search

spreedly / gala

Ruby library for decrypting Apple Pay payment tokens
MIT License
41 stars 24 forks source link

Verify token signature #1

Closed rwdaigle closed 8 years ago

rwdaigle commented 9 years ago

Per step one here

Verify the signature as follows:

  • Ensure that the certificates contain the correct custom OIDs: 1.2.840.113635.100.6.29 for the leaf certificate and 1.2.840.113635.100.6.2.14 for the intermediate CA. The value for these marker OIDs doesn’t matter, only their presence.
  • Ensure that the root CA is the Apple Root CA - G3. This certificate is available from apple.com/certificateauthority.
  • Ensure that there is a valid X.509 chain of trust from the signature to the root CA. Specifically, ensure that the signature was created using the private key corresponding to the leaf certificate, that the leaf certificate is signed by the intermediate CA, and that the intermediate CA is signed by the Apple Root CA - G3.
  • Ensure that the signature is a valid ECDSA signature (ecdsa-with-SHA256 1.2.840.10045.4.3.2) of the concatenated values of the ephemeralPublicKey, data, transactionId, and applicationData keys. Inspect the CMS signing time of the signature, as defined by section 11.3 of RFC 5652. If the time signature and the transaction time differ by more than a few minutes, it's possible that the token is a replay attack.
mrezentes commented 8 years ago

https://github.com/spreedly/gala/compare/verify?expand=1

rwdaigle commented 8 years ago

@mrezentes can we go ahead and make it a PR pls?

mrezentes commented 8 years ago

I have squashed the commits, tests are passing and I am ready to merge. My only question is about deploying core. I am guessing that I need to bundle, run tests, make empty commit with test message and deploy? @rwdaigle

rwdaigle commented 8 years ago

We should create a separate issue in Core to discuss the specifics of that. But, there is some work we need to do there to properly expose the new sig validation error case... On Mon, Dec 14, 2015 at 2:34 PM Miki Rezentes notifications@github.com wrote:

I have squashed the commits, tests are passing and I am ready to merge. My only question is about deploying core. I am guessing that I need to bundle, run tests, make empty commit with test message and deploy? @rwdaigle https://github.com/rwdaigle

— Reply to this email directly or view it on GitHub https://github.com/spreedly/gala/issues/1#issuecomment-164536160.