pedicel 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 402a60cbe58a1a300764a3a37d53434c0e764f60
+  data.tar.gz: 1551470f672d864db8fec34b25eb0521c59de87b
+SHA512:
+  metadata.gz: 3ec3218ec7911fbf7e2cd3d11b5fb3fc839be0f8e51694565f7cef655fdebc0d5133a906ea0bfc215e21da4030281f6c7f5c202fc3332e67b98a108db5d3c0ab
+  data.tar.gz: b770f9aff8ace1d06fda313fcdf9798bd84c9d78394b42539d22bbcd359db63956d201997477aa1e243b3c31fb936592db25cbd0d7cd29c79fdca47290258d91

data/lib/pedicel.rb

@@ -0,0 +1,46 @@
+require 'pedicel/base'
+require 'pedicel/ec'
+require 'pedicel/rsa'
+
+module Pedicel
+  class Error < StandardError; end
+  class TokenFormatError < Error; end
+  class SignatureError < Error; end
+  class VersionError < Error; end
+  class CertificateError < Error; end
+  class EcKeyError < Error; end
+
+  DEFAULTS = {
+    oids: {
+      intermediate_certificate:  '1.2.840.113635.100.6.2.14',
+      leaf_certificate:          '1.2.840.113635.100.6.29',
+      merchant_identifier_field: '1.2.840.113635.100.6.32',
+    },
+    replay_threshold_seconds: 3*60,
+    apple_root_ca_g3_cert_pem: <<~PEM
+      -----BEGIN CERTIFICATE-----
+      MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwS
+      QXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9u
+      IEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcN
+      MTQwNDMwMTgxOTA2WhcNMzkwNDMwMTgxOTA2WjBnMRswGQYDVQQDDBJBcHBsZSBS
+      b290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9y
+      aXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzB2MBAGByqGSM49
+      AgEGBSuBBAAiA2IABJjpLz1AcqTtkyJygRMc3RCV8cWjTnHcFBbZDuWmBSp3ZHtf
+      TjjTuxxEtX/1H7YyYl3J6YRbTzBPEVoA/VhYDKX1DyxNB0cTddqXl5dvMVztK517
+      IDvYuVTZXpmkOlEKMaNCMEAwHQYDVR0OBBYEFLuw3qFYM4iapIqZ3r6966/ayySr
+      MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gA
+      MGUCMQCD6cHEFl4aXTQY2e3v9GwOAEZLuN+yRhHFD/3meoyhpmvOwgPUnPWTxnS4
+      at+qIxUCMG1mihDK1A3UT82NQz60imOlM27jbdoXt2QfyFMm+YhidDkLF1vLUagM
+      6BgD56KyKA==
+      -----END CERTIFICATE-----
+    PEM
+  }
+
+  def self.config
+    @@config ||= DEFAULTS
+  end
+
+  def self.config=(other)
+    @@config = other
+  end
+end

data/lib/pedicel/base.rb

@@ -0,0 +1,197 @@
+require 'openssl'
+require 'base64'
+
+module Pedicel
+  class Base
+    SUPPORTED_VERSIONS = [:EC_v1]
+
+    def initialize(token, now: Time.now)
+      @token = token
+    end
+
+    def validate_content(now: Time.now)
+      raise VersionError, "unsupported version: #{version}" unless SUPPORTED_VERSIONS.include?(@token['version'])
+
+      raise ReplayAttackError, "token signature time indicates a replay attack (age #{now-cms_signing_time})" unless signing_time_ok?(now: now)
+
+      raise SignatureError unless valid_signature?
+    end
+
+    def version
+      @token['version']&.to_sym
+    end
+
+    def encrypted_data
+      return nil unless @token['data']
+
+      Base64.decode64(@token['data'])
+    end
+
+    def signature
+      return nil unless @token['signature']
+
+      Base64.decode64(@token['signature'])
+    end
+
+    def transaction_id
+      [@token['header']['transactionId']].pack('H*')
+    end
+
+    def application_data
+      return nil unless @token['applicationData']
+
+      [@token['applicationData']].pack('H*')
+    end
+
+    def signing_time_ok?(now: Time.now)
+      # "Inspect the CMS signing time of the signature, as defined by section 11.3
+      # of RFC 5652. If the time signature and the transaction time differ by more
+      # than a few minutes, it's possible that the token is a replay attack."
+      # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
+
+      delta = Pedicel.config[:replay_threshold_seconds]
+
+      cms_signing_time.between?(now - delta, now + delta)
+      # Deliberately ignoring leap seconds.
+    end
+
+    def private_key_class
+      {EC_v1: OpenSSL::PKey::EC, RSA_v1: OpenSSL::PKey::RSA}[version]
+    end
+
+    def symmetric_algorithm
+      {EC_v1: 'aes-256-gcm', RSA_v1: 'aes-128-gcm'}[version]
+    end
+
+    def decrypt_aes(key:)
+      raise TokenFormatError, 'no encrypted data present' unless encrypted_data
+
+      if OpenSSL::Cipher.new('aes-256-gcm').respond_to?(:iv_len=)
+        # Either because you use Ruby >=2.4's native openssl lib, or if you have a
+        # "recent enough" version of the openssl gem available.
+
+        cipher = OpenSSL::Cipher.new(symmetric_algorithm)
+        cipher.decrypt
+
+        cipher.key = key
+        cipher.iv_len = 16 # Must be set before the IV because default is 12 and
+                           # only IVs of length `iv_len` will be accepted.
+        cipher.iv = "\x00".b * cipher.iv_len
+
+        split_position = encrypted_data.length - cipher.iv_len
+        tag = encrypted_data.slice(split_position, cipher.iv_len)
+        untagged_encrypted_data = encrypted_data.slice(0, split_position)
+
+        cipher.auth_tag = tag
+        cipher.auth_data = ''.b
+
+        cipher.update(untagged_encrypted_data) << cipher.final
+      else
+        require 'aes256gcm_decrypt'
+
+        Aes256GcmDecrypt::decrypt(encrypted_data, key)
+      end
+    end
+
+    def valid_signature?(now: Time.now)
+      true if validate_signature(now: now)
+    rescue
+      false
+    end
+
+    def verify_signature(ca_certificate_pem: Pedicel.config[:apple_root_ca_g3_cert_pem], now: Time.now)
+      raise SignatureError, 'no signature present' unless signature
+
+      begin
+        s = OpenSSL::PKCS7.new(signature)
+      rescue => e
+        raise SignatureError, "invalid PKCS #7 signature: #{e.message}"
+      end
+
+      # 1.a
+      # Ensure that the certificates contain the correct custom OIDs: (...).
+      # The value for these marker OIDs doesn't matter, only their presence.
+      leaf, intermediate = self.class.verify_signature_certificate_oids(signature: s)
+
+      begin
+        root = OpenSSL::X509::Certificate.new(ca_certificate_pem)
+      rescue => e
+        raise CertificateError, "invalid root certificate: #{e.message}"
+      end
+
+      # 1.b
+      # Ensure that the root CA is the Apple Root CA - G3. (...)
+      self.class.verify_root_certificate(root: root, intermediate: intermediate)
+
+      # 1.c
+      # Ensure that there is a valid X.509 chain of trust from the signature to the root CA.
+      self.class.verify_x509_chain(root: root, intermediate: intermediate, leaf: leaf)
+
+      # 1.d
+      # Validate the token's signature.
+      #
+      # Implemented in the subclass.
+      validate_signature(signature: s, leaf: leaf)
+
+      # 1.e
+      # Inspect the CMS signing time of the signature (...)
+      self.class.verify_signed_time(signature: s, now: now)
+
+      self
+    end
+
+    private
+
+    def self.verify_signature_certificate_oids(signature:)
+      leaf = signature.certificates.find{|c| c.extensions.find{|e| e.oid == Pedicel.config[:oids][:leaf_certificate]}}
+      unless leaf
+        raise SignatureError, "no leaf certificate found (OID #{Pedicel.config[:oids][:leaf_certificate]})"
+      end
+
+      intermediate = signature.certificates.find{|c| c.extensions.find{|e| e.oid == Pedicel.config[:oids][:intermediate_certificate]}}
+      unless intermediate
+        raise SignatureError, "no intermediate certificate found (OID #{Pedicel.config[:oids][:leaf_certificate]})"
+      end
+
+      [leaf, intermediate]
+    end
+
+    def self.verify_root_certificate(root:, intermediate:)
+      unless intermediate.issuer == root.subject
+        raise SignatureError, 'root certificate has not issued intermediate certificate'
+      end
+    end
+
+    def self.verify_x509_chain(root:, intermediate:, leaf:)
+      valid_chain = OpenSSL::X509::Store.new.
+                      add_cert(root).
+                      add_cert(intermediate).
+                      verify(leaf)
+
+      raise SignatureError, 'invalid chain of trust' unless valid_chain
+    end
+
+    def self.verify_signed_time(signature:, now:)
+      # Inspect the CMS signing time of the signature, as defined by section
+      # 11.3 of RFC 5652. If the time signature and the transaction time differ
+      # by more than a few minutes, it's possible that the token is a replay
+      # attack.
+
+      unless signature.signers.length == 1
+        raise SignatureError, 'not 1 signer, unable to determine signing time'
+      end
+      signed_time = signature.signers.first.signed_time
+
+      few_min = Pedicel.config[:replay_threshold_seconds]
+
+      # Time objects. DST aware. Ignoring leap seconds.
+      return if signed_time.between?(now - few_min, now + few_min) # Both ends included.
+
+      diff = signed_time - now
+      if diff.negative?
+        raise SignatureError, "signature too old; signed #{-diff.to_i}s ago"
+      end
+      raise SignatureError, "signature too new; signed #{diff.to_i}s in the future"
+    end
+  end
+end

data/lib/pedicel/ec.rb

@@ -0,0 +1,168 @@
+require 'pedicel/base'
+
+module Pedicel
+  class EC < Base
+    def ephemeral_public_key
+      Base64.decode64(@token['header']['ephemeralPublicKey'])
+    end
+
+    def decrypt(symmetric_key: nil, merchant_id: nil, certificate: nil, private_key: nil,
+                ca_certificate_pem: Pedicel.config[:apple_root_ca_g3_cert_pem], now: Time.now)
+      raise ArgumentError 'invalid argument combination' unless \
+        !symmetric_key.nil? ^ ((!merchant_id.nil? ^ !certificate.nil?) && !private_key.nil?)
+      # .-------------------'--------. .----------'----. .-------------''---.
+      # | symmetric_key can be       | | merchant_id   | | Both private_key |
+      # | derived from private_key   | | (byte string) | | and merchant_id  |
+      # | and the shared_secret---   | | can be        | | is necessary to  |
+      # | which can be derived from  | | derived from  | | derive the       |
+      # | the private_key and the    | | the public    | | symmetric key    |
+      # | token's ephemeralPublicKey | | certificate   | '------------------'
+      # '----------------------------' '---------------'
+
+      if private_key
+        symmetric_key = symmetric_key(private_key: private_key,
+                                      certificate: certificate,
+                                      merchant_id: merchant_id)
+      end
+
+      verify_signature(ca_certificate_pem: ca_certificate_pem, now: now)
+      decrypt_aes(key: symmetric_key)
+    end
+
+    def symmetric_key(shared_secret: nil, private_key: nil, merchant_id: nil, certificate: nil)
+      raise ArgumentError 'invalid argument combination' unless \
+        (!shared_secret.nil? ^ !private_key.nil?) && (!merchant_id.nil? ^ !certificate.nil?)
+      # .--------------------'.  .----------------'|  .-----------------'--.
+      # | shared_secret can   |  | shared_secret   |  | merchant_id (byte  |
+      # | be derived from the |  | and merchant_id |  | string can be      |
+      # | private_key and the |  | is necessary to |  | derived from the   |
+      # | ephemeralPublicKey  |  | derive the      |  | public certificate |
+      # '---------------------'  | symmetric_key   |  '--------------------'
+      #                          '-----------------'
+
+      shared_secret = shared_secret(private_key: private_key) if private_key
+      merchant_id = self.class.merchant_id(certificate: certificate) if certificate
+
+      self.class.symmetric_key(shared_secret: shared_secret, merchant_id: merchant_id)
+    end
+
+    # Extract the shared secret from one public key (the ephemeral) and one
+    # private key.
+    def shared_secret(private_key:)
+      begin
+        privkey = OpenSSL::PKey::EC.new(private_key)
+      rescue => e
+        raise EcKeyError, "invalid PEM format of private key for EC: #{e.message}"
+      end
+
+      begin
+        pubkey = OpenSSL::PKey::EC.new(ephemeral_public_key).public_key
+      rescue => e
+        raise EcKeyError, "invalid format of ephemeralPublicKey (from token) for EC: #{e.message}"
+      end
+
+      unless privkey.group == pubkey.group
+        raise EcKeyError,
+          "private_key curve '#{privkey.group.curve_name}' differ from " \
+          "ephemeralPublicKey (from token) curve '#{pubkey.group.curve_name}'"
+      end
+
+      privkey.dh_compute_key(pubkey)
+    end
+
+    def self.symmetric_key(merchant_id:, shared_secret:)
+      # http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
+      # Section 5.8.1.1, The Single-Step KDF Specification.
+      #
+      # With slight adjustments:
+      # > 1. Set `reps = ceil(keydatalen/hashlen)`
+      # > 2. If `reps > (2^32 - 1)`, then return an error indicator without
+      # >    performing the remaining actions.
+      # > 3. Initialize a 32-bit, big-endian bit string `counter` as 00000001 base
+      # >    16 (i.e. 0x00000001).
+      # > 4. If `counter || Z || OtherInfo` is more than `max_H_inputlen` bits
+      # >    long, then return an error indicator without performing the remaining
+      # >    actions.
+      # > 5. For `i = 1` to `reps` by `1`, do the following:
+      # >      5.1  Compute `K(i) = H(counter || Z || OtherInfo)`.
+      # >      5.2  Increment `counter` (modulo `2^32`), treating it as an
+      # >           unsigned 32-bit integer.
+      # > 6. Let `K_Last` be set to `K(reps)` if `keydatalen / hashlen` is an
+      # >    integer; otherwise, let `K_Last` be set to the `keydatalen mod
+      # >    hashlen` leftmost bits of `K(reps)`.
+      # > 7. Return `K(1) || K(2) || ... || K(reps-1) || K_Last`.
+      #
+      # Digest::SHA256 will do the calculations when we throw Z and OtherInfo into
+      # the digest.
+
+      sha256 = Digest::SHA256.new
+
+      # Step 3:
+      sha256 << "\x00\x00\x00\x01"
+
+      # Z:
+      sha256 << shared_secret
+
+      # OtherInfo:
+      # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
+      sha256 << "\x0d" + 'id-aes256-GCM' # AlgorithmID
+      sha256 << 'Apple' # PartyUInfo
+      sha256 << merchant_id # PartyVInfo
+
+      sha256.digest
+    end
+
+    def self.merchant_id(certificate:)
+      begin
+        cert = OpenSSL::X509::Certificate.new(certificate)
+      rescue => e
+        raise CertificateError, "invalid PEM format of certificate: #{e.message}"
+      end
+
+      merchant_id_hex =
+        cert.
+          extensions.
+          find { |x| x.oid == Pedicel.config[:oids][:merchant_identifier_field] }&.
+          value&. # Hex encoded Merchant ID plus perhaps extra non-hex chars.
+          delete("^[0-9a-fA-F]") # Remove non-hex chars.
+
+      raise CertificateError, 'no merchant identifier in certificate' unless merchant_id_hex
+
+      [merchant_id_hex].pack('H*')
+    end
+
+    private
+
+    def validate_signature(signature:, leaf:)
+      # (...) ensure that the signature is a valid ECDSA signature
+      # (ecdsa-with-SHA256 1.2.840.10045.4.3.2) of the concatenated values of
+      # the ephemeralPublicKey, data, transactionId, and applicationData keys.
+
+      unless leaf.signature_algorithm == 'ecdsa-with-SHA256'
+        raise SignatureError, 'signature algorithm is not ecdsa-with-SHA256'
+      end
+
+      message = [
+        ephemeral_public_key,
+        encrypted_data,
+        transaction_id,
+        application_data,
+      ].compact.join
+
+      # https://wiki.openssl.org/index.php/Manual:PKCS7_verify(3)#VERIFY_PROCESS
+      flags = \
+        OpenSSL::PKCS7::NOCHAIN  | # Ignore certs in the message.
+        OpenSSL::PKCS7::NOINTERN | # Only look at the supplied certificate.
+        OpenSSL::PKCS7::NOVERIFY   # Do not verify the chain; already done.
+
+      # Trust exactly the leaf which has already been verified.
+      certificates = [leaf]
+
+      store = OpenSSL::X509::Store.new
+
+      unless signature.verify(certificates, store, message, flags)
+        raise SignatureError, 'signature does not match the message'
+      end
+    end
+  end
+end

data/lib/pedicel/rsa.rb

@@ -0,0 +1,15 @@
+require 'pedicel/base'
+
+module Pedicel
+  class RSA < Base
+
+    private
+
+    def symmetric_key(private_key)
+      # RSA/ECB/OAEPWithSHA256AndMGF1Padding
+
+      # OpenSSL::PKey::RSA#private_decrypt will use SHA1. Only. :-(
+
+    end
+  end
+end

data/lib/pedicel/validator.rb

@@ -0,0 +1,138 @@
+require 'dry-validation'
+require 'base64'
+
+module Pedicel
+  class Validator
+    class Error < StandardError; end
+    class TokenFormatError < Error; end
+    class TokenDataFormatError < Error; end
+
+    DRY_CUSTOM_PREDICATE_ERRORS = {
+      base64?: 'invalid base64',
+      hex?: 'invalid hex',
+      pan?: 'invalid pan',
+      yymmdd?: 'invalid date format YYMMDD',
+    }
+
+    module Predicates
+      include Dry::Logic::Predicates
+
+      predicate(:base64?) { |value| !Base64.decode64(value).nil? rescue false }
+
+      predicate(:hex?) { |value| !Regexp.new(/\A[a-f0-9-]*\z/i).match(value).nil? }
+
+      predicate(:pan?) { |value| !Regexp.new(/\A[0-9]{13,19}\z/).match(value).nil? }
+
+      predicate(:yymmdd?) do |value|
+        return false unless value.length == 6
+        Time.new(value[0..1],value[2..3], value[4..5]).is_a?(Time) rescue false
+      end
+    end
+
+    TokenSchema = Dry::Validation.Schema do
+      configure do
+        predicates(Predicates)
+        def self.messages
+          super.merge(en: { errors: DRY_CUSTOM_PREDICATE_ERRORS })
+        end
+      end
+
+      required(:data).filled(:str?, :base64?)
+
+      required(:header).schema do
+        optional(:applicationData).filled(:str?, :hex?)
+
+        optional(:ephemeralPublicKey).filled(:str?, :base64?)
+        optional(:wrappedKey).filled(:str?, :base64?)
+        rule('ephemeralPublicKey xor wrappedKey': [:ephemeralPublicKey, :wrappedKey]) do |e, w|
+          e.filled? ^ w.filled?
+        end
+
+        required(:publicKeyHash).filled(:str?, :base64?)
+
+        required(:transactionId).filled(:str?, :hex?)
+      end
+
+      required(:signature).filled(:str?, :base64?)
+
+      required(:version).filled(:str?, included_in?: ['EC_v1', 'RSA_v1'])
+    end
+
+    # Pedicel::Validator::TokenSchema.call({data: 'asdf', header: {ephemeralPublicKey: 'e', publicKeyHash: 'p', transactionId: 'f'}, signature: 's', version: 'EC_v1'})
+
+    TokenDataSchema = Dry::Validation.Schema do
+      configure do
+        predicates(Predicates)
+        def self.messages
+          super.merge(en: { errors: DRY_CUSTOM_PREDICATE_ERRORS })
+        end
+      end
+
+      required(:applicationPrimaryAccountNumber).filled(:str?, :pan?)
+
+      required(:applicationExpirationDate).filled(:str?, :yymmdd?)
+
+      required(:currencyCode).filled(:str?, format?: /\A[0-9]{3}\z/)
+
+      required(:transactionAmount).filled(:int?)
+
+      optional(:cardholderName).filled(:str?)
+
+      required(:deviceManufacturerIdentifier).filled(:str?, :hex?)
+
+      required(:paymentDataType).filled(:str?, included_in?: ['3DSecure', 'EMV'])
+
+      required(:paymentData).schema do
+        optional(:onlinePaymentCryptogram).filled(:str?, :base64?)
+        optional(:eciIndicator).filled(:str?)
+
+        optional(:emvData).filled(:str?, :base64?)
+        optional(:encryptedPINData).filled(:str?, :hex?)
+      end
+
+      rule('consistent paymentDataType and paymentData': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |t, cryptogram|
+        t.eql?('3DSecure') > cryptogram.filled?
+      end
+    end
+
+    # Pedicel::Validator::TokenDataSchema.call(
+    #   applicationPrimaryAccountNumber: '1234567890123',
+    #   applicationExpirationDate: '101112',
+    #   currencyCode: '123',
+    #   transactionAmount: 12.34,
+    #   cardholderName: 'asdf',
+    #   deviceManufacturerIdentifier: 'adsf',
+    #   paymentDataType: 'asdf',
+    # )
+
+    def self.validate_token(token, now: Time.now)
+      validation = TokenSchema.call(token)
+
+      raise TokenFormatError, validation.hints.map{|key,msg| "#{key} #{msg}"}.join(', and ') unless validation.errors.empty?
+
+      true
+    end
+
+    def self.valid_token?(token, now: Time.now)
+      validate_token(token, now: now) rescue false
+    end
+
+    def self.validate_token_data(token_data)
+      validation = TokenDataSchema.call(token_data)
+
+      raise TokenDataFormatError, validation.hints.map{|key,msg| "#{key} #{msg}"}.join(', and ') unless validation.errors.empty?
+
+      true
+    end
+
+    def self.valid_token_data?(token_data)
+      validate_token_data(token_data) rescue false
+    end
+
+    def validate_content(now: Time.now)
+      raise ReplayAttackError, "token signature time indicates a replay attack (age #{now-cms_signing_time})" unless signing_time_ok?(now: now)
+
+      raise SignatureError unless valid_signature?
+    end
+  end
+end

metadata

@@ -0,0 +1,104 @@
+--- !ruby/object:Gem::Specification
+name: pedicel
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Clearhaus
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-02-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-validation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.1
+- !ruby/object:Gem::Dependency
+  name: aes256gcm_decrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+description: 
+email: hello@clearhaus.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/pedicel.rb
+- lib/pedicel/base.rb
+- lib/pedicel/ec.rb
+- lib/pedicel/rsa.rb
+- lib/pedicel/validator.rb
+homepage: https://github.com/clearhaus/pedicel-pay
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Backend and client part of Apple Pay
+test_files: []