pedicel 0.0.4 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 628cf5b61cec879b91695fdbbf8f9c3a0803a9c7be2645076d34da772f030b86
-  data.tar.gz: 04dd8ff38fe186fdf5f79a2c648a9482e63add4df9ac2b42aa2b229b2c4ae3fa
+  metadata.gz: 67d155d5766564d4ca2580589ca57cacb94415eb7b7b3bfa9eefe01d6b30e270
+  data.tar.gz: a384e5e0b28d9aaa8d51fbe80dfe532efd4adfaa27ce44995306385ae0b7363f
 SHA512:
-  metadata.gz: 111ea8c7a4baf9cdf7128aeb710cd9ea8d51a31e722d2ae93939812bc12cee9c388476e62b33042ca5fe41324239b106f87a128e2ea599b57b9d2771ec7521fe
-  data.tar.gz: ad718264658b4c26ae9c62644e98a5b6056637b781a3100c01666e08b1d07ff569c21abe1cb7bd18647bcd904898730b4b081349552b37d81672f72242b4a9b5
+  metadata.gz: fda0a0d5b14ddf620e42523352b5ced7c6725d03b1a6d6af12677220e42ca979188fd3049602bc0946d2f456572f8e8c92681a42b8a28cd353834e397f06192f
+  data.tar.gz: 40b85a602bd41992fb8ddf8e147dac5668422b9148319ff4d8885eb7a825498a0ef638a73655453a08079f2d66426be3b13333cfa7721c0bd1e8bd3241b5bbf8

data/lib/pedicel/base.rb

@@ -9,36 +9,37 @@ module Pedicel
     attr_reader :config
 
     def initialize(token, config: Pedicel::DEFAULT_CONFIG)
-      Validator.validate_token(token)
+      validation = Validator::Token.new(token)
+      validation.validate
 
-      @token  = token
+      @token  = validation.output
       @config = config
     end
 
     def version
-      @token['version']&.to_sym
+      @token[:version].to_sym
     end
 
     def encrypted_data
-      return nil unless @token['data']
+      return nil unless @token[:data]
 
-      Base64.decode64(@token['data'])
+      Base64.decode64(@token[:data])
     end
 
     def signature
-      return nil unless @token['signature']
+      return nil unless @token[:signature]
 
-      Base64.decode64(@token['signature'])
+      Base64.decode64(@token[:signature])
     end
 
     def transaction_id
-      [@token['header']['transactionId']].pack('H*')
+      [@token[:header][:transactionId]].pack('H*')
     end
 
     def application_data
-      return nil unless @token['header']['applicationData']
+      return nil unless @token[:header][:applicationData]
 
-      [@token['header']['applicationData']].pack('H*')
+      [@token[:header][:applicationData]].pack('H*')
     end
 
     def private_key_class
@@ -65,8 +66,7 @@ module Pedicel
       end
     end
 
-    private
-    def decrypt_aes_openssl(key)
+    private def decrypt_aes_openssl(key)
       cipher = OpenSSL::Cipher.new(symmetric_algorithm)
       cipher.decrypt
 
@@ -93,14 +93,13 @@ module Pedicel
       raise Pedicel::AesKeyError, 'wrong key'
     end
 
-    def decrypt_aes_gem(key)
+    private def decrypt_aes_gem(key)
       require 'aes256gcm_decrypt'
 
       Aes256GcmDecrypt.decrypt(encrypted_data, key)
     rescue Aes256GcmDecrypt::Error => e
       raise Pedicel::AesKeyError, "decryption failed: #{e}"
     end
-    public
 
     def valid_signature?(now: Time.now)
       !!verify_signature(now: now)
@@ -126,7 +125,9 @@ module Pedicel
       # 1.a
       # Ensure that the certificates contain the correct custom OIDs: (...).
       # The value for these marker OIDs doesn't matter, only their presence.
-      leaf, intermediate, other = self.class.extract_certificates(signature: s)
+      leaf, intermediate, other = self.class.extract_certificates(signature: s,
+                                                                  intermediate_oid: @config[:oid_intermediate_certificate],
+                                                                  leaf_oid: @config[:oid_leaf_certificate])
       # Implicit since these are the ones extracted.
 
       # 1.b
@@ -154,12 +155,14 @@ module Pedicel
 
       # 1.e
       # Inspect the CMS signing time of the signature (...)
-      self.class.verify_signed_time(signature: s, now: now)
+      self.class.verify_signed_time(signature: s, now: now, few_min: @config[:replay_threshold_seconds])
 
       self
     end
 
-    def self.extract_certificates(signature:, config: Pedicel::DEFAULT_CONFIG)
+    def self.extract_certificates(signature:,
+                                  intermediate_oid: Pedicel::DEFAULT_CONFIG[:oid_intermediate_certificate],
+                                  leaf_oid:         Pedicel::DEFAULT_CONFIG[:oid_leaf_certificate])
       leafs, intermediates, others = [], [], []
 
       signature.certificates.each do |certificate|
@@ -167,10 +170,10 @@ module Pedicel
 
         certificate.extensions.each do |extension|
           case extension.oid
-          when config[:oid_intermediate_certificate]
+          when intermediate_oid
             intermediates << certificate
             leaf_or_intermediate = true
-          when config[:oid_leaf_certificate]
+          when leaf_oid
             leafs << certificate
             leaf_or_intermediate = true
           end
@@ -179,8 +182,8 @@ module Pedicel
         others << certificate unless leaf_or_intermediate
       end
 
-      raise SignatureError, "no unique leaf certificate found (OID #{config[:oid_leaf_certificate]})" unless leafs.length == 1
-      raise SignatureError, "no unique intermediate certificate found (OID #{config[:oid_intermediate_certificate]})" unless intermediates.length == 1
+      raise SignatureError, "no unique leaf certificate found (OID #{leaf_oid})" unless leafs.length == 1
+      raise SignatureError, "no unique intermediate certificate found (OID #{intermediate_oid})" unless intermediates.length == 1
       raise SignatureError, "too many certificates found in the signature: #{others.map(&:subject).join('; ')}" if others.length > 1
 
       [leafs.first, intermediates.first, others.first]
@@ -222,7 +225,7 @@ module Pedicel
       true
     end
 
-    def self.verify_signed_time(signature:, now:, config: Pedicel::DEFAULT_CONFIG)
+    def self.verify_signed_time(signature:, now: Time.now, few_min: Pedicel::DEFAULT_CONFIG[:replay_threshold_seconds])
       # Inspect the CMS signing time of the signature, as defined by section
       # 11.3 of RFC 5652. If the time signature and the transaction time differ
       # by more than a few minutes, it's possible that the token is a replay
@@ -234,8 +237,6 @@ module Pedicel
       end
       signed_time = signature.signers.first.signed_time
 
-      few_min = config[:replay_threshold_seconds]
-
       # Time objects. DST aware. Ignoring leap seconds. Both ends included.
       return true if signed_time.between?(now - few_min, now + few_min)
 

data/lib/pedicel/ec.rb

@@ -3,7 +3,7 @@ require 'pedicel/base'
 module Pedicel
   class EC < Base
     def ephemeral_public_key
-      Base64.decode64(@token['header']['ephemeralPublicKey'])
+      Base64.decode64(@token[:header][:ephemeralPublicKey])
     end
 
     def decrypt(symmetric_key: nil, merchant_id: nil, certificate: nil, private_key: nil,
@@ -40,7 +40,7 @@ module Pedicel
 
       shared_secret = shared_secret(private_key: private_key)
 
-      merchant_id ||= self.class.merchant_id(certificate: certificate)
+      merchant_id ||= self.class.merchant_id(certificate: certificate, mid_oid: @config[:oid_merchant_identifier_field])
 
       self.class.symmetric_key(shared_secret: shared_secret, merchant_id: merchant_id)
     end
@@ -111,7 +111,7 @@ module Pedicel
       sha256.digest
     end
 
-    def self.merchant_id(certificate:, config: Pedicel::DEFAULT_CONFIG)
+    def self.merchant_id(certificate:, mid_oid: Pedicel::DEFAULT_CONFIG[:oid_merchant_identifier_field])
       begin
         cert = OpenSSL::X509::Certificate.new(certificate)
       rescue => e
@@ -121,7 +121,7 @@ module Pedicel
       merchant_id_hex =
         cert
         .extensions
-        .find { |x| x.oid == config[:oid_merchant_identifier_field] }
+        .find { |x| x.oid == mid_oid }
         &.value # Hex encoded Merchant ID plus perhaps extra non-hex chars.
         &.delete('^[0-9a-fA-F]') # Remove non-hex chars.
 

data/lib/pedicel/validator.rb

@@ -3,31 +3,30 @@ require 'base64'
 require 'openssl'
 
 module Pedicel
-  # Validation class for Apple Pay Payment Token and associated data:
+
+  # Validations for Apple Pay Payment Token and associated data:
   # https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
   # This purposefully only does syntactic validation (as opposed to semantic).
-  class Validator
-    class Error < StandardError; end
-    class TokenFormatError < Error; end
-    class TokenDataFormatError < Error; end
+  module Validator
 
     module Predicates
       include Dry::Logic::Predicates
 
       CUSTOM_PREDICATE_ERRORS = {
-        base64?:          'invalid base64',
-        hex?:             'invalid hex',
-        pan?:             'invalid pan',
-        yymmdd?:          'invalid date format YYMMDD',
-        ec_public_key?:   'is not an EC public key',
-        pkcs7_signature?: 'is not a PKCS7 Signature',
-        eci?:             'not an ECI indicator',
-        hex_sha256?:      'not hex-encoded SHA256',
-        base64_sha256?:   'not base64-encoded SHA256',
+        base64?:          'must be Base64',
+        hex?:             'must be hex',
+        pan?:             'must be a pan',
+        yymmdd?:          'must be formatted YYMMDD',
+        ec_public_key?:   'must be an EC public key',
+        pkcs7_signature?: 'must be a PKCS7 Signature',
+        eci?:             'must be an ECI',
+        hex_sha256?:      'must be a hex-encoded SHA-256',
+        base64_sha256?:   'must be a Base64-encoded SHA-256',
+        iso4217_numeric?: 'must be an ISO 4217 numeric code',
       }.freeze
 
       # Support Ruby 2.3, but use the faster #match? when available.
-      match_b = String.new.respond_to?(:match?) ? lambda{|s, re| s.match?(re)} : lambda{|s, re| !!(s =~ re)}
+      match_b = String.new.respond_to?(:match?) ? ->(s, re) { s.match?(re) } : ->(s, re) { !!(s =~ re) }
 
       predicate(:base64?) do |x|
         str?(x) &&
@@ -38,7 +37,7 @@ module Pedicel
       end
 
       # We should figure out how strict we should be. Hopefully we can discard
-      # the above base64? predicate and use the following simpler one:
+      # the above Base64? predicate and use the following simpler one:
       #predicate(:strict_base64?) { |x| !!Base64.strict_decode64(x) rescue false }
 
       predicate(:base64_sha256?) { |x| base64?(x) && Base64.decode64(x).length == 32 }
@@ -56,113 +55,137 @@ module Pedicel
       predicate(:ec_public_key?) { |x| base64?(x) && OpenSSL::PKey::EC.new(Base64.decode64(x)).check_key rescue false }
 
       predicate(:pkcs7_signature?) { |x| base64?(x) && !!OpenSSL::PKCS7.new(Base64.decode64(x)) rescue false }
+
+      predicate(:iso4217_numeric?) { |x| match_b.(x, /\A[0-9]{3}\z/) }
     end
 
-    TokenSchema = Dry::Validation.Schema do
-      configure do
-        # NOTE: This option removes/sanitizes hash element not mentioned/tested.
-        # Hurray for good documentation.
-        config.input_processor = :json
-
-        # In theory, I would guess that :strict below would cause a failure if
-        # untested keys were encountered, however this appears to not be the
-        # case. Anyways, it's (of course) not documented.
-        # config.hash_type = :strict
-
-        predicates(Predicates)
-        def self.messages
-          super.merge(en: { errors: Predicates::CUSTOM_PREDICATE_ERRORS })
-        end
+    class BaseSchema < Dry::Validation::Schema::JSON
+      predicates(Predicates)
+      def self.messages
+        super.merge(en: { errors: Predicates::CUSTOM_PREDICATE_ERRORS })
       end
+    end
 
-      required(:data).filled(:str?, :base64?)
+    TokenHeaderSchema = Dry::Validation.Schema(BaseSchema) do
+      optional(:applicationData).filled(:str?, :hex?, :hex_sha256?)
 
-      required(:header).schema do
-        optional(:applicationData).filled(:str?, :hex?, :hex_sha256?)
+      optional(:ephemeralPublicKey).filled(:str?, :base64?, :ec_public_key?)
 
-        optional(:ephemeralPublicKey).filled(:str?, :base64?, :ec_public_key?)
+      optional(:wrappedKey).filled(:str?, :base64?)
 
-        optional(:wrappedKey).filled(:str?, :base64?)
+      rule('ephemeralPublicKey xor wrappedKey': [:ephemeralPublicKey, :wrappedKey]) do |e, w|
+        e.filled? ^ w.filled?
+      end
 
-        rule('ephemeralPublicKey xor wrappedKey': [:ephemeralPublicKey, :wrappedKey]) do |e, w|
-          e.filled? ^ w.filled?
-        end
+      required(:publicKeyHash).filled(:str?, :base64?, :base64_sha256?)
 
-        required(:publicKeyHash).filled(:str?, :base64?, :base64_sha256?)
+      required(:transactionId).filled(:str?, :hex?)
+    end
 
-        required(:transactionId).filled(:str?, :hex?)
-      end
+    TokenSchema = Dry::Validation.Schema(BaseSchema) do
+      required(:data).filled(:str?, :base64?)
+
+      required(:header).schema(TokenHeaderSchema)
 
       required(:signature).filled(:str?, :base64?, :pkcs7_signature?)
 
       required(:version).filled(:str?, included_in?: %w[EC_v1 RSA_v1])
     end
 
-    TokenDataSchema = Dry::Validation.Schema do
-      configure do
-        predicates(Predicates)
-        def self.messages
-          super.merge(en: { errors: Predicates::CUSTOM_PREDICATE_ERRORS })
-        end
-      end
+    TokenDataPaymentDataSchema = Dry::Validation.Schema(BaseSchema) do
+      optional(:onlinePaymentCryptogram).filled(:str?, :base64?)
+      optional(:eciIndicator).filled(:str?, :eci?)
 
-      required('applicationPrimaryAccountNumber').filled(:str?, :pan?)
+      optional(:emvData).filled(:str?, :base64?)
+      optional(:encryptedPINData).filled(:str?, :hex?)
+    end
 
-      required('applicationExpirationDate').filled(:str?, :yymmdd?)
+    TokenDataSchema = Dry::Validation.Schema(BaseSchema) do
+      required(:applicationPrimaryAccountNumber).filled(:str?, :pan?)
 
-      required('currencyCode').filled(:str?, format?: /\A[0-9]{3}\z/)
+      required(:applicationExpirationDate).filled(:str?, :yymmdd?)
 
-      required('transactionAmount').filled(:int?)
+      required(:currencyCode).filled(:str?, :iso4217_numeric?)
 
-      optional('cardholderName').filled(:str?)
+      required(:transactionAmount).filled(:int?)
 
-      required('deviceManufacturerIdentifier').filled(:str?, :hex?)
+      optional(:cardholderName).filled(:str?)
 
-      required('paymentDataType').filled(:str?, included_in?: %w[3DSecure EMV])
+      required(:deviceManufacturerIdentifier).filled(:str?, :hex?)
 
-      required('paymentData').schema do
-        optional('onlinePaymentCryptogram').filled(:str?, :base64?)
-        optional('eciIndicator').filled(:str?, :eci?)
+      required(:paymentDataType).filled(:str?, included_in?: %w[3DSecure EMV])
 
-        optional('emvData').filled(:str?, :base64?)
-        optional('encryptedPINData').filled(:str?, :hex?)
+      required(:paymentData).schema(TokenDataPaymentDataSchema)
+
+      rule('when paymentDataType is 3DSecure, onlinePaymentCryptogram': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |type, cryptogram|
+        type.eql?('3DSecure') > cryptogram.filled?
+      end
+      rule('when paymentDataType is 3DSecure, emvData': [:paymentDataType, [:paymentData, :emvData]]) do |type, emv|
+        type.eql?('3DSecure') > emv.none?
+      end
+      rule('when paymentDataType is 3DSecure, encryptedPINData': [:paymentDataType, [:paymentData, :encryptedPINData]]) do |type, pin|
+        type.eql?('3DSecure') > pin.none?
       end
 
-      rule('paymentDataType affects paymentData': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |t, cryptogram|
-        t.eql?('3DSecure') > cryptogram.filled?
+      rule('when paymentDataType is EMV, onlinePaymentCryptogram': [:paymentDataType, [:paymentData, :onlinePaymentCryptogram]]) do |type, cryptogram|
+        type.eql?('EMV') > cryptogram.none?
       end
+      rule('when paymentDataType is EMV, eciIndicator': [:paymentDataType, [:paymentData, :eciIndicator]]) do |type, eci|
+        type.eql?('EMV') > eci.none?
+      end
+      rule('when paymentDataType is EMV, emvData': [:paymentDataType, [:paymentData, :emvData]]) do |type, emv|
+        type.eql?('EMV') > emv.filled?
+      end
+      rule('when paymentDataType is EMV, encryptedPINData': [:paymentDataType, [:paymentData, :encryptedPINData]]) do |type, pin|
+        type.eql?('EMV') > pin.filled?
+      end
+
     end
 
-    def self.validate_token(token)
-      validation = TokenSchema.call(token)
+    class Error < StandardError; end
 
-      raise TokenFormatError, format_errors(validation) if validation.failure?
+    module InstanceMethods
+      attr_reader :output
 
-      true
-    end
+      def validate
+        @validation ||= @schema.call(@input)
 
-    def self.valid_token?(token)
-      validate_token(token)
-    rescue TokenFormatError
-      false
-    end
+        @output = @validation.output
 
-    def self.validate_token_data(token_data)
-      validation = TokenDataSchema.call(token_data)
+        return true if @validation.success?
 
-      raise TokenDataFormatError, format_errors(validation) if validation.failure?
+        raise Error, "validation error: #{@validation.errors.keys.join(', ')}"
+      end
+
+      def valid?
+        validate
+      rescue Error
+        false
+      end
+
+      def errors
+        valid? unless @validation
 
-      true
+        @validation.errors
+      end
     end
 
-    def self.valid_token_data?(token_data)
-      validate_token_data(token_data)
-    rescue TokenDataFormatError
-      false
+    class Token
+      include InstanceMethods
+      class Error < ::Pedicel::Validator::Error; end
+      def initialize(input)
+        @input = input
+        @schema = TokenSchema
+      end
     end
 
-    def self.format_errors(validation)
-      validation.errors.map{|key, msg| "#{key}: #{msg}"}.join('; ')
+    class TokenData
+      include InstanceMethods
+      class Error < ::Pedicel::Validator::Error; end
+      def initialize(input)
+        @input = input
+        @schema = TokenDataSchema
+      end
     end
   end
 end

data/lib/pedicel/version.rb

@@ -1,3 +1,3 @@
 module Pedicel
-  VERSION = '0.0.4'.freeze
+  VERSION = '0.0.5'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pedicel
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Clearhaus
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-04 00:00:00.000000000 Z
+date: 2018-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation