spreedly / gala

Ruby library for decrypting Apple Pay payment tokens
MIT License
41 stars, 24 forks

Check signature's signed time #10

Closed. ct-clearhaus closed this 10 months ago

ct-clearhaus commented 6 years ago

I hand-picked the number 5 to substitute for "few" in

If the time signature and the transaction time differ by more than a few minutes, it's possible that the token is a replay attack.

https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html

YMMV

Ref. https://github.com/spreedly/gala/pull/3#issuecomment-164321362

rwdaigle commented 6 years ago

@ct-clearhaus thank you for this!

Any clever ideas on how to create a test case around this functionality?

ct-clearhaus commented 6 years ago

Unfortunately I'm not familiar with test/unit (I couldn't even make the specs run locally; see below), but in rspec I'd amend test_failed_decrypt to hit the different InvalidSignatureErrors and e.g.

expect(Time).to receive(:now).twice.and_return(time)

and have time be just before the interval, just inside the interval and just after the interval.

Also, it would be nicer to adjust this PR to have

now = Time.now
raise InvalidSignatureError, "..." unless '...'.between?(now - 5*60, now + 5*60)

Couldn't make specs run:

$ docker run --rm -it -v $PWD:/gala ruby:2.4 bash
root@74d394cd3940:/# cd gala/
root@74d394cd3940:/gala# bundle install
Fetching gem metadata from https://rubygems.org/.........
Fetching https://github.com/Shopify/aead.git
Fetching rake 12.0.0
Installing rake 12.0.0
Fetching systemu 2.6.5
Installing systemu 2.6.5
Fetching macaddr 1.7.1
Installing macaddr 1.7.1
Using aead 1.8.2 from https://github.com/Shopify/aead.git (at 340e771@340e771)
Using bundler 1.16.1
Fetching coderay 1.1.2
Installing coderay 1.1.2
Using gala 0.3.1 from source at `.`
Fetching method_source 0.9.0
Installing method_source 0.9.0
Fetching pry 0.11.3
Installing pry 0.11.3
Bundle complete! 5 Gemfile dependencies, 9 gems now installed.
Bundled gems are installed into `/usr/local/bundle`
root@74d394cd3940:/gala# bundle exec rake test
/gala/test/payment_token_test.rb:2:in `require': cannot load such file -- test/unit (LoadError)
        from /gala/test/payment_token_test.rb:2:in `<top (required)>'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:15:in `require'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:15:in `block in <main>'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:4:in `select'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:4:in `<main>'
rake aborted!
Command failed with status (1)
/usr/local/bundle/gems/rake-12.0.0/exe/rake:27:in `<top (required)>'
/usr/local/bin/bundle:23:in `load'
/usr/local/bin/bundle:23:in `<main>'
Tasks: TOP => test
(See full trace by running task with --trace)
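
An added example, not code from the gala project or from anyone in this thread, of the check this PR proposes, written in Ruby since that is the library's language. It reads signingTime from the first SignerInfo of a PKCS#7 SignedData blob with OpenSSL::PKCS7::SignerInfo#signed_time, applies the hand-picked 5 minute window, and exercises the boundary cases (just inside, exactly on, and just outside the interval) by passing the clock in as a parameter instead of stubbing Time.now. The self-signed certificate and detached signature it builds are constructed stand-ins so the block runs offline; the method and constant names are the example's own, not gala's.

```ruby
require 'openssl'
require 'time'

# Example code, not gala's. Raised when the signature's signingTime is missing
# or falls outside the accepted window.
class SigningTimeError < StandardError; end

# The "few minutes" from Apple's documentation, hand-picked as 5 in the PR.
WINDOW_SECONDS = 5 * 60

# Returns the signingTime of the first SignerInfo in a DER- or PEM-encoded
# PKCS#7 SignedData structure. signingTime is a signed attribute, so this
# value is only trustworthy once the signature itself has been verified.
def signing_time(pkcs7_blob)
  p7 = OpenSSL::PKCS7.new(pkcs7_blob)
  signer = p7.signers.first
  raise SigningTimeError, 'signature carries no SignerInfo' unless signer
  signer.signed_time
end

# Raises unless signed_at lies in the closed interval
# [now - window, now + window]; `now` is injectable for tests.
def check_signing_time!(signed_at, now: Time.now, window: WINDOW_SECONDS)
  unless signed_at.between?(now - window, now + window)
    raise SigningTimeError,
          "signingTime #{signed_at.utc.iso8601} is more than #{window}s " \
          "from #{now.utc.iso8601}; possible replay"
  end
  true
end

# Boolean wrapper around check_signing_time! for table-style tests.
def signing_time_ok?(signed_at, now:, window: WINDOW_SECONDS)
  check_signing_time!(signed_at, now: now, window: window)
rescue SigningTimeError
  false
end

# Builds a throwaway self-signed certificate and a detached PKCS#7 signature
# over `payload` (constructed data). OpenSSL adds the signingTime signed
# attribute automatically, which is what the check above reads. A real
# Apple Pay token would carry Apple's signature instead of this one.
def sample_signature(payload = 'constructed payment token data')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=example signer')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  OpenSSL::PKCS7.sign(cert, key, payload, [], OpenSSL::PKCS7::DETACHED).to_der
end

if $PROGRAM_NAME == __FILE__
  der = sample_signature
  t   = signing_time(der)
  puts "signingTime: #{t.utc.iso8601}"
  # Walk the clock across the window edges, as the thread suggests for a test.
  [t - WINDOW_SECONDS - 1, t - WINDOW_SECONDS, t, t + WINDOW_SECONDS, t + WINDOW_SECONDS + 1].each do |now|
    puts "now=#{now.utc.iso8601} -> #{signing_time_ok?(t, now: now) ? 'accept' : 'reject'}"
  end
end
```

signingTime is encoded with one-second resolution, so the window is inclusive at exactly ±300 s and rejects at ±301 s; whichever convention a real implementation picks, the test should pin both edges. Note that the value compared here is Apple's signing clock, not the merchant's transaction time that the documentation mentions, so a merchant whose server clock drifts will see false rejections before any attacker does.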

rwdaigle commented 6 years ago

Ah, yes, fiddling with time. Good idea.

Re: test failures, if you rebase against latest, it should be Ruby 2.4 compatible.

ct-clearhaus commented 10 months ago

Replaced by https://github.com/spreedly/gala/pull/24.