sepafm 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d8d907ad1e367406e6f1a98af49893e5f6211b04
+  data.tar.gz: cc91cebf5cfc771b33e98c4136f948fde2626631
+SHA512:
+  metadata.gz: 812949f6537bfd6e1df79f7a58b74033593e0788aa99103016eba8f9e578e2dd073337a11f58ff4fca586812d4b4842690e807f0c692c1f4bdaec9900481b02f
+  data.tar.gz: e8a469ea127b5003583a99a1c2cfc593fdb53ecfc43b95046bab97c67f1e83d1d9d3844e8442e46b0d78f376fdab2aeb4687a1c5dedb3f9ab931b5af1a2b877e

data/.gitignore

@@ -0,0 +1,35 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+Gemfile.lock
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+vendor
+lib/debug.rb
+lib/CSR.csr
+lib/signing_key.pem
+lib/encrypting_key.pem
+lib/req_key.pem
+lib/danske
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
+
+# ms-crap
+*~
+
+# osx-crap
+.DS_Store
+
+#Coverage
+coverage

data/.ruby-version

@@ -0,0 +1 @@
+2.0.0-p247

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in sepa.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,8 @@
+The MIT License (MIT)
+Copyright (c) 2013 Devlab Oy, http://www.devlab.fi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,236 @@
+# Devlab / SEPA
+
+This project aims to create an open source implementation of SEPA Financial Messages using Web Services. Project implementation will be done in Ruby. We will also create a REST API for this module.
+
+## First milestone
+
+* Support for SEPA Web Services
+* Customer-to-Bank Statement. ISO standard "CustomerCreditTransferInitiationV03", XML schema "pain.001.001.03"
+* Bank-to-Customer Statement. ISO standard "BankToCustomerStatementV02", XML schema "camt.053.001.02"
+* Bank-to-Customer Debit/Credit Notification. ISO standard "BankToCustomerDebitCreditNotificationV02", XML schma "camt.054.001.02"
+* Update README
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'sepa'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install sepa
+
+## Usage
+
+### Communicating with the bank
+
+1. Require the gem:
+
+        require 'sepa'
+
+2. Define the hash that will be passed to the gem when initializing it:
+
+        params = {
+          bank: :nordea,
+          private_key_path: "path/to/key", (OR private_key_plain : "Your private key in plain text form ")
+          cert_path: "path/to/key", (OR cert_plain : "Your certificate in plain text form ")
+          command: :command_as_symbol,
+          customer_id: '11111111',
+          environment: 'PRODUCTION',
+          status: 'NEW',
+          target_id: '11111111A1',
+          language: 'FI',
+          file_type: 'TITO',
+          content: payload,
+          file_reference: "11111111A12006030329501800000014"
+        }
+
+3. Initialize a new instance of the client and pass the params hash
+
+        sepa_client = Sepa::Client.new(params)
+
+4. There is only one method that can be called after initializing the client:
+
+  * Returns the whole soap response as a savon response object:
+
+            response = client.send
+
+### Verifying the response
+
+* Check that the hashes match in the response
+
+        response.hashes_match?
+
+        # You can also provide an optional parameter verbose:true
+        # if you want to see which hashes failed to verify.
+
+        response.hashes_match?(verbose: true)
+
+* Check that the signature of the response is valid
+
+        response.signature_is_valid?
+
+* Extract the certificate from the response
+
+        # Will return an OpenSSL::X509::Certificate object
+        response.certificate
+
+* Check that the certificate is trusted against a root cert
+
+        # The root cert has to be of type OpenSSL::X509::Certificate
+        response.cert_is_trusted?(root_cert)
+
+### Verifying the application response
+
+1. Extract the application request from the request
+
+        ar = response.application_request
+
+* Check that the hashes match in the application response
+
+        ar.hashes_match?
+
+* Check that the signature of the application response is valid
+
+        ar.signature_is_valid?
+
+* Extract the certificate from the application response
+
+        # Will return an OpenSSL::X509::Certificate object
+        ar.certificate
+
+* Check that the certificate is trusted against a root cert
+
+        # The root cert has to be of type OpenSSL::X509::Certificate
+        ar.cert_is_trusted?(root_cert)
+
+### For downloading Nordea certificate
+
+1. Require the gem:
+
+        require 'sepa'
+
+2. Define the hash that will be passed to the gem when initializing it:
+
+        params = {
+          bank: :nordea,
+          command: :get_certificate,
+          customer_id: '11111111',
+          environment: 'TEST',
+          csr_path: "path_to_your_local_csr_file", (OR csr_plain: "your csr in plain text format")
+          service: 'service'
+        }
+
+3. Initialize a new instance of the client and pass the params hash
+
+        sepa_client = Sepa::Client.new(params)
+        sepa_client.call
+
+4. Save the certificate from the response into a local file
+
+### For downloading Danske bank certificates
+
+1. Require the gem:
+
+        require 'sepa'
+
+2. Define the hash that will be passed to the gem when initializing it:
+
+        params = {
+          bank: :danske,
+          target_id: 'Danske FI',
+          language: 'EN',
+          command: :get_bank_certificate,
+          bank_root_cert_serial: '1111110002',
+          customer_id: '360817',
+          environment: 'TEST',
+        }
+
+3. Initialize a new instance of the client and pass the params hash
+
+        sepa_client = Sepa::Client.new(params)
+        sepa_client.call
+
+4. Save the certificates from the response into a local file
+
+***
+
+### Parameter breakdown
+
+* bank : The bank you want to send the request to as a symbol. Either :nordea or :danske
+
+* private_key_plain: Your private key in plain text format
+
+* private_key_path: Path to your local private key file
+
+* cert_plain: Your certificate in plain text format.
+
+* cert_path: Path to your local certificate file
+
+* csr_plain: Your certificate signing request in plain text format
+
+* csr_path: Path to your local certificate signing request file
+
+* command: Either :download_file_list, :upload_file, :download_file, :get_user_info, :get_certificate or :get_bank_certificate, depending on what you want to do.
+
+* customer_id: Your personal id with the bank.
+
+* environment: Must be either PRODUCTION or TEST
+
+* status: For filtering stuff. Must be either NEW, DOWNLOADED or ALL
+
+* target_id: Some specification of the folder which to access in the bank.
+
+* language: Language must be either FI, EN or SV
+
+* file_type: File types to upload or download:
+
+  * LMP300 = Laskujen maksupalvelu (lähtevä)
+
+  * LUM2 = Valuuttamaksut (lähtevä)
+
+  * KTL = Saapuvat viitemaksut (saapuva)
+
+  * TITO = Konekielinen tiliote (saapuva)
+
+  * NDCORPAYS = Yrityksen maksut XML (lähtevä)
+
+  * NDCAMT53L = Konekielinen XML-tiliote (saapuva)
+
+  * NDCAMT54L = Saapuvat XML viitemaksu (saapuva)
+
+* content: The actual payload to send. The creation of this file may be supported by the client at some point.
+
+* file_reference: File reference for :download_file command
+
+* pin: Your personal pin-code provided by the bank
+
+* service: For testing value is service, otherwise ISSUER
+
+* bank_root_cert_serial: Serial number for Danske bank certificate download (1111110002)
+
+***
+
+### Parsing data from bank response xml
+Parsing based on specifications by Federation of Finnish Financial Services provided xml examples account statement [XML account statement](http://www.fkl.fi/teemasivut/sepa/tekninen_dokumentaatio/Dokumentit/FI_camt_053_sample.xml.xml) and debit credit notification [XML debit credit notification](http://www.fkl.fi/teemasivut/sepa/tekninen_dokumentaatio/Dokumentit/FI_camt_054_sample.xml.xml) and ISO20022 transaction reporting guide [ISO20022 Transaction reporting guide](http://www.fkl.fi/en/themes/sepa/sepa_documents/Dokumentit/ISO20022_Payment_Guide.pdf)
+* Hardcode wanted specs into app_response.rb methods get_account_statement_content/get_debit_credit_notification_content
+* Create new instance of ApplicationResponse
+* method get_account_statement_content takes a bank statement file (xml) as a parameter and returns selected info in a hash
+* method get_debit_credit_notification_content takes a debit credit notification file (xml) as a parameter and returns selected info in a hash
+* method animate_response takes a full application response xml as a parameter and parses data into objects, can be used to take out different formats of Content-field, without predefined parameter specs
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## License
+
+Released under the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'lib/sepa'
+  t.test_files = FileList['test/sepa/*_test.rb']
+  t.verbose = true
+end
+
+task :default => :test

data/lib/danske_get_bank_certificate_test.rb

@@ -0,0 +1,15 @@
+require 'sepa'
+
+params = {
+          bank: :danske,
+          target_id: 'Danske FI',
+          language: 'EN',
+          command: :get_bank_certificate,
+          bank_root_cert_serial: '1111110002',
+          customer_id: '360817',
+          environment: 'TEST',
+}
+
+sepa_client = Sepa::Client.new(params)
+
+sepa_client.send

data/lib/sepa/application_request.rb

@@ -0,0 +1,182 @@
+module Sepa
+  class ApplicationRequest
+    def initialize(params)
+      # Used by most, both Nordea and Danske
+      @command = check_command(params.fetch(:command))
+      @customer_id = params.fetch(:customer_id)
+      @environment = params.fetch(:environment)
+      @target_id = params[:target_id]
+      @status = params[:status]
+      @file_type = params[:file_type]
+      @content = params[:content]
+      @file_reference = params[:file_reference]
+
+      @private_key, @cert, @pin, @service, @csr, @hmac,
+        @bank_root_cert_serial,@request_id = ''
+
+      # Set values for the previously defined attributes
+      initialize_required_fields_per_request(params)
+    end
+
+    def get_as_base64
+      load_template(@command)
+      set_nodes_contents
+      # No signature for Certificate Requests
+      if @command != :get_certificate && @command != :get_bank_certificate
+        process_signature
+      end
+
+      Base64.encode64(@ar.to_xml)
+    end
+
+    private
+
+      def initialize_required_fields_per_request(params)
+        generic_commands = [:get_user_info, :upload_file, :download_file,
+                            :download_file_list]
+
+        case @command
+        when *generic_commands
+          @private_key = params.fetch(:private_key)
+          @cert = params.fetch(:cert)
+        when :get_certificate
+          @service = params[:service]
+          @pin = params[:pin]
+          @csr = params[:csr]
+          @hmac = create_hmac_seal(@pin,@csr)
+        when :get_bank_certificate
+          @pin = params[:pin]
+          @request_id = params[:request_id]
+          @bank_root_cert_serial = params[:bank_root_cert_serial]
+        end
+      end
+
+      def check_command(command)
+        valid_commands = [:get_certificate, :download_file_list, :download_file,
+                          :get_user_info, :upload_file, :download_file,
+                          :get_bank_certificate]
+        unless valid_commands.include?(command)
+          fail ArgumentError, "You didn't provide a proper command. " \
+            "Acceptable values are #{valid_commands.inspect}"
+        else
+          command
+        end
+      end
+      # Loads the application request template according to the command
+      def load_template(command)
+        template_dir = File.expand_path('../xml_templates/application_request',
+                                        __FILE__)
+
+        case command
+
+        when :get_certificate
+          path = "#{template_dir}/get_certificate.xml"
+        when :download_file_list
+          path = "#{template_dir}/download_file_list.xml"
+        when :get_user_info
+          path = "#{template_dir}/get_user_info.xml"
+        when :upload_file
+          path = "#{template_dir}/upload_file.xml"
+        when :download_file
+          path = "#{template_dir}/download_file.xml"
+        when :get_bank_certificate
+          path = "#{template_dir}/danske_get_bank_certificate.xml"
+        end
+
+        @ar = Nokogiri::XML(File.open(path))
+      end
+
+
+      def set_node(node, value)
+        @ar.at_css(node).content = value
+      end
+
+      # Set the nodes' contents according to the command
+      def set_nodes_contents
+        if @command != :get_bank_certificate
+          set_node("CustomerId", @customer_id)
+          set_node("Timestamp", Time.now.iso8601)
+          set_node("Environment", @environment)
+          set_node("SoftwareId", "Sepa Transfer Library version #{VERSION}")
+          set_node("Command",
+                   @command.to_s.split(/[\W_]/).map {|c| c.capitalize}.join)
+        end
+
+        case @command
+
+        when :get_certificate
+          set_node("Service", @service)
+          set_node("Content", Base64.encode64(@csr.to_der))
+          set_node("HMAC", Base64.encode64(@hmac).chop)
+        when :download_file_list
+          set_node("Status", @status)
+          set_node("TargetId", @target_id)
+          set_node("FileType", @file_type)
+        when :download_file
+          set_node("Status", @status)
+          set_node("TargetId", @target_id)
+          set_node("FileType", @file_type)
+          set_node("FileReference", @file_reference)
+        when :upload_file
+          set_node("Content", Base64.encode64(@content))
+          set_node("FileType", @file_type)
+          set_node("TargetId", @target_id)
+        when :get_bank_certificate
+          set_node("elem|BankRootCertificateSerialNo", @bank_root_cert_serial)
+          set_node("elem|Timestamp", Time.now.iso8601)
+          set_node("elem|RequestId", @request_id)
+        end
+      end
+
+      def create_hmac_seal(pin, csr)
+        hmacseal = OpenSSL::HMAC.digest('sha1',pin,csr.to_der)
+        hmacseal
+      end
+
+      def remove_node(doc, node, xmlns)
+        doc.at_css("xmlns|#{node}", 'xmlns' => xmlns).remove
+      end
+
+      def add_node_to_root(doc, node)
+        doc.root.add_child(node)
+      end
+
+      def calculate_digest(doc)
+        sha1 = OpenSSL::Digest::SHA1.new
+        Base64.encode64(sha1.digest(doc.canonicalize))
+      end
+
+      def add_value_to_signature(node, value)
+        node = @ar.at_css("dsig|#{node}",
+                          'dsig' => 'http://www.w3.org/2000/09/xmldsig#')
+        node.content = value
+      end
+
+      def calculate_signature(private_key)
+        sha1 = OpenSSL::Digest::SHA1.new
+        node = @ar.at_css("dsig|SignedInfo",
+                          'dsig' => 'http://www.w3.org/2000/09/xmldsig#')
+        signature = private_key.sign(sha1, node.canonicalize)
+        Base64.encode64(signature)
+      end
+
+      def format_cert(cert)
+        cert = cert.to_s
+        cert = cert.split('-----BEGIN CERTIFICATE-----')[1]
+        cert = cert.split('-----END CERTIFICATE-----')[0]
+        cert.gsub!(/\s+/, "")
+      end
+
+      def process_signature
+        signature_node = remove_node(@ar,
+                                     'Signature',
+                                     'http://www.w3.org/2000/09/xmldsig#')
+        digest = calculate_digest(@ar)
+        add_node_to_root(@ar, signature_node)
+        add_value_to_signature('DigestValue', digest)
+        signature = calculate_signature(@private_key)
+        add_value_to_signature('SignatureValue', signature)
+        add_value_to_signature('X509Certificate',format_cert(@cert))
+      end
+  end
+end

data/lib/sepa/application_response.rb

@@ -0,0 +1,123 @@
+module Sepa
+  class ApplicationResponse
+    def initialize(ar)
+      @ar = ar
+
+      if !@ar.respond_to?(:canonicalize)
+        fail ArgumentError,
+          "The application response you provided is not a valid Nokogiri::XML" \
+          " file."
+      elsif !valid_against_ar_schema?(@ar)
+        fail ArgumentError,
+          "The application response you provided doesn't validate against" \
+          " application response schema."
+      end
+    end
+
+    # Checks that the hash value reported in the signature matches the actual
+    # one.
+    def hashes_match?
+      ar = @ar.clone
+
+      digest_value = ar.at_css(
+        'xmlns|DigestValue',
+        'xmlns' => 'http://www.w3.org/2000/09/xmldsig#'
+      ).content.strip
+
+      ar.at_css(
+        "xmlns|Signature",
+        'xmlns' => 'http://www.w3.org/2000/09/xmldsig#'
+      ).remove
+
+      actual_digest = calculate_digest(ar)
+
+      if digest_value == actual_digest
+        true
+      else
+        false
+      end
+    end
+
+    # Extracts the X509 certificate from the application response.
+    def certificate
+      cert_value = @ar.at_css(
+        'xmlns|X509Certificate',
+        'xmlns' => 'http://www.w3.org/2000/09/xmldsig#'
+      ).content.gsub(/\s+/, "")
+
+      cert = process_cert_value(cert_value)
+
+      begin
+        OpenSSL::X509::Certificate.new(cert)
+      rescue => e
+        fail OpenSSL::X509::CertificateError,
+          "The certificate embedded in the application response could not be " \
+          "processed. It's most likely corrupted. " \
+          "OpenSSL had this to say: #{e}."
+          end
+    end
+
+    # Checks that the signature is signed with the private key of the
+    # certificate's public key.
+    def signature_is_valid?
+      node = @ar.at_css('xmlns|SignedInfo',
+                        'xmlns' => 'http://www.w3.org/2000/09/xmldsig#')
+
+      node = node.canonicalize
+
+      signature = @ar.at_css(
+        'xmlns|SignatureValue',
+        'xmlns' => 'http://www.w3.org/2000/09/xmldsig#'
+      ).content
+
+      signature = Base64.decode64(signature)
+
+      certificate.public_key.verify(OpenSSL::Digest::SHA1.new, signature, node)
+    end
+
+    # Checks that the certificate in the application response is signed with the
+    # private key of the public key of the certificate as parameter.
+    def cert_is_trusted?(root_cert)
+      if root_cert.subject == certificate.issuer
+        certificate.verify(root_cert.public_key)
+      else
+        fail SecurityError,
+          "The issuer of the certificate doesn't match the subject of the " \
+          "root certificate."
+      end
+    end
+
+    private
+
+      def calculate_digest(node)
+        sha1 = OpenSSL::Digest::SHA1.new
+
+        canon_node = node.canonicalize(
+          mode=Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0,
+          inclusive_namespaces=nil,with_comments=false
+        )
+
+        Base64.encode64(sha1.digest(canon_node)).gsub(/\s+/, "")
+      end
+
+      def valid_against_ar_schema?(doc)
+        schemas_path = File.expand_path('../../../lib/sepa/xml_schemas',
+                                        __FILE__)
+
+        Dir.chdir(schemas_path) do
+          xsd = Nokogiri::XML::Schema(IO.read('application_response.xsd'))
+          xsd.valid?(doc)
+        end
+      end
+
+      # Takes the certificate from the application response, adds begin and end
+      # certificate texts and splits it into multiple lines so that OpenSSL
+      # can read it.
+      def process_cert_value(cert_value)
+        cert = "-----BEGIN CERTIFICATE-----\n"
+        cert += cert_value.to_s.gsub(/\s+/, "").scan(/.{1,64}/).join("\n")
+        cert += "\n"
+        cert += "-----END CERTIFICATE-----"
+      end
+  end
+end