r2d2 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 026e3de4d7dca643f8f57f519a93014eaa3587ea
+  data.tar.gz: 1a58252e22b3595cf709d132b10308012baae046
+SHA512:
+  metadata.gz: abf1504ec9d6bbcfc77f774052e4c66d073033d2eb562edfe397711e03252e41e51ddf764be8c6abc14be455a4641b43cb1527b703ec1fb49def7a0a2f708b4e
+  data.tar.gz: 72bc939de0608e03740b44cfff6ba6941933ead007ba2c044b38f3c2e6964da749e8bdb355fad0b63658efbe4b4751f847fad37426363294c9de857d7fb9eb70

data/.circleci/config.yml

@@ -0,0 +1,46 @@
+version: 2
+jobs:
+  ruby-2.1:
+    docker:
+      - image: circleci/ruby:2.1.10
+    steps:
+      - checkout
+      - run: bundle
+      - run: rake test
+  ruby-2.2:
+    docker:
+      - image: circleci/ruby:2.2.10
+    steps:
+      - checkout
+      - run: bundle
+      - run: rake test
+  # ruby-2.3:
+  #   docker:
+  #     - image: circleci/ruby:2.3.7
+  #   steps:
+  #     - checkout
+  #     - run: bundle
+  #     - run: rake test
+  # ruby-2.4:
+  #   docker:
+  #     - image: circleci/ruby:2.4.4
+  #   steps:
+  #     - checkout
+  #     - run: bundle
+  #     - run: rake test
+  # ruby-2.5:
+  #   docker:
+  #     - image: circleci/ruby:2.5.1
+  #   steps:
+  #     - checkout
+  #     - run: bundle
+  #     - run: rake test
+workflows:
+  version: 2
+  rubies:
+    jobs:
+      - ruby-2.1
+      - ruby-2.2
+      # - ruby-2.3
+      # - ruby-2.4
+      # - ruby-2.5

data/.gitignore

@@ -0,0 +1,6 @@
+vendor/*
+.bundle
+notes.md
+Gemfile.lock
+.ruby-version
+.ruby-gemset

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'hkdf', '~> 0.2.0'

data/README.md

@@ -0,0 +1,120 @@
+# R2D2
+
+[![CircleCI](https://circleci.com/gh/spreedly/r2d2.svg?style=svg)](https://circleci.com/gh/spreedly/r2d2)
+
+R2D2 is a Ruby library for decrypting Android Pay payment tokens.
+
+## Ruby support
+
+Currently, only Ruby v2.2 and below are supported. For Ruby >= 2.3, work will need to be done (similar to [what was done in Gala](https://github.com/spreedly/gala/commit/0a4359ccdd5654b78747f9141645ca510ee255c2)) to use a compatible aead decryption algorithm.
+
+## Install
+
+Add to your `Gemfile`:
+
+```ruby
+gem "android_pay", git: "https://github.com/spreedly/android_pay.git"
+```
+
+## Usage
+
+R2D2 takes input in the form of the hash of Android Pay token values:
+
+```json
+{
+  "encryptedMessage": "ZW5jcnlwdGVkTWVzc2FnZQ==",
+  "ephemeralPublicKey": "ZXBoZW1lcmFsUHVibGljS2V5",
+  "tag": "c2lnbmF0dXJl"
+}
+```
+
+and the merchant's private key private key (which is managed by a third-party such as a gateway or independent processor like [Spreedly](https://spreedly.com)).
+
+```ruby
+require "android_pay"
+
+# token_json = raw token string you get from Android Pay { "encryptedMessage": "...", "tag": "...", ...}
+token_attrs = JSON.parse(token_json)
+token = R2D2::PaymentToken.new(token_attrs)
+
+private_key_pem = File.read("private_key.pem")
+decrypted_json = token.decrypt(private_key_pem)
+
+JSON.parse(decrypted_json)
+# =>
+{
+  “dpan”: “4444444444444444”,
+  “expirationMonth”: 10,
+  “expirationYear”: 2015 ,
+  “authMethod”: “3DS”,
+  “3dsCryptogram”: “AAAAAA...”,
+  “3dsEciIndicator”: “eci indicator”
+}
+```
+
+### Performance
+
+The library implements a constant time comparison algorithm for preventing timing attacks. The default pure ruby implementation is quite inefficient, but portable. If performance is a priority for you, you can use a faster comparison algorithm provided by the [fast_secure_compare](https://github.com/daxtens/fast_secure_compare).
+
+To enable `FastSecureCompare` in your environment, add the following to your Gemfile:
+
+```ruby
+gem 'fast_secure_compare`
+```
+
+and require the extension in your application prior to loading r2d2:
+
+```ruby
+require 'fast_secure_compare/fast_secure_compare'
+require 'r2d2/payment_token'
+```
+
+Benchmarks illustrating the overhead of the pure Ruby version:
+
+```
+                          user     system      total        real
+secure_compare        1.070000   0.010000   1.080000 (  1.231714)
+fast secure_compare   0.050000   0.000000   0.050000 (  0.049753)
+```
+
+## Testing
+
+```session
+$ bundle exec rake
+...
+5 tests, 18 assertions, 0 failures, 0 errors, 0 skips
+```
+
+## Releasing
+
+To cut a new gem:
+
+### Setup RubyGems account
+
+Make sure you have a [RubyGems account](https://rubygems.org) and have setup your local gem credentials with something like this:
+
+```bash
+$ curl -u rwdaigle https://rubygems.org/api/v1/api_key.yaml > ~/.gem/credentials; chmod 0600 ~/.gem/credentials
+<enter rubygems account password>
+```
+
+If you are not yet listed as a gem owner, you will need to [request access](http://guides.rubygems.org/command-reference/#gem-owner) from @rwdaigle.
+
+### Release
+
+Build and release the gem with (all changes should be committed and pushed to Github):
+
+```bash
+$ rake release
+```
+
+## Changelog
+
+### v0.1.2
+
+* Setup CircleCI for more exhaustive Ruby version compatibility tests
+* Add gem release instructions
+
+## Contributors
+
+* [methodmissing](https://github.com/methodmissing)

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task :default => :test

data/lib/r2d2/payment_token.rb

@@ -0,0 +1,82 @@
+require 'openssl'
+require 'base64'
+require 'hkdf'
+
+module R2D2
+  class PaymentToken
+
+    attr_accessor :encrypted_message, :ephemeral_public_key, :tag
+
+    class TagVerificationError < StandardError; end;
+
+    def initialize(token_attrs)
+      self.ephemeral_public_key = token_attrs["ephemeralPublicKey"]
+      self.tag = token_attrs["tag"]
+      self.encrypted_message = token_attrs["encryptedMessage"]
+    end
+
+    def decrypt(private_key_pem)
+      digest = OpenSSL::Digest.new('sha256')
+      private_key = OpenSSL::PKey::EC.new(private_key_pem)
+
+      shared_secret = self.class.generate_shared_secret(private_key, ephemeral_public_key)
+
+      # derive the symmetric_encryption_key and mac_key
+      hkdf_keys = self.class.derive_hkdf_keys(ephemeral_public_key, shared_secret);
+
+      # verify the tag is a valid value
+      self.class.verify_mac(digest, hkdf_keys[:mac_key], encrypted_message, tag)
+
+      self.class.decrypt_message(encrypted_message, hkdf_keys[:symmetric_encryption_key])
+    end
+
+    class << self
+
+      def generate_shared_secret(private_key, ephemeral_public_key)
+        ec = OpenSSL::PKey::EC.new('prime256v1')
+        bn = OpenSSL::BN.new(Base64.decode64(ephemeral_public_key), 2)
+        point = OpenSSL::PKey::EC::Point.new(ec.group, bn)
+        private_key.dh_compute_key(point)
+      end
+
+      def derive_hkdf_keys(ephemeral_public_key, shared_secret)
+        key_material = Base64.decode64(ephemeral_public_key) + shared_secret;
+        hkdf = HKDF.new(key_material, :algorithm => 'SHA256', :info => 'Android')
+        {
+          :symmetric_encryption_key => hkdf.next_bytes(16),
+          :mac_key => hkdf.next_bytes(16)
+        }
+      end
+
+      def verify_mac(digest, mac_key, encrypted_message, tag)
+        mac = OpenSSL::HMAC.digest(digest, mac_key, Base64.decode64(encrypted_message))
+        raise TagVerificationError unless secure_compare(mac, Base64.decode64(tag))
+      end
+
+      def decrypt_message(encrypted_data, symmetric_key)
+        decipher = OpenSSL::Cipher::AES128.new(:CTR)
+        decipher.decrypt
+        decipher.key = symmetric_key
+        decipher.auth_data = ""
+        decipher.update(Base64.decode64(encrypted_data)) + decipher.final
+      end
+
+      if defined?(FastSecureCompare)
+        def secure_compare(a, b)
+          FastSecureCompare.compare(a, b)
+        end
+      else
+        # constant-time comparison algorithm to prevent timing attacks; borrowed from ActiveSupport::MessageVerifier
+        def secure_compare(a, b)
+          return false unless a.bytesize == b.bytesize
+
+          l = a.unpack("C#{a.bytesize}")
+
+          res = 0
+          b.each_byte { |byte| res |= byte ^ l.shift }
+          res == 0
+        end
+      end
+    end
+  end
+end

data/lib/r2d2/version.rb

@@ -0,0 +1,3 @@
+module R2D2
+  VERSION = "0.1.2" unless defined? R2D2::VERSION
+end

data/lib/r2d2.rb

@@ -0,0 +1,3 @@
+require "json"
+
+require_relative "r2d2/payment_token"

data/r2d2.gemspec

@@ -0,0 +1,27 @@
+$LOAD_PATH.push File.expand_path("../lib", __FILE__)
+require 'r2d2/version'
+
+Gem::Specification.new do |s|
+  s.name              = "r2d2"
+  s.version           = R2D2::VERSION
+  s.platform          = Gem::Platform::RUBY
+  s.authors           = ["Miki Rezentes", "Ryan Daigle"]
+  s.email             = ["mrezentes@gmail.com", "ryan.daigle@gmail.com"]
+  s.homepage          = "https://github.com/spreedly/r2d2"
+  s.summary           = "Android Pay payment token decryption library"
+  s.description       = "Given an (encrypted) Android Pay token, verify and decrypt it"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.required_ruby_version = ">= 1.8.7"
+
+  s.add_runtime_dependency 'hkdf'
+
+  s.add_development_dependency "bundler", "~> 1.15"
+  s.add_development_dependency "rake", "~> 12.0"
+  s.add_development_dependency "minitest", "~> 5.0"
+  s.add_development_dependency "pry-byebug"
+end

data/test/fixtures/private_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIDnEBl2fHeMqFqePupLh6RTQM6Ro16v8JjIAVXcHp4ktoAoGCCqGSM49
+AwEHoUQDQgAEa6fxL04JEhOi/+1QzTHuh6d+qoEizAo79xNkJ5xvaeizZv2wBRV+
+cynhOeThDf8FJDE4TIGL0G+a4zlrM3wqNw==
+-----END EC PRIVATE KEY-----

data/test/fixtures/public_key.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEa6fxL04JEhOi/+1QzTHuh6d+qoEi
+zAo79xNkJ5xvaeizZv2wBRV+cynhOeThDf8FJDE4TIGL0G+a4zlrM3wqNw==
+-----END PUBLIC KEY-----

data/test/fixtures/token.json

@@ -0,0 +1,5 @@
+{
+"encryptedMessage": "V65NNwqzK0A1bi0F96HQZr4eFA8fWCatwykv3sFA8Cg4Wn4Ylk/szN6GiFTuYQFrHA7a/h0P3tfEQd09bor6pRqrM8/Bt12R0SHKtnQxbYxTjpMr/7C3Um79n0jseaPlK8+CHXljbYifwGB+cEFh/smP8IO1iw3TL/192HesutfVMKm9zpo5mLNzQ2GMU4JWUGIgrzsew6S6XshelrjE",
+"ephemeralPublicKey": "BB9cOXHgf3KcY8dbsU6fhzqTJm3JFvzD+8wcWg0W9r+Xl5gYjoZRxHuYocAx3g82v2o0Le1E2w4sDDl5w3C0lmY=",
+"tag": "boJLmOxDduTV5a34CO2IRbgxUjZ9WmfzxNl1lWqQ+Z0="
+}

data/test/initial_dev/test_data.md

@@ -0,0 +1,526 @@
+This file contains test data obtained from AndroidPay decryption code.
+The values were used to confirm the steps of the processs were completing correctly.
+This represents all needed info to confirm each step of the decryption process.
+
+Note: for the HDFK step, the keying material is the ephemeral public key + the shared secret
+
+
+```
+{
+"ephemeralPublicKey":"BPhVspn70Zj2Kkgu9t8+ApEuUWsI/zos5whGCQBlgOkuYagOis7qsrcbQrcprjvTZO3XOU+Qbcc28FSgsRtcgQE=",
+"encryptedMessage":"PHxZxBQvVWwP",
+"tag":"s9wa3Q2WiyGi/eDA4XYVklq08KZiSxB7xvRiKK3H7kE="
+}
+```
+```
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAj0rha+IkiGkKa443IRz8g7tjVxXtLwwaE6T5GGivXXoAoGCCqGSM49
+AwEHoUQDQgAE52hc/70CrjvdKcbCDclTVqI2mx328faiCerg+0O2UsZrcqPxM9/6
+NpA0/INKSHclSGJLQrKuuVaECA1kodgXZg==
+-----END EC PRIVATE KEY-----
+```
+
+Keys include the byte array first, then the hex underneath
+
+encryptionKey
+
+```
+[16, 79, 44, -105, -90, -108, -104, -111, 8, 18, -18, -101, 121, 100, -109, 98]
+104F2C97A69498910812EE9B79649362
+```
+
+macKey
+
+```
+[-28, -1, 49, -64, 121, -124, -9, 98, -89, 11, -22, 96, -37, -118, -47, 28]
+E4FF31C07984F762A70BEA60DB8AD11C
+```
+
+sharedKey
+
+```
+[16, 79, 44, -105, -90, -108, -104, -111, 8, 18, -18, -101, 121, 100, -109, 98, -28, -1, 49, -64, 121, -124, -9, 98, -89, 11, -22, 96, -37, -118, -47, 28]
+104F2C97A69498910812EE9B79649362E4FF31C07984F762A70BEA60DB8AD11C
+```
+
+Java class for decryption
+
+```
+import org.bouncycastle.crypto.digests.SHA256Digest;
+
+import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
+
+import org.bouncycastle.crypto.params.HKDFParameters;
+
+import org.bouncycastle.jce.ECNamedCurveTable;
+
+import org.bouncycastle.jce.ECPointUtil;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
+
+import org.bouncycastle.jce.spec.ECNamedCurveSpec;
+
+import org.bouncycastle.pqc.math.linearalgebra.ByteUtils;
+
+import org.bouncycastle.util.encoders.Base64;
+
+import org.bouncycastle.util.encoders.Hex;
+
+import org.json.JSONException;
+
+import org.json.JSONObject;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.nio.charset.Charset;
+
+import java.security.InvalidAlgorithmParameterException;
+
+import java.security.InvalidKeyException;
+
+import java.security.KeyFactory;
+
+import java.security.NoSuchAlgorithmException;
+
+import java.security.NoSuchProviderException;
+
+import java.security.PrivateKey;
+
+import java.security.PublicKey;
+
+import java.security.Security;
+
+import java.security.spec.ECParameterSpec;
+
+import java.security.spec.ECPublicKeySpec;
+
+import java.security.spec.InvalidKeySpecException;
+
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Arrays;
+
+import javax.crypto.BadPaddingException;
+
+import javax.crypto.Cipher;
+
+import javax.crypto.IllegalBlockSizeException;
+
+import javax.crypto.KeyAgreement;
+
+import javax.crypto.Mac;
+
+import javax.crypto.NoSuchPaddingException;
+
+import javax.crypto.spec.IvParameterSpec;
+
+import javax.crypto.spec.SecretKeySpec;
+
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+
+/** Utility for decrypting encrypted network tokens as per Android Pay InApp
+
+spec. */
+
+class NetworkTokenDecryptionUtil {
+
+	private static final String SECURITY_PROVIDER = "BC";
+
+	private static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
+
+	private static final String ASYMMETRIC_KEY_TYPE = "EC";
+
+	private static final String KEY_AGREEMENT_ALGORITHM = "ECDH";
+
+	/** OpenSSL name of the NIST P­126 Elliptic Curve */
+
+	private static final String EC_CURVE = "prime256v1";
+
+	private static final String SYMMETRIC_KEY_TYPE = "AES";
+
+	private static final String SYMMETRIC_ALGORITHM = "AES/CTR/NoPadding";
+
+	private static final byte[] SYMMETRIC_IV = Hex.decode("00000000000000000000000000000000");
+
+	private static final int SYMMETRIC_KEY_BYTE_COUNT = 16;
+
+	private static final String MAC_ALGORITHM = "HmacSHA256";
+
+	private static final int MAC_KEY_BYTE_COUNT = 16;
+
+	private static final byte[] HKDF_INFO = "Android".getBytes(DEFAULT_CHARSET);
+
+	private static final byte[] HKDF_SALT = null /* equivalent to a zeroed salt of hashLen */;
+
+	final protected static char[] hexArray = "0123456789ABCDEF".toCharArray();
+
+	private PrivateKey privateKey;
+
+	private NetworkTokenDecryptionUtil(PrivateKey privateKey) {
+
+		if (!ASYMMETRIC_KEY_TYPE.equals(privateKey.getAlgorithm())) {
+
+			throw new IllegalArgumentException("Unexpected type of private key");
+
+		}
+
+		this.privateKey = privateKey;
+
+	}
+
+	public static NetworkTokenDecryptionUtil createFromPkcs8EncodedPrivateKey(byte[] pkcs8PrivateKey) {
+
+		PrivateKey privateKey = null;
+
+		try {
+
+			KeyFactory asymmetricKeyFactory = KeyFactory.getInstance(ASYMMETRIC_KEY_TYPE, SECURITY_PROVIDER);
+
+			privateKey = asymmetricKeyFactory.generatePrivate(new PKCS8EncodedKeySpec(pkcs8PrivateKey));
+//			System.out.println("Private key");
+//			System.out.println(privateKey);
+//			JcaPEMWriter writer = new JcaPEMWriter(new PrintWriter(System.out));
+//			writer.writeObject(privateKey);
+//			writer.close();
+
+		} catch (NoSuchAlgorithmException | NoSuchProviderException |
+
+			InvalidKeySpecException e) {
+
+			throw new RuntimeException("Failed to create NetworkTokenDecryptionUtil", e);
+
+		}
+
+		return new NetworkTokenDecryptionUtil(privateKey);
+
+	}
+
+	/**
+
+	* Sets up the {@link #SECURITY_PROVIDER} if not yet set up.
+
+	*
+
+	* <p>You must call this method at least once before using this class.
+
+	*/
+
+	public static void setupSecurityProviderIfNecessary() {
+
+		if (Security.getProvider(SECURITY_PROVIDER) == null) {
+
+			Security.addProvider(new BouncyCastleProvider());
+
+		}
+
+	}
+
+	/**
+
+	* Verifies then decrypts the given payload according to the Android Pay
+
+	Network Token
+
+	* encryption spec.
+
+	*/
+
+	public String verifyThenDecrypt(String encryptedPayloadJson) {
+
+		try {
+
+			JSONObject object = new JSONObject(encryptedPayloadJson);
+
+			byte[] ephemeralPublicKeyBytes = Base64.decode(object.getString("ephemeralPublicKey"));
+			System.out.println("ephemeralPublicKey");
+			System.out.println(object.getString("ephemeralPublicKey"));
+			System.out.println("encryptedMessage");
+			System.out.println(object.getString("encryptedMessage"));
+			System.out.println("tag");
+			System.out.println(object.getString("tag"));
+			byte[] encryptedMessage = Base64.decode(object.getString("encryptedMessage"));
+
+			byte[] tag = Base64.decode(object.getString("tag"));
+
+			// Parsing public key.
+
+			ECParameterSpec asymmetricKeyParams = generateECParameterSpec();
+
+			KeyFactory asymmetricKeyFactory = KeyFactory.getInstance(ASYMMETRIC_KEY_TYPE, SECURITY_PROVIDER);
+
+			PublicKey ephemeralPublicKey = asymmetricKeyFactory.generatePublic(new ECPublicKeySpec( ECPointUtil.decodePoint(asymmetricKeyParams.getCurve(), ephemeralPublicKeyBytes), asymmetricKeyParams));
+
+			// Deriving shared secret.
+
+			KeyAgreement keyAgreement = KeyAgreement.getInstance(KEY_AGREEMENT_ALGORITHM,SECURITY_PROVIDER);
+
+			keyAgreement.init(privateKey);
+
+			keyAgreement.doPhase(ephemeralPublicKey, true);
+
+			byte[] sharedSecret = keyAgreement.generateSecret();
+			System.out.println("Shared Secret Byte Array");
+			System.out.println(Arrays.toString(sharedSecret));
+			char[] hexChars = new char[sharedSecret.length * 2];
+		    for ( int j = 0; j < sharedSecret.length; j++ ) {
+		        int v = sharedSecret[j] & 0xFF;
+		        hexChars[j * 2] = hexArray[v >>> 4];
+		        hexChars[j * 2 + 1] = hexArray[v & 0x0F];
+		    }
+			System.out.println("Shared Secret Hex Array");
+			System.out.println(hexChars);
+
+
+			// Deriving encryption and mac keys.
+
+			HKDFBytesGenerator hkdfBytesGenerator = new HKDFBytesGenerator(new SHA256Digest());
+
+			byte[] khdfInput = ByteUtils.concatenate(ephemeralPublicKeyBytes, sharedSecret);
+
+			hkdfBytesGenerator.init(new HKDFParameters(khdfInput, HKDF_SALT, HKDF_INFO));
+			byte[] sharedKey = new byte[SYMMETRIC_KEY_BYTE_COUNT * 2];
+			hkdfBytesGenerator.generateBytes(sharedKey, 0, SYMMETRIC_KEY_BYTE_COUNT*2);
+			System.out.println("sharedKey");
+			System.out.println(Arrays.toString(sharedKey));
+			char[] sharedChars = new char[sharedKey.length * 2];
+		    for ( int j = 0; j < sharedKey.length; j++ ) {
+		        int v = sharedKey[j] & 0xFF;
+		        sharedChars[j * 2] = hexArray[v >>> 4];
+		        sharedChars[j * 2 + 1] = hexArray[v & 0x0F];
+		    }
+			System.out.println(sharedChars);
+
+			byte[] encryptionKey = new byte[SYMMETRIC_KEY_BYTE_COUNT];
+
+			hkdfBytesGenerator.generateBytes(encryptionKey, 0, SYMMETRIC_KEY_BYTE_COUNT);
+			System.out.println("encryptionKey");
+			System.out.println(Arrays.toString(encryptionKey));
+			char[] encryptChars = new char[encryptionKey.length * 2];
+		    for ( int j = 0; j < encryptionKey.length; j++ ) {
+		        int v = encryptionKey[j] & 0xFF;
+		        encryptChars[j * 2] = hexArray[v >>> 4];
+		        encryptChars[j * 2 + 1] = hexArray[v & 0x0F];
+		    }
+			System.out.println(encryptChars);
+
+			byte[] macKey = new byte[MAC_KEY_BYTE_COUNT];
+			hkdfBytesGenerator.generateBytes(macKey, 0, MAC_KEY_BYTE_COUNT);
+			System.out.println("macKey");
+			System.out.println(Arrays.toString(macKey));
+			char[] macChars = new char[macKey.length * 2];
+		    for ( int j = 0; j < macKey.length; j++ ) {
+		        int v = macKey[j] & 0xFF;
+		        macChars[j * 2] = hexArray[v >>> 4];
+		        macChars[j * 2 + 1] = hexArray[v & 0x0F];
+		    }
+			System.out.println(macChars);
+
+
+
+			// Verifying Message Authentication Code (aka mac/tag)
+
+			Mac macGenerator = Mac.getInstance(MAC_ALGORITHM, SECURITY_PROVIDER);
+
+			macGenerator.init(new SecretKeySpec(macKey, MAC_ALGORITHM));
+
+			byte[] expectedTag = macGenerator.doFinal(encryptedMessage);
+
+			if (!isArrayEqual(tag, expectedTag)) {
+
+				throw new RuntimeException("Bad Message Authentication Code!");
+
+			}
+
+			// Decrypting the message.
+
+			Cipher cipher = Cipher.getInstance(SYMMETRIC_ALGORITHM);
+
+			cipher.init( Cipher.DECRYPT_MODE, new SecretKeySpec(encryptionKey, SYMMETRIC_KEY_TYPE), new IvParameterSpec(SYMMETRIC_IV));
+
+			return new String(cipher.doFinal(encryptedMessage), DEFAULT_CHARSET);
+
+		} catch (JSONException | NoSuchAlgorithmException |NoSuchProviderException| InvalidKeySpecException | InvalidKeyException |NoSuchPaddingException
+
+			| InvalidAlgorithmParameterException | IllegalBlockSizeException |BadPaddingException e) {
+
+				throw new RuntimeException("Failed verifying/decrypting message", e);
+
+		}
+
+	}
+
+	private ECNamedCurveSpec generateECParameterSpec() {
+
+		ECNamedCurveParameterSpec bcParams =ECNamedCurveTable.getParameterSpec(EC_CURVE);
+
+		ECNamedCurveSpec params = new ECNamedCurveSpec(bcParams.getName(),bcParams.getCurve(),bcParams.getG(), bcParams.getN(), bcParams.getH(),bcParams.getSeed());
+
+		return params;
+
+	}
+
+	/**
+
+	* Fixed­timing array comparison.
+
+	*/
+
+	public static boolean isArrayEqual(byte[] a, byte[] b) {
+
+		if (a.length != b.length) {
+
+			return false;
+
+		}
+
+		int result = 0;
+
+		for (int i = 0; i < a.length; i++) {
+
+			result |= a[i] ^ b[i];
+
+		}
+
+		return result == 0;
+
+		}
+
+}
+```
+
+Java Test class
+
+```
+import static org.junit.Assert.assertEquals;import static org.junit.Assert.fail;
+
+import com.google.common.io.BaseEncoding;
+
+import org.bouncycastle.util.encoders.Base64;
+
+import org.json.JSONObject;
+
+import org.junit.Before;
+
+import org.junit.Test;
+
+import org.junit.runner.RunWith;
+
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link NetworkTokenDecryptionUtil}. */
+
+@RunWith(JUnit4.class)
+
+public class NetworkTokenDecryptionUtilTest {
+
+	/**
+
+	* Created with:
+
+	* <pre>
+
+	* openssl pkcs8 ­topk8 ­inform PEM ­outform PEM ­in merchant­key.pem ­nocrypt
+
+	* </pre>
+
+	*/
+
+	private static final String MERCHANT_PRIVATE_KEY_PKCS8_BASE64 =
+		"MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCPSuFr4iSIaQprjj" +
+
+		"chHPyDu2NXFe0vDBoTpPkYaK9dehRANCAATnaFz/vQKuO90pxsINyVNWojabHfbx" +
+
+		"9qIJ6uD7Q7ZSxmtyo/Ez3/o2kDT8g0pIdyVIYktCsq65VoQIDWSh2Bdm";
+
+	private static final String ENCRYPTED_PAYLOAD = "{"
+
+		+ "\"encryptedMessage\":\"PHxZxBQvVWwP\","
+
+		+ "\"ephemeralPublicKey\":\"BPhVspn70Zj2Kkgu9t8+ApEuUWsI\\/zos5whGCQBlgOkuYagOis7qsrcbQrcpr"
+
+		+ "jvTZO3XOU+Qbcc28FSgsRtcgQE=\","
+
+		+ "\"tag\":\"TNwa3Q2WiyGi\\/eDA4XYVklq08KZiSxB7xvRiKK3H7kE=\"}";
+
+	private NetworkTokenDecryptionUtil util;
+
+	@Before
+	public void setUp() {
+
+		NetworkTokenDecryptionUtil.setupSecurityProviderIfNecessary();
+		System.out.println("Merchant private key array");
+		System.out.println(MERCHANT_PRIVATE_KEY_PKCS8_BASE64);
+
+		util = NetworkTokenDecryptionUtil.createFromPkcs8EncodedPrivateKey( BaseEncoding.base64().decode(MERCHANT_PRIVATE_KEY_PKCS8_BASE64));
+
+	}
+
+	@Test
+	public void testShouldDecrypt() {
+
+		assertEquals("plaintext", util.verifyThenDecrypt(ENCRYPTED_PAYLOAD));
+
+	}
+
+	@Test
+	public void testShouldFailIfBadTag() throws Exception {
+
+		JSONObject payload = new JSONObject(ENCRYPTED_PAYLOAD);
+
+		byte[] tag = Base64.decode(payload.getString("tag"));
+		// Messing with the first byte
+
+		tag[0] = (byte) ~tag[0];
+
+		payload.put("tag", new String(Base64.encode(tag)));
+
+		try {
+
+			util.verifyThenDecrypt(payload.toString());
+
+			fail();
+
+		} catch (RuntimeException e) {
+
+			assertEquals("Bad Message Authentication Code!", e.getMessage());
+
+		}
+	}
+
+		@Test
+
+	public void testShouldFailIfEncryptedMessageWasChanged() throws Exception {
+
+		JSONObject payload = new JSONObject(ENCRYPTED_PAYLOAD);
+
+		byte[] encryptedMessage =
+
+		Base64.decode(payload.getString("encryptedMessage"));
+
+		// Messing with the first byte
+
+		encryptedMessage[0] = (byte) ~encryptedMessage[0];
+
+		payload.put("encryptedMessage", new
+
+		String(Base64.encode(encryptedMessage)));
+
+		try {
+
+			util.verifyThenDecrypt(payload.toString());
+
+			fail();
+
+		} catch (RuntimeException e) {
+
+			assertEquals("Bad Message Authentication Code!", e.getMessage());
+
+		}
+	}
+}
+```
+
+
+
+

data/test/initial_dev/test_data_private_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAj0rha+IkiGkKa443IRz8g7tjVxXtLwwaE6T5GGivXXoAoGCCqGSM49
+AwEHoUQDQgAE52hc/70CrjvdKcbCDclTVqI2mx328faiCerg+0O2UsZrcqPxM9/6
+NpA0/INKSHclSGJLQrKuuVaECA1kodgXZg==
+-----END EC PRIVATE KEY-----

data/test/initial_dev/test_data_token.json

@@ -0,0 +1,5 @@
+{
+"ephemeralPublicKey":"BPhVspn70Zj2Kkgu9t8+ApEuUWsI/zos5whGCQBlgOkuYagOis7qsrcbQrcprjvTZO3XOU+Qbcc28FSgsRtcgQE=",
+"encryptedMessage":"PHxZxBQvVWwP",
+"tag":"s9wa3Q2WiyGi/eDA4XYVklq08KZiSxB7xvRiKK3H7kE="
+}

data/test/payment_token_test.rb

@@ -0,0 +1,49 @@
+require "test_helper"
+
+class R2D2::PaymentTokenTest < Minitest::Test
+
+  def setup
+    fixtures = File.dirname(__FILE__) + "/fixtures/"
+    @token_attrs = JSON.parse(File.read(fixtures + "token.json"))
+    @private_key = File.read(fixtures + "private_key.pem")
+    @payment_token = R2D2::PaymentToken.new(@token_attrs)
+    @shared_secret = ['44a9715c18ebcb255af705f7332657420aca40604334a7d48a89baba18280a97']
+    @mac_key = ["d8976b95c980760d8ce3933994c6eda1"]
+    @symmetric_encryption_key = ["c7b2670dc0630edd0a9101dd5d70e4b2"]
+  end
+
+  def test_initialize
+    assert_equal @token_attrs["ephemeralPublicKey"], @payment_token.ephemeral_public_key
+    assert_equal @token_attrs["tag"], @payment_token.tag
+    assert_equal @token_attrs["encryptedMessage"], @payment_token.encrypted_message
+  end
+
+  def test_successful_decrypt
+    payment_data = JSON.parse(@payment_token.decrypt( @private_key))
+    assert_equal "4895370012003478", payment_data["dpan"]
+    assert_equal 12, payment_data["expirationMonth"]
+    assert_equal 2020, payment_data["expirationYear"]
+    assert_equal "3DS", payment_data["authMethod"]
+    assert_equal "AgAAAAAABk4DWZ4C28yUQAAAAAA=", payment_data["3dsCryptogram"]
+    assert_equal "07", payment_data["3dsEciIndicator"]
+  end
+
+  def test_shared_secret
+    priv_key = OpenSSL::PKey::EC.new(@private_key)
+    assert_equal @shared_secret, R2D2::PaymentToken.generate_shared_secret(priv_key, @payment_token.ephemeral_public_key).unpack('H*')
+  end
+
+  def test_derive_hkdf_keys
+    hkdf_keys = R2D2::PaymentToken.derive_hkdf_keys(@payment_token.ephemeral_public_key, @shared_secret[0])
+    assert_equal hkdf_keys[:symmetric_encryption_key].unpack('H*'), @symmetric_encryption_key
+    assert_equal hkdf_keys[:mac_key].unpack('H*'), @mac_key
+  end
+
+  def test_invalid_tag
+    @payment_token.tag = "SomethingBogus"
+    assert_raises R2D2::PaymentToken::TagVerificationError do
+      JSON.parse(@payment_token.decrypt( @private_key))
+    end
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,5 @@
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+require "r2d2"
+
+require "minitest/autorun"
+require "pry-byebug"

metadata

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: r2d2
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- Miki Rezentes
+- Ryan Daigle
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-05-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hkdf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Given an (encrypted) Android Pay token, verify and decrypt it
+email:
+- mrezentes@gmail.com
+- ryan.daigle@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".gitignore"
+- Gemfile
+- README.md
+- Rakefile
+- lib/r2d2.rb
+- lib/r2d2/payment_token.rb
+- lib/r2d2/version.rb
+- r2d2.gemspec
+- test/fixtures/private_key.pem
+- test/fixtures/public_key.pem
+- test/fixtures/token.json
+- test/initial_dev/test_data.md
+- test/initial_dev/test_data_private_key.pem
+- test/initial_dev/test_data_token.json
+- test/payment_token_test.rb
+- test/test_helper.rb
+homepage: https://github.com/spreedly/r2d2
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Android Pay payment token decryption library
+test_files:
+- test/fixtures/private_key.pem
+- test/fixtures/public_key.pem
+- test/fixtures/token.json
+- test/initial_dev/test_data.md
+- test/initial_dev/test_data_private_key.pem
+- test/initial_dev/test_data_token.json
+- test/payment_token_test.rb
+- test/test_helper.rb