mastercard-client-encryption 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1a98e0ce57b2212e9f27e9d09c2aa3586afa57c8f351549b1566607525608c2e
+  data.tar.gz: 4f054c956f369efc28dc7f288d39c0105769232084806379d1b4a07ff0200094
+SHA512:
+  metadata.gz: c2efcd434d514d9404a583c22bf3417cdb988a407cd29c1ce84b85e577a11c6582c7b4c51eff4c09db21e104d08bcf79517838ac4d639b88ee4c9242b9e283d0
+  data.tar.gz: d3399d4cec5349ffc560e1f2de941f04bb9cdf5a75e2c897afaeefad648e415fcd22b1127a33fef3c0423715229061d9d3a260552b8ba51b852c090965f35a19

data/lib/mcapi/encryption/crypto/crypto.rb

@@ -0,0 +1,174 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'openssl'
+require 'base64'
+require_relative '../utils/utils'
+require_relative '../utils/openssl_rsa_oaep'
+
+module McAPI
+  module Encryption
+    #
+    # Crypto class provide RSA/AES encrypt/decrypt methods
+    #
+    class Crypto
+      #
+      # Create a new instance with the provided config
+      #
+      # @param [Hash] config configuration object
+      #
+      def initialize(config)
+        valid_config?(config)
+        @encoding = config['dataEncoding']
+        @cert = OpenSSL::X509::Certificate.new(File.read(config['encryptionCertificate']))
+        if config['privateKey']
+          @private_key = OpenSSL::PKey.read(File.new(config['privateKey']))
+        elsif config['keyStore']
+          @private_key = OpenSSL::PKCS12.new(File.read(config['keyStore']), config['keyStorePassword']).key
+        end
+        @oaep_hashing_alg = config['oaepPaddingDigestAlgorithm']
+        @encrypted_value_field_name = config['encryptedValueFieldName']
+        @encrypted_key_field_name = config['encryptedKeyFieldName']
+        @public_key_fingerprint = compute_public_fingerprint(config['publicKeyFingerprintType'])
+        @public_key_fingerprint_field_name = config['publicKeyFingerprintFieldName']
+        @oaep_hashing_alg_field_name = config['oaepHashingAlgorithmFieldName']
+      end
+
+      #
+      # Generate encryption parameters.
+      #
+      # @param [String] iv IV to use instead to generate a random IV
+      # @param [String] secret_key Secret Key to use instead to generate a random key
+      #
+      # @return [Hash] hash with the generated encryption parameters
+      #
+      def new_encryption_params(iv = nil, secret_key = nil)
+        # Generate a secret key (should be 128 (or 256) bits)
+        secret_key ||= OpenSSL::Random.random_bytes(16)
+        # Generate a random initialization vector (IV)
+        iv ||= OpenSSL::Random.random_bytes(16)
+        md = Utils.create_message_digest(@oaep_hashing_alg)
+        # Encrypt secret key with issuer key
+        encrypted_key = @cert.public_key.public_encrypt_oaep(secret_key, '', md, md)
+
+        {
+            iv: iv,
+            secretKey: secret_key,
+            encryptedKey: encrypted_key,
+            oaepHashingAlgorithm: @oaep_hashing_alg,
+            publicKeyFingerprint: @public_key_fingerprint,
+            encoded: {
+                iv: Utils.encode(iv, @encoding),
+                secretKey: Utils.encode(secret_key, @encoding),
+                encryptedKey: Utils.encode(encrypted_key, @encoding)
+            }
+        }
+      end
+
+      #
+      # Perform data encryption:
+      # If +iv+, +secret_key+, +encryption_params+ and +encoding+ are not provided, randoms will be generated.
+      #
+      # @param [String] data json string to encrypt
+      # @param [String] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
+      # @param [String] (optional) encryption_params encryption parameters
+      # @param [String] encoding encoding to use for the encrypted bytes (hex or base64)
+      #
+      # @return [String] encrypted data
+      #
+      def encrypt_data(data:, iv: nil, secret_key: nil, encryption_params: nil, encoding: nil)
+        encoding ||= @encoding
+        encryption_params ||= new_encryption_params(iv, secret_key)
+        # Create Symmetric Cipher: AES 128-bit
+        aes = OpenSSL::Cipher::AES.new(128, :CBC)
+        # Initialize for encryption mode
+        aes.encrypt
+        aes.iv = encryption_params[:iv]
+        aes.key = encryption_params[:secretKey]
+        encrypted = aes.update(data) + aes.final
+        data = {
+            @encrypted_value_field_name => Utils.encode(encrypted, encoding),
+            'iv' => Utils.encode(encryption_params[:iv], encoding)
+        }
+        data[@encrypted_key_field_name] = Utils.encode(encryption_params[:encryptedKey], encoding) if @encrypted_key_field_name
+        data[@public_key_fingerprint_field_name] = @public_key_fingerprint if @public_key_fingerprint
+        data[@oaep_hashing_alg_field_name] = @oaep_hashing_alg.sub('-', '') if @oaep_hashing_alg_field_name
+        data
+      end
+
+      #
+      # Perform data decryption
+      #
+      # @param [String] encrypted_data encrypted data to decrypt
+      # @param [String] iv Initialization vector to use to create the Decipher
+      # @param [String] encrypted_key Encrypted key to use to decrypt the data
+      #                 (the key is the decrypted using the provided PrivateKey)
+      #
+      # @return [String] Decrypted JSON object
+      #
+      def decrypt_data(encrypted_data, iv, encrypted_key)
+        md = Utils.create_message_digest(@oaep_hashing_alg)
+        decrypted_key = @private_key.private_decrypt_oaep(Utils.decode(encrypted_key, @encoding), '', md, md)
+        aes = OpenSSL::Cipher::AES.new(decrypted_key.size * 8, :CBC)
+        aes.decrypt
+        aes.key = decrypted_key
+        aes.iv = Utils.decode(iv, @encoding)
+        aes.update(Utils.decode(encrypted_data, @encoding)) + aes.final
+      end
+
+      private
+
+      #
+      # Compute the fingerprint for the provided public key
+      #
+      # @param [String] type: +certificate+ or +publickey+
+      #
+      # @return [String] the computed fingerprint encoded using the configured encoding
+      #
+      def compute_public_fingerprint(type)
+        return unless type
+
+        case type.downcase
+        when 'certificate'
+          if @encoding == 'hex'
+            OpenSSL::Digest::SHA256.new(@cert.to_der).to_s
+          else
+            Digest::SHA256.base64digest(@cert.to_der)
+          end
+        when 'publickey'
+          OpenSSL::Digest::SHA256.new(@cert.public_key.to_der).to_s
+        else
+          raise 'Selected public fingerprint not supported'
+        end
+      end
+
+      #
+      # Check if the passed configuration is valid
+      #
+      def valid_config?(config)
+        props_basic = %w[oaepPaddingDigestAlgorithm paths dataEncoding encryptionCertificate encryptedValueFieldName]
+        props_field = %w[ivFieldName encryptedKeyFieldName]
+        props_header = %w[ivHeaderName encryptedKeyHeaderName oaepHashingAlgorithmHeaderName]
+        props_fingerprint = %w[publicKeyFingerprintType publicKeyFingerprintFieldName publicKeyFingerprintHeaderName]
+        props_opt_fingerprint = %w[publicKeyFingerprint]
+
+        raise 'Config not valid: config should be an Hash.' unless config.is_a?(Hash)
+        raise 'Config not valid: paths should be an array of path element.' unless config['paths'] && config['paths'].is_a?(Array)
+
+        check_props = !Utils.contains(config, props_basic) ||
+            (!Utils.contains(config, props_field) && !Utils.contains(config, props_header))
+        raise 'Config not valid: please check that all the properties are defined.' if check_props
+
+        raise 'Config not valid: paths should be not empty.' if config['paths'].length.zero?
+        raise "Config not valid: dataEncoding should be 'hex' or 'base64'" if config['dataEncoding'] != 'hex' &&
+            config['dataEncoding'] != 'base64'
+
+        check_finger = !Utils.contains(config, props_opt_fingerprint) &&
+            (config[props_fingerprint[1]] || config[props_fingerprint[2]]) &&
+            config[props_fingerprint[0]] != 'certificate' &&
+            config[props_fingerprint[0]] != 'publicKey'
+        raise "Config not valid: propertiesFingerprint should be: 'certificate' or 'publicKey'" if check_finger
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/field_level_encryption.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require_relative 'crypto/crypto'
+require_relative 'utils/hash.ext'
+require 'json'
+
+module McAPI
+  module Encryption
+    #
+    # Performs field level encryption on HTTP payloads.
+    #
+    class FieldLevelEncryption
+      #
+      # Create a new instance with the provided configuration
+      #
+      # @param [Object] config Configuration object
+      #
+      def initialize(config)
+        @config = config
+        @crypto = McAPI::Encryption::Crypto.new(config)
+        @is_with_header = config['ivHeaderName'] && config['encryptedKeyHeaderName']
+        @encryption_response_properties = [@config['ivFieldName'], @config['encryptedKeyFieldName'],
+                                           @config['publicKeyFingerprintFieldName'], @config['oaepHashingAlgorithmFieldName']]
+      end
+
+      #
+      # Encrypt parts of a HTTP request using the given config
+      #
+      # @param [String] endpoint HTTP URL for the current call
+      # @param [Object] header HTTP header
+      # @param [String,Hash] body HTTP body
+      #
+      # @return [Hash] Hash with two keys:
+      # * :header header with encrypted value (if configured with header)
+      # * :body encrypted body
+      #
+      def encrypt(endpoint, header, body)
+        body = JSON.parse(body) if body.is_a?(String)
+        config = config?(endpoint)
+        if config
+          if !@is_with_header
+            config['toEncrypt'].each do |v|
+              encrypt_with_body(v, body)
+            end
+          else
+            enc_params = @crypto.new_encryption_params
+            config['toEncrypt'].each do |v|
+              body = encrypt_with_header(v, enc_params, header, body)
+            end
+          end
+        end
+        { header: header, body: body.json }
+      end
+
+      #
+      # Decrypt part of the HTTP response using the given config
+      #
+      # @param [Object] response object as obtained from the http client
+      #
+      # @return [Object] response object with decrypted fields
+      #
+      def decrypt(response)
+        response = JSON.parse(response)
+        config = config?(response['request']['url'])
+        if config
+          if !@is_with_header
+            config['toDecrypt'].each do |v|
+              decrypt_with_body(v, response['body'])
+            end
+          else
+            config['toDecrypt'].each do |v|
+              elem = elem_from_path(v['obj'], response['body'])
+              decrypt_with_header(v, elem, response) if elem[:node][v['element']]
+            end
+          end
+        end
+        JSON.generate(response)
+      end
+
+      private
+
+      def encrypt_with_body(path, body)
+        elem = elem_from_path(path['element'], body)
+        encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
+        McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        McAPI::Utils.delete_node(path['element'], body) if path['element'] != "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+      end
+
+      def encrypt_with_header(path, enc_params, header, body)
+        elem = elem_from_path(path['element'], body)
+        encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]), encryption_params: enc_params)
+        body = { path['obj'] => { @config['encryptedValueFieldName'] => encrypted_data[@config['encryptedValueFieldName']] } }
+        set_header(header, enc_params)
+        body
+      end
+
+      def decrypt_with_body(path, body)
+        elem = elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        decrypted = JSON.parse(@crypto.decrypt_data(elem[:node][@config['encryptedValueFieldName']],
+                                                    elem[:node][@config['ivFieldName']],
+                                                    elem[:node][@config['encryptedKeyFieldName']]))
+        McAPI::Utils.mutate_obj_prop(path['obj'], decrypted, body, path['element'], @encryption_response_properties)
+      end
+
+      def decrypt_with_header(path, elem, response)
+        encrypted_data = elem[:node][path['element']][@config['encryptedValueFieldName']]
+        response['body'].clear
+        response['body'] = JSON.parse(@crypto.decrypt_data(encrypted_data,
+                                                           response['headers'][@config['ivHeaderName']][0],
+                                                           response['headers'][@config['encryptedKeyHeaderName']][0]))
+      end
+
+      def elem_from_path(path, obj)
+        parent = nil
+        paths = path.split('.')
+        if path && !paths.empty?
+          paths.each do |e|
+            parent = obj
+            obj = obj[e]
+          end
+        end
+        { node: obj, parent: parent }
+      rescue StandardError
+        nil
+      end
+
+      def config?(endpoint)
+        return unless endpoint
+
+        endpoint = endpoint.split('?').shift
+        conf = @config['paths'].select { |e| endpoint.match(e['path']) }
+        conf.empty? ? nil : conf[0]
+      end
+
+      def set_header(header, params)
+        header[@config['encryptedKeyHeaderName']] = params[:encoded][:encryptedKey]
+        header[@config['ivHeaderName']] = params[:encoded][:iv]
+        header[@config['oaepHashingAlgorithmHeaderName']] = params[:oaepHashingAlgorithm].sub('-', '')
+        header[@config['publicKeyFingerprintHeaderName']] = params[:publicKeyFingerprint]
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/openapi_interceptor.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require_relative 'field_level_encryption'
+require_relative 'utils/utils'
+
+module McAPI
+  module Encryption
+    ##
+    # Service class that provide interceptor facilities for OpenApi swagger client
+    #
+    class OpenAPIInterceptor
+      class << self
+        #
+        # Install the field level encryption in the OpenAPI HTTP client
+        # adding encryption/decryption capabilities for the request/response payload.
+        #
+        # @param [Object] swagger_client OpenAPI service client (it can be generated by the swagger code generator)
+        # @param [Object] config configuration object describing which field to enable encryption/decryption
+        #
+        def install_field_level_encryption(swagger_client, config)
+          fle = McAPI::Encryption::FieldLevelEncryption.new(config)
+          # Hooking ApiClient#call_api
+          hook_call_api fle
+          # Hooking ApiClient#deserialize
+          hook_deserialize fle
+          McAPI::Encryption::OpenAPIInterceptor.init_call_api swagger_client
+          McAPI::Encryption::OpenAPIInterceptor.init_deserialize swagger_client
+        end
+
+        private
+
+        def hook_call_api(fle)
+          self.class.send :define_method, :init_call_api do |client|
+            client.define_singleton_method(:call_api) do |http_method, path, opts|
+              if opts && opts[:body]
+                encrypted = fle.encrypt(path, opts[:header_params], opts[:body])
+                opts[:body] = JSON.generate(encrypted[:body])
+              end
+              # noinspection RubySuperCallWithoutSuperclassInspection
+              super(http_method, path, opts)
+            end
+          end
+        end
+
+        def hook_deserialize(fle)
+          self.class.send :define_method, :init_deserialize do |client|
+            client.define_singleton_method(:deserialize) do |response, return_type|
+              if response && response.body
+                endpoint = response.request.base_url.sub client.config.base_url, ''
+                to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
+                               request: { url: endpoint },
+                               body: JSON.parse(response.body) }
+                decrypted = fle.decrypt(JSON.generate(to_decrypt, symbolize_names: false))
+                body = JSON.generate(JSON.parse(decrypted)['body'])
+                response.options[:response_body] = JSON.generate(JSON.parse(body))
+              end
+              # noinspection RubySuperCallWithoutSuperclassInspection
+              super(response, return_type)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/utils/hash.ext.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+#
+# Hash extension
+#
+class Hash
+  #
+  # Parse the current hash as json
+  #
+  def json
+    JSON.parse(to_json)
+  end
+end

data/lib/mcapi/encryption/utils/openssl_rsa_oaep.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+#
+# Extends the OpenSSL library with RSA OAEP MGF1 padding
+#
+
+module OpenSSL
+  module PKey
+    class RSA
+      def public_encrypt_oaep(str, label = '', md = nil, mgf1md = nil)
+        padded = PKCS1.add_oaep_mgf1(str, n.num_bytes, label, md, mgf1md)
+        public_encrypt(padded, OpenSSL::PKey::RSA::NO_PADDING)
+      end
+
+      def private_decrypt_oaep(str, label = '', md = nil, mgf1md = nil)
+        padded = private_decrypt(str, OpenSSL::PKey::RSA::NO_PADDING)
+        PKCS1.check_oaep_mgf1(padded, label, md, mgf1md)
+      end
+    end
+  end
+
+  module PKCS1
+    def add_oaep_mgf1(str, len, label = '', md = nil, mgf1md = nil)
+      md ||= OpenSSL::Digest::SHA1
+      mgf1md ||= md
+
+      mdlen = md.new.digest_length
+      z_len = len - str.bytesize - 2 * mdlen - 2
+      raise OpenSSL::PKey::RSAError, 'key size too small' if len < 2 * mdlen + 1
+      raise OpenSSL::PKey::RSAError, 'data too large for key size' if z_len.negative?
+
+      l_hash = md.digest(label)
+      db = l_hash + ([0] * z_len + [1]).pack('C*') + [str].pack('a*')
+      seed = OpenSSL::Random.random_bytes(mdlen)
+
+      masked_db = mgf1_xor(db, seed, mgf1md)
+      masked_seed = mgf1_xor(seed, masked_db, mgf1md)
+
+      [0, masked_seed, masked_db].pack('Ca*a*')
+    end
+
+    module_function :add_oaep_mgf1
+
+    def check_oaep_mgf1(str, label = '', md = nil, mgf1md = nil)
+      md ||= OpenSSL::Digest::SHA1
+      mgf1md ||= md
+
+      mdlen = md.new.digest_length
+      em = str.bytes
+      raise OpenSSL::PKey::RSAError if em.size < 2 * mdlen + 2
+
+      # Keep constant calculation even if the text is invaid in order to avoid attacks.
+      good = secure_byte_is_zero(em[0])
+      masked_seed = em[1...1 + mdlen].pack('C*')
+      masked_db = em[1 + mdlen...em.size].pack('C*')
+
+      seed = mgf1_xor(masked_seed, masked_db, mgf1md)
+      db = mgf1_xor(masked_db, seed, mgf1md)
+      db_bytes = db.bytes
+
+      l_hash = md.digest(label)
+      good &= secure_hash_eq(l_hash.bytes, db_bytes[0...mdlen])
+
+      one_index = 0
+      found_one_byte = 0
+      (mdlen...db_bytes.size).each do |i|
+        equals1 = secure_byte_eq(db_bytes[i], 1)
+        equals0 = secure_byte_is_zero(db_bytes[i])
+        one_index = secure_select(~found_one_byte & equals1, i, one_index)
+        found_one_byte |= equals1
+        good &= (found_one_byte | equals0)
+      end
+
+      good &= found_one_byte
+
+      raise OpenSSL::PKey::RSAError if good.zero?
+
+      db_bytes[one_index + 1...db_bytes.size].pack('C*')
+    end
+
+    module_function :check_oaep_mgf1
+
+    def mgf1_xor(out, seed, md)
+      counter = 0
+      out_bytes = out.bytes
+      mask_bytes = []
+      while mask_bytes.size < out_bytes.size
+        mask_bytes += md.digest([seed, counter].pack('a*N')).bytes
+        counter += 1
+      end
+      out_bytes.size.times do |i|
+        out_bytes[i] ^= mask_bytes[i]
+      end
+      out_bytes.pack('C*')
+    end
+
+    module_function :mgf1_xor
+
+    # Constant time comparistion utilities.
+    def secure_byte_is_zero(v)
+      v - 1 >> 8
+    end
+
+    def secure_byte_eq(v1, v2)
+      secure_byte_is_zero(v1 ^ v2)
+    end
+
+    def secure_select(mask, eq, ne)
+      (mask & eq) | (~mask & ne)
+    end
+
+    def secure_hash_eq(vs1, vs2)
+      # Assumes the given hash values have the same size.
+      # This check is not constant time, but should not depends on the texts.
+      return 0 unless vs1.size == vs2.size
+
+      res = secure_byte_is_zero(0)
+      (0...vs1.size).each do |i|
+        res &= secure_byte_eq(vs1[i], vs2[i])
+      end
+      res
+    end
+
+    module_function :secure_byte_is_zero, :secure_byte_eq, :secure_select, :secure_hash_eq
+  end
+end

data/lib/mcapi/encryption/utils/utils.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module McAPI
+  #
+  # Utils module
+  module Utils
+    #
+    # Data encoding
+    #
+    def self.encode(data, encoding)
+      return unless encoding
+
+      case encoding.downcase
+      when 'hex'
+        data.each_byte.map { |b| format('%02x', b.to_i) }.join
+      when 'base64'
+        Base64.encode64(data).delete("\n")
+      else
+        raise 'Encoding not supported'
+      end
+    end
+
+    #
+    # Data decoding
+    #
+    def self.decode(data, encoding)
+      return unless encoding
+
+      case encoding.downcase
+      when 'hex'
+        [data].pack('H*')
+      when 'base64'
+        Base64.decode64(data)
+      else
+        raise 'Encoding not supported'
+      end
+    end
+
+    #
+    # Create Digest object for the provided digest string
+    #
+    def self.create_message_digest(digest)
+      return unless digest
+
+      case digest.upcase
+      when 'SHA-256', 'SHA256'
+        OpenSSL::Digest::SHA256
+      when 'SHA-512', 'SHA512'
+        OpenSSL::Digest::SHA512
+      else
+        raise 'Digest algorithm not supported'
+      end
+    end
+
+    def self.contains(config, props)
+      props.any? do |i|
+        config.key? i
+      end
+    end
+
+    #
+    # Perform JSON object properties manipulations
+    #
+    def self.mutate_obj_prop(path, value, obj, src_path = nil, properties = [])
+      tmp = obj
+      prev = nil
+      return unless path
+
+      delete_node(src_path, obj, properties) if src_path
+      paths = path.split('.')
+      paths.each do |e|
+        tmp[e] = {} unless tmp[e]
+        prev = tmp
+        tmp = tmp[e]
+      end
+      elem = path.split('.').pop
+      if value.is_a?(Hash) && !value.is_a?(Array)
+        prev[elem] = {} unless prev[elem].is_a?(Hash)
+        override_props(prev[elem], value)
+      else
+        prev[elem] = value
+      end
+    end
+
+    def self.override_props(target, obj)
+      obj.each do |k, _|
+        target[k] = obj[k]
+      end
+    end
+
+    #
+    # Delete node from JSON object
+    #
+    def self.delete_node(path, obj, properties = [])
+      return unless path && obj
+
+      paths = path.split('.')
+      to_delete = paths[paths.size - 1]
+      paths.each_with_index do |e, index|
+        prev = obj
+        next unless obj[e]
+
+        obj = obj[e]
+        prev.delete(to_delete) if obj && index == paths.size - 1
+      end
+      properties.each { |e| obj.delete(e) } if paths.empty?
+    end
+
+    #
+    # Parse raw HTTP Header
+    #
+    def self.parse_header(raw)
+      raw = raw.partition("\n").last
+      header = Hash.new([].freeze)
+      field = nil
+      raw.each_line do |line|
+        case line
+        when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om
+          field = Regexp.last_match(1)
+          value = Regexp.last_match(2)
+          field.downcase!
+          header[field] = [] unless header.key?(field)
+          header[field] << value
+        when /^\s+(.*?)\s*\z/om
+          value = Regexp.last_match(1)
+          raise Exception, "bad header '#{line}'." unless field
+
+          header[field][-1] << ' ' << value
+        else
+          raise Exception, "bad header '#{line}'."
+        end
+      end
+      header.each do |_key, values|
+        values.each do |value|
+          value.strip!
+          value.gsub!(/\s+/, ' ')
+        end
+      end
+      header
+    end
+  end
+end

metadata

@@ -0,0 +1,105 @@
+--- !ruby/object:Gem::Specification
+name: mastercard-client-encryption
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Mastercard
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-05-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+description: Library for Mastercard API compliant payload encryption/decryption.
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/mcapi/encryption/crypto/crypto.rb
+- lib/mcapi/encryption/field_level_encryption.rb
+- lib/mcapi/encryption/openapi_interceptor.rb
+- lib/mcapi/encryption/utils/hash.ext.rb
+- lib/mcapi/encryption/utils/openssl_rsa_oaep.rb
+- lib/mcapi/encryption/utils/utils.rb
+homepage: https://github.com/Mastercard/client-encryption-ruby
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.7
+signing_key: 
+specification_version: 4
+summary: Mastercard encryption library
+test_files: []