cardInfo is now fundingAccountInfo

Bug Report Checklist

• Have you provided a code sample to reproduce the issue?
• Have you tested with the latest release to confirm the issue still exists?
• Have you searched for related issues/PRs?
• What's the actual output vs expected output?

Description
I am trying to invoke FLD Mastercard Submit API, I am using field level encryption lib in order to encrypt a the following payload on sandbox env and I am getting internal server error, and after checking with master card team they told me that they are getting an error: decryption key is missing in the request hoewever it exists in the config payload:
{ "paths": {"$": {"toEncrypt": {"$": "$"}, "toDecrypt": {"$": "$"}}}, "ivFieldName": "iv", "encryptedKeyFieldName": "encryptedKey", "encryptedValueFieldName": "encryptedValue", "oaepPaddingDigestAlgorithmFieldName": "oaepPaddingDigestAlgorithm", "oaepPaddingDigestAlgorithm": "SHA256", "dataEncoding": "hex", "decryptionKey": "Path/to/p12.file", "decryptionKeyPassword": "keystorepassword", "encryptionCertificate": "path/to/pemfile", "encryptionKeyFingerprintFieldName": "encryptionKeyFingerprint", "encryptionKeyFingerprint": "FINGEPRINT", "encryptionCertificateFingerprintFieldName": "encryptionCertificateFingerprint", "encryptionCertificateFingerprint": "FINGERPRINT", }

To Reproduce
Steps to reproduce the behavior.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
I have used the same keys in the developed java application and it worked fine, however I didn't provide the decryption key in the config payload, as it is not required for this endpoints
https://sandbox.api.mastercard.com/fld/confirmed-frauds/mastercard-frauds

Related issues/PRs
Has a similar issue/PR been reported/opened before?
No
Suggest a fix/enhancement
If you can't fix the bug yourself, perhaps you can point to what might be causing the problem (line of code or commit), or simply make a suggestion.

Hi,

I am trying to run MDES tokenize api against sandbox as below and getting error for hash mismatch. I am attaching the code so if any one can help debug. I am not sharing keys.

./tokenize.sh
{
"Errors": {
"Error": [
{
"Source": "Gateway",
"ReasonCode": "INVALID_BODY_HASH",
"Description": "The provided oauth_body_hash does not match the SHA256 hash of the request payload. Calculated: 8gvc07EIynBEDNsawysKl3cd+LbHDylpYlDiaX0Rbz8=, Received: 01NcCrM7J5FOzJrJiGs+5+UMnkZ5S5iveHoxY3inu+A=",
"Recoverable": false,
"Details": null
}
]
}
code.txt

}

There has been a recent vulnerability found in Cryptography 41.0.0 which requires an upgrade to at least 42.0.0. However you have pinned pyopenssl to <=23.2.0 and Cryptography 42.0.0 requires pyopenssl 23.3.0. Additionally this mastercard library uses the load_pkcs12 functionality which has been deprecated in pyopenssl version 23.3.0. Due to these dependencies we have been unable to upgrade to the latest Cryptography version. I have also raised this issue with another of your python libraries: Mastercard/oauth1-signer-python#52

• github link to Cryptography vulnerability: GithubLink
• cve link to Cryptography vulnerability: CVELink

Please upgrade the mastercard client-encryption-python library to support openssl version 23.3.0

Running pipdeptree after install of the mastercard client-encryption-library shows that this library is pinning the pyopenssl version meaning that cryptography 42.0.0 is not supported

mastercard-client-encryption==1.9.0
├── pycryptodome [required: >=3.8.1, installed: 3.20.0]
├── pyOpenSSL [required: >=22.1.0,<=23.2.0, installed: 23.2.0]
│ └── cryptography [required: >=38.0.0,<42,!=40.0.1,!=40.0.0, installed: 41.0.7]
│ └── cffi [required: >=1.12, installed: 1.16.0]
│ └── pycparser [required: Any, installed: 2.21]

The issue seems to be on this line: https://github.com/Mastercard/client-encryption-python/blob/main/setup.py#L25 where the pyOpenSSL library version is restricted. Please update your library to support a minumum of pyOpenSSL 23.3.0 (so that Cryptography 42.0.0 can be installed)

We recently went live with Issuer-Initiated Digitization for MDES.

The implementation wasn't flawless though. One issue that came up - it seems like MC is expecting publicKeyFingerprint to be the SHA1 fingerprint of the certificate. However, the FieldLevelEncryptionConfig.__compute_fingerprint method only returns the SHA256 fingerprint.

In the "MDES Issuer Implementation Guide" (dated 5/12/2021) on page 101, the example payload shows a SHA1 fingerprint in publicKeyFingerprint.

I'm happy to submit a PR for this but wondering if any maintainers have feedback.

The logic for padding removal from JWE encryption is incorrect. The current code merely strips unprintable characters regardless if they belong to the padding or not:

For AES GCM this isn't an issue because the padding removal is handled automatically.
For modes that do care about padding (e.g. AES CBC) this is blindly removing characters under the assumption that A) they belong to the padding and B) that the padding is valid. This allows an attacker to spoof data much more easily because the padding is never validated and invalid JSON characters are being silently removed.

The pycryptodome library that this package uses contains padding utilities. I strongly recommend you use them.