changes for MLE Request for HTTP Signature

Author: monu-kumar-visa

src/authentication/core/MerchantConfig.js

@@ -4,6 +4,8 @@ var Constants = require('../util/Constants');
 var Logger = require('../logging/Logger');
 var ApiException = require('../util/ApiException');
 var LogConfiguration = require('../logging/LogConfiguration');
+var path = require('path');
+var fs = require('fs');
 
 /**
  * This function has all the merchentConfig properties getters and setters methods
@@ -80,6 +82,7 @@ function MerchantConfig(result) {
     this.useMLEGlobally = result.useMLEGlobally;
     this.mapToControlMLEonAPI = result.mapToControlMLEonAPI;
     this.mleKeyAlias = result.mleKeyAlias; //mleKeyAlias is optional parameter, default value is "CyberSource_SJC_US".
+    this.mleForRequestPublicCertPath = result.mleForRequestPublicCertPath;
 
     /* Fallback logic*/
     this.defaultPropValues();
@@ -415,6 +418,14 @@ MerchantConfig.prototype.setMleKeyAlias = function setMleKeyAlias(mleKeyAlias) {
     this.mleKeyAlias = mleKeyAlias;
 }
 
+MerchantConfig.prototype.getMleForRequestPublicCertPath = function getMleForRequestPublicCertPath() {
+    return this.mleForRequestPublicCertPath;
+}
+
+MerchantConfig.prototype.setMleForRequestPublicCertPath = function setMleForRequestPublicCertPath(mleForRequestPublicCertPath) {
+    this.mleForRequestPublicCertPath = mleForRequestPublicCertPath;
+}
+
 MerchantConfig.prototype.runEnvironmentCheck = function runEnvironmentCheck(logger) {
 
     /*url*/
@@ -610,25 +621,34 @@ MerchantConfig.prototype.defaultPropValues = function defaultPropValues() {
 
     //useMLEGlobally check for auth Type
     if (this.useMLEGlobally === true || this.mapToControlMLEonAPI != null) {
-        if (this.useMLEGlobally === true && this.authenticationType.toLowerCase() !== Constants.JWT) {
-            ApiException.ApiException("MLE is only supported in JWT auth type", logger);
-        }
+        // if (this.useMLEGlobally === true && this.authenticationType.toLowerCase() !== Constants.JWT) {
+        //     ApiException.ApiException("MLE is only supported in JWT auth type", logger);
+        // }
 
         if (this.mapToControlMLEonAPI != null && typeof (this.mapToControlMLEonAPI) !== "object") {
             ApiException.ApiException("mapToControlMLEonAPI in merchantConfig should be key value pair", logger);
         }
 
-        if (this.mapToControlMLEonAPI != null && Object.keys(this.mapToControlMLEonAPI).length !== 0) {
-            var hasTrueValue = false;
-            for (const[key, value] of Object.entries(this.mapToControlMLEonAPI)) {
-                if (value === true) {
-                    hasTrueValue = true;
-                    break;
-                }
-            }
-            if (hasTrueValue && this.authenticationType.toLowerCase() !== Constants.JWT) {
-                ApiException.ApiException("MLE is only supported in JWT auth type", logger);
-            }
+        // if (this.mapToControlMLEonAPI != null && Object.keys(this.mapToControlMLEonAPI).length !== 0) {
+        //     var hasTrueValue = false;
+        //     for (const[key, value] of Object.entries(this.mapToControlMLEonAPI)) {
+        //         if (value === true) {
+        //             hasTrueValue = true;
+        //             break;
+        //         }
+        //     }
+        //     if (hasTrueValue && this.authenticationType.toLowerCase() !== Constants.JWT) {
+        //         ApiException.ApiException("MLE is only supported in JWT auth type", logger);
+        //     }
+        // }
+    }
+
+    if (this.mleForRequestPublicCertPath !== null && this.mleForRequestPublicCertPath !== undefined) {
+        var certFile = path.resolve(path.join(this.mleForRequestPublicCertPath));
+        try {
+            fs.accessSync(certFile, fs.constants.R_OK);
+        } catch (err) {
+            ApiException.ApiException("mleForRequestPublicCertPath file is not readable or does not exist" + ": " + certFile, logger);
         }
     }
 

src/authentication/logging/SensitiveDataTags.js

@@ -34,6 +34,7 @@ exports.getSensitiveDataTags = function () {
     tags.push("signature");
     tags.push("prefix");
     tags.push("bin");
+    tags.push("encryptedRequest");
 
     return tags;
 }

src/authentication/util/Cache.js

@@ -6,6 +6,8 @@ var cache = require('memory-cache');
 var path = require('path');
 var Constants = require('./Constants');
 var ApiException = require('./ApiException');
+var Logger = require('../logging/Logger');
+var Utility = require('./Utility');
 
 
 /**
@@ -77,3 +79,169 @@ exports.fetchPEMFileForNetworkTokenization = function(merchantConfig) {
     }
     return cache.get("privateKeyFromPEMFile");
 }
+
+
+exports.getRequestMLECertFromCache = function(merchantConfig) {
+    var logger = Logger.getLogger(merchantConfig, 'Cache');
+    var merchantId = merchantConfig.getMerchantID();
+    var cacheKey = null;
+    var mleCertPath = null;
+    if (merchantConfig.getMleForRequestPublicCertPath() !== null && merchantConfig.getMleForRequestPublicCertPath() !== undefined) {
+        cacheKey =  merchantId + Constants.MLE_CACHE_IDENTIFIER_FOR_CONFIG_CERT;
+        mleCertPath = merchantConfig.getMleForRequestPublicCertPath();
+    } else if (Constants.JWT === merchantConfig.getAuthenticationType().toLowerCase()) {
+        mleCertPath = path.resolve(path.join(merchantConfig.getKeysDirectory(), merchantConfig.getKeyFileName() + '.p12'));
+        try {
+            fs.accessSync(mleCertPath, fs.constants.R_OK);
+        } catch (err) {
+            logger.warn("MLE certificate file not found or not readable: " + mleCertPath);
+            return null;
+        }
+        cacheKey =  merchantId + Constants.MLE_CACHE_IDENTIFIER_FOR_P12_CERT;
+    } else {
+        logger.debug("The certificate to use for MLE for requests is not provided in the merchant configuration. Please ensure that the certificate path is provided.");
+        return null;
+    }
+    return getMLECertBasedOnCacheKey(merchantConfig, cacheKey, mleCertPath);
+
+}
+
+function getMLECertBasedOnCacheKey(merchantConfig, cacheKey, mleCertPath) {
+    var cachedMLECert = cache.get(cacheKey);
+    var logger = Logger.getLogger(merchantConfig, 'Cache');
+    if (cachedMLECert === null || cachedMLECert === undefined || cachedMLECert.fileLastModifiedTime !== fs.statSync(mleCertPath).mtimeMs) {
+        logger.debug("MLE certificate not found in cache or has been modified. Loading from file: " + mleCertPath);
+        setupMLECache(merchantConfig, cacheKey, mleCertPath);
+    } else {
+        logger.debug("MLE certificate found in cache for key: " + cacheKey);
+    }
+    return cache.get(cacheKey).mleCert;
+}
+
+function setupMLECache(merchantConfig, cacheKey, mleCertPath) {
+    var fileLastModifiedTime = fs.statSync(mleCertPath).mtimeMs;
+    var mleCert = null;
+    if  (cacheKey.endsWith(Constants.MLE_CACHE_IDENTIFIER_FOR_CONFIG_CERT)) {
+        mleCert = loadCertificateFromPem(merchantConfig, mleCertPath);
+    }
+    else if (cacheKey.endsWith(Constants.MLE_CACHE_IDENTIFIER_FOR_P12_CERT)) {
+        mleCert = loadCertificateFromP12(merchantConfig, mleCertPath);
+    }
+    cache.put(cacheKey, {
+        mleCert: mleCert,
+        fileLastModifiedTime: fileLastModifiedTime
+    });
+    validateCertificateExpiry(mleCert, merchantConfig.getMleKeyAlias(), cacheKey, merchantConfig);
+}
+
+
+function loadCertificateFromP12(merchantConfig, mleCertPath) {
+    const logger = Logger.getLogger(merchantConfig, 'Cache');
+    try {
+        // Read the P12 file as before
+        var p12Buffer = fs.readFileSync(mleCertPath);
+        var p12Der = forge.util.binary.raw.encode(new Uint8Array(p12Buffer));
+        var p12Asn1 = forge.asn1.fromDer(p12Der);
+        var p12Cert = forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, merchantConfig.getKeyPass());
+        
+        // Extract the certificate from the P12 container
+        var certBags = p12Cert.getBags({ bagType: forge.pki.oids.certBag });
+        if (certBags && certBags[forge.pki.oids.certBag] && certBags[forge.pki.oids.certBag].length > 0) {
+            // Process all certificates in the P12 file
+            var certs = [];
+            for (var i = 0; i < certBags[forge.pki.oids.certBag].length; i++) {
+                var cert = certBags[forge.pki.oids.certBag][i].cert;
+                var certPem = forge.pki.certificateToPem(cert);
+                certs.push(certPem);
+            }
+            
+            // Try to find the certificate by alias among all certificates
+            var mleCert =  Utility.findCertificateByAlias(certs, merchantConfig.getMleKeyAlias());
+            return forge.pki.certificateFromPem(mleCert);
+        } else {
+            throw new Error("No certificate found in P12 file");
+        }
+    } catch (error) {
+        ApiException.ApiException(error.message + ". " + Constants.INCORRECT_KEY_PASS, logger);
+    }
+}
+
+function loadCertificateFromPem(merchantConfig, mleCertPath) {
+    try {
+        const logger = Logger.getLogger(merchantConfig, 'Cache');
+        var pemData = fs.readFileSync(mleCertPath, 'utf8');
+        var certs = Utility.loadPemCertificates(pemData);
+        var mleCert = null;
+        if (!certs || certs.length === 0) {
+            throw new Error("No valid PEM certificates found in the provided path : " + mleCertPath);
+        }
+        try {
+            mleCert = Utility.findCertificateByAlias(certs, merchantConfig.getMleKeyAlias());
+            
+        } catch (error) {
+            logger.warn("No certificate found for the specified mleKeyAlias '" + merchantConfig.getMleKeyAlias() + "'. Using the first certificate from file " + mleCertPath + " as the MLE request certificate.");
+            mleCert = certs[0];
+        }
+        // Use node forge to parse the PEM certificate
+        var forgeCert = forge.pki.certificateFromPem(mleCert);
+        return forgeCert;
+    } catch (error) {
+        ApiException.AuthException("Error occurred while loading MLE certificate from PEM file : " + error.message);
+    }
+}
+
+function validateCertificateExpiry(certificate, keyAlias, cacheKey, merchantConfig) {
+    var logger = Logger.getLogger(merchantConfig, 'Cache');
+    
+    var warningMessageForNoExpiryDate = "Certificate does not have expiry date";
+    var warningMessageForCertificateExpiringSoon = "Certificate with alias {} is going to expire on {}. Please update the certificate before then.";
+    var warningMessageForExpiredCertificate = "Certificate with alias {} is expired as of {}. Please update the certificate.";
+
+    if (cacheKey.endsWith(Constants.MLE_CACHE_IDENTIFIER_FOR_CONFIG_CERT)) {
+        warningMessageForNoExpiryDate = "Certificate for MLE Requests does not have expiry date from mleForRequestPublicCertPath in merchant configuration.";
+        warningMessageForCertificateExpiringSoon = "Certificate for MLE Requests with alias {} is going to expire on {}. Please update the certificate provided in mleForRequestPublicCertPath in merchant configuration before then.";
+        warningMessageForExpiredCertificate = "Certificate for MLE Requests with alias {} is expired as of {}. Please update the certificate provided in mleForRequestPublicCertPath in merchant configuration.";
+    }
+
+    if (cacheKey.endsWith(Constants.MLE_CACHE_IDENTIFIER_FOR_P12_CERT)) {
+        warningMessageForNoExpiryDate = "Certificate for MLE Requests does not have expiry date in the P12 file.";
+        warningMessageForCertificateExpiringSoon = "Certificate for MLE Requests with alias {} is going to expire on {}. Please update the P12 file before then.";
+        warningMessageForExpiredCertificate = "Certificate for MLE Requests with alias {} is expired as of {}. Please update the P12 file.";
+    }
+
+    // Get the certificate's notAfter date (expiry date)
+    var notAfter = null;
+    try {
+        // All certificates are now in PEM format
+        if (certificate.validity && certificate.validity.notAfter) {
+            notAfter = certificate.validity.notAfter;
+        } else {
+            logger.warn("Unknown certificate format. Cannot extract expiry date.");
+        }
+    } catch (error) {
+        logger.warn("Error extracting certificate expiry date: " + error.message);
+        return;
+    }
+
+    if (!notAfter) {
+        // Certificate does not have an expiry date
+        logger.warn(warningMessageForNoExpiryDate);
+    } else {
+        var now = new Date();
+        
+        if (notAfter < now) {
+            // Certificate is already expired
+            var expiredMessage = warningMessageForExpiredCertificate.replace("{}", keyAlias).replace("{}", notAfter.toISOString().split('T')[0]);
+            logger.warn(expiredMessage);
+        } else {
+            // Calculate days until expiry
+            var timeToExpire = notAfter.getTime() - now.getTime();
+            var daysToExpire = Math.floor(timeToExpire / Constants.FACTOR_DAYS_TO_MILLISECONDS);
+            
+            if (daysToExpire < Constants.CERTIFICATE_EXPIRY_DATE_WARNING_DAYS) {
+                var expiringMessage = warningMessageForCertificateExpiringSoon.replace("{}", keyAlias).replace("{}", notAfter.toISOString().split('T')[0]);
+                logger.warn(expiringMessage);
+            }
+        }
+    }
+};

src/authentication/util/Constants.js

@@ -29,6 +29,8 @@ module.exports = {
     CERTIFICATE_EXPIRY_DATE_WARNING_DAYS : 90,
     FACTOR_DAYS_TO_MILLISECONDS       :  24 * 60 * 60 * 1000,
     DEFAULT_MLE_ALIAS_FOR_CERT        :  "CyberSource_SJC_US",
+    MLE_CACHE_IDENTIFIER_FOR_CONFIG_CERT : "_mleCertFromMerchantConfig",
+    MLE_CACHE_IDENTIFIER_FOR_P12_CERT : "_mleCertFromP12",
 
     OLD_RUN_ENVIRONMENT_CONSTANTS     :  ["CYBERSOURCE.ENVIRONMENT.SANDBOX", "CYBERSOURCE.ENVIRONMENT.PRODUCTION",
         "CYBERSOURCE.IN.ENVIRONMENT.SANDBOX", "CYBERSOURCE.IN.ENVIRONMENT.PRODUCTION"],