spreedly / gala

Ruby library for decrypting Apple Pay payment tokens
MIT License

Use OpenSSL gem, drop aead dependency and support for old Ruby versions #9

Closed dankimio closed 6 years ago

dankimio commented 7 years ago

This pull request drops the aead dependency by using Ruby's openssl gem, which supports iv_len for AEAD ciphers. Therefore, there's no need to fetch the forked version of aead and maintain Gemfile.lock.

However, the openssl gem works only with Ruby 2.3 or later. I suggest that this pull request be merged into a separate branch unless there's no goal to support old Ruby versions (in which case it can be safely merged into master after testing).

mt-clearhaus commented 6 years ago

FWIW, you could also consider having the decryption in C and making a binding to it 🙂 I am exploring the possibility here: https://github.com/clearhaus/aes256gcm_decrypt

rwdaigle commented 6 years ago

@dankimio Thank you for this!

I've run into an issue that is only resolved if ruby >= 2.4:

irb(main):002:0> cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
=> #<OpenSSL::Cipher:0x00007fe8e6813e00>
irb(main):003:0> cipher.iv_len
=> 12
irb(main):004:0> cipher.iv_len=2
NoMethodError: undefined method `iv_len=' for #<OpenSSL::Cipher:0x00007fe8e6813e00>

Normally just bumping the ruby requirement from 2.3 to 2.4 would be no big deal, but we're currently locked to 2.3 internally here at Spreedly. Not a blocker, but I'm going to investigate some other options here to see if we can have both (broader ruby compatibility and no unsupported aead dependency).

Stay tuned 👍

rwdaigle commented 6 years ago

Went ahead and branched based on Ruby version. Current master, v0.4.0 and later, and all future dev will be on Ruby 2.4. v0.3.2 and prior, and the legacy-ruby branch, support Ruby 2.3 and lower.
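The iv_len= call this PR relies on, and which rwdaigle's irb session shows is missing before Ruby 2.4, is what lets the stock openssl gem handle an IV that is not OpenSSL's 12-byte GCM default. The following is an added example, not gala's own code: the AES-256-GCM decrypt path with the IV length set explicitly, exercised against constructed sample data (a fixed key and a 16-byte all-zero IV; Ruby 2.4 or later assumed).

```ruby
require 'openssl'

# Added example, not gala's code: decrypt AES-256-GCM with only the openssl gem,
# setting the IV length explicitly as this PR does. Cipher#iv_len= needs Ruby 2.4+.
# OpenSSL's GCM default IV length is 12, so a 16-byte IV must be declared first.
def aes256gcm_decrypt(key:, iv:, ciphertext:, tag:)
  raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
  raise ArgumentError, 'tag must be 16 bytes' unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv_len = iv.bytesize # must precede iv= whenever the IV is not 12 bytes
  cipher.iv = iv
  cipher.auth_tag = tag       # set before final so the tag is verified there
  # No auth_data= call: this example uses no additional authenticated data.
  # final raises OpenSSL::Cipher::CipherError on a tag mismatch; that exception
  # is the only signal that the ciphertext or tag was altered.
  cipher.update(ciphertext) + cipher.final
end

# Encrypt side, used only to build constructed test data (gala never encrypts).
def aes256gcm_encrypt(key:, iv:, plaintext:)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  cipher.iv_len = iv.bytesize
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, cipher.auth_tag] # 16-byte tag
end

# Constructed sample values: a fixed key and a 16-byte all-zero IV.
SAMPLE_KEY = ("\x01".b * 32).freeze
SAMPLE_IV  = ("\x00".b * 16).freeze
SAMPLE_PT  = '{"applicationPrimaryAccountNumber":"constructed"}'.freeze

# True when encrypt then decrypt with a 16-byte IV returns the original text.
def roundtrip_ok?
  ct, tag = aes256gcm_encrypt(key: SAMPLE_KEY, iv: SAMPLE_IV, plaintext: SAMPLE_PT)
  aes256gcm_decrypt(key: SAMPLE_KEY, iv: SAMPLE_IV, ciphertext: ct, tag: tag) == SAMPLE_PT
end

# True when a single flipped tag bit is rejected instead of yielding plaintext.
def tamper_detected?
  ct, tag = aes256gcm_encrypt(key: SAMPLE_KEY, iv: SAMPLE_IV, plaintext: SAMPLE_PT)
  bad_tag = tag.dup; bad_tag.setbyte(0, bad_tag.getbyte(0) ^ 0x01)
  aes256gcm_decrypt(key: SAMPLE_KEY, iv: SAMPLE_IV, ciphertext: ct, tag: bad_tag)
  false
rescue OpenSSL::Cipher::CipherError
  true
end
```

Without the iv_len= line, iv= rejects a 16-byte IV with "iv must be 12 bytes", which is the behaviour the aead gem had been papering over.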