mastercard-client-encryption 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b77cd2d8a1ded5e2456a290e91add5537e3de8ce397e02c049b58a23c4d93f79
-  data.tar.gz: 82350cf1e7aafc602f7efccdf94b271ef218b77fa26b90be3bd7baac18855c27
+  metadata.gz: 498fe9a62ff880357316d0dd97d78d27dae85bca253702d905e2769087579ba2
+  data.tar.gz: 22a35a9afebde5f8f746067154c339ced42edd4b0d4ec0d6fa920963f1de5abd
 SHA512:
-  metadata.gz: a56bec98e3a1ed10af314ecf1c318abbf88b36a39dab24f3f888ed2a05d8767befde6fc807022a57ae1d33d6a50c163903bb436f52de480683be9d59f2044c43
-  data.tar.gz: cf09bf8da562269a9f481bea48662cf44c0381cdbfed88945436d627bea23cc8bb3b4fb63247042f7c3fbffc87ece128109ec128b832a868588f7db478a52012
+  metadata.gz: 3fe63908d6249e94fc6db683aefe97a82622ee4c8c59eca8e8a7cd21f7d79a96c0476f6efb6bc9362d2903eed8afc0a0d04a37b2b8a44ed438989560c5b47034
+  data.tar.gz: 879b24f693402374293b543d7a5bbacd4b05b12b23f4586a85ee2c078a3631fa16159051cc2acac2f07820fa48ddfdf6f1205dcd3419cf9cd2d6851af0ebb383

data/lib/mcapi/encryption/crypto/jwe-crypto.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'openssl'
+require 'base64'
+require 'securerandom'
+require_relative '../utils/utils'
+require_relative '../utils/openssl_rsa_oaep'
+
+module McAPI
+  module Encryption
+    #
+    # JWE Crypto class provide RSA/AES encrypt/decrypt methods
+    #
+    class JweCrypto
+      #
+      # Create a new instance with the provided config
+      #
+      # @param [Hash] config configuration object
+      #
+      def initialize(config)
+        @encoding = config['dataEncoding']
+        @cert = OpenSSL::X509::Certificate.new(IO.binread(config['encryptionCertificate']))
+        if config['privateKey']
+          @private_key = OpenSSL::PKey.read(IO.binread(config['privateKey']))
+        elsif config['keyStore']
+          @private_key = OpenSSL::PKCS12.new(IO.binread(config['keyStore']), config['keyStorePassword']).key
+        end
+        @encrypted_value_field_name = config['encryptedValueFieldName'] || 'encryptedData'
+        @public_key_fingerprint = compute_public_fingerprint
+      end
+
+      #
+      # Perform data encryption:
+      #
+      # @param [String] data json string to encrypt
+      #
+      # @return [Hash] encrypted data
+      #
+      def encrypt_data(data:)
+        cek = SecureRandom.random_bytes(32)
+        iv = SecureRandom.random_bytes(12)
+
+        md = OpenSSL::Digest::SHA256
+        encrypted_key = @cert.public_key.public_encrypt_oaep(cek, '', md, md)
+
+        header = generate_header('RSA-OAEP-256', 'A256GCM')
+        json_hdr = header.to_json
+        auth_data = jwe_encode(json_hdr)
+
+        cipher = OpenSSL::Cipher.new('aes-256-gcm')
+        cipher.encrypt
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.padding = 0
+        cipher.auth_data = auth_data
+        cipher_text = cipher.update(data) + cipher.final
+
+        payload = generate_serialization(json_hdr, encrypted_key, cipher_text, iv, cipher.auth_tag)
+        {
+          @encrypted_value_field_name => payload
+        }
+      end
+
+      #
+      # Perform data decryption
+      #
+      # @param [String] encrypted_data encrypted data to decrypt
+      #
+      # @return [String] Decrypted JSON object
+      #
+      def decrypt_data(encrypted_data:)
+        parts = encrypted_data.split('.')
+        encrypted_header, encrypted_key, initialization_vector, cipher_text, authentication_tag = parts
+
+        jwe_header = jwe_decode(encrypted_header)
+        encrypted_key = jwe_decode(encrypted_key)
+        iv = jwe_decode(initialization_vector)
+        cipher_text = jwe_decode(cipher_text)
+        cipher_tag = jwe_decode(authentication_tag)
+
+        md = OpenSSL::Digest::SHA256
+        cek = @private_key.private_decrypt_oaep(encrypted_key, '', md, md)
+
+        enc_method = JSON.parse(jwe_header)['enc']
+
+        if enc_method == "A256GCM"
+          enc_string = "aes-256-gcm"
+        elsif enc_method == "A128CBC-HS256"
+          cek = cek.byteslice(16, cek.length)
+          enc_string = "aes-128-cbc"
+        else
+          raise Exception, "Encryption method '#{enc_method}' not supported."
+        end
+
+        cipher = OpenSSL::Cipher.new(enc_string)
+        cipher.decrypt
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.padding = 0
+        if enc_method == "A256GCM"
+          cipher.auth_data = encrypted_header
+          cipher.auth_tag = cipher_tag
+        end
+
+        cipher.update(cipher_text) + cipher.final
+      end
+
+      private
+
+      #
+      # Compute the fingerprint for the provided public key
+      #
+      # @return [String] the computed fingerprint encoded using the configured encoding
+      #
+      def compute_public_fingerprint
+        OpenSSL::Digest::SHA256.new(@cert.public_key.to_der).to_s
+      end
+
+      #
+      # Generate the JWE header for the provided encryption algorithm and encryption method
+      #
+      # @param [String] alg the cryptographic algorithm used to encrypt the value of the CEK
+      # @param [String] enc the content encryption algorithm used to perform authenticated encryption on the plaintext
+      #
+      # @return [Hash] the JWE header
+      #
+      def generate_header(alg, enc)
+        { alg: alg, enc: enc, kid: @public_key_fingerprint, cty: 'application/json' }
+      end
+
+      #
+      # URL safe Base64 encode the provided value
+      #
+      # @param [String] value to be encoded
+      #
+      # @return [String] URL safe Base64 encoded value
+      #
+      def jwe_encode(value)
+        ::Base64.urlsafe_encode64(value).delete('=')
+      end
+
+      #
+      # URL safe Base64 decode the provided value
+      #
+      # @param [String] value to be decoded
+      #
+      # @return [String] URL safe Base64 decoded value
+      #
+      def jwe_decode(value)
+        padlen = 4 - (value.length % 4)
+        if padlen < 4
+          pad = '=' * padlen
+          value += pad
+        end
+        ::Base64.urlsafe_decode64(value)
+      end
+
+      #
+      # Generate JWE compact payload from the provided values
+      #
+      # @param [String] hdr JWE header
+      # @param [String] cek content encryption key
+      # @param [String] content cipher text
+      # @param [String] iv initialization vector
+      # @param [String] tag cipher auth tag
+      #
+      # @return [String] URL safe Base64 decoded value
+      #
+      def generate_serialization(hdr, cek, content, iv, tag)
+        [hdr, cek, iv, content, tag].map { |piece| jwe_encode(piece) }.join '.'
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/field_level_encryption.rb

@@ -2,6 +2,7 @@
 
 require_relative 'crypto/crypto'
 require_relative 'utils/hash.ext'
+require_relative 'utils/utils'
 require 'json'
 
 module McAPI
@@ -36,7 +37,7 @@ module McAPI
       #
       def encrypt(endpoint, header, body)
         body = JSON.parse(body) if body.is_a?(String)
-        config = config?(endpoint)
+        config = McAPI::Utils.config?(endpoint, @config)
         body_map = body
         if config
           if !@is_with_header
@@ -50,7 +51,7 @@ module McAPI
             end
           end
         end
-        { header: header, body: config ? compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
+        { header: header, body: config ? McAPI::Utils.compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
       end
 
       #
@@ -62,7 +63,7 @@ module McAPI
       #
       def decrypt(response)
         response = JSON.parse(response)
-        config = config?(response['request']['url'])
+        config = McAPI::Utils.config?(response['request']['url'], @config)
         body_map = response
         if config
           if !@is_with_header
@@ -71,31 +72,31 @@ module McAPI
             end
           else
             config['toDecrypt'].each do |v|
-              elem = elem_from_path(v['obj'], response['body'])
+              elem = McAPI::Utils.elem_from_path(v['obj'], response['body'])
               decrypt_with_header(v, elem, response) if elem[:node][v['element']]
             end
           end
         end
-        response['body'] = compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
+        response['body'] = McAPI::Utils.compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
         JSON.generate(response)
       end
 
       private
 
       def encrypt_with_body(path, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
 
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
         body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
-        unless json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+        unless McAPI::Utils.json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
           McAPI::Utils.delete_node(path['element'], body)
         end
         body
       end
 
       def encrypt_with_header(path, enc_params, header, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
 
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]), encryption_params: enc_params)
@@ -105,7 +106,7 @@ module McAPI
       end
 
       def decrypt_with_body(path, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
 
         decrypted = @crypto.decrypt_data(elem[:node][@config['encryptedValueFieldName']],
@@ -130,46 +131,12 @@ module McAPI
                                                            response['headers'][@config['oaepHashingAlgorithmHeaderName']][0]))
       end
 
-      def elem_from_path(path, obj)
-        parent = nil
-        paths = path.split('.')
-        if path && !paths.empty?
-          paths.each do |e|
-            parent = obj
-            obj = json_root?(e) ? obj : obj[e]
-          end
-        end
-        { node: obj, parent: parent }
-      rescue StandardError
-        nil
-      end
-
-      def config?(endpoint)
-        return unless endpoint
-
-        endpoint = endpoint.split('?').shift
-        conf = @config['paths'].select { |e| endpoint.match(e['path']) }
-        conf.empty? ? nil : conf[0]
-      end
-
       def set_header(header, params)
         header[@config['encryptedKeyHeaderName']] = params[:encoded][:encryptedKey]
         header[@config['ivHeaderName']] = params[:encoded][:iv]
         header[@config['oaepHashingAlgorithmHeaderName']] = params[:oaepHashingAlgorithm].sub('-', '')
         header[@config['publicKeyFingerprintHeaderName']] = params[:publicKeyFingerprint]
       end
-
-      def json_root?(elem)
-        elem == '$'
-      end
-
-      def compute_body(config_param, body_map)
-        encryption_param?(config_param, body_map) ? body_map[0] : yield
-      end
-
-      def encryption_param?(enc_param, body_map)
-        enc_param.length == 1 && body_map.length == 1
-      end
     end
   end
 end

data/lib/mcapi/encryption/jwe_encryption.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require_relative 'crypto/jwe-crypto'
+require_relative 'utils/hash.ext'
+require 'json'
+
+module McAPI
+  module Encryption
+    #
+    # Performs JWE encryption on HTTP payloads.
+    #
+    class JweEncryption
+      #
+      # Create a new instance with the provided configuration
+      #
+      # @param [Hash] config Configuration object
+      #
+      def initialize(config)
+        @config = config
+        @crypto = McAPI::Encryption::JweCrypto.new(config)
+      end
+
+      #
+      # Encrypt parts of a HTTP request using the given config
+      #
+      # @param [String] endpoint HTTP URL for the current call
+      # @param [Object|nil] header HTTP header
+      # @param [String,Hash] body HTTP body
+      #
+      # @return [Hash] Hash with two keys:
+      # * :header header with encrypted value (if configured with header)
+      # * :body encrypted body
+      #
+      def encrypt(endpoint, body)
+        body = JSON.parse(body) if body.is_a?(String)
+        config = McAPI::Utils.config?(endpoint, @config)
+        body_map = body
+        if config
+          body_map = config['toEncrypt'].map do |v|
+            encrypt_with_body(v, body)
+          end
+        end
+        { body: config ? McAPI::Utils.compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
+      end
+
+      #
+      # Decrypt part of the HTTP response using the given config
+      #
+      # @param [Object] response object as obtained from the http client
+      #
+      # @return [Object] response object with decrypted fields
+      #
+      def decrypt(response)
+        response = JSON.parse(response)
+        config = McAPI::Utils.config?(response['request']['url'], @config)
+        body_map = response
+        if config
+          body_map = config['toDecrypt'].map do |v|
+            decrypt_with_body(v, response['body'])
+          end
+        end
+        response['body'] = McAPI::Utils.compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
+        JSON.generate(response)
+      end
+
+      private
+
+      def encrypt_with_body(path, body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
+        body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        unless McAPI::Utils.json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+          McAPI::Utils.delete_node(path['element'], body)
+        end
+        body
+      end
+
+      def decrypt_with_body(path, body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        decrypted = @crypto.decrypt_data(encrypted_data: elem[:node][@config['encryptedValueFieldName']])
+        begin
+          decrypted = JSON.parse(decrypted)
+        rescue JSON::ParserError
+          # ignored
+        end
+
+        McAPI::Utils.mutate_obj_prop(path['obj'], decrypted, body, path['element'], @encryption_response_properties)
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/openapi_interceptor.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative 'field_level_encryption'
+require_relative 'jwe_encryption'
 require_relative 'utils/utils'
 
 module McAPI
@@ -27,14 +28,36 @@ module McAPI
           McAPI::Encryption::OpenAPIInterceptor.init_deserialize swagger_client
         end
 
+        #
+        # Install the JWE encryption in the OpenAPI HTTP client
+        # adding encryption/decryption capabilities for the request/response payload.
+        #
+        # @param [Object] swagger_client OpenAPI service client (it can be generated by the swagger code generator)
+        # @param [Hash] config configuration object describing which field to enable encryption/decryption
+        #
+        def install_jwe_encryption(swagger_client, config)
+          jwe = McAPI::Encryption::JweEncryption.new(config)
+          # Hooking ApiClient#call_api
+          hook_call_api jwe
+          # Hooking ApiClient#deserialize
+          hook_deserialize jwe
+          McAPI::Encryption::OpenAPIInterceptor.init_call_api swagger_client
+          McAPI::Encryption::OpenAPIInterceptor.init_deserialize swagger_client
+        end
+
         private
 
-        def hook_call_api(fle)
+        def hook_call_api(enc)
           self.class.send :define_method, :init_call_api do |client|
             client.define_singleton_method(:call_api) do |http_method, path, opts|
               if opts && opts[:body]
-                encrypted = fle.encrypt(path, opts[:header_params], opts[:body])
-                opts[:body] = JSON.generate(encrypted[:body])
+                if enc.instance_of? McAPI::Encryption::FieldLevelEncryption
+                  encrypted = enc.encrypt(path, opts[:header_params], opts[:body])
+                  opts[:body] = JSON.generate(encrypted[:body])
+                else
+                  encrypted = enc.encrypt(path, opts[:body])
+                  opts[:body] = JSON.generate(encrypted[:body])
+                end
               end
               # noinspection RubySuperCallWithoutSuperclassInspection
               super(http_method, path, opts)
@@ -42,15 +65,20 @@ module McAPI
           end
         end
 
-        def hook_deserialize(fle)
+        def hook_deserialize(enc)
           self.class.send :define_method, :init_deserialize do |client|
             client.define_singleton_method(:deserialize) do |response, return_type|
               if response&.body
                 endpoint = response.request.base_url.sub client.config.base_url, ''
-                to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
-                               request: { url: endpoint },
-                               body: JSON.parse(response.body) }
-                decrypted = fle.decrypt(JSON.generate(to_decrypt, symbolize_names: false))
+                if enc.instance_of? McAPI::Encryption::FieldLevelEncryption
+                  to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
+                                 request: { url: endpoint },
+                                 body: JSON.parse(response.body) }
+                else
+                  to_decrypt = { request: { url: endpoint },
+                                 body: JSON.parse(response.body) }
+                end
+                decrypted = enc.decrypt(JSON.generate(to_decrypt, symbolize_names: false))
                 body = JSON.generate(JSON.parse(decrypted)['body'])
                 response.options[:response_body] = JSON.generate(JSON.parse(body))
               end

data/lib/mcapi/encryption/utils/utils.rb

@@ -146,5 +146,45 @@ module McAPI
       end
       header
     end
+
+    #
+    # Get an element from the JSON path
+    #
+    def self.elem_from_path(path, obj)
+      parent = nil
+      paths = path.split('.')
+      if path && !paths.empty?
+        paths.each do |e|
+          parent = obj
+          obj = json_root?(e) ? obj : obj[e]
+        end
+      end
+      { node: obj, parent: parent }
+    rescue StandardError
+      nil
+    end
+
+    #
+    # Check whether the encryption/decryption path refers to the root element
+    #
+    def self.json_root?(elem)
+      elem == '$'
+    end
+
+    def self.config?(endpoint, config)
+      return unless endpoint
+
+      endpoint = endpoint.split('?').shift
+      conf = config['paths'].select { |e| endpoint.match(e['path']) }
+      conf.empty? ? nil : conf[0]
+    end
+
+    def self.compute_body(config_param, body_map)
+      encryption_param?(config_param, body_map) ? body_map[0] : yield
+    end
+
+    def self.encryption_param?(enc_param, body_map)
+      enc_param.length == 1 && body_map.length == 1
+    end
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: mastercard-client-encryption
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Mastercard
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-17 00:00:00.000000000 Z
+date: 2022-07-21 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: hamster
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -73,7 +87,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/mcapi/encryption/crypto/crypto.rb
+- lib/mcapi/encryption/crypto/jwe-crypto.rb
 - lib/mcapi/encryption/field_level_encryption.rb
+- lib/mcapi/encryption/jwe_encryption.rb
 - lib/mcapi/encryption/openapi_interceptor.rb
 - lib/mcapi/encryption/utils/hash.ext.rb
 - lib/mcapi/encryption/utils/openssl_rsa_oaep.rb