apple-pay's People

Contributors

andreicio, drealecs, fromsi, gxgpet, jamesgrant, sergeyzinder, trydocatch, willemstuursma

apple-pay's Issues

Private key

Hello,

How / where can I get the private key? Our payment provider seems to generate only a CSR, which we then upload to Apple.

Please advise
Thanks

Dedicated exception classes for various failure scenarios

It would be great to have dedicated exceptions for various failure scenarios. Now there is only DecodingFailedException. Other failure scenarios that could use their own exception class:

  • SignatureValidationFailedException - the signature is not valid or was not created using Apple's private key
  • PaymentDataExpiredException - the payment data has expired
  • DecryptingFailureException - the data cannot be decrypted using the private key provided.

Now, we have to resort to substring matching on the exception message.

Unable to load PKCS7 object. Can't get certificates

I'm getting 'Can't get certificates' error.
stack trace:
OpenSslService.php

    public function getCertificatesFromPkcs7($certificatePath) {
        $getCertificatesCommand = ['openssl', 'pkcs7', '-inform', 'DER', '-in', $certificatePath, '-print_certs'];
        $commandOutput = $this->runCommand($getCertificatesCommand);
        // This gives me 'Unable to load PKCS7 object'. I've tested it outside the script, storing $certificatePath file.
    }

PKCS7SignatureValidator.php

    private function extractCertificates($signature) {
        $pkcs7TemporaryFile = $this->temporaryFileService->createFile($signature);
        $certificates = $this->openSslService->getCertificatesFromPkcs7($pkcs7TemporaryFile->getPath());
    }

    public function validate(array $paymentData, $rootCertificatePath, $signatureExpirationTime) {
        $signature = base64_decode($paymentData['signature']);
        $certificates = $this->extractCertificates($signature);
    }

Could you please guide me in the right direction? As far as I can see, either my paymentData is wrong or that $signature saved into the file is not of *.p7b format (PKCS7)

PHP 8 support

Hi, we're using this library in one of our projects that should be upgraded to PHP8.
Do you plan to add PHP8 support in the near future?

Calculating the IV

Hi,
This is more a question. According to the payment token reference the IV is "the SHA-256 hash of your merchant ID string literal; 32 bytes in size". When I look at your merchantID it is "merchant.sandbox.payu".
How did you do the conversion of "merchant.sandbox.payu" to get
const IV = '00000000000000000000000000000000'
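
An added example, not part of the issue or of the library's code: in Apple's Payment Token Format Reference the SHA-256 hash of the merchant ID is the Party V Info input to the EC_v1 key derivation, while the AES-256-GCM IV is 16 null bytes. The sketch assumes the quoted constant is hex-encoded and that the 16-byte GCM tag trails the ciphertext; the function names and all sample inputs are constructed for illustration.

```php
<?php
// Added example. All inputs below are constructed; no real token or key is used.

/** Party V Info: raw 32-byte SHA-256 hash of the merchant ID string. */
function partyVInfo(string $merchantId): string
{
    return hash('sha256', $merchantId, true);
}

/** Single-round concatenation KDF (NIST SP 800-56A) with SHA-256: one block is the 32-byte key. */
function deriveSymmetricKey(string $sharedSecret, string $merchantId): string
{
    $otherInfo = "\x0D" . 'id-aes256-GCM'   // Algorithm ID
        . 'Apple'                            // Party U Info
        . partyVInfo($merchantId);           // Party V Info
    return hash('sha256', pack('N', 1) . $sharedSecret . $otherInfo, true);
}

/** AES-256-GCM with a 16-byte all-zero IV; assumed layout: ciphertext followed by 16-byte tag. */
function decryptPaymentData(string $key, string $data): string
{
    // A fixed IV is only acceptable because the key is derived fresh for every token.
    $iv = str_repeat("\x00", 16);
    $plain = openssl_decrypt(substr($data, 0, -16), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, $iv, substr($data, -16));
    if ($plain === false) {
        throw new RuntimeException('GCM authentication failed: wrong key or modified data');
    }
    return $plain;
}

// Constructed stand-in for the ECDH shared secret (32 bytes for P-256).
$sharedSecret = hash('sha256', 'constructed shared secret', true);
$key = deriveSymmetricKey($sharedSecret, 'merchant.sandbox.payu');

// Build a sample ciphertext the same way so the round trip runs offline.
$iv = str_repeat("\x00", 16);
$tag = '';
$cipher = openssl_encrypt('{"sample":"constructed"}', 'aes-256-gcm', $key,
    OPENSSL_RAW_DATA, $iv, $tag);

var_dump(strlen(partyVInfo('merchant.sandbox.payu')));          // length of the KDF input
var_dump(hex2bin('00000000000000000000000000000000') === $iv);  // hex zeros vs. raw IV bytes
echo decryptPaymentData($key, $cipher . $tag), PHP_EOL;
```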

Not compatible with symfony/process:^5.0

The package is not compatible with symfony/process:^5.0.

No need to work on it yourself, but I may open a PR one day to sort it out and would like it to be tracked here.

Failed OpenSSL Decoding Exception in Ubuntu 20.04 with Docker, Devilbox, and DigitalOcean

Hello,

I have been testing your implementation on Ubuntu 20.04, using Docker with Devilbox and DigitalOcean. Despite having OpenSSL installed, I am encountering the following exception: “Decoding failed: Openssl command failed. Is OpenSsl installed?”

I am unsure if this issue is related to temporary file problems, execution permissions, or something else. Any guidance on how to resolve this would be greatly appreciated.

Thank you for your time and assistance.

dump in extractCertificates PKCS7SignatureValidator
array:1 [ // vendor/payu/apple-pay/src/ApplePay/Decoding/PKCS7SignatureValidator.php:134
0 => "-rw------- 1 devilbox devilbox 73 Dec 2 14:59 /tmp/phpFLKgj8"
]
openssl version
OpenSSL 1.1.1w 11 Sep 2023 (Library: OpenSSL 1.1.1n 15 Mar 2022)

PEM/OpenSSL error

Hello!

Would you be able to advise me on this error?

CN = Apple Application Integration CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US *** error 20 at 1 depth lookup:unable to get local issuer certificate"
#code: 0
#file: "./vendor/payu/apple-pay/src/ApplePay/Decoding/OpenSSL/OpenSslService.php"
#line: 29
trace: {

Thank you!!!

Questions about the example

Hello :-),

In your example, there is a $privateKey variable:

https://github.com/PayU/apple-pay/blob/a7982095aabf97f4d74bb2b2fb5f1830ab3d00f5/examples/decode_token.php#L10-L11

The comment says it is the private key used to create the CSR. I don't get it. When creating the payment processing certificate, a .certSigningRequest file is generated and given to Apple, which, in turn, gives us a .cert file (https://help.apple.com/developer-account/#/devb2e62b839?sub=devf31990e3f). What information do we need to extract from what?

Thanks for your help!

OpenSSL v1.1.x upgrade impact on testability

OpenSSL introduced a tiny BC-break between v1.0.2 and v1.1.x: the command fails when validating an expired leaf certificate (unless the flag -no_check_time is passed):

# v1.0.2
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup:certificate has expired
OK

# v1.1.1
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup: certificate has expired
error leaf.pem: verification failed

$ openssl verify -no_check_time -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: OK

In the production flow this shouldn't be a problem, but when executing integration tests using a fixed token (with expired certs in the signature) with recent versions of OpenSSL, the process fails - you can test that by running the example script in this repo =)

My suggestion is to have an alternative implementation of the OpenSslService to be used for tests, which would verify the openssl version and add the flag.

What are your thoughts?
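
One way the suggestion above could look, as an added example that is not the library's code: a command builder that adds -no_check_time only when the caller explicitly opts in for expired test fixtures and the reported version accepts the flag. The function names are hypothetical, the 1.1.0 cut-off is an assumption, and LibreSSL or unparseable output never gets the flag.

```php
<?php
// Added example. Version strings are taken from the issues on this page,
// except the 1.0.2 line, which is constructed.

/** True when `openssl version` output names OpenSSL >= 1.1.0 (assumed cut-off for the flag). */
function supportsNoCheckTime(string $versionOutput): bool
{
    // LibreSSL and unparseable output fall through to false: no flag is added.
    if (!preg_match('/^OpenSSL (\d+\.\d+\.\d+)/', trim($versionOutput), $m)) {
        return false;
    }
    return version_compare($m[1], '1.1.0', '>=');
}

/** Builds the argv; time checks are relaxed only when the caller opts in for fixtures. */
function buildVerifyCommand(string $versionOutput, string $caFile, string $untrusted,
    string $leaf, bool $allowExpiredFixtures = false): array
{
    $command = ['openssl', 'verify'];
    if ($allowExpiredFixtures && supportsNoCheckTime($versionOutput)) {
        $command[] = '-no_check_time';
    }
    return array_merge($command, ['-CAfile', $caFile, '-untrusted', $untrusted, $leaf]);
}

$versions = [
    'OpenSSL 1.0.2u  20 Dec 2019',        // constructed sample
    'OpenSSL 1.1.1k FIPS 25 Mar 2021',
    'OpenSSL 1.1.1w 11 Sep 2023 (Library: OpenSSL 1.1.1n 15 Mar 2022)',
    'LibreSSL 2.8.3',
];

foreach ($versions as $version) {
    foreach ([false, true] as $fixtures) {
        $argv = buildVerifyCommand($version, 'apple-root-ca.pem', 'intermediate.pem',
            'leaf.pem', $fixtures);
        printf("%s | fixtures=%s | %s\n", $version, $fixtures ? 'yes' : 'no',
            implode(' ', $argv));
    }
}
```

Keeping the opt-in parameter false by default means a production call path cannot pick up the relaxed check by accident.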

Could not verify certificate on centos 8 php7.4 openssl 1.1.1k

I decrypted successfully on macOS Big Sur, but I could not decrypt on the backend server.

exception: Can't validate certificate chain

Symfony\Component\Process\Exception\ProcessFailedException: The command "'openssl' 'verify' '-CAfile' '../ApplePayCA.pem' '-untrusted' '/tmp/phpcgCT7A' '/tmp/phpou32WH'" failed.

Exit Code: 2(Misuse of shell builtins)

Working directory: /path/.../public

Output:
================
error /tmp/phpou32WH: verification failed


Error Output:
================
CN = Apple Application Integration CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US
error 20 at 1 depth lookup: unable to get local issuer certificate
 in /path/.../vendor/symfony/process/Process.php:269

on mac:
openssl version

LibreSSL 2.8.3
openssl version -a
LibreSSL 2.8.3
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

on centos 8:
openssl version

OpenSSL 1.1.1k FIPS 25 Mar 2021
openssl version -a
OpenSSL 1.1.1k FIPS 25 Mar 2021
built on: Thu Dec 2 16:40:48 2021 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM=""/dev/urandom"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
