pedicel-pay 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bdb70920d44fc3ca94c23bf72503189c8a382675aab89f1f3247a59b05ef353f
-  data.tar.gz: a014ce297bc24449810a25cdae9fd29fc39344a6bf4cbf5180aa55b1d1f40a91
+  metadata.gz: 68626ff88a9448225853d1c8547535236f4a734fe850618a3cf5ee7593c4ccee
+  data.tar.gz: 64cbedfe02190675426b05e0db34f386be38c38c46a4d00029bd22578630f687
 SHA512:
-  metadata.gz: e6ca39b5d3b99fe056eb145f62b01b976924ef2e1de997671925f0975388319965d2a5a34c5eede178c83f4fee84564ff27b823db3caa2bad129867f3a4f265b
-  data.tar.gz: 966fdf5fbab66e081952e3014498fd689f28b165b5a522ba3c642920838115178954d1e2954de4adcffe60ecaa46cf5de32942c60f3832c9b79736a300ed9193
+  metadata.gz: 070601a57849d8d89aff29301cf9b299beba45f6f0ba6d2922f4be7c969c4d69ad0cf0e108bc0946116f078fad7fb349dd712ed063da856bc854d2da8f3f54ef
+  data.tar.gz: 92b6937df63bd603bd8abf06a261b57af47aa9898a4a8cfbf179079f8e74f4bf4a9b658028a58561098b07704b75e0223ef7668f83424ade10d245bcac24bf86

data/exe/pedicel-pay

@@ -0,0 +1,182 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'thor'
+require 'pedicel-pay'
+require 'json'
+require 'time'
+
+module PedicelPay
+  class Cli < Thor
+    BACKEND_FILES = [
+      'ca-key.pem',
+      'ca-certificate.pem',
+      'intermediate-key.pem',
+      'intermediate-certificate.pem',
+      'leaf-key.pem',
+      'leaf-certificate.pem',
+    ]
+
+    CLIENT_FILES = [
+      'client-key.pem',
+      'client-certificate.pem',
+    ]
+
+    FILES = BACKEND_FILES | CLIENT_FILES
+
+
+    desc 'clean', 'Remove all generated files'
+    option :path, type: :string, path: true, aliases: :p
+
+    def clean
+      FILES.
+        map { |f| options[:path] ? File.join(File.expand_path(options[:path]), f) : f }.
+        each { |f| File.delete(f) if File.exist?(f) }
+    end
+
+
+    desc 'generate-backend', 'Generate a backend: CA, intermediate and leaf certificates and keys'
+    option 'force', type: :boolean, aliases: :f
+    option 'destination', type: :string, aliases: [:dest, :d]
+    option 'path', type: :string, path: true, aliases: :p
+    option 'valid-from', type: :string
+    option 'valid-to', type: :string
+
+    def generate_backend
+      path = File.expand_path(options[:path] || '.')
+
+      BACKEND_FILES.map{|f| File.join(path, f)}.each do |file|
+        if File.exist?(file)
+          $stderr.puts "File #{file} already exist"
+          exit 1
+        end
+      end unless options[:force]
+
+      Dir.mkdir(path) unless File.directory?(path)
+
+      PedicelPay.config[:valid] = \
+        (options['valid-from'] ? Time.parse(options['valid-from']) : PedicelPay.config[:valid].min) ..
+        (options['valid-to']   ? Time.parse(options['valid-to'])   : PedicelPay.config[:valid].max)
+
+      backend = PedicelPay::Backend.generate
+
+      File.open(File.join(path, 'ca-key.pem'), 'w')                   { |f| f.write(backend.ca_key.to_pem) }
+      File.open(File.join(path, 'ca-certificate.pem'), 'w')           { |f| f.write(backend.ca_certificate.to_pem) }
+      File.open(File.join(path, 'intermediate-key.pem'), 'w')         { |f| f.write(backend.intermediate_key.to_pem) }
+      File.open(File.join(path, 'intermediate-certificate.pem'), 'w') { |f| f.write(backend.intermediate_certificate.to_pem) }
+      File.open(File.join(path, 'leaf-key.pem'), 'w')                 { |f| f.write(backend.leaf_key.to_pem) }
+      File.open(File.join(path, 'leaf-certificate.pem'), 'w')         { |f| f.write(backend.leaf_certificate.to_pem) }
+    end
+
+
+    desc 'check-backend', 'Check that the backend created is functional'
+    option :path, type: :string, path: true, aliases: :p
+
+    def check_backend
+      backend = Helper.load_backend(options[:path])
+
+      backend.is_a?(PedicelPay::Backend) && backend.validate
+    rescue => e
+      $stderr.puts e
+      exit 1
+    end
+
+
+    desc 'generate-client', 'Generate a client, the merchant side'
+    option 'backend-path', type: :string, path: true, aliases: :b
+    option 'force', type: :boolean, aliases: :f
+    option 'path', type: :string, path: true, aliases: :p
+    option 'valid-from', type: :string
+    option 'valid-to', type: :string
+
+    def generate_client
+      path = File.expand_path(options[:path] || '.')
+
+      CLIENT_FILES.map{|f| File.join(path, f)}.each do |file|
+        if File.exist?(file)
+          $stderr.puts "File #{file} already exist"
+          exit 1
+        end
+      end unless options[:force]
+
+      Dir.mkdir(path) unless File.directory?(path)
+
+      valid = \
+        (options['valid-from'] ? Time.parse(options['valid-from']) : PedicelPay.config[:valid].min) ..
+        (options['valid-to']   ? Time.parse(options['valid-to'])   : PedicelPay.config[:valid].max)
+
+      client = Helper.load_backend(options['backend-path']).generate_client(valid: valid)
+
+      File.open(File.join(path, 'client-key.pem'), 'w')         { |f| f.write(client.key.to_pem) }
+      File.open(File.join(path, 'client-certificate.pem'), 'w') { |f| f.write(client.certificate.to_pem) }
+    end
+
+
+    desc 'generate-token', 'Generate a token'
+    option 'backend-path', type: :string, path: true, aliases: :b
+    option 'client-path', type: :string, path: true, aliases: :c
+    option 'amount', type: :string
+    option 'currency', type: :string
+    option 'pan', type: :string
+    option 'expiry', type: :string
+
+    def generate_token
+      backend = Helper.load_backend(options['backend-path'])
+      client = Helper.load_client(options['client-path'])
+
+      token = PedicelPay::Token.new
+      token.sample
+
+      token.unencrypted_data.amount   = options['amount'].to_i if options['amount']&.to_i
+      token.unencrypted_data.currency = options['currency'] if options['currency']
+      token.unencrypted_data.pan      = options['pan'] if options['pan']
+      token.unencrypted_data.expiry   = options['expiry'] if options['expiry']
+
+      backend.encrypt_and_sign(token, recipient: client)
+
+      puts token.to_json
+    end
+
+
+    desc 'decrypt-token', 'Decrypt a token'
+    option 'client-path', type: :string, path: true, aliases: :c
+    option 'backend-path', type: :string, path: true, aliases: :b
+    option 'file', type: :string, aliases: :f
+
+    def decrypt_token
+      raw_token = options['file'] ? File.read(options['file']) : $stdin.read
+      token = JSON.parse(raw_token)
+
+      client = Helper.load_client(options['client-path'])
+      backend = Helper.load_backend(options['backend-path'])
+
+      puts client.decrypt(token, ca_certificate_pem: backend.ca_certificate.to_pem)
+    end
+  end
+
+  class Helper
+    def self.load_backend(path)
+      path = File.expand_path(path || '.')
+
+      PedicelPay::Backend.new(
+        ca_key:                   OpenSSL::PKey::EC.new(         File.read(File.join(path, 'ca-key.pem'))),
+        ca_certificate:           OpenSSL::X509::Certificate.new(File.read(File.join(path, 'ca-certificate.pem'))),
+        intermediate_key:         OpenSSL::PKey::EC.new(         File.read(File.join(path, 'intermediate-key.pem'))),
+        intermediate_certificate: OpenSSL::X509::Certificate.new(File.read(File.join(path, 'intermediate-certificate.pem'))),
+        leaf_key:                 OpenSSL::PKey::EC.new(         File.read(File.join(path, 'leaf-key.pem'))),
+        leaf_certificate:         OpenSSL::X509::Certificate.new(File.read(File.join(path, 'leaf-certificate.pem')))
+      )
+    end
+
+    def self.load_client(path)
+      path = File.expand_path(path || '.')
+
+      PedicelPay::Client.new(
+        key:               OpenSSL::PKey::EC.new(         File.read(File.join(path, 'client-key.pem'))),
+        certificate:       OpenSSL::X509::Certificate.new(File.read(File.join(path, 'client-certificate.pem'))),
+      )
+    end
+  end
+end
+
+PedicelPay::Cli.start(ARGV)

data/lib/pedicel-pay/backend.rb

@@ -0,0 +1,261 @@
+require 'pedicel-pay/helper'
+require 'pedicel'
+require 'openssl'
+
+module PedicelPay
+  class Backend
+    Error = Class.new(PedicelPay::Error)
+    CertificateError = Class.new(PedicelPay::Backend::Error)
+    KeyError = Class.new(PedicelPay::Backend::Error)
+
+    attr_accessor \
+      :ca_key,           :ca_certificate,
+      :intermediate_key, :intermediate_certificate,
+      :leaf_key,         :leaf_certificate
+
+    def initialize(ca_key: nil,           ca_certificate: nil,
+                   intermediate_key: nil, intermediate_certificate: nil,
+                   leaf_key: nil,         leaf_certificate: nil)
+      @ca_key         = ca_key
+      @ca_certificate = ca_certificate
+
+      @intermediate_key         = intermediate_key
+      @intermediate_certificate = intermediate_certificate
+
+      @leaf_key         = leaf_key
+      @leaf_certificate = leaf_certificate
+    end
+
+    def generate_client(valid: PedicelPay.config[:valid])
+      client = PedicelPay::Client.new(ca_certificate_pem: ca_certificate.to_pem)
+      client.generate_key
+
+      client.ca_certificate_pem = ca_certificate.to_pem
+      client.certificate = sign_csr(client.generate_csr, valid: valid)
+
+      client
+    end
+
+    def sign_csr(csr, valid: PedicelPay.config[:valid])
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2
+      cert.serial = 1
+      cert.not_before = valid.min
+      cert.not_after = valid.max
+      cert.subject = PedicelPay.config[:subject][:client]
+      cert.public_key = csr.public_key
+      cert.issuer = intermediate_certificate.issuer
+      cert.sign(intermediate_key, OpenSSL::Digest::SHA256.new)
+
+      merchant_id_hex = Helper.bytestring_to_hex(PedicelPay.config[:random].bytes(32))
+
+      cert.add_extension(OpenSSL::X509::Extension.new(PedicelPay.config[:oid][:merchant_identifier_field], merchant_id_hex))
+
+      cert
+    end
+
+    def encrypt_and_sign(token, recipient:, shared_secret: nil, ephemeral_pubkey: nil)
+      encrypt(token, recipient: recipient, shared_secret: shared_secret, ephemeral_pubkey: ephemeral_pubkey)
+      sign(token)
+
+      token
+    end
+
+    def encrypt(token, recipient:, shared_secret: nil, ephemeral_pubkey: nil)
+      raise ArgumentError, 'invalid token' unless token.is_a?(Token)
+
+      if shared_secret && ephemeral_pubkey
+        # Use them. No check that they come from the same ephemeral secret key.
+      elsif shared_secret.nil? ^ ephemeral_pubkey.nil?
+        raise ArgumentError, "'shared_secret' and 'ephemeral_pubkey' must be supplied together"
+      else # None of shared_secret or ephemeral_pubkey is supplied.
+        shared_secret, ephemeral_pubkey = self.class.generate_shared_secret_and_ephemeral_pubkey(recipient: recipient)
+      end
+
+      symmetric_key = Pedicel::EC.symmetric_key(shared_secret: shared_secret, merchant_id: Helper.merchant_id(recipient))
+
+      token.encrypted_data = Helper.encrypt(
+        data: token.unencrypted_data.to_json,
+        key: symmetric_key
+      )
+
+      token.header.ephemeral_pubkey = ephemeral_pubkey
+      token.update_pubkey_hash(recipient: recipient)
+
+      token
+    end
+
+    def sign(token, certificate: leaf_certificate, key: leaf_key)
+      raise ArgumentError, 'token has no encrypted_data' unless token.encrypted_data
+      raise ArgumentError, 'token has no ephemeral_pubkey' unless token.header.ephemeral_pubkey
+
+      message = [
+        Helper.ec_key_to_pkey_public_key(token.header.ephemeral_pubkey).to_der,
+        token.encrypted_data,
+        token.header.transaction_id,
+        token.header.data_hash
+      ].compact.join
+
+      signature = OpenSSL::PKCS7.sign(
+        certificate,
+        key,
+        message,
+        [intermediate_certificate, ca_certificate], # Chain.
+        OpenSSL::PKCS7::BINARY # Handle 0x00 correctly.
+      )
+
+      if token.signature # Already signed.
+        oldsig = OpenSSL::PKCS7.new(Base64.strict_decode64(token.signature))
+        signature = oldsig.add_signer(signature.signers.first)
+      end
+
+      token.signature = Base64.strict_encode64(signature.to_der)
+
+      token
+    end
+
+    def self.generate_shared_secret_and_ephemeral_pubkey(recipient:)
+      pubkey = case recipient
+               when Client
+                 OpenSSL::PKey::EC.new(recipient.certificate.public_key).public_key
+               when OpenSSL::X509::Certificate
+                 OpenSSL::PKey::EC.new(recipient.public_key).public_key
+               when OpenSSL::PKey::EC::Point
+                 recipient
+               else raise ArgumentError, 'invalid recipient'
+               end
+
+      ephemeral_seckey = OpenSSL::PKey::EC.new(PedicelPay::EC_CURVE).generate_key
+
+      [ephemeral_seckey.dh_compute_key(pubkey), ephemeral_seckey.public_key]
+    end
+
+    def self.generate(config: PedicelPay.config)
+      ck, cc = generate_ca(config: config)
+
+      ik, ic = generate_intermediate(ca_key: ck, ca_certificate: cc, config: config)
+
+      lk, lc = generate_leaf(intermediate_key: ik, intermediate_certificate: ic, config: config)
+
+      new(ca_key: ck, ca_certificate: cc,
+          intermediate_key: ik, intermediate_certificate: ic,
+          leaf_key: lk, leaf_certificate: lc)
+    end
+
+    def self.generate_ca(config: PedicelPay.config)
+      key = OpenSSL::PKey::EC.new(PedicelPay::EC_CURVE)
+      key.generate_key
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2 # https://www.ietf.org/rfc/rfc5280.txt -> Section 4.1, search for "v3(2)".
+      cert.serial = 1
+      cert.subject = config[:subject][:ca]
+      cert.issuer = cert.subject # Self-signed
+      cert.public_key = PedicelPay::Helper.ec_key_to_pkey_public_key(key)
+      cert.not_before = config[:valid].min
+      cert.not_after = config[:valid].max
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = cert
+      cert.add_extension(ef.create_extension('basicConstraints','CA:TRUE',true))
+      cert.add_extension(ef.create_extension('keyUsage','keyCertSign, cRLSign', true))
+      cert.add_extension(ef.create_extension('subjectKeyIdentifier','hash',false))
+      cert.add_extension(ef.create_extension('authorityKeyIdentifier','keyid:always',false))
+      cert.sign(key, OpenSSL::Digest::SHA256.new)
+
+      [key, cert]
+    end
+
+    def self.generate_intermediate(ca_key:, ca_certificate:, config: PedicelPay.config)
+      key = OpenSSL::PKey::EC.new(PedicelPay::EC_CURVE)
+      key.generate_key
+
+      cert = OpenSSL::X509::Certificate.new
+      # https://www.ietf.org/rfc/rfc5280.txt -> Section 4.1, search for "v3(2)".
+      cert.version = 2
+      cert.serial = 1
+      cert.subject = config[:subject][:intermediate]
+      cert.issuer = ca_certificate.subject
+      cert.public_key = PedicelPay::Helper.ec_key_to_pkey_public_key(key)
+      cert.not_before = config[:valid].min
+      cert.not_after = config[:valid].max
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = ca_certificate
+
+      # According to https://tools.ietf.org/html/rfc5280#section-4.2.1.9,
+      # CA:TRUE must be set in order to allow signing using this intermediate
+      # certificate.
+      cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
+
+      cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
+      cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
+
+      cert.add_extension(OpenSSL::X509::Extension.new(config[:oid][:intermediate_certificate], ''))
+
+      cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
+
+      [key, cert]
+    end
+
+    def self.generate_leaf(intermediate_key:, intermediate_certificate:, config: PedicelPay.config)
+      key = OpenSSL::PKey::EC.new(PedicelPay::EC_CURVE)
+      key.generate_key
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2 # https://www.ietf.org/rfc/rfc5280.txt -> Section 4.1, search for "v3(2)".
+      cert.serial = 1
+      cert.subject = config[:subject][:leaf]
+      cert.issuer = intermediate_certificate.subject
+      cert.public_key = PedicelPay::Helper.ec_key_to_pkey_public_key(key)
+      cert.not_before = config[:valid].min
+      cert.not_after = config[:valid].max
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = intermediate_certificate
+      cert.add_extension(ef.create_extension('keyUsage','digitalSignature', true))
+      cert.add_extension(ef.create_extension('subjectKeyIdentifier','hash',false))
+
+      cert.add_extension(OpenSSL::X509::Extension.new(config[:oid][:leaf_certificate], ''))
+
+      cert.sign(intermediate_key, OpenSSL::Digest::SHA256.new)
+
+      [key, cert]
+    end
+
+    def validate
+      validate_ca
+      validate_intermediate
+      validate_leaf
+
+      true
+    end
+
+    def validate_ca
+      raise KeyError, 'ca private key not valid for ca certificate' unless ca_certificate.check_private_key(ca_key)
+
+      raise CertificateError, 'ca certificate is not self-signed' unless ca_certificate.verify(ca_key)
+
+      true
+    end
+
+    def validate_intermediate
+      raise KeyError, 'intermediate private key not valid for intermediate certificate' unless intermediate_certificate.check_private_key(intermediate_key)
+
+      raise CertificateError, 'intermediate certificate not signed by ca' unless intermediate_certificate.verify(ca_key)
+
+      true
+    end
+
+    def validate_leaf
+      raise KeyError, 'leaf private key not valid for leaf certificate' unless leaf_certificate.check_private_key(leaf_key)
+
+      raise CertificateError, 'leaf certificate not signed by intermediate' unless leaf_certificate.verify(intermediate_key)
+
+      true
+    end
+  end
+end

data/lib/pedicel-pay/client.rb

@@ -0,0 +1,42 @@
+require 'pedicel-pay/helper'
+require 'openssl'
+require 'pedicel'
+
+module PedicelPay
+  class Client
+    attr_accessor :key, :certificate, :ca_certificate_pem
+
+    def initialize(key: nil, certificate: nil, ca_certificate_pem: nil)
+      @key = key
+      @certificate = certificate
+      @ca_certificate_pem = ca_certificate_pem
+    end
+
+    def generate_key
+      @key = OpenSSL::PKey::EC.new(PedicelPay::EC_CURVE)
+      @key.generate_key
+
+      @key
+    end
+
+    def generate_csr(subject: PedicelPay.config[:subject][:csr])
+      req = OpenSSL::X509::Request.new
+      req.version = 0
+      req.subject = subject
+      req.public_key = PedicelPay::Helper.ec_key_to_pkey_public_key(key)
+      req.sign(key, OpenSSL::Digest::SHA256.new)
+
+      req
+    end
+
+    def merchant_id
+      Pedicel::EC.merchant_id(certificate: certificate)
+    end
+
+    def decrypt(token, ca_certificate_pem: @ca_certificate_pem, now: Time.now)
+      Pedicel::EC.
+        new(token).
+        decrypt(private_key: key, certificate: certificate, ca_certificate_pem: ca_certificate_pem, now: now)
+    end
+  end
+end

data/lib/pedicel-pay/helper.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module PedicelPay
+  # Assistance/collection functions.
+  class Helper
+    def initialize(config: PedicelPay.config, pedicel_instance: nil)
+      @config = config
+      @pedicel = pedicel_instance
+    end
+
+    def self.ec_key_to_pkey_public_key(ec_key)
+      # EC#public_key is not a PKey public key, but an EC point.
+      pub = OpenSSL::PKey::EC.new(ec_key.group)
+      pub.public_key = ec_key.is_a?(OpenSSL::PKey::PKey) ? ec_key.public_key : ec_key
+
+      pub
+    end
+
+    def self.bytestring_to_hex(string)
+      string.unpack('H*').first
+    end
+
+    def self.merchant_id(x)
+      case x
+      when Client
+        Pedicel::EC.merchant_id(certificate: x.certificate)
+      when OpenSSL::X509::Certificate
+        Pedicel::EC.merchant_id(certificate: x)
+      when /\A[0-9a-fA-F]{64}\z/
+        [x].pack('H*')
+      when /\A.{32}\z/
+        x
+      else
+        raise ArgumentError, "cannot extract 'merchant_id' from #{x}"
+      end
+    end
+
+    def self.recipient_certificate(recipient:)
+      case recipient
+      when Client                     then recipient.certificate
+      when OpenSSL::X509::Certificate then recipient
+      else raise ArgumentError, 'invalid recipient'
+      end
+    end
+
+    def self.encrypt(data:, key:)
+      cipher = OpenSSL::Cipher.new('aes-256-gcm')
+      cipher.encrypt
+      cipher.key = key
+      cipher.iv_len = 16
+      cipher.iv = 0.chr * cipher.iv_len
+      cipher.auth_data = ''
+      cipher.update(data) + cipher.final + cipher.auth_tag
+    end
+  end
+end

data/lib/pedicel-pay/token.rb

@@ -0,0 +1,74 @@
+require 'pedicel-pay/token_data'
+require 'pedicel-pay/token_header'
+require 'digest'
+
+module PedicelPay
+  class Token
+    Error = Class.new(PedicelPay::Error)
+
+    attr_accessor \
+      :header,
+      :signature,
+      :unencrypted_data,
+      :encrypted_data,
+      :version
+
+    def initialize(unencrypted_data: nil, encrypted_data: nil, header: nil, signature: nil, version: 'EC_v1')
+      @unencrypted_data = unencrypted_data
+      @encrypted_data   = encrypted_data
+      @header           = header
+      @signature        = signature
+      @version          = version
+    end
+
+    def update_pubkey_hash(recipient:)
+      pubkey = Helper.recipient_certificate(recipient: recipient)
+
+      header.pubkey_hash = Digest::SHA256.base64digest(pubkey.to_der)
+    end
+
+    def to_json
+      to_hash.to_json
+    end
+
+    def to_hash
+      raise Error, 'no encrypted data' unless encrypted_data
+
+      {
+        'data'      => Base64.strict_encode64(encrypted_data),
+        'header'    => header.to_hash,
+        'signature' => signature,
+        'version'   => version,
+      }
+    end
+
+    def sample
+      sample_data
+      sample_header
+
+      self
+    end
+
+    def sample_data
+      return if encrypted_data
+
+      if unencrypted_data
+        unencrypted_data.sample
+      else
+        self.unencrypted_data = TokenData.new.sample
+      end
+
+      self
+    end
+
+    def sample_header
+      if header
+        header.sample
+      else
+        self.header = TokenHeader.new.sample
+      end
+
+      self
+    end
+  end
+end

data/lib/pedicel-pay/token_data.rb

@@ -0,0 +1,152 @@
+require 'json'
+
+module PedicelPay
+  class TokenData
+    Error = Class.new(PedicelPay::Error)
+    DateError = Class.new(Error)
+
+    attr_accessor \
+      :pan,
+      :expiry,
+      :currency,
+      :amount,
+      :name,
+      :dm_id,
+      :cryptogram,
+      :eci
+
+    CURRENCIES = %w[
+      008 012 032 036 044 048 050 051 052 060 064 068 072 084 090 096 104 108
+      116 124 132 136 144 152 156 170 174 188 191 192 203 208 214 222 230 232
+      238 242 262 270 292 320 324 328 332 340 344 348 352 356 360 364 368 376
+      388 392 398 400 404 408 410 414 417 418 422 426 430 434 446 454 458 462
+      480 484 496 498 504 512 516 524 532 533 548 554 558 566 578 586 590 598
+      600 604 608 634 643 646 654 682 690 694 702 704 706 710 728 748 752 756
+      760 764 776 780 784 788 800 807 818 826 834 840 858 860 882 886 901 929
+      930 931 932 933 934 936 937 938 940 941 943 944 946 947 948 949 950 951
+      952 953 955 956 957 958 959 960 961 962 963 964 965 967 968 969 970 971
+      972 973 975 976 977 978 979 980 981 984 985 986 990 994 997 999
+    ].freeze
+
+    def initialize(pan: nil, expiry: nil, currency: nil, amount: nil,
+                   name: nil, dm_id: nil, cryptogram: nil, eci: nil)
+      @pan        = pan
+      @expiry     = expiry
+      @currency   = currency
+      @amount     = amount
+      @name       = name
+      @dm_id      = dm_id
+      @cryptogram = cryptogram
+      @eci        = eci
+    end
+
+    def to_hash
+      data = { onlinePaymentCryptogram: cryptogram }
+      data[:eciIndicator] = eci if eci
+
+      result = {
+        applicationPrimaryAccountNumber: pan,
+        applicationExpirationDate: expiry,
+        currencyCode: currency,
+        transactionAmount: amount,
+        deviceManufacturerIdentifier: dm_id,
+        paymentDataType: '3DSecure',
+        paymentData: data
+      }
+
+      result[:cardholderName] = name if name
+
+      result
+    end
+
+    def to_json
+      to_hash.to_json
+    end
+
+    def sample(expired: nil, pan_length: nil)
+      # PAN
+      # Override @pan if pan_length doesn't match.
+      if pan.nil? || (pan_length && pan.length != pan_length)
+        pan_length ||= [12, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 19, 19, 19].sample
+
+        self.pan = [ [2, 4, 5, 6].sample, *(2..pan_length).map { rand(0..9) } ].join
+      end
+
+      # Expiry
+      # Override @expiry if it doesn't match `expired`.
+      # WARNING: Time calculations ahead!
+      # Think very carefully about all the crazy corner cases.
+      now = Time.now
+      if expiry.nil? || (expired ^ card_expired?(now)) # Cannot use "soon".
+        self.expiry = self.class.sample_expiry(expired: expired, now: now, soon: now + 5 * 60)
+      end
+
+      # Currency
+      self.currency ||= CURRENCIES.sample
+
+      # Amount
+      self.amount ||= rand(100..99_999)
+
+      # Name
+
+      # Device Manufacturer Identification
+      self.dm_id ||= Helper.bytestring_to_hex(PedicelPay.config[:random].bytes(5))
+
+      # Cryptogram
+      self.cryptogram ||= Base64.strict_encode64(PedicelPay.config[:random].bytes(10))
+
+      # ECI
+      self.eci ||= %w[05 06 07].sample
+
+      self
+    end
+
+    def card_expired?(now)
+      Time.parse(expired) <= now
+    end
+
+    def self.sample_expiry(expired: nil, now: nil, soon: nil)
+      # WARNING: Time calculations ahead!
+      # Think very carefully about all the crazy corner cases.
+
+      now  ||= Time.now
+      soon ||= now + 5 * 60
+
+      year  = sample_expiry_year(expired: expired, soon: soon)
+      month = sample_expiry_month(expired: expired, year: year, now: now, soon: soon)
+
+      require 'date'
+      Date.civil(year, month, -1).strftime('%y%m%d')
+    end
+
+    def self.sample_expiry_year(expired: nil, soon:)
+      # WARNING: Time calculations ahead!
+      # Think very carefully about all the crazy corner cases.
+
+      case expired
+      when nil   then -5..6
+      when true  then -5..0
+      when false then 0..6
+      end
+        .map { |i| soon.year + i }
+        .to_a.sample
+    end
+
+    def self.sample_expiry_month(expired: nil, year:, now:, soon:)
+      # WARNING: Time calculations ahead!
+      # Think very carefully about all the crazy corner cases.
+
+      case expired
+      when nil
+        1..12
+      when true
+        year < now.year ? 1..12 : 1..(now.month - 1)
+      when false
+        raise DateError, 'cannot expire in a soon future year' if expired && year > soon.year
+
+        year == soon.year ? 1..soon.month : 1..12
+      end
+        .to_a.sample
+    end
+  end
+end

data/lib/pedicel-pay/token_header.rb

@@ -0,0 +1,36 @@
+module PedicelPay
+  class TokenHeader
+    Error = Class.new(PedicelPay::Error)
+
+    attr_accessor \
+      :data_hash,
+      :ephemeral_pubkey,
+      :pubkey_hash,
+      :transaction_id
+
+    def initialize(data_hash: nil, ephemeral_pubkey: nil, pubkey_hash: nil, transaction_id: nil)
+      @data_hash, @ephemeral_pubkey, @pubkey_hash, @transaction_id = \
+        data_hash, ephemeral_pubkey,  pubkey_hash,  transaction_id
+    end
+
+    def to_hash
+      raise Error, 'missing ephemeral_pubkey' unless ephemeral_pubkey
+
+      result = {
+        'ephemeralPublicKey' => Base64.strict_encode64(Helper.ec_key_to_pkey_public_key(ephemeral_pubkey).to_der),
+        'publicKeyHash'      => pubkey_hash,
+        'transactionId'      => Helper.bytestring_to_hex(transaction_id),
+      }
+      result.merge!('applicationData' => data_hash) if data_hash
+
+      result
+    end
+
+    def sample
+      self.transaction_id ||= PedicelPay.config[:random].bytes(32)
+
+      self
+    end
+  end
+end
+

data/lib/pedicel-pay/version.rb

@@ -0,0 +1,3 @@
+module PedicelPay
+  VERSION = '0.0.2'
+end

data/lib/pedicel-pay.rb

@@ -0,0 +1,43 @@
+require 'openssl'
+
+module PedicelPay
+  class Error < StandardError; end
+end
+
+require 'pedicel-pay/backend'
+require 'pedicel-pay/client'
+require 'pedicel-pay/token'
+
+module PedicelPay
+  EC_CURVE = 'prime256v1'
+
+  DEFAULTS = {
+    oid: {
+      intermediate_certificate:  '1.2.840.113635.100.6.2.14',
+      leaf_certificate:          '1.2.840.113635.100.6.29',
+      merchant_identifier_field: '1.2.840.113635.100.6.32',
+    },
+    subject: {
+      ca:           OpenSSL::X509::Name.parse('/C=DK/O=Pedicel Inc./OU=Pedicel Certification Authority/CN=Pedicel Root CA - G3'),
+      intermediate: OpenSSL::X509::Name.parse('/C=DK/O=Pedicel Inc./OU=Pedicel Certification Authority/CN=Pedicel Application Integration CA - G3'),
+      leaf:         OpenSSL::X509::Name.parse('/C=DK/O=Pedicel Inc./OU=pOS Systems/CN=ecc-smp-broker-sign_UC4-PROD'),
+      csr:          OpenSSL::X509::Name.parse('/CN=merchant-url.tld'),
+      client:       OpenSSL::X509::Name.parse('/UID=merchant-url.tld.pedicel-merchant.PedicelMerchant/CN=Merchant ID: merchant-url.tld.pedicel-merchant.PedicelMerchant/OU=1W2X3Y4Z5A/O=PedicelMerchant Inc./C=DK'),
+    },
+    random: Random.new,
+    valid: Time.new(Time.now.year - 1)..Time.new(Time.now.year + 2),
+  }.freeze
+
+  def self.config
+    @@config ||= DEFAULTS.dup
+  end
+end
+
+# Monkey-patch to make OpenSSL::X509::Certificate#sign work.
+if OpenSSL::PKey::EC.new.respond_to?(:private_key?) && !OpenSSL::PKey::EC.new.respond_to?(:private?)
+  class OpenSSL::PKey::EC
+    def private?
+      private_key?
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedicel-pay
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Clearhaus A/S
@@ -24,20 +24,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.16'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: pedicel
   requirement: !ruby/object:Gem::Requirement
@@ -56,41 +42,46 @@ dependencies:
   name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.20'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.20'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.1'
 description: 
 email: hello@clearhaus.com
-executables: []
+executables:
+- pedicel-pay
 extensions: []
 extra_rdoc_files: []
 files:
-- Dockerfile
-- Gemfile
-- LICENSE.txt
-- README.md
-- pedicel-pay.gemspec
+- exe/pedicel-pay
+- lib/pedicel-pay.rb
+- lib/pedicel-pay/backend.rb
+- lib/pedicel-pay/client.rb
+- lib/pedicel-pay/helper.rb
+- lib/pedicel-pay/token.rb
+- lib/pedicel-pay/token_data.rb
+- lib/pedicel-pay/token_header.rb
+- lib/pedicel-pay/version.rb
 homepage: https://github.com/clearhaus/pedicel-pay
 licenses:
 - MIT

data/Dockerfile

@@ -1,9 +0,0 @@
-FROM ruby:2.4-alpine
-
-LABEL maintainer="Clearhaus"
-
-WORKDIR /opt/pedicel-pay
-COPY . /opt/pedicel-pay
-RUN bundle install
-
-ENTRYPOINT ["/opt/pedicel-pay/exe/pedicel-pay"]

data/Gemfile

@@ -1,3 +0,0 @@
-source 'https://rubygems.org'
-
-gemspec

data/LICENSE.txt

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2018 Clearhaus A/S
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/README.md

@@ -1,99 +0,0 @@
-# PedicelPay
-
-A tool to handle the server and client side of Apple Pay. It consist of both a
-CLI part and a Ruby library e.g. for testing purposes.
-
-## Usage (CLI)
-
-### Setup a backend and a client
-
-1. Generate a backend (Apple side of Apple Pay):
-
-        $ pedicel-pay generate-backend
-
-   Creates these files:
-   * `ca.key`
-   * `ca-certificate.pem`
-   * `intermediate.key`
-   * `intermediate-certificate.pem`
-   * `leaf.key`
-   * `leaf-certificate.pem`
-
-2. Generate a client (merchant side of Apple Pay):
-
-        $ pedicel-pay generate-client
-
-   Creates `client.key` and `client-certificate.pem`.
-
-
-### Create tokens
-
-    $ pedicel-pay generate-token \
-        --pan=4111111111111111 \
-        --expiry=$(date -d 'next year' +%y%m%d) \
-        --amount=1234 \
-        --currency=978
-
-Specify some values, sample remaining:
-
-    $ pedicel-pay generate-token \
-        --pan=4111111111111111 \
-        --sample
-
-### Decrypt tokens
-
-    $ echo $TOKEN | pedicel-pay decrypt-token
-
-
-## Usage (Ruby)
-
-### Setup a backend and a client
-
-```ruby
-backend = PedicelPay::Backend.generate
-client = backend.generate_client
-```
-
-### Create tokens
-
-Sample data
-
-```ruby
-token = PedicelPay::Token.new.sample
-backend.encrypt(token: token, recipient: client)
-backend.sign(token)
-puts token.to_json
-```
-
-or decide:
-
-```ruby
-token = PedicelPay::Token.new
-
-token.unencrypted_data.pan = '4111111111111111'
-token.unencrypted_data.currency = '987' # EUR
-token.unencrypted_data.amount = 1234 # 12.34 EUR
-token.sample # Sample remaining.
-
-backend.encrypt(token: token, recipient: client)
-backend.sign(token)
-puts token.to_json
-```
-
-The JSON formatted Payment Token; refer to
-https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
-
-
-### Decrypt tokens
-
-Using the `client` (if it knows the CA cert):
-
-```ruby
-client.decrypt(JSON.parse(token.to_json))
-```
-
-To decrypt the token data by hand, use these values:
-* The client's secret key `client.key`.
-* The merchant ID `client.merchant_id` or client's certificate (containing the
-  merchant ID) `client.certificate`.
-* Use `backend.ca_certificate` as Apple Root CA G3 certificate.

data/pedicel-pay.gemspec

@@ -1,26 +0,0 @@
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-
-require 'pedicel-pay/version'
-
-Gem::Specification.new do |s|
-  s.name          = 'pedicel-pay'
-  s.version       = PedicelPay::VERSION
-  s.author        = 'Clearhaus A/S'
-  s.email         = 'hello@clearhaus.com'
-
-  s.summary       = 'Backend and client part of Apple Pay'
-  s.homepage      = 'https://github.com/clearhaus/pedicel-pay'
-  s.license       = 'MIT'
-
-  s.files         = `ls`.split.reject {|f| f.match(/^spec\//) }
-  s.bindir        = 'exe'
-  s.executables   = s.files.grep(/^exe\//) { |f| File.basename(f) }
-  s.require_paths = ['lib']
-
-  s.add_development_dependency 'bundler', '~> 1.16'
-  s.add_development_dependency 'pry'
-  s.add_runtime_dependency 'pedicel', '~> 0.0.2'
-  s.add_runtime_dependency 'thor'
-  s.add_runtime_dependency 'openssl' # for ruby <= 2.3
-end