pedicel 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 402a60cbe58a1a300764a3a37d53434c0e764f60
-  data.tar.gz: 1551470f672d864db8fec34b25eb0521c59de87b
+SHA256:
+  metadata.gz: 74bf3607219c5927eb2c3409abb203f3e8db743ee8d7e264f10b5c801fc8fde3
+  data.tar.gz: a1bc91e194a468eed00e996af0b149d784a801f3fa8608129696af26d1fc34bd
 SHA512:
-  metadata.gz: 3ec3218ec7911fbf7e2cd3d11b5fb3fc839be0f8e51694565f7cef655fdebc0d5133a906ea0bfc215e21da4030281f6c7f5c202fc3332e67b98a108db5d3c0ab
-  data.tar.gz: b770f9aff8ace1d06fda313fcdf9798bd84c9d78394b42539d22bbcd359db63956d201997477aa1e243b3c31fb936592db25cbd0d7cd29c79fdca47290258d91
+  metadata.gz: dd75b505a0eefefba6fa101e6fcd65e5274b495871a602f3f7b308df34a58ca9b10855b090344256658379c330e76a1658f002aa00e46c55bbe14f15c5f12087
+  data.tar.gz: c3cf9f84d1e0fb73bfe0241a305c9bec64a5e75f84ea4c42a95303c88873de3eadd0890d511ca6a3cf45dfc20897b87ecb6981d74f70c5122d3342aa2a1df275

data/lib/pedicel.rb

@@ -9,38 +9,32 @@ module Pedicel
   class VersionError < Error; end
   class CertificateError < Error; end
   class EcKeyError < Error; end
+  class AesKeyError < Error; end
 
-  DEFAULTS = {
-    oids: {
-      intermediate_certificate:  '1.2.840.113635.100.6.2.14',
-      leaf_certificate:          '1.2.840.113635.100.6.29',
-      merchant_identifier_field: '1.2.840.113635.100.6.32',
-    },
-    replay_threshold_seconds: 3*60,
-    apple_root_ca_g3_cert_pem: <<~PEM
-      -----BEGIN CERTIFICATE-----
-      MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwS
-      QXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9u
-      IEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcN
-      MTQwNDMwMTgxOTA2WhcNMzkwNDMwMTgxOTA2WjBnMRswGQYDVQQDDBJBcHBsZSBS
-      b290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9y
-      aXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzB2MBAGByqGSM49
-      AgEGBSuBBAAiA2IABJjpLz1AcqTtkyJygRMc3RCV8cWjTnHcFBbZDuWmBSp3ZHtf
-      TjjTuxxEtX/1H7YyYl3J6YRbTzBPEVoA/VhYDKX1DyxNB0cTddqXl5dvMVztK517
-      IDvYuVTZXpmkOlEKMaNCMEAwHQYDVR0OBBYEFLuw3qFYM4iapIqZ3r6966/ayySr
-      MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gA
-      MGUCMQCD6cHEFl4aXTQY2e3v9GwOAEZLuN+yRhHFD/3meoyhpmvOwgPUnPWTxnS4
-      at+qIxUCMG1mihDK1A3UT82NQz60imOlM27jbdoXt2QfyFMm+YhidDkLF1vLUagM
-      6BgD56KyKA==
-      -----END CERTIFICATE-----
-    PEM
-  }
+  APPLE_ROOT_CA_G3_CERT_PEM = <<~PEM
+    -----BEGIN CERTIFICATE-----
+    MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwS
+    QXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9u
+    IEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcN
+    MTQwNDMwMTgxOTA2WhcNMzkwNDMwMTgxOTA2WjBnMRswGQYDVQQDDBJBcHBsZSBS
+    b290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9y
+    aXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzB2MBAGByqGSM49
+    AgEGBSuBBAAiA2IABJjpLz1AcqTtkyJygRMc3RCV8cWjTnHcFBbZDuWmBSp3ZHtf
+    TjjTuxxEtX/1H7YyYl3J6YRbTzBPEVoA/VhYDKX1DyxNB0cTddqXl5dvMVztK517
+    IDvYuVTZXpmkOlEKMaNCMEAwHQYDVR0OBBYEFLuw3qFYM4iapIqZ3r6966/ayySr
+    MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gA
+    MGUCMQCD6cHEFl4aXTQY2e3v9GwOAEZLuN+yRhHFD/3meoyhpmvOwgPUnPWTxnS4
+    at+qIxUCMG1mihDK1A3UT82NQz60imOlM27jbdoXt2QfyFMm+YhidDkLF1vLUagM
+    6BgD56KyKA==
+    -----END CERTIFICATE-----
+  PEM
+  APPLE_ROOT_CA_G3_CERT_PEM.freeze
 
-  def self.config
-    @@config ||= DEFAULTS
-  end
-
-  def self.config=(other)
-    @@config = other
-  end
+  DEFAULT_CONFIG = {
+    oid_intermediate_certificate:  '1.2.840.113635.100.6.2.14',
+    oid_leaf_certificate:          '1.2.840.113635.100.6.29',
+    oid_merchant_identifier_field: '1.2.840.113635.100.6.32',
+    replay_threshold_seconds: 3 * 60,
+    trusted_ca_pem: APPLE_ROOT_CA_G3_CERT_PEM,
+  }.freeze
 end

data/lib/pedicel/base.rb

@@ -1,105 +1,113 @@
 require 'openssl'
 require 'base64'
+require 'pedicel/validator'
 
 module Pedicel
   class Base
-    SUPPORTED_VERSIONS = [:EC_v1]
+    SUPPORTED_VERSIONS = [:EC_v1].freeze
 
-    def initialize(token, now: Time.now)
-      @token = token
-    end
-
-    def validate_content(now: Time.now)
-      raise VersionError, "unsupported version: #{version}" unless SUPPORTED_VERSIONS.include?(@token['version'])
+    attr_reader :config
 
-      raise ReplayAttackError, "token signature time indicates a replay attack (age #{now-cms_signing_time})" unless signing_time_ok?(now: now)
+    def initialize(token, config: Pedicel::DEFAULT_CONFIG)
+      validation = Validator::Token.new(token)
+      validation.validate
 
-      raise SignatureError unless valid_signature?
+      @token  = validation.output
+      @config = config
     end
 
     def version
-      @token['version']&.to_sym
+      @token[:version].to_sym
     end
 
     def encrypted_data
-      return nil unless @token['data']
+      return nil unless @token[:data]
 
-      Base64.decode64(@token['data'])
+      Base64.decode64(@token[:data])
     end
 
     def signature
-      return nil unless @token['signature']
+      return nil unless @token[:signature]
 
-      Base64.decode64(@token['signature'])
+      Base64.decode64(@token[:signature])
     end
 
     def transaction_id
-      [@token['header']['transactionId']].pack('H*')
+      [@token[:header][:transactionId]].pack('H*')
     end
 
     def application_data
-      return nil unless @token['applicationData']
+      return nil unless @token[:header][:applicationData]
 
-      [@token['applicationData']].pack('H*')
-    end
-
-    def signing_time_ok?(now: Time.now)
-      # "Inspect the CMS signing time of the signature, as defined by section 11.3
-      # of RFC 5652. If the time signature and the transaction time differ by more
-      # than a few minutes, it's possible that the token is a replay attack."
-      # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
-
-      delta = Pedicel.config[:replay_threshold_seconds]
-
-      cms_signing_time.between?(now - delta, now + delta)
-      # Deliberately ignoring leap seconds.
+      [@token[:header][:applicationData]].pack('H*')
     end
 
     def private_key_class
-      {EC_v1: OpenSSL::PKey::EC, RSA_v1: OpenSSL::PKey::RSA}[version]
+      raise VersionError, "unsupported version: #{version}" unless SUPPORTED_VERSIONS.include?(version)
+
+      { EC_v1: OpenSSL::PKey::EC, RSA_v1: OpenSSL::PKey::RSA }[version]
     end
 
     def symmetric_algorithm
-      {EC_v1: 'aes-256-gcm', RSA_v1: 'aes-128-gcm'}[version]
+      raise VersionError, "unsupported version: #{version}" unless SUPPORTED_VERSIONS.include?(version)
+
+      { EC_v1: 'aes-256-gcm', RSA_v1: 'aes-128-gcm' }[version]
     end
 
     def decrypt_aes(key:)
       raise TokenFormatError, 'no encrypted data present' unless encrypted_data
 
       if OpenSSL::Cipher.new('aes-256-gcm').respond_to?(:iv_len=)
-        # Either because you use Ruby >=2.4's native openssl lib, or if you have a
-        # "recent enough" version of the openssl gem available.
+        # Either because you use Ruby >=2.4's native openssl lib, or if you have
+        # a "recent enough" version of the openssl gem available.
+        decrypt_aes_openssl(key)
+      else
+        decrypt_aes_gem(key)
+      end
+    end
 
-        cipher = OpenSSL::Cipher.new(symmetric_algorithm)
-        cipher.decrypt
+    private def decrypt_aes_openssl(key)
+      cipher = OpenSSL::Cipher.new(symmetric_algorithm)
+      cipher.decrypt
 
+      begin
         cipher.key = key
-        cipher.iv_len = 16 # Must be set before the IV because default is 12 and
-                           # only IVs of length `iv_len` will be accepted.
-        cipher.iv = "\x00".b * cipher.iv_len
+      rescue ArgumentError => e
+        raise Pedicel::AesKeyError, "invalid key: #{e.message}"
+      end
 
-        split_position = encrypted_data.length - cipher.iv_len
-        tag = encrypted_data.slice(split_position, cipher.iv_len)
-        untagged_encrypted_data = encrypted_data.slice(0, split_position)
+      # iv_len must be set before the IV because default is 12 and
+      # only IVs of length `iv_len` will be accepted.
+      cipher.iv_len = 16
+      cipher.iv = 0.chr * cipher.iv_len
 
-        cipher.auth_tag = tag
-        cipher.auth_data = ''.b
+      split_position = encrypted_data.length - cipher.iv_len
+      tag = encrypted_data.slice(split_position, cipher.iv_len)
+      untagged_encrypted_data = encrypted_data.slice(0, split_position)
 
-        cipher.update(untagged_encrypted_data) << cipher.final
-      else
-        require 'aes256gcm_decrypt'
+      cipher.auth_tag = tag
+      cipher.auth_data = ''.b
 
-        Aes256GcmDecrypt::decrypt(encrypted_data, key)
-      end
+      cipher.update(untagged_encrypted_data) << cipher.final
+    rescue OpenSSL::Cipher::CipherError
+      raise Pedicel::AesKeyError, 'wrong key'
+    end
+
+    private def decrypt_aes_gem(key)
+      require 'aes256gcm_decrypt'
+
+      Aes256GcmDecrypt.decrypt(encrypted_data, key)
+    rescue Aes256GcmDecrypt::Error => e
+      raise Pedicel::AesKeyError, "decryption failed: #{e}"
     end
 
     def valid_signature?(now: Time.now)
-      true if validate_signature(now: now)
+      !!verify_signature(now: now)
     rescue
       false
     end
 
-    def verify_signature(ca_certificate_pem: Pedicel.config[:apple_root_ca_g3_cert_pem], now: Time.now)
+    def verify_signature(ca_certificate_pem: @config[:trusted_ca_pem], now: Time.now)
       raise SignatureError, 'no signature present' unless signature
 
       begin
@@ -108,24 +116,36 @@ module Pedicel
         raise SignatureError, "invalid PKCS #7 signature: #{e.message}"
       end
 
-      # 1.a
-      # Ensure that the certificates contain the correct custom OIDs: (...).
-      # The value for these marker OIDs doesn't matter, only their presence.
-      leaf, intermediate = self.class.verify_signature_certificate_oids(signature: s)
-
       begin
-        root = OpenSSL::X509::Certificate.new(ca_certificate_pem)
+        trusted_root = OpenSSL::X509::Certificate.new(ca_certificate_pem)
       rescue => e
-        raise CertificateError, "invalid root certificate: #{e.message}"
+        raise CertificateError, "invalid trusted root certificate: #{e.message}"
       end
 
+      # 1.a
+      # Ensure that the certificates contain the correct custom OIDs: (...).
+      # The value for these marker OIDs doesn't matter, only their presence.
+      leaf, intermediate, other = self.class.extract_certificates(signature: s,
+                                                                  intermediate_oid: @config[:oid_intermediate_certificate],
+                                                                  leaf_oid: @config[:oid_leaf_certificate])
+      # Implicit since these are the ones extracted.
+
       # 1.b
       # Ensure that the root CA is the Apple Root CA - G3. (...)
-      self.class.verify_root_certificate(root: root, intermediate: intermediate)
+      if other
+        self.class.verify_root_certificate(trusted_root: trusted_root, root: other)
+        # Allow no other certificate than the root.
+      #else
+        # no other certificate is not extracted from the signature, and thus, we
+        # trust the trusted root.
+      end
 
       # 1.c
-      # Ensure that there is a valid X.509 chain of trust from the signature to the root CA.
-      self.class.verify_x509_chain(root: root, intermediate: intermediate, leaf: leaf)
+      # Ensure that there is a valid X.509 chain of trust from the signature to
+      # the root CA.
+      self.class.verify_x509_chain(root: trusted_root, intermediate: intermediate, leaf: leaf)
+      # We "only" check the *certificate* chain (from leaf to root). Below (in
+      # 1.d) is checked that the signature is created with the leaf.
 
       # 1.d
       # Validate the token's signature.
@@ -135,63 +155,87 @@ module Pedicel
 
       # 1.e
       # Inspect the CMS signing time of the signature (...)
-      self.class.verify_signed_time(signature: s, now: now)
+      self.class.verify_signed_time(signature: s, now: now, few_min: @config[:replay_threshold_seconds])
 
       self
     end
 
-    private
+    def self.extract_certificates(signature:,
+                                  intermediate_oid: Pedicel::DEFAULT_CONFIG[:oid_intermediate_certificate],
+                                  leaf_oid:         Pedicel::DEFAULT_CONFIG[:oid_leaf_certificate])
+      leafs, intermediates, others = [], [], []
 
-    def self.verify_signature_certificate_oids(signature:)
-      leaf = signature.certificates.find{|c| c.extensions.find{|e| e.oid == Pedicel.config[:oids][:leaf_certificate]}}
-      unless leaf
-        raise SignatureError, "no leaf certificate found (OID #{Pedicel.config[:oids][:leaf_certificate]})"
-      end
+      signature.certificates.each do |certificate|
+        leaf_or_intermediate = false
 
-      intermediate = signature.certificates.find{|c| c.extensions.find{|e| e.oid == Pedicel.config[:oids][:intermediate_certificate]}}
-      unless intermediate
-        raise SignatureError, "no intermediate certificate found (OID #{Pedicel.config[:oids][:leaf_certificate]})"
+        certificate.extensions.each do |extension|
+          case extension.oid
+          when intermediate_oid
+            intermediates << certificate
+            leaf_or_intermediate = true
+          when leaf_oid
+            leafs << certificate
+            leaf_or_intermediate = true
+          end
+        end
+
+        others << certificate unless leaf_or_intermediate
       end
 
-      [leaf, intermediate]
+      raise SignatureError, "no unique leaf certificate found (OID #{leaf_oid})" unless leafs.length == 1
+      raise SignatureError, "no unique intermediate certificate found (OID #{intermediate_oid})" unless intermediates.length == 1
+      raise SignatureError, "too many certificates found in the signature: #{others.map(&:subject).join('; ')}" if others.length > 1
+
+      [leafs.first, intermediates.first, others.first]
     end
 
-    def self.verify_root_certificate(root:, intermediate:)
-      unless intermediate.issuer == root.subject
-        raise SignatureError, 'root certificate has not issued intermediate certificate'
-      end
+    def self.verify_root_certificate(root:, trusted_root:)
+      raise SignatureError, 'root certificate is not trusted' unless root.to_der == trusted_root.to_der
+
+      true
     end
 
     def self.verify_x509_chain(root:, intermediate:, leaf:)
-      valid_chain = OpenSSL::X509::Store.new.
-                      add_cert(root).
-                      add_cert(intermediate).
-                      verify(leaf)
+      # Specifically, ensure that the signature was created using the private
+      # key corresponding to the leaf certificate, that the leaf certificate is
+      # signed by the intermediate CA, and that the intermediate CA is signed by
+      # the Apple Root CA - G3.
+
+      unless root.verify(root.public_key)
+        raise SignatureError, 'invalid chain due to root'
+      end
+
+      unless intermediate.verify(root.public_key)
+        raise SignatureError, 'invalid chain due to intermediate'
+      end
+
+      unless leaf.verify(intermediate.public_key)
+        raise SignatureError, 'invalid chain due to leaf'
+      end
 
-      raise SignatureError, 'invalid chain of trust' unless valid_chain
+      true
     end
 
-    def self.verify_signed_time(signature:, now:)
+    def self.verify_signed_time(signature:, now: Time.now, few_min: Pedicel::DEFAULT_CONFIG[:replay_threshold_seconds])
       # Inspect the CMS signing time of the signature, as defined by section
       # 11.3 of RFC 5652. If the time signature and the transaction time differ
       # by more than a few minutes, it's possible that the token is a replay
       # attack.
+      # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
 
       unless signature.signers.length == 1
         raise SignatureError, 'not 1 signer, unable to determine signing time'
       end
       signed_time = signature.signers.first.signed_time
 
-      few_min = Pedicel.config[:replay_threshold_seconds]
-
-      # Time objects. DST aware. Ignoring leap seconds.
-      return if signed_time.between?(now - few_min, now + few_min) # Both ends included.
+      # Time objects. DST aware. Ignoring leap seconds. Both ends included.
+      return true if signed_time.between?(now - few_min, now + few_min)
 
       diff = signed_time - now
       if diff.negative?
-        raise SignatureError, "signature too old; signed #{-diff.to_i}s ago"
+        raise SignatureError, "signature too old; signed #{-diff}s ago"
       end
-      raise SignatureError, "signature too new; signed #{diff.to_i}s in the future"
+      raise SignatureError, "signature too new; signed #{diff}s in the future"
     end
   end
 end

data/lib/pedicel/ec.rb

@@ -3,51 +3,48 @@ require 'pedicel/base'
 module Pedicel
   class EC < Base
     def ephemeral_public_key
-      Base64.decode64(@token['header']['ephemeralPublicKey'])
+      Base64.decode64(@token[:header][:ephemeralPublicKey])
     end
 
     def decrypt(symmetric_key: nil, merchant_id: nil, certificate: nil, private_key: nil,
-                ca_certificate_pem: Pedicel.config[:apple_root_ca_g3_cert_pem], now: Time.now)
-      raise ArgumentError 'invalid argument combination' unless \
-        !symmetric_key.nil? ^ ((!merchant_id.nil? ^ !certificate.nil?) && !private_key.nil?)
-      # .-------------------'--------. .----------'----. .-------------''---.
-      # | symmetric_key can be       | | merchant_id   | | Both private_key |
-      # | derived from private_key   | | (byte string) | | and merchant_id  |
-      # | and the shared_secret---   | | can be        | | is necessary to  |
-      # | which can be derived from  | | derived from  | | derive the       |
-      # | the private_key and the    | | the public    | | symmetric key    |
-      # | token's ephemeralPublicKey | | certificate   | '------------------'
-      # '----------------------------' '---------------'
-
-      if private_key
-        symmetric_key = symmetric_key(private_key: private_key,
-                                      certificate: certificate,
-                                      merchant_id: merchant_id)
+                ca_certificate_pem: @config[:trusted_ca_pem], now: Time.now)
+      # Check for necessary parameters.
+      unless symmetric_key || ((merchant_id || certificate) && private_key)
+        raise ArgumentError, 'missing parameters'
+      end
+
+      # Check for uniqueness among the supplied parameters used directly here.
+      if symmetric_key && (merchant_id || certificate || private_key)
+        raise ArgumentError, "leave out other parameters when supplying 'symmetric_key'"
       end
 
       verify_signature(ca_certificate_pem: ca_certificate_pem, now: now)
+
+      symmetric_key ||= symmetric_key(private_key: private_key,
+                                      merchant_id: merchant_id,
+                                      certificate: certificate)
+
       decrypt_aes(key: symmetric_key)
     end
 
-    def symmetric_key(shared_secret: nil, private_key: nil, merchant_id: nil, certificate: nil)
-      raise ArgumentError 'invalid argument combination' unless \
-        (!shared_secret.nil? ^ !private_key.nil?) && (!merchant_id.nil? ^ !certificate.nil?)
-      # .--------------------'.  .----------------'|  .-----------------'--.
-      # | shared_secret can   |  | shared_secret   |  | merchant_id (byte  |
-      # | be derived from the |  | and merchant_id |  | string can be      |
-      # | private_key and the |  | is necessary to |  | derived from the   |
-      # | ephemeralPublicKey  |  | derive the      |  | public certificate |
-      # '---------------------'  | symmetric_key   |  '--------------------'
-      #                          '-----------------'
+    def symmetric_key(private_key: nil, merchant_id: nil, certificate: nil)
+      # Check for necessary parameters.
+      unless private_key && (merchant_id || certificate)
+        raise ArgumentError, 'missing parameters'
+      end
+
+      # Check for uniqueness among the supplied parameters.
+      if merchant_id && certificate
+        raise ArgumentError, "leave out 'certificate' when supplying 'merchant_id'"
+      end
+
+      shared_secret = shared_secret(private_key: private_key)
 
-      shared_secret = shared_secret(private_key: private_key) if private_key
-      merchant_id = self.class.merchant_id(certificate: certificate) if certificate
+      merchant_id ||= self.class.merchant_id(certificate: certificate, mid_oid: @config[:oid_merchant_identifier_field])
 
       self.class.symmetric_key(shared_secret: shared_secret, merchant_id: merchant_id)
     end
 
-    # Extract the shared secret from one public key (the ephemeral) and one
-    # private key.
     def shared_secret(private_key:)
       begin
         privkey = OpenSSL::PKey::EC.new(private_key)
@@ -58,19 +55,21 @@ module Pedicel
       begin
         pubkey = OpenSSL::PKey::EC.new(ephemeral_public_key).public_key
       rescue => e
-        raise EcKeyError, "invalid format of ephemeralPublicKey (from token) for EC: #{e.message}"
+        raise EcKeyError, "invalid ephemeralPublicKey (from token) for EC: #{e.message}"
       end
 
       unless privkey.group == pubkey.group
-        raise EcKeyError,
-          "private_key curve '#{privkey.group.curve_name}' differ from " \
-          "ephemeralPublicKey (from token) curve '#{pubkey.group.curve_name}'"
+        raise EcKeyError, "private_key curve '%s' differs from token ephemeralPublicKey curve '%s'" %
+                          [privkey.group.curve_name, pubkey.group.curve_name]
       end
 
       privkey.dh_compute_key(pubkey)
     end
 
     def self.symmetric_key(merchant_id:, shared_secret:)
+      raise ArgumentError, 'merchant_id must be a SHA256' unless merchant_id.is_a?(String) && merchant_id.length == 32
+      raise ArgumentError, 'shared_secret must be a string' unless shared_secret.is_a?(String)
+
       # http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
       # Section 5.8.1.1, The Single-Step KDF Specification.
       #
@@ -92,18 +91,18 @@ module Pedicel
       # >    hashlen` leftmost bits of `K(reps)`.
       # > 7. Return `K(1) || K(2) || ... || K(reps-1) || K_Last`.
       #
-      # Digest::SHA256 will do the calculations when we throw Z and OtherInfo into
-      # the digest.
+      # Digest::SHA256 will do the calculations when we throw Z and OtherInfo
+      # into the digest.
 
       sha256 = Digest::SHA256.new
 
-      # Step 3:
+      # Step 3
       sha256 << "\x00\x00\x00\x01"
 
-      # Z:
+      # Z
       sha256 << shared_secret
 
-      # OtherInfo:
+      # OtherInfo
       # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
       sha256 << "\x0d" + 'id-aes256-GCM' # AlgorithmID
       sha256 << 'Apple' # PartyUInfo
@@ -112,7 +111,7 @@ module Pedicel
       sha256.digest
     end
 
-    def self.merchant_id(certificate:)
+    def self.merchant_id(certificate:, mid_oid: Pedicel::DEFAULT_CONFIG[:oid_merchant_identifier_field])
       begin
         cert = OpenSSL::X509::Certificate.new(certificate)
       rescue => e
@@ -120,11 +119,11 @@ module Pedicel
       end
 
       merchant_id_hex =
-        cert.
-          extensions.
-          find { |x| x.oid == Pedicel.config[:oids][:merchant_identifier_field] }&.
-          value&. # Hex encoded Merchant ID plus perhaps extra non-hex chars.
-          delete("^[0-9a-fA-F]") # Remove non-hex chars.
+        cert
+        .extensions
+        .find { |x| x.oid == mid_oid }
+        &.value # Hex encoded Merchant ID plus perhaps extra non-hex chars.
+        &.delete('^[0-9a-fA-F]') # Remove non-hex chars.
 
       raise CertificateError, 'no merchant identifier in certificate' unless merchant_id_hex
 
@@ -163,6 +162,8 @@ module Pedicel
       unless signature.verify(certificates, store, message, flags)
         raise SignatureError, 'signature does not match the message'
       end
+
+      true
     end
   end
 end

data/lib/pedicel/validator.rb

@@ -1,78 +1,111 @@
 require 'dry-validation'
 require 'base64'
+require 'openssl'
 
 module Pedicel
-  class Validator
-    class Error < StandardError; end
-    class TokenFormatError < Error; end
-    class TokenDataFormatError < Error; end
 
-    DRY_CUSTOM_PREDICATE_ERRORS = {
-      base64?: 'invalid base64',
-      hex?: 'invalid hex',
-      pan?: 'invalid pan',
-      yymmdd?: 'invalid date format YYMMDD',
-    }
+  # Validations for Apple Pay Payment Token and associated data:
+  # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
+  # This purposefully only does syntactic validation (as opposed to semantic).
+  module Validator
 
     module Predicates
       include Dry::Logic::Predicates
 
-      predicate(:base64?) { |value| !Base64.decode64(value).nil? rescue false }
+      CUSTOM_PREDICATE_ERRORS = {
+        base64?:          'must be Base64',
+        hex?:             'must be hex',
+        pan?:             'must be a pan',
+        yymmdd?:          'must be formatted YYMMDD',
+        ec_public_key?:   'must be an EC public key',
+        pkcs7_signature?: 'must be a PKCS7 Signature',
+        eci?:             'must be an ECI',
+        hex_sha256?:      'must be a hex-encoded SHA-256',
+        base64_sha256?:   'must be a Base64-encoded SHA-256',
+        iso4217_numeric?: 'must be an ISO 4217 numeric code',
+      }.freeze
+
+      # Support Ruby 2.3, but use the faster #match? when available.
+      match_b = String.new.respond_to?(:match?) ? ->(s, re) { s.match?(re) } : ->(s, re) { !!(s =~ re) }
+
+      predicate(:base64?) do |x|
+        str?(x) &&
+          match_b.(x, /\A[=A-Za-z0-9+\/]*\z/) && # allowable chars
+          x.length.remainder(4).zero? && # multiple of 4
+          !match_b.(x, /=[^$=]/) && # may only end with ='s
+          !match_b.(x, /===/) # at most 2 ='s
+      end
 
-      predicate(:hex?) { |value| !Regexp.new(/\A[a-f0-9-]*\z/i).match(value).nil? }
+      # We should figure out how strict we should be. Hopefully we can discard
+      # the above Base64? predicate and use the following simpler one:
+      #predicate(:strict_base64?) { |x| !!Base64.strict_decode64(x) rescue false }
 
-      predicate(:pan?) { |value| !Regexp.new(/\A[0-9]{13,19}\z/).match(value).nil? }
+      predicate(:base64_sha256?) { |x| base64?(x) && Base64.decode64(x).length == 32 }
 
-      predicate(:yymmdd?) do |value|
-        return false unless value.length == 6
-        Time.new(value[0..1],value[2..3], value[4..5]).is_a?(Time) rescue false
-      end
+      predicate(:hex?) { |x| str?(x) && match_b.(x, /\A[a-f0-9]*\z/i) }
+
+      predicate(:hex_sha256?) { |x| hex?(x) && x.length == 64 }
+
+      predicate(:pan?) { |x| str?(x) && match_b.(x, /\A[1-9][0-9]{11,18}\z/) }
+
+      predicate(:yymmdd?) { |x| str?(x) && match_b.(x, /\A\d{6}\z/) }
+
+      predicate(:eci?) { |x| str?(x) && match_b.(x, /\A\d{1,2}\z/) }
+
+      predicate(:ec_public_key?) { |x| base64?(x) && OpenSSL::PKey::EC.new(Base64.decode64(x)).check_key rescue false }
+
+      predicate(:pkcs7_signature?) { |x| base64?(x) && !!OpenSSL::PKCS7.new(Base64.decode64(x)) rescue false }
+
+      predicate(:iso4217_numeric?) { |x| match_b.(x, /\A[0-9]{3}\z/) }
     end
 
-    TokenSchema = Dry::Validation.Schema do
-      configure do
-        predicates(Predicates)
-        def self.messages
-          super.merge(en: { errors: DRY_CUSTOM_PREDICATE_ERRORS })
-        end
+    class BaseSchema < Dry::Validation::Schema::JSON
+      predicates(Predicates)
+      def self.messages
+        super.merge(en: { errors: Predicates::CUSTOM_PREDICATE_ERRORS })
       end
+    end
 
-      required(:data).filled(:str?, :base64?)
-
-      required(:header).schema do
-        optional(:applicationData).filled(:str?, :hex?)
+    TokenHeaderSchema = Dry::Validation.Schema(BaseSchema) do
+      optional(:applicationData).filled(:str?, :hex?, :hex_sha256?)
 
-        optional(:ephemeralPublicKey).filled(:str?, :base64?)
-        optional(:wrappedKey).filled(:str?, :base64?)
-        rule('ephemeralPublicKey xor wrappedKey': [:ephemeralPublicKey, :wrappedKey]) do |e, w|
-          e.filled? ^ w.filled?
-        end
+      optional(:ephemeralPublicKey).filled(:str?, :base64?, :ec_public_key?)
 
-        required(:publicKeyHash).filled(:str?, :base64?)
+      optional(:wrappedKey).filled(:str?, :base64?)
 
-        required(:transactionId).filled(:str?, :hex?)
+      rule('ephemeralPublicKey xor wrappedKey': [:ephemeralPublicKey, :wrappedKey]) do |e, w|
+        e.filled? ^ w.filled?
       end
 
-      required(:signature).filled(:str?, :base64?)
+      required(:publicKeyHash).filled(:str?, :base64?, :base64_sha256?)
 
-      required(:version).filled(:str?, included_in?: ['EC_v1', 'RSA_v1'])
+      required(:transactionId).filled(:str?, :hex?)
     end
 
-    # Pedicel::Validator::TokenSchema.call({data: 'asdf', header: {ephemeralPublicKey: 'e', publicKeyHash: 'p', transactionId: 'f'}, signature: 's', version: 'EC_v1'})
+    TokenSchema = Dry::Validation.Schema(BaseSchema) do
+      required(:data).filled(:str?, :base64?)
 
-    TokenDataSchema = Dry::Validation.Schema do
-      configure do
-        predicates(Predicates)
-        def self.messages
-          super.merge(en: { errors: DRY_CUSTOM_PREDICATE_ERRORS })
-        end
-      end
+      required(:header).schema(TokenHeaderSchema)
+
+      required(:signature).filled(:str?, :base64?, :pkcs7_signature?)
+
+      required(:version).filled(:str?, included_in?: %w[EC_v1 RSA_v1])
+    end
+
+    TokenDataPaymentDataSchema = Dry::Validation.Schema(BaseSchema) do
+      optional(:onlinePaymentCryptogram).filled(:str?, :base64?)
+      optional(:eciIndicator).filled(:str?, :eci?)
 
+      optional(:emvData).filled(:str?, :base64?)
+      optional(:encryptedPINData).filled(:str?, :hex?)
+    end
+
+    TokenDataSchema = Dry::Validation.Schema(BaseSchema) do
       required(:applicationPrimaryAccountNumber).filled(:str?, :pan?)
 
       required(:applicationExpirationDate).filled(:str?, :yymmdd?)
 
-      required(:currencyCode).filled(:str?, format?: /\A[0-9]{3}\z/)
+      required(:currencyCode).filled(:str?, :iso4217_numeric?)
 
       required(:transactionAmount).filled(:int?)
 
@@ -80,59 +113,89 @@ module Pedicel
 
       required(:deviceManufacturerIdentifier).filled(:str?, :hex?)
 
-      required(:paymentDataType).filled(:str?, included_in?: ['3DSecure', 'EMV'])
+      required(:paymentDataType).filled(:str?, included_in?: %w[3DSecure EMV])
 
-      required(:paymentData).schema do
-        optional(:onlinePaymentCryptogram).filled(:str?, :base64?)
-        optional(:eciIndicator).filled(:str?)
+      required(:paymentData).schema(TokenDataPaymentDataSchema)
 
-        optional(:emvData).filled(:str?, :base64?)
-        optional(:encryptedPINData).filled(:str?, :hex?)
+      rule('when paymentDataType is 3DSecure, onlinePaymentCryptogram': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |type, cryptogram|
+        type.eql?('3DSecure') > cryptogram.filled?
+      end
+      rule('when paymentDataType is 3DSecure, emvData': [:paymentDataType, [:paymentData, :emvData]]) do |type, emv|
+        type.eql?('3DSecure') > emv.none?
+      end
+      rule('when paymentDataType is 3DSecure, encryptedPINData': [:paymentDataType, [:paymentData, :encryptedPINData]]) do |type, pin|
+        type.eql?('3DSecure') > pin.none?
       end
 
-      rule('consistent paymentDataType and paymentData': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |t, cryptogram|
-        t.eql?('3DSecure') > cryptogram.filled?
+      rule('when paymentDataType is EMV, onlinePaymentCryptogram': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |type, cryptogram|
+        type.eql?('EMV') > cryptogram.none?
+      end
+      rule('when paymentDataType is EMV, eciIndicator': [:paymentDataType, [:paymentData, :eciIndicator]]) do |type, eci|
+        type.eql?('EMV') > eci.none?
+      end
+      rule('when paymentDataType is EMV, emvData': [:paymentDataType, [:paymentData, :emvData]]) do |type, emv|
+        type.eql?('EMV') > emv.filled?
       end
+      rule('when paymentDataType is EMV, encryptedPINData': [:paymentDataType, [:paymentData, :encryptedPINData]]) do |type, pin|
+        type.eql?('EMV') > pin.filled?
+      end
+
     end
 
-    # Pedicel::Validator::TokenDataSchema.call(
-    #   applicationPrimaryAccountNumber: '1234567890123',
-    #   applicationExpirationDate: '101112',
-    #   currencyCode: '123',
-    #   transactionAmount: 12.34,
-    #   cardholderName: 'asdf',
-    #   deviceManufacturerIdentifier: 'adsf',
-    #   paymentDataType: 'asdf',
-    # )
+    class Error < StandardError; end
 
-    def self.validate_token(token, now: Time.now)
-      validation = TokenSchema.call(token)
+    module InstanceMethods
+      attr_reader :output
 
-      raise TokenFormatError, validation.hints.map{|key,msg| "#{key} #{msg}"}.join(', and ') unless validation.errors.empty?
+      def validate
+        @validation ||= @schema.call(@input)
 
-      true
-    end
+        @output = @validation.output
 
-    def self.valid_token?(token, now: Time.now)
-      validate_token(token, now: now) rescue false
-    end
+        return true if @validation.success?
 
-    def self.validate_token_data(token_data)
-      validation = TokenDataSchema.call(token_data)
+        raise Error, "validation error: #{@validation.errors.keys.join(', ')}"
+      end
 
-      raise TokenDataFormatError, validation.hints.map{|key,msg| "#{key} #{msg}"}.join(', and ') unless validation.errors.empty?
+      def valid?
+        validate
+      rescue Error
+        false
+      end
 
-      true
-    end
+      def errors
+        valid? unless @validation
+
+        @validation.errors
+      end
 
-    def self.valid_token_data?(token_data)
-      validate_token_data(token_data) rescue false
+      def errors_formatted(node = [errors])
+        node.pop.flat_map do |key, value|
+          if value.is_a?(Array)
+            value.map { |error| "#{(node + [key]).join('.')} #{error}" }
+          else
+            errors_formatted(node + [key, value])
+          end
+        end
+      end
     end
 
-    def validate_content(now: Time.now)
-      raise ReplayAttackError, "token signature time indicates a replay attack (age #{now-cms_signing_time})" unless signing_time_ok?(now: now)
+    class Token
+      include InstanceMethods
+      class Error < ::Pedicel::Validator::Error; end
+      def initialize(input)
+        @input = input
+        @schema = TokenSchema
+      end
+    end
 
-      raise SignatureError unless valid_signature?
+    class TokenData
+      include InstanceMethods
+      class Error < ::Pedicel::Validator::Error; end
+      def initialize(input)
+        @input = input
+        @schema = TokenDataSchema
+      end
     end
   end
 end

data/lib/pedicel/version.rb

@@ -0,0 +1,3 @@
+module Pedicel
+  VERSION = '0.1.0'.freeze
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pedicel
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Clearhaus
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-27 00:00:00.000000000 Z
+date: 2020-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation
@@ -25,19 +25,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.11.1
 - !ruby/object:Gem::Dependency
-  name: aes256gcm_decrypt
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.2
-  type: :runtime
+        version: '12.3'
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.2
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -53,20 +53,20 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.7'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: pedicel-pay
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
-description: 
+        version: '0.0'
+description:
 email: hello@clearhaus.com
 executables: []
 extensions: []
@@ -77,28 +77,28 @@ files:
 - lib/pedicel/ec.rb
 - lib/pedicel/rsa.rb
 - lib/pedicel/validator.rb
-homepage: https://github.com/clearhaus/pedicel-pay
+- lib/pedicel/version.rb
+homepage: https://github.com/clearhaus/pedicel
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.5
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2
-signing_key: 
+rubygems_version: 3.0.8
+signing_key:
 specification_version: 4
-summary: Backend and client part of Apple Pay
+summary: Decryption of Apple Pay payment tokens
 test_files: []