beatty / applepay_crypto_demo Goto Github PK

Seems like the conversion to ECPrivateKey does not work, the var type is ECPrivateKey but still throws this exception on:
public static byte[] decrypt(...
keyAgreement.init(merchantPrivateKey);

Exception in thread "main" java.security.InvalidKeyException: ECKeyAgreement requires ECPrivateKey
at org.bouncycastle.jce.provider.JCEECDHKeyAgreement.engineInit(Unknown Source)
at javax.crypto.KeyAgreement.init(KeyAgreement.java:461)
at javax.crypto.KeyAgreement.init(KeyAgreement.java:435)
at com.johndbeatty.applepay.Main.decrypt(Main.java:113)
at com.johndbeatty.applepay.Main.main(Main.java:104)

Any idea how to fix?

I am facing this issue while executing the line
"cipher.init(Cipher.DECRYPT_MODE, keySpec,new IvParameterSpec(IV));"

Error:
java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec@1984b1f

Thanks, in advance

As the title Please ask your seniors how to solve this problem

I redone the cert, exported the key, etc， is also a problem

Can you help me see what part of me is wrong?

I would also like to ask how I can get the OID 1.2.840.113635.100.6.32

with bcprov-jdk16 (from 1.45 to 1.49 ) and bcpkix-jdk16 (from 1.45 to 1.49), running the following code:

PEMReader pemReaderPublic = new PEMReader(new StringReader(ephemeralPubKeyStr)); 
ECPublicKey ephemeralPublicKey = (ECPublicKey) pemReaderPublic.readObject(); 

the 'ephemeralPublicKey' was null. Debug into the code:

private PublicKey readPublicKey(String endMarker)
        throws IOException
    {
        KeySpec keySpec = new X509EncodedKeySpec(readBytes(endMarker));
        String[] algorithms = { "DSA", "RSA" };
        for (int i = 0; i < algorithms.length; i++) 
        {
            try 
            {
                KeyFactory keyFact = KeyFactory.getInstance(algorithms[i], provider);
                PublicKey pubKey = keyFact.generatePublic(keySpec);
                return pubKey;
            }
            catch (NoSuchAlgorithmException e) 
            { 
                // ignore
            }
            catch (InvalidKeySpecException e) 
            { 
                // ignore
            }
            catch (NoSuchProviderException e)
            {
                throw new RuntimeException("can't find provider " + provider);
            }
        }
        return null;
    }

' PublicKey pubKey = keyFact.generatePublic(keySpec);' always fall into 'InvalidKeySpecException'

My abc.cer certificates contains OID = 1.xxxxxxxxxx.5.

byte[] merchantIdentifierTlv = merchantCertificate.getExtensionValue("1.xxxxxxxxxx.5");

this always gives null value.
please note :xxxxxxxx = some value. I have just morphed it (for some security re seasons).

Any chance we will see the signature verification in the sample? :)

I tried...

    //Parse payment token here...

    System.out.println("Signature: " + signatureStr);
    System.out.println("Data: " + data);
    System.out.println("Transaction Id: " + transactionId);
    System.out.println("Ephemeral Key: " + ephemeralKey);
    System.out.println("Concat: " + concat);


    Signature sig = Signature.getInstance("SHA256withECDSA", "BC");
    sig.initSign(merchantPrivateKey);
    sig.update(concat.getBytes());
    byte[] signature = sig.sign();
    System.out.println(Base64.encodeBase64String(signature));

But it doesn't seem to match...

Hi,

I am using artifact bcprov-jdk15on with version 1.56 and class org.bouncycastle.openssl.PEMReader is missing. Can you please suggest how to solve this.

Hi,

I noticed that in the public static byte[] decrypt... method in main.java, the partyV is set to the merchantIdentifier whereas as per Apple spec (https://developer.apple.com/library/ios/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html), it should be the SHA256 hash of the merchant identifier. Has this been observed or I've misunderstood the spec?

Thanks for you this:
The merchantPrivateKey is neither .cer nor .p12, but the processed .p12!

Is that so?

once you have the decrypted data, what all do you need to pass it to apple pay enabled gateways? Is the pan and expiry sufficient or do you have to somehow get the other data there too?

I got this exception whenever I tried to decrypt the payment token

paymentTokenFilename = "payment_token.json";
merchantPkcFilename = "merchant.cer";
pkcs12Filename = "Certificates.p12";    //set .p12 password to "test"


return cipher.doFinal(ciphertext); throws this exception

Exception in thread "main" javax.crypto.BadPaddingException: mac check in GCM failed
at org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at com.wp.applepay.Main.decrypt(Main.java:133)
at com.wp.applepay.Main.main(Main.java:105)

Any help as to what am doing wrong ?

Thank you

Hello,

I've been trying to decrypt the apple pay token with beatty/applepay_crypto_demo program.

I loaded the message.json file, the .p12 file and the .cer files in the appropriate parts of the code, but I got an exception message as in,

Exception in thread "main" java.io.IOException: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(JDKPKCS12KeyStore.java:716)
at java.security.KeyStore.load(Unknown Source)
at Main.loadPrivateKey(Main.java:178)
at Main.main(Main.java:116)

when I tried and followed some online helper forums, now its throwing another exception,

Exception in thread "main" java.io.IOException: exception unwrapping private key - java.security.InvalidKeyException: Illegal key size
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.unwrapKey(Unknown Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)
at Main.loadPrivateKey(Main.java:158)
at Main.main(Main.java:110)

I'm really led out of this place here. Its really important to get this thing working. Am I doing something wrong here?? can someone help me out of this situation please. Its really important, any thoughts would be appreciated. Thanks in advance.