Closed leroy-j closed 4 years ago
Hi,
The text you quoted gave above is the description for "Party V Info" which is a "SHA-256 hash of your merchant ID". This is different from IV which is an initialization vector.
They are even used in diferrent places. "Party V Info" is being used in \PayU\ApplePay\Decoding\Decoder\ApplePayEccDecoder::getKdfInfo for restoring the symmetric key while the IV is used later for the actual decoding.
Hi, I really appreciate your response. I have one more question: The decoding instructions from apple payment token reference, step 2 says
"Use the value of the publicKeyHash key to determine which merchant public key was used by Apple, and then retrieve the corresponding merchant public key certificate and private key."
In your code /PayU-EMEA/apple-pay/blob/master/examples/decode_token.php you are using the private key used to create the CSR instead using the publicKeyHash in the payment token data to get to the private key value. Since I dont have the private key used to create my CSR, Should I extract the private key from my Payment Processing Certificate and use this value for my private key OR
should I use this process:
payment token reference:https://developer.apple.com/library/archive/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html Payment Token Format Reference - Apple Inc.https://developer.apple.com/library/archive/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html Payment Token Format Reference. A payment token is created by the Secure Element based on a payment request. The payment token has a nested structure, as shown in Figure 1-1.. Figure 1-1 Structure of a payment token. The Secure Element encrypts the token’s payment data using either elliptic curve cryptography (ECC) or RSA encryption. developer.apple.com
From: Daniel Cata notifications@github.com Sent: Sunday, March 8, 2020 4:38 AM To: PayU-EMEA/apple-pay apple-pay@noreply.github.com Cc: leroy-j johnodread01@hotmail.com; Author author@noreply.github.com Subject: Re: [PayU-EMEA/apple-pay] Calculating the IV (#12)
Hi,
The text you quoted gave above is the description for "Party V Info" which is a "SHA-256 hash of your merchant ID". This is different from IV which is an initialization vector.
They are even used in diferrent places. "Party V Info" is being used in \PayU\ApplePay\Decoding\Decoder\ApplePayEccDecoder::getKdfInfo for restoring the symmetric key while the IV is used later for the actual decoding.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FPayU-EMEA%2Fapple-pay%2Fissues%2F12%3Femail_source%3Dnotifications%26email_token%3DAJEVOP4YEDRJYN77KM7FS6LRGNRQHA5CNFSM4LDEASUKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOERBSI%23issuecomment-596185289&data=02%7C01%7C%7Cdef41403c6f748ba4e8808d7c3446af5%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637192570922474728&sdata=OTjCQeZhT6bEbvMJMdzkcsTJfOiHb3MAiASpMiLjzJQ%3D&reserved=0, or unsubscribehttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAJEVOP2K4RJW6B3LBJXR5A3RGNRQHANCNFSM4LDEASUA&data=02%7C01%7C%7Cdef41403c6f748ba4e8808d7c3446af5%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637192570922484739&sdata=UG3QMFpiBqR%2Fn9BnQQrppqfH0M%2FiegeL%2BnwEHdXR86c%3D&reserved=0.
"Since I dont have the private key used to create my CSR, Should I extract the private key from my Payment Processing Certificate and use this value"
The Payment Processing Certificate does not contain the private key. PPC is generated based on a CSR. To generate a CSR you need a private key. So without having the initial private key, you can't decode any Payment Token.
"In your code /PayU-EMEA/apple-pay/blob/master/examples/decode_token.php you are using the private key used to create the CSR instead using the publicKeyHash"
This library assumes you already have the private key. So the step in which you should see which private key to use based on public key hash should be done outside this library, before calling the ApplePayDecodingService
Daniel, I appreciate this. I have learned a lot more abt ssl certificates and cryptography in the last week to better understand how they all work together. Once I learned that the private key is created before and used when creating the CSR, it was easy to use your library successfully. I am able to decrypt the tokens
I hope you dont mind I wish to learn some more. Apple has this line in the token reference:
I think it is asking us to determine the hash of the public key of the payment processing certificate then compare it to the value at the publicKeyHash key. If there is a match then continue. I was looking for that logic your library. Was that done outside of the library and does it make sense to add that logic to the library
In this file /ApplePay/Decoding/Decoder/ApplePayEccDecoder.php, you are setting const IV = '00000000000000000000000000000000'; Where is this value coming from. Is it a 0 byte string?
In this file /ApplePay/Decoding/Decoder/Algorithms/Ecc.php we are generating the symetricKey. would you mind explaining what is happening in these lines 2 and 3? 1... $hashRes = hash_init('sha256'); 2... hash_update ( $hashRes, base64_decode('AAAA')); 3... hash_update ( $hashRes, base64_decode('AQ==')); 4... hash_update ( $hashRes, $sharedSecretBin); 5...hash_update ( $hashRes, $kdfInfo);
From: Daniel Cata notifications@github.com Sent: Wednesday, March 18, 2020 2:05 AM To: PayU-EMEA/apple-pay apple-pay@noreply.github.com Cc: leroy-j johnodread01@hotmail.com; Author author@noreply.github.com Subject: Re: [PayU-EMEA/apple-pay] Calculating the IV (#12)
"Since I dont have the private key used to create my CSR, Should I extract the private key from my Payment Processing Certificate and use this value"
The Payment Processing Certificate does not contain the private key. PPC is generated based on a CSR. To generate a CSR you need a private key. So without having the initial private key, you can't decode any Payment Token.
"In your code /PayU-EMEA/apple-pay/blob/master/examples/decode_token.php you are using the private key used to create the CSR instead using the publicKeyHash"
This library assumes you already have the private key. So the step in which you should see which private key to use based on public key hash should be done outside this library, before calling the ApplePayDecodingService
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FPayU-EMEA%2Fapple-pay%2Fissues%2F12%23issuecomment-600458416&data=02%7C01%7C%7Cf035b6bceb214b9c417308d7cb0aba52%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637201119235222444&sdata=lLVuIjr9qMFa7iE1RM3nAsSbhWkM%2BJ2%2FNgeO%2FZC4SBU%3D&reserved=0, or unsubscribehttps://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAJEVOPYS7KSYZSPZCN5TEWLRIBXDFANCNFSM4LDEASUA&data=02%7C01%7C%7Cf035b6bceb214b9c417308d7cb0aba52%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637201119235222444&sdata=g%2F4Ul5NOFTGrFcGMKYCWMVzUJkqVoGtvTmRKBi3vdl4%3D&reserved=0.
Hi,
Below are my answers:
"Was that done outside of the library and does it make sense to add that logic to the library"
The scope of this library is to decode tokens from ApplePay. So it assumes you already have what you need...and that is the payment token and the private key. So adding here logic to find the right private key is out of the scope of this library. Also, depending on how everyone is storing their keys, there might already be logic in those systems for getting the right key. So we'd only add code that won't be used here.
"Where is this value coming from. Is it a 0 byte string?"
It is a hexadecimal value of a 16 bytes long null characters string. Instead of this we could have used "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
"we are generating the symetricKey. would you mind explaining what is happening in these lines 2 and 3?"
I recommed you first read more about ECC Encryption. Maybe start with this: https://cryptobook.nakov.com/asymmetric-key-ciphers/ecc-encryption-decryption
Daniel, I really want to thank you for being such a great resource
Hi, This is more a question. According to the payment token reference the IV is "the SHA-256 hash of your merchant ID string literal; 32 bytes in size". When I look at your merchantID it is "merchant.sandbox.payu". How did you do the conversion of "merchant.sandbox.payu" to get const IV = '00000000000000000000000000000000'