime, isResponseMLEForApi)
       @log_obj = Log.new merchantconfig_obj.log_config, "JwtToken"
 
       jwtBody = ''
       request_type = merchantconfig_obj.requestType.upcase
       
-      jwtBody=getJwtBody(request_type, gmtDatetime, merchantconfig_obj)
+      jwtBody = getJwtBody(request_type, gmtDatetime, merchantconfig_obj, isResponseMLEForApi)
       claimSet = JSON.parse(jwtBody)
 
       cache_value = Cache.new.fetchCachedP12Certificate(merchantconfig_obj)
       privateKey = cache_value.private_key
       jwt_cert_obj = cache_value.cert
-      jwt_cert_in_der= Base64.strict_encode64(jwt_cert_obj.to_der)
+      jwt_cert_in_der = Base64.strict_encode64(jwt_cert_obj.to_der)
 
 
       # JWT token-Generates using RS256 algorithm only
@@ -51,18 +52,27 @@ public
       raise err
     end
 
-    def getJwtBody(request_type, gmtDatetime, merchantconfig_obj)
+    def getJwtBody(request_type, gmtDatetime, merchantconfig_obj, isResponseMLEForApi=false)
+      jwtBody = "{\n "
+      
       if request_type == Constants::POST_REQUEST_TYPE || request_type == Constants::PUT_REQUEST_TYPE || request_type == Constants::PATCH_REQUEST_TYPE
         payload = merchantconfig_obj.requestJsonData
 
         # Note: Digest is not passed for GET calls
         digest = DigestGeneration.new.generateDigest(payload)
-        jwtBody = "{\n \"digest\":\"" + digest + "\", \"digestAlgorithm\":\"SHA-256\", \"iat\":" + Time.parse(gmtDatetime).to_i.to_s + "}"
+        jwtBody = jwtBody + "\"digest\":\"" + digest + "\", \"digestAlgorithm\":\"SHA-256\", \"iat\":" + Time.parse(gmtDatetime).to_i.to_s
       elsif request_type == Constants::GET_REQUEST_TYPE || request_type == Constants::DELETE_REQUEST_TYPE
-        jwtBody = "{\n \"iat\":" + Time.parse(gmtDatetime).to_i.to_s + "\n} \n\n"
+        jwtBody = jwtBody + "\"iat\":" + Time.parse(gmtDatetime).to_i.to_s
       else
         raise StandardError.new(Constants::ERROR_PREFIX + Constants::INVALID_REQUEST_TYPE_METHOD)
       end
+
+      if isResponseMLEForApi
+        mleKid = MLEUtility.validate_and_auto_extract_response_mle_kid(merchantconfig_obj)
+        jwtBody = jwtBody + ", \"v-c-response-mle-kid\":\"" + mleKid + "\""
+      end
+
+      jwtBody = jwtBody + "\n}"
     end
     implements TokenInterface
-  end
+  end

data/lib/AuthenticationSDK/core/Authorization.rb

@@ -8,7 +8,7 @@ public
 # This function calls for the generation of Signature message depending on the authentication type.
     class Authorization
         @log_obj
-        def getToken(merchantconfig_obj, gmtdatetime)
+        def getToken(merchantconfig_obj, gmtdatetime, isResponseMLEForApi)
             @log_obj = Log.new merchantconfig_obj.log_config, "Authorization"
 
             authenticationType = merchantconfig_obj.authenticationType.upcase
@@ -21,7 +21,7 @@ public
             if authenticationType == Constants::AUTH_TYPE_HTTP
                 token = GenerateHttpSignature.new.getToken(merchantconfig_obj, gmtdatetime)
             elsif authenticationType == Constants::AUTH_TYPE_JWT
-                token = GenerateJwtToken.new.getToken(merchantconfig_obj, gmtdatetime)
+                token = GenerateJwtToken.new.getToken(merchantconfig_obj, gmtdatetime, isResponseMLEForApi)
             elsif authenticationType == Constants::AUTH_TYPE_OAUTH
                 token = GenerateOAuthToken.new.getToken(merchantconfig_obj, gmtdatetime)
             else

data/lib/AuthenticationSDK/core/MerchantConfig.rb

@@ -7,7 +7,7 @@ require_relative '../util/CertificateUtility.rb'
 public
 # This fuction has all the merchantConfig properties getters and setters methods
   class Merchantconfig
-    def initialize(cybsPropertyObj)
+    def initialize(cybsPropertyObj, responseMlePrivateKeyValue = nil, responseMlePrivateKeyPasswordValue = nil)
       # Common Parameters
       @merchantId = cybsPropertyObj['merchantID']
       @runEnvironment = cybsPropertyObj['runEnvironment']
@@ -50,18 +50,97 @@ public
       @keepAliveTime = cybsPropertyObj['keepAliveTime'] || 118 # Default to 118 seconds as same as default of libcurl
       # Path to client JWE pem file directory
       @pemFileDirectory = cybsPropertyObj['pemFileDirectory']
-      @mleKeyAlias = cybsPropertyObj['mleKeyAlias']
+
+      # Optional parameter. User can pass a custom requestMleKeyAlias to fetch from the certificate.
+      # Older flag "mleKeyAlias" is deprecated and will be used as alias/another name for requestMleKeyAlias.
+      if cybsPropertyObj.has_key?('mleKeyAlias')
+        @requestMleKeyAlias = cybsPropertyObj['mleKeyAlias']
+      elsif cybsPropertyObj.has_key?('requestMleKeyAlias')
+        @requestMleKeyAlias = cybsPropertyObj['requestMleKeyAlias']
+      end
+
+      # Deprecated flag to enable MLE for request. This flag is now known as "enableRequestMLEForOptionalApisGlobally"
       @useMLEGlobally = cybsPropertyObj['useMLEGlobally']
+
+      # Flag to enable MLE (Message Level Encryption) for request body to all APIs in SDK which have optional support for MLE.
+      # This means the API can send both non-encrypted and encrypted requests.
+      # Older flag "useMLEGlobally" is deprecated and will be used as alias/another name for enableRequestMLEForOptionalApisGlobally.
       @enableRequestMLEForOptionalApisGlobally = !!(cybsPropertyObj['enableRequestMLEForOptionalApisGlobally'] || cybsPropertyObj['useMLEGlobally'])
+      # Flag to disable MLE (Message Level Encryption) for request body to APIs in SDK which have mandatory MLE requirement when sending calls.
       @disableRequestMLEForMandatoryApisGlobally = cybsPropertyObj['disableRequestMLEForMandatoryApisGlobally']
 
-      
+      # Parameter to pass the request MLE public certificate path.
       if !cybsPropertyObj['mleForRequestPublicCertPath'].nil? && !cybsPropertyObj['mleForRequestPublicCertPath'].to_s.strip.empty?
           @mleForRequestPublicCertPath = cybsPropertyObj['mleForRequestPublicCertPath'].to_s.strip
       end
 
+      # Map to control MLE (Message Level Encryption) settings for individual API functions. This overrides global MLE configuration for specific APIs.
+      # The key is the function name of the API in the SDK, and the value is a String in the format "requestMLE::responseMLE" separated by "::",
+      # where the first boolean value controls MLE for the request and the second boolean value controls MLE for the response.
+      # Use "true" to enable or "false" to disable MLE for that specific component.
+
+      # Valid Examples:
+      # mapToControlMLEonAPI.put("apiFunctionName1", "true::true") - enables MLE for both request and response for apiFunctionName1
+      # mapToControlMLEonAPI.put("apiFunctionName2", "false::false") - disables MLE for both request and response for apiFunctionName2
+      # mapToControlMLEonAPI.put("apiFunctionName3", "true::false") - enables request MLE only, disables response MLE for apiFunctionName3
+      # mapToControlMLEonAPI.put("apiFunctionName4", "false::true") - disables request MLE, enables response MLE only for apiFunctionName4
+      # mapToControlMLEonAPI.put("apiFunctionName5", "false") - disables request MLE only. Since the "::" separator is not included, mleForResponse will use the default value set by the global flag
+      # mapToControlMLEonAPI.put("apiFunctionName6", "true") - enables request MLE only. Since the "::" separator is not included, mleForResponse will use the default value set by the global flag
+      # mapToControlMLEonAPI.put("apiFunctionName7", "::true") - enables response MLE only. Because the value before "::" is missing, the SDK will use the default request MLE value from the global flag
+      # mapToControlMLEonAPI.put("apiFunctionName8", "true::") - enables request MLE only. Since the value after the "::" separator is missing, mleForResponse will use the default value
+
+      # Invalid Examples (will be ignored or cause errors):
+      # mapToControlMLEonAPI.put("apiFunctionName9", "::") - both values empty, will use global defaults
+      # mapToControlMLEonAPI.put("apiFunctionName10", "invalid::true") - invalid first value, may cause parsing error
+      # mapToControlMLEonAPI.put("apiFunctionName11", "true::invalid") - invalid second value, may cause parsing error
+      # mapToControlMLEonAPI.put("apiFunctionName12", "true::true::false") - multiple separators not allowed
+      # mapToControlMLEonAPI.put("apiFunctionName13", "") - empty string not allowed
       @mapToControlMLEonAPI = cybsPropertyObj['mapToControlMLEonAPI']
-      validateMerchantDetails
+
+      # Initialize internal maps before validation
+      # Both fields used for internal purpose only not exposed for merchants to set
+      @internalMapToControlRequestMLEonAPI = {}
+      @internalMapToControlResponseMLEonAPI = {}
+
+      # Set up MLE configuration first since validation depends on it
+      if @mapToControlMLEonAPI
+        begin
+          @mapToControlMLEonAPI = convertBooleanToStringMapType(@mapToControlMLEonAPI)
+          setMapToControlMLEOnAPI(@mapToControlMLEonAPI)
+        rescue => err
+          error = StandardError.new(Constants::WARNING_PREFIX + "Unable to initialise MLE control Map from config: #{err.message}")
+          raise error
+        end
+      end
+
+      if responseMlePrivateKeyPasswordValue.nil?
+        responseMlePrivateKeyPasswordValue = cybsPropertyObj['responseMlePrivateKeyPassword']
+      end
+
+      responseMlePrivateKeyPassword = responseMlePrivateKeyPasswordValue
+
+      if !responseMlePrivateKeyValue.nil? && !cybsPropertyObj['responseMlePrivateKey'].nil?
+        raise StandardError.new(Constants::ERROR_PREFIX + "The value for `responseMlePrivateKey` is provided in both the configuration object and the constructor for MerchantConfig. Please provide only one of them for response mle private key.")
+      end
+
+      if responseMlePrivateKeyValue.nil?
+        responseMlePrivateKeyValue = cybsPropertyObj['responseMlePrivateKey']
+      end
+
+      responseMlePrivateKeyValue = CertificateUtility.convert_key_to_JWK(responseMlePrivateKeyValue, responseMlePrivateKeyPassword)
+
+      @responseMlePrivateKey = responseMlePrivateKeyValue
+
+      @enableResponseMleGlobally = false
+      if !cybsPropertyObj['enableResponseMleGlobally'].nil?
+        @enableResponseMleGlobally = cybsPropertyObj['enableResponseMleGlobally']
+      end
+
+      @responseMleKID = cybsPropertyObj['responseMleKID']
+      @responseMlePrivateKeyFilePath = cybsPropertyObj['responseMlePrivateKeyFilePath']
+      @responseMlePrivateKeyFilePassword = cybsPropertyObj['responseMlePrivateKeyFilePassword']
+
+      validateMerchantDetails()
       validateMLEConfiguration(cybsPropertyObj)
       @p12KeyFilePath = File.join(@keysDirectory, @keyFilename + ".p12")
       logAllProperties(cybsPropertyObj)
@@ -252,7 +331,6 @@ public
     end
 
     def validateMLEConfiguration(cybsPropertyObj)
-
       if !@useMLEGlobally.nil? && !cybsPropertyObj['enableRequestMLEForOptionalApisGlobally'].nil?
         if @useMLEGlobally != cybsPropertyObj['enableRequestMLEForOptionalApisGlobally']
           raise StandardError.new(Constants::ERROR_PREFIX + "useMLEGlobally and enableRequestMLEForOptionalApisGlobally must have the same value if both are set")
@@ -275,21 +353,19 @@ public
         raise err
       end
 
-      unless @mapToControlMLEonAPI.nil?
-        unless @mapToControlMLEonAPI.is_a?(Hash) && @mapToControlMLEonAPI.keys.all? {|k| k.is_a?(String)} && @mapToControlMLEonAPI.values.all? { |v| [true, false].include?(v) }
-          err = StandardError.new(Constants::ERROR_PREFIX + "mapToControlMLEonAPI must be a map with boolean values")
-          @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
-          raise err
-        end
-      end
+        # unless @mapToControlMLEonAPI.is_a?(Hash) && @mapToControlMLEonAPI.keys.all? {|k| k.is_a?(String)} && @mapToControlMLEonAPI.values.all? { |v| [true, false].include?(v) }
+        #   err = StandardError.new(Constants::ERROR_PREFIX + "mapToControlMLEonAPI must be a map with boolean values")
+        #   @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+        #   raise err
+        # end
 
-      !@mleKeyAlias.nil? && unless @mleKeyAlias.instance_of? String
-                              (err = StandardError.new(Constants::ERROR_PREFIX + "mleKeyAlias must be a string"))
-                              @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
-                              raise err
-                            end
-      if @mleKeyAlias.to_s.empty?
-        @mleKeyAlias = Constants::DEFAULT_ALIAS_FOR_MLE_CERT
+      !@requestMleKeyAlias.nil? && unless @requestMleKeyAlias.instance_of? String
+        err = StandardError.new(Constants::ERROR_PREFIX + "requestMleKeyAlias must be a string")
+        @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+        raise err
+      end
+      if @requestMleKeyAlias.to_s.empty?
+        @requestMleKeyAlias = Constants::DEFAULT_ALIAS_FOR_MLE_CERT
       end
 
       if @mleForRequestPublicCertPath && !@mleForRequestPublicCertPath.to_s.strip.empty?
@@ -302,9 +378,9 @@ public
       end
 
       request_mle_configured = @enableRequestMLEForOptionalApisGlobally
-      if !@mapToControlMLEonAPI.nil? && !@mapToControlMLEonAPI.empty?
-        @mapToControlMLEonAPI.each do |_, value|
-          unless [true, false].include?(value) && value
+      if !@internalMapToControlRequestMLEonAPI.nil? && !@internalMapToControlRequestMLEonAPI.empty?
+        @internalMapToControlRequestMLEonAPI.each do |_, value|
+          if value
             request_mle_configured = true
             break
           end
@@ -316,10 +392,179 @@ public
         @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
         raise err
       end
+
+      is_response_mle_configured = @enableResponseMleGlobally
+
+      if !@internalMapToControlResponseMLEonAPI.nil? && !@internalMapToControlResponseMLEonAPI.empty?
+        @internalMapToControlResponseMLEonAPI.values.each do |value|
+          if value == true
+            is_response_mle_configured = true
+            break
+          end
+        end
+      end
+
+      if is_response_mle_configured
+        # Validate for Auth type- Currently responseMLE feature will be enabled for JWT auth type only
+        if !Constants::AUTH_TYPE_JWT.eql?(@authenticationType.upcase)
+          err = StandardError.new(Constants::ERROR_PREFIX + "Response MLE can only be used with JWT authentication type")
+          @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+          raise err
+        end
+
+        # Check if either private key object or private key file path is provided
+        if @responseMlePrivateKey.nil? || @responseMlePrivateKey.to_s.strip.empty?
+          if @responseMlePrivateKeyFilePath.nil? || @responseMlePrivateKeyFilePath.to_s.strip.empty?
+            err = StandardError.new(Constants::ERROR_PREFIX + "Response MLE is enabled but no private key provided. Either set responseMlePrivateKey object or provide responseMlePrivateKeyFilePath.")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+          end
+        end
+
+        # Check that both private key object or private key file path should not be provided
+        if !@responseMlePrivateKey.nil? && !@responseMlePrivateKey.to_s.strip.empty? && !@responseMlePrivateKeyFilePath.nil? && !@responseMlePrivateKeyFilePath.to_s.strip.empty?
+            err = StandardError.new(Constants::ERROR_PREFIX + "Both responseMlePrivateKey object and responseMlePrivateKeyFilePath are provided. Please provide only one of them for response mle private key.")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+        end
+
+        isP12 = false
+        # If private key file path is provided, validate the file exists
+        if !@responseMlePrivateKeyFilePath.nil? && !@responseMlePrivateKeyFilePath.to_s.strip.empty?
+          begin
+            CertificateUtility.validatePathAndFile(@responseMlePrivateKeyFilePath, "responseMlePrivateKeyFilePath", @log_config)
+            ext = File.extname(@responseMlePrivateKeyFilePath).downcase
+            if ext == '.p12' || ext == '.pfx'
+              isP12 = true
+            end
+          rescue => err
+            error = StandardError.new(Constants::ERROR_PREFIX + "Invalid responseMlePrivateKeyFilePath : #{err.message}")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception error)
+            raise error
+          end
+        end
+
+        # Validate responseMleKID is provided when response MLE is enabled
+        if !isP12 && (@responseMleKID.nil? || @responseMleKID.to_s.strip.empty?)
+          err = StandardError.new(Constants::ERROR_PREFIX + "responseMleKID is required when response MLE is enabled for non-P12/PFX files.")
+          @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+          raise err
+        end
+      end
+    end
+
+    def setMapToControlMLEOnAPI(inputMap)
+      # validate the map value format
+      validateMapToControlMLEonAPIValues(inputMap) if inputMap
+
+      # @mapToControlMLEonAPI = inputMap
+
+      if inputMap
+        internalRequest = {}
+        internalResponse = {}
+
+        inputMap.each do |apiName, rawValue|
+          value = rawValue.to_s
+
+          if value.include?("::")
+            # Format: "requestMLE::responseMLE"
+            requestMLE, responseMLE = value.split("::", 2)
+
+            # Set request MLE value when present
+            unless requestMLE.nil? || requestMLE.empty?
+              internalRequest[apiName] = requestMLE.to_s.strip.casecmp?("true")
+            end
+
+            # Set response MLE value when present
+            unless responseMLE.nil? || responseMLE.empty?
+              internalResponse[apiName] = responseMLE.to_s.strip.casecmp?("true")
+            end
+          else
+            # Format: "true" or "false" - applies to request MLE only
+            internalRequest[apiName] = value.to_s.strip.casecmp?("true")
+          end
+        end
+
+        @internalMapToControlRequestMLEonAPI = internalRequest
+        @internalMapToControlResponseMLEonAPI = internalResponse
+      end
+    end
+
+    # Validates the map values for MLE control API configuration.
+    # Allowed formats: "true::true", "false::false", "::true", "true::", "::false", "false::", "true", "false"
+    def validateMapToControlMLEonAPIValues(inputMap)
+      inputMap.each do |key, value|
+        if value.nil? || value == ""
+          err = StandardError.new(Constants::ERROR_PREFIX + "Invalid MLE control map value for key '#{key}'. Value cannot be null or empty.")
+          @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+          raise err
+        end
+
+        str = value.to_s
+        if str.include?("::")
+          parts = str.split("::", -1)
+
+          unless parts.length == 2
+            err = StandardError.new(Constants::ERROR_PREFIX + "Invalid MLE control map value format for key '#{key}'. Expected format: true/false for 'requestMLE::responseMLE' but got: '#{str}'")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+          end
+
+          requestMLE, responseMLE = parts
+
+          if !requestMLE.empty? && !isValidBooleanString?(requestMLE)
+            err = StandardError.new(Constants::ERROR_PREFIX + "Invalid request MLE value for key '#{key}'. Expected 'true', 'false', or empty but got: '#{requestMLE}'")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+          end
+
+          if !responseMLE.empty? && !isValidBooleanString?(responseMLE)
+            err = StandardError.new(Constants::ERROR_PREFIX + "Invalid response MLE value for key '#{key}'. Expected 'true', 'false', or empty but got: '#{responseMLE}'")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+          end
+        else
+          unless isValidBooleanString?(str)
+            err = StandardError.new(Constants::ERROR_PREFIX + "Invalid MLE control map value for key '#{key}'. Expected 'true' or 'false' for requestMLE but got: '#{str}'")
+            @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+          end
+        end
+      end
+    end
+
+    def isValidBooleanString?(s)
+      s.casecmp?("true") || s.casecmp?("false")
+    end
+
+    def convertBooleanToStringMapType(inputMap)
+      if inputMap.nil? || inputMap.empty?
+        raise StandardError.new(Constants::ERROR_PREFIX + "Unsupported null value to mapToControlMLEonAPI in merchantConfig. Expected Map<String, String> which corresponds to <'apiFunctionName','flagForRequestMLE::flagForResponseMLE'> as dataType for field.")
+      end
+
+      unless inputMap.is_a?(Hash)
+        raise TypeError.new(Constants::ERROR_PREFIX + "Unsupported datatype for field mapToControlMLEonAPI. Expected Hash<String, String> which corresponds to <'apiFunctionName','flagForRequestMLE::flagForResponseMLE'> as dataType for field but got: #{inputMap.class}")
+      end
+
+      keys_all_strings   = inputMap.keys.all? { |k| k.is_a?(String) }
+      values_all_strings = inputMap.values.all? { |v| v.is_a?(String) }
+      values_all_bools   = inputMap.values.all? { |v| v.is_a?(TrueClass) || v.is_a?(FalseClass) }
+
+      if keys_all_strings && values_all_strings
+        # Already Hash<String, String>
+        inputMap
+      elsif keys_all_strings && values_all_bools
+        # Convert Hash<String, Boolean> -> Hash<String, String>
+        inputMap.transform_values { |v| v.to_s }
+      else
+        err = StandardError.new("Unsupported map type combination for mapToControlMLEonAPI in merchantConfig. Expected Hash<String, String> which corresponds to <'apiFunctionName','flagForRequestMLE::flagForResponseMLE'> as dataType for field.")
+        @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
+        raise err
+      end
     end
 
     def logAllProperties(merchantPropertyObj)
-      propertyObj = Marshal.load(Marshal.dump(merchantPropertyObj))      
+      propertyObj = Marshal.load(Marshal.dump(merchantPropertyObj))
       merchantConfig = ''
       hiddenProperties = (Constants::HIDDEN_MERCHANT_PROPERTIES).split(',')
       hiddenPropArray = Array.new
@@ -408,6 +653,15 @@ public
     attr_accessor :mleForRequestPublicCertPath
     attr_accessor :mapToControlMLEonAPI
     attr_accessor :mleKeyAlias
+    attr_accessor :requestMleKeyAlias
     attr_accessor :p12KeyFilePath
     attr_reader   :runEnvironment
+    attr_accessor :enableResponseMleGlobally
+    attr_accessor :responseMleKID
+    attr_accessor :responseMlePrivateKeyFilePath
+    attr_accessor :responseMlePrivateKeyFilePassword
+    attr_accessor :responseMlePrivateKey
+    attr_accessor :responseMlePrivateKeyPassword
+    attr_accessor :internalMapToControlRequestMLEonAPI
+    attr_accessor :internalMapToControlResponseMLEonAPI
   end

data/lib/AuthenticationSDK/util/Cache.rb

@@ -3,7 +3,9 @@ require 'base64'
 require 'active_support'
 require 'thread'
 require_relative 'CacheValue'
+require_relative 'CachedMLEKId'
 require_relative 'CertificateUtility'
+require_relative 'Utility'
 require_relative '../util/Constants.rb'
 require_relative '../logging/log_factory.rb'
 require_relative '../logging/log_configuration.rb'
@@ -41,9 +43,37 @@ public
       logger = @@logger.logger
       fileModifiedTime = File.mtime(certificateFilePath)
 
+      if cacheKey.end_with?(Constants::MLE_CACHE_KEY_IDENTIFIER_FOR_RESPONSE_PRIVATE_KEY)
+        password = merchantConfig.responseMlePrivateKeyFilePassword
+        mlePrivateKey = nil
+
+        begin
+          fileExtension = File.extname(certificateFilePath).delete_prefix('.').downcase
+
+          if fileExtension == 'p12' || fileExtension == 'pfx'
+            mlePrivateKey = CertificateUtility.read_private_key_from_p12(certificateFilePath, password)
+          elsif fileExtension == 'pem' || fileExtension == 'key' || fileExtension == 'p8'
+            mlePrivateKey = CertificateUtility.load_private_key_from_pem_file(certificateFilePath, password)
+          else
+            err = StandardError.new(Constants::ERROR_PREFIX + "Unsupported Response MLE Private Key file format: `" + fileExtension + "`. Supported formats are: .p12, .pfx, .pem, .key, .p8")
+            logger.error(ExceptionHandler.new.new_api_exception err)
+            raise err
+          end
+
+          cacheValue = CacheValue.new(mlePrivateKey, nil, fileModifiedTime)
+
+          @@cache_obj.write(cacheKey, cacheValue)
+        rescue StandardError => e
+          err = StandardError.new(Constants::ERROR_PREFIX + "Error loading MLE response private key from: " + certificateFilePath + ". Error: " + e.message)
+          logger.error(ExceptionHandler.new.new_api_exception err)
+          raise err
+        end
+        return
+      end
+
       if (cacheKey.end_with?("_JWT"))
-        privateKey, certificateList = CertificateUtility.getCertificateCollectionAndPrivateKeyFromP12(certificateFilePath, merchantConfig)
-        jwtCertificate = CertificateUtility.getCertificateBasedOnKeyAlias(certificateList, merchantConfig.keyAlias)
+        privateKey, certificateList = Utility.getCertificateCollectionAndPrivateKeyFromP12(certificateFilePath, merchantConfig.keyPass)
+        jwtCertificate = Utility.getCertificateBasedOnKeyAlias(certificateList, merchantConfig.keyAlias)
 
         cacheValue = CacheValue.new(privateKey, jwtCertificate, fileModifiedTime)
 
@@ -53,10 +83,10 @@ public
 
       if (cacheKey.end_with?(Constants::MLE_CACHE_IDENTIFIER_FOR_CONFIG_CERT))
         certificateList = CertificateUtility.getCertificatesFromPemFile(certificateFilePath)
-        mleCertificate = CertificateUtility.getCertificateBasedOnKeyAlias(certificateList, merchantConfig.mleKeyAlias)
+        mleCertificate = Utility.getCertificateBasedOnKeyAlias(certificateList, merchantConfig.requestMleKeyAlias)
         if (!mleCertificate)
           fileName = File.basename(certificateFilePath)
-          logger.warn("No certificate found for the specified mle_key_alias '#{merchantConfig.mleKeyAlias}'. Using the first certificate from file #{fileName} as the MLE request certificate.")
+          logger.warn("No certificate found for the specified mle_key_alias '#{merchantConfig.requestMleKeyAlias}'. Using the first certificate from file #{fileName} as the MLE request certificate.")
           mleCertificate = certificateList[0]
         end
 
@@ -67,12 +97,12 @@ public
       end
 
       if (cacheKey.end_with?(Constants::MLE_CACHE_IDENTIFIER_FOR_P12_CERT))
-        privateKey, certificateList = CertificateUtility.getCertificateCollectionAndPrivateKeyFromP12(certificateFilePath, merchantConfig)
-        mleCertificate = CertificateUtility.getCertificateBasedOnKeyAlias(certificateList, merchantConfig.mleKeyAlias)
+        privateKey, certificateList = Utility.getCertificateCollectionAndPrivateKeyFromP12(certificateFilePath, merchantConfig.keyPass)
+        mleCertificate = Utility.getCertificateBasedOnKeyAlias(certificateList, merchantConfig.requestMleKeyAlias)
         if (!mleCertificate)
           fileName = File.basename(certificateFilePath)
-          logger.error("No certificate found for the specified mle_key_alias '#{merchantConfig.mleKeyAlias}' in file #{fileName}.")
-          raise ArgumentError, "No certificate found for the specified mle_key_alias '#{merchantConfig.mleKeyAlias}' in file #{fileName}."
+          logger.error("No certificate found for the specified mle_key_alias '#{merchantConfig.requestMleKeyAlias}' in file #{fileName}.")
+          raise ArgumentError, "No certificate found for the specified mle_key_alias '#{merchantConfig.requestMleKeyAlias}' in file #{fileName}."
         end
 
         cacheValue = CacheValue.new(privateKey, mleCertificate, fileModifiedTime)
@@ -129,6 +159,112 @@ public
       cachedCertificateInfo ? cachedCertificateInfo.cert : nil
     end
 
+    def getMLEResponsePrivateKeyFromFilePath(merchantConfig)
+      merchantId = merchantConfig.merchantId
+      keyIdentifier = Constants::MLE_CACHE_KEY_IDENTIFIER_FOR_RESPONSE_PRIVATE_KEY
+      cacheIdentifier = "#{merchantId}_#{keyIdentifier}"
+      mleResponsePrivateKeyFilePath = merchantConfig.responseMlePrivateKeyFilePath
+      cachedCertificateInfo = nil
+
+      @@mutex.synchronize do
+        cachedCertificateInfo = @@cache_obj.read(cacheIdentifier)
+
+        if cachedCertificateInfo.nil? || cachedCertificateInfo.file_modified_time != File.mtime(mleResponsePrivateKeyFilePath)
+          setupCache(cacheIdentifier, mleResponsePrivateKeyFilePath, merchantConfig)
+          cachedCertificateInfo = @@cache_obj.read(cacheIdentifier)
+        end
+      end
+
+      cachedCertificateInfo ? cachedCertificateInfo.private_key : nil
+    end
+
+    def get_mle_kid_data_from_cache(merchant_config)
+      cache_key = merchant_config.responseMlePrivateKeyFilePath + Constants::RESPONSE_MLE_P12_PFX_CACHE_IDENTIFIER
+      file_path = merchant_config.responseMlePrivateKeyFilePath
+
+      @@mutex.synchronize do
+        if !@@cache_obj.exist?(cache_key)
+          setup_mle_kid_cache(merchant_config)
+        else
+          cached_mle_kid = @@cache_obj.read(cache_key)
+          file_modified_time = File.mtime(file_path).to_i
+
+          if cached_mle_kid.nil? || cached_mle_kid.last_modified_timestamp != file_modified_time
+            if !Cache.class_variable_defined?(:@@logger) || @@logger.nil?
+              @@logger = Log.new merchant_config.log_config, "Cache"
+            end
+            logger = @@logger.logger
+            logger.info("MLE KID cache outdated or file modified. Refreshing cache for: #{file_path}")
+            setup_mle_kid_cache(merchant_config)
+          end
+        end
+
+        return @@cache_obj.read(cache_key)
+      end
+    end
+
+    private
+
+    def setup_mle_kid_cache(merchant_config)
+      file_path = nil
+      cache_key = nil
+
+      begin
+        if !Cache.class_variable_defined?(:@@logger) || @@logger.nil?
+          @@logger = Log.new merchant_config.log_config, "Cache"
+        end
+        logger = @@logger.logger
+
+        file_path = merchant_config.responseMlePrivateKeyFilePath
+        cache_key = merchant_config.responseMlePrivateKeyFilePath + Constants::RESPONSE_MLE_P12_PFX_CACHE_IDENTIFIER
+
+        # Get certificate from P12 file
+        _, certificate_list = Utility.getCertificateCollectionAndPrivateKeyFromP12(
+          file_path,
+          merchant_config.responseMlePrivateKeyFilePassword
+        )
+
+        merchant_cert = Utility.getCertificateBasedOnKeyAlias(certificate_list, merchant_config.merchantId)
+
+        if merchant_cert.nil?
+          raise StandardError.new("No certificate found for Response MLE Private Key file with merchant ID alias #{merchant_config.merchantId}")
+        end
+
+        # Check if this is a CyberSource-generated P12 file
+        is_cybersource_p12 = Utility.isP12GeneratedByCyberSource(
+          file_path,
+          merchant_config.responseMlePrivateKeyFilePassword,
+          logger
+        )
+
+        cached_mle_kid = CachedMLEKId.new
+        cached_mle_kid.last_modified_timestamp = File.mtime(file_path).to_i
+
+        if is_cybersource_p12
+          begin
+            mle_kid = MLEUtility.extract_serial_number_from_certificate(merchant_cert)
+            cached_mle_kid.kid = mle_kid
+          rescue ArgumentError => e
+            raise StandardError.new("Failed to extract serial number from certificate for Response MLE: #{e.message}")
+          end
+        end
+
+        @@cache_obj.write(cache_key, cached_mle_kid)
+
+      rescue StandardError => e
+        logger.error("Failed to load MLE KID from Response MLE Private Key file: #{file_path}. Error: #{e.message}")
+
+        if !cache_key.nil?
+          failure_marker = CachedMLEKId.new
+          failure_marker.kid = nil
+          failure_marker.last_modified_timestamp = 0
+          @@cache_obj.write(cache_key, failure_marker)
+        end
+      end
+    end
+
+    public
+
     # <b>DEPRECATED:</b> This method has been marked as Deprecated and will be removed in coming releases.
     def fetchPEMFileForNetworkTokenization(filePath)
       warn("[DEPRECATED] 'fetchPEMFileForNetworkTokenization' method is deprecated and will be removed in coming releases.")

data/lib/AuthenticationSDK/util/CachedMLEKId.rb

@@ -0,0 +1,17 @@
+# Cache value object to store MLE KID data
+class CachedMLEKId
+  attr_accessor :kid, :last_modified_timestamp
+
+  def initialize(kid = nil, last_modified_timestamp = nil)
+    @kid = kid
+    @last_modified_timestamp = last_modified_timestamp
+  end
+
+  def to_s
+    "CachedMLEKId(kid: #{@kid ? 'present' : 'nil'}, last_modified_timestamp: #{@last_modified_timestamp})"
+  end
+
+  def empty?
+    @kid.nil? && @last_modified_timestamp.nil?
+  end
+end