From 3ba69d5f1b8591be79b8e3e6f7f85db809941777 Mon Sep 17 00:00:00 2001
From: Jakub Dubec
Date: Wed, 23 Feb 2022 12:36:14 +0100
Subject: [PATCH] Fixed response sign verification in the GPWebPay driver using DIGEST1

---
 CHANGELOG.md | 4 ++++
 README.md | 2 +-
 composer.json | 2 +-
 src/Chaching/Chaching.php | 2 +-
 src/Chaching/Drivers/GPwebpay/Response.php | 23 +++++++++++++++-------
 src/Chaching/Encryption/PemKeys.php | 4 ++--
 6 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 916a11b..f3e3d1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Changelog
 
+### v0.23.1: 2022/02/23
+
+Fixed signature verification in GPwebpay response.
+
 ### v0.23.0: 2022/02/11
 
 GPwebpay driver fills `ORDERNUMBER` with the microtime (as int) because this value have to be always unique. For the
diff --git a/README.md b/README.md
index cfaccb8..0edc127 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ The recommended way to install the library is to use [composer](http://getcompos
 
 {
     "require": {
-        "backbone/chaching": "0.23.0"
+        "backbone/chaching": "0.23.1"
     }
 }
 
diff --git a/composer.json b/composer.json
index 0b97ea4..432657d 100644
--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
 {
     "name": "backbone/chaching",
     "type": "library",
-    "version": "0.23.0",
+    "version": "0.23.1",
     "license": "MIT",
     "description": "Universal payment library for banking services in Slovakia",
     "keywords": [
diff --git a/src/Chaching/Chaching.php b/src/Chaching/Chaching.php
index 38e5333..1ddfca1 100644
--- a/src/Chaching/Chaching.php
+++ b/src/Chaching/Chaching.php
@@ -16,7 +16,7 @@
 
 class Chaching
 {
-	const VERSION = '0.22.1';
+	const VERSION = '0.23.1';
 
 	const CARDPAY = 'cardpay';
 	const SPOROPAY = 'sporopay';
diff --git a/src/Chaching/Drivers/GPwebpay/Response.php b/src/Chaching/Drivers/GPwebpay/Response.php
index a14af30..53e8ec6 100644
--- a/src/Chaching/Drivers/GPwebpay/Response.php
+++ b/src/Chaching/Drivers/GPwebpay/Response.php
@@ -28,14 +28,20 @@ public function __construct(Array $authorization, Array $attributes, Array $opti
 		$this->readonly_fields = [
 			'OPERATION', 'ORDERNUMBER', 'MERORDERNUM', 'MD', 'PRCODE',
-			'SRCODE', 'RESULTTEXT', 'DIGEST', 'DIGEST1'
+			'SRCODE', 'RESULTTEXT', 'DETAILS', 'USERPARAM1', 'ADDINFO',
+			'DIGEST', 'DIGEST1'
 		];
 
 		foreach ($this->readonly_fields as $field)
 		{
-			$this->fields[ $field ] = !empty($attributes[ $field ])
-				? $attributes[ $field ]
-				: NULL;
+			if(array_key_exists($field, $attributes))
+			{
+				$this->fields[ $field ] = $attributes[ $field ];
+			}
+			else
+			{
+				$this->fields[ $field ] = NULL;
+			}
 		}
 
 		$this->set_authorization($authorization);
 
@@ -54,11 +60,11 @@ public function __construct(Array $authorization, Array $attributes, Array $opti
 	 */
 	protected function validate()
 	{
-		if (!$this->verify($this->fields['DIGEST']))
+		if (!$this->verify($this->fields['DIGEST1']))
 			throw new \Chaching\Exceptions\InvalidResponseException(sprintf(
 				"Signature received as part of the response is incorrect (" .
 				"'%s'). If this persists contact the bank.",
-				$this->fields['DIGEST']
+				$this->fields['DIGEST1']
 			));
 
 		$this->variable_symbol = $this->fields['MERORDERNUM'] != NULL ? $this->fields['MERORDERNUM'] : $this->fields['ORDERNUMBER'];
@@ -73,10 +79,13 @@ protected function validate()
 	protected function verify($given_signature)
 	{
 		$signature_base = '';
-		$fields = array_slice($this->readonly_fields, 0, 7);
+		$fields = array_slice($this->readonly_fields, 0, 10);
 
 		foreach ($fields as $field)
 		{
+			if ($this->fields[ $field ] === NULL)
+				continue;
+
 			if (!empty($signature_base))
 			{
 				$signature_base .= '|';
diff --git a/src/Chaching/Encryption/PemKeys.php b/src/Chaching/Encryption/PemKeys.php
index 667bc65..777a431 100644
--- a/src/Chaching/Encryption/PemKeys.php
+++ b/src/Chaching/Encryption/PemKeys.php
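Review bot: Replacing `!empty()` with `array_key_exists()` in the constructor loop changes what verification sees: a parameter the gateway sends as an empty string is now stored as `''` instead of `NULL`, and the `=== NULL` skip added in the verify() hunk further down will then keep it in the signature base as an empty `|`-delimited segment. Whether that matches how the gateway builds DIGEST1 for present-but-empty optional parameters (DETAILS, USERPARAM1, ADDINFO) cannot be confirmed from this diff; if it does not, every response carrying such a field would be rejected. State the intended rule next to the `array_key_exists` branch, e.g. `// present-but-empty fields stay in the digest base; only absent fields are skipped`, and cover an empty optional field in a test. The constructor body continues outside the hunk.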
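Review bot: validate() now checks DIGEST1 but still accepts the response whenever `$this->verify(...)` returns anything truthy; the remainder of verify() and the PemKeys::verify() it appears to delegate to lie outside this hunk, and if the value is passed through from `openssl_verify()` unchanged, its `-1` error return (unreadable key file, malformed key) would be treated as a valid signature. Normalise where the result is produced, `return $result === 1;`, or compare explicitly here: `if ($this->verify($this->fields['DIGEST1']) !== TRUE)`. Per the gateway documentation, as I understand it, DIGEST1 differs from DIGEST in also covering the merchant number, which is what binds a signed response to this merchant; the signature base visible in the verify() hunk is built from the response fields only, so I assume the merchant number is appended after the loop, outside the hunk, otherwise every response would fail. The unchanged `$this->fields['MERORDERNUM'] != NULL` is a loose comparison that also treats `'0'` and `''` as absent; `!== NULL` is the test the surrounding code intends.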
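Review bot: `array_slice($this->readonly_fields, 0, 10)` in verify() couples the digest input to the exact position of DIGEST and DIGEST1 in the list declared in the constructor, which is why `7` had to become `10` in this commit and why the next field added will silently break verification again. Select by name instead, `$fields = array_diff($this->readonly_fields, ['DIGEST', 'DIGEST1']);`, so the two signature fields can never be folded into their own signature base. verify()'s body continues past the end of the hunk, so how the base is completed and handed to the key verifier is not visible here.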
@@ -38,8 +38,8 @@ public function verify($given_signature, $signature_base)
 			file_get_contents($this->authorization[ 1 ]['key'])
 		);
 
-		$signature = base64_encode($signature_base);
-		$result = openssl_verify($given_signature, $signature, $resource_id);
+		$given_signature = base64_decode($given_signature);
+		$result = openssl_verify($signature_base, $given_signature, $resource_id);
 
 		openssl_free_key($resource_id);