Amazon Pay Java SDK 3.7.0

Author: Shangamesh T

CHANGES.txt

@@ -1,3 +1,9 @@
+Version 3.7.0 - March 2021
+- Fixed following two security risks :
+1. Deprecated setSecretKey(String) method & enabled setSecretKey(char[]) in Config & PayConfig
+2. Buyer Access token is passed as HTTP header instead of query parameter in URL for GetUserInfo API
+- Note: Consumers of previous SDK versions strongly recommended to update data type of secret key from string to char[] as of this SDK Version 3.7.0. Please check the link : https://www.techiedelight.com/why-character-array-preferred-over-string-storing-passwords/ to know why char array is preferred over string for string. 
+
 Version 3.6.5 - January 2021
 - Added additional attribute (expectImmediateAuthorization) to ConfirmOrderReference. This value can be set to true or false (Boolean). See Amazon Pay Strong Customer Authentication (SCA) Upgrade Integration Guide for more information.
 

README.md

@@ -25,7 +25,7 @@ import com.amazon.pay.impl.PayConfig;
 ```java
 String merchantId = "YOUR_MERCHANT_ID";
 String accessKey = "YOUR_ACCESS_KEY";
-String secretKey = "YOUR_SECRET_Key";
+char[] secretKey = getSecretKey() // Replace with your implementation
 
 Config config = new PayConfig()
                 .withSellerId(merchantId)

dist/amazon-pay-3.6.5.jar dist/amazon-pay-3.7.0.jar

@@ -4,7 +4,7 @@
     <groupId>com.amazon.pay</groupId>
     <artifactId>amazon-pay-java-sdk</artifactId>
     <packaging>jar</packaging>
-    <version>3.6.5</version>
+    <version>3.7.0</version>
     <dependencies>
         <dependency>
             <groupId>commons-codec</groupId>

pom.xml

@@ -74,7 +74,7 @@ public interface Config {
     /**
      * @return Returns SecretKey from PayConfig
      */
-    String getSecretKey();
+    char[] getSecretKey();
 
     /**
      * @return Returns the MerchantId/SellerId from PayConfig
@@ -138,9 +138,16 @@ public interface Config {
     void setRegion(Region region);
 
     /**
+     * @deprecated(since = "3.7.0") This method is deprecated, instead use setSecretKey(char[] secretAccessKey)
      * @param secretAccessKey Sets SecretKey in PayConfig
      */
+    @Deprecated
     void setSecretKey(String secretAccessKey);
+    
+    /**
+     * @param secretAccessKey Sets SecretKey in PayConfig
+     */
+    void setSecretKey(char[] secretAccessKey);
 
     /**
      * @param sellerId Sets MerchantId/SellerId in PayConfig

src/com/amazon/pay/Config.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/exceptions/AmazonClientException.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/exceptions/AmazonServiceException.java

@@ -916,7 +916,7 @@ public  ReverseProviderCreditResponseData reverseProviderCredit(ReverseProviderC
     @Override
     public User getUserInfo(String accessToken , String clientId) throws AmazonServiceException, IOException {
 
-        final String decodedAccessToken = URLDecoder.decode(accessToken, "UTF-8");
+        final String decodedAccessToken = URLDecoder.decode(accessToken, ServiceConstants.UTF_8);
         String profileEndpoint;
 
         if (payConfig.getOverrideProfileURL() != null) {
@@ -930,23 +930,23 @@ public User getUserInfo(String accessToken , String clientId) throws AmazonServi
         }
 
         Map<String,String> headerValues = new HashMap<String, String>();
-        ResponseData response = Util.httpSendRequest("GET" , profileEndpoint + "/auth/o2/tokeninfo?access_token=" + decodedAccessToken, null, headerValues, null);
+        headerValues.put(ServiceConstants.X_AMZ_ACCESS_TOKEN, decodedAccessToken);
+        ResponseData response = Util.httpSendRequest(ServiceConstants.GET, profileEndpoint + ServiceConstants.AUTH_O2_TOKENINFO_URI, null, headerValues, null);
 
         Map m = Util.convertJsonToObject(response.toXML(), Map.class);
-        if (m.containsKey("error")) {
-            throw new AmazonServiceException("Retrieving User Info Failed. "+(String)m.get("error_description"));
+        if (m.containsKey(ServiceConstants.ERROR)) {
+            throw new AmazonServiceException("Retrieving User Info Failed. " + (String)m.get(ServiceConstants.ERROR_DESCRIPTION));
         }
 
         if (clientId == null || !clientId.equals(m.get("aud"))) {
             //the access token does not belong to us
             throw new AmazonClientException("Access token does not belong to clientId: " + clientId);
         }
 
-        headerValues.put("Authorization", "bearer " + decodedAccessToken);
-        response = Util.httpSendRequest("GET" , profileEndpoint + "/user/profile", null, headerValues);
+        response = Util.httpSendRequest(ServiceConstants.GET , profileEndpoint + ServiceConstants.USER_PROFILE_URI, null, headerValues);
         m = Util.convertJsonToObject(response.toXML() , Map.class);
-        if (m.containsKey("error")) {
-            throw new AmazonServiceException("Retrieving User Info Failed. " + (String)m.get("error_description"));
+        if (m.containsKey(ServiceConstants.ERROR)) {
+            throw new AmazonServiceException("Retrieving User Info Failed. " + (String)m.get(ServiceConstants.ERROR_DESCRIPTION));
         }
 
         final User user = Util.convertJsonToObject(response.toXML() , User.class);

src/com/amazon/pay/impl/PayClient.java

@@ -26,7 +26,7 @@
 public class PayConfig implements Config  {
 
     private String accessKey;
-    private String secretKey;
+    private char[] secretKey;
     private String merchantId;
     private Region region;
     private Environment environment;
@@ -143,27 +143,46 @@ public PayConfig withAccessKey(String accessKey) {
      *
      */
     @Override
-    public String getSecretKey() {
+    public char[] getSecretKey() {
         return secretKey;
     }
 
 
     /**
-     *
+     * @deprecated(since = "3.7.0") This method is deprecated, instead use setSecretKey(char[] secretKey)
      * @param secretKey - Sets SecretKey in PayConfig
      */
     @Override
+    @Deprecated
     public void setSecretKey(String secretKey) {
-        this.secretKey = secretKey;
+        this.secretKey = secretKey.toCharArray();
     }
+    
+    /**
+    * @param secretKey - Sets SecretKey in PayConfig
+    */
+   @Override
+   public void setSecretKey(char[] secretKey) {
+       this.secretKey = secretKey;
+   }
 
 
     /**
-     *
+     * @deprecated(since = "3.7.0") This method is deprecated, instead use withSecretKey(char[] privateKey)
      * @param secretKey - Sets SecretKey in PayConfig
      * @return Returns updated PayConfig object
      */
+   @Deprecated
     public PayConfig withSecretKey(String secretKey) {
+        this.secretKey = secretKey.toCharArray();
+        return this;
+    }
+    
+    /**
+     * @param secretKey - Sets SecretKey in PayConfig
+     * @return Returns updated PayConfig object
+     */
+    public PayConfig withSecretKey(char[] secretKey) {
         this.secretKey = secretKey;
         return this;
     }
@@ -605,7 +624,7 @@ private PayConfig loadConfigurationFromProperties(Properties prop) {
                         this.setAccessKey(prop.getProperty(property));
                         break;
                     case SECRET_KEY:
-                        this.setSecretKey(prop.getProperty(property));
+                        this.setSecretKey(prop.getProperty(property).toCharArray());
                         break;
                     case MERCHANT_ID:
                         this.setSellerId(prop.getProperty(property));
@@ -681,7 +700,7 @@ private PayConfig loadConfigurationFromProperties(Properties prop) {
     private boolean checkIfRequriedPropertiesExist() {
         if (this.accessKey == null)
             generateException(Key.ACCESS_KEY);
-        else if (this.secretKey == null)
+        else if (this.secretKey == null || this.secretKey.length == 0)
             generateException(Key.SECRET_KEY);
         else if (this.merchantId == null)
             generateException(Key.MERCHANT_ID);
@@ -711,7 +730,6 @@ private void generateException(Key propertyKey) {
     public String toString() {
         return "PayConfig{" +
                 "accessKeyId=" + accessKey +
-                ", secretAccessKey=" + secretKey +
                 ", sellerId=" + merchantId +
                 ", region=" + region +
                 ", environment=" + environment +

src/com/amazon/pay/impl/PayConfig.java

@@ -30,9 +30,13 @@
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.net.URLEncoder;
+import java.nio.ByteBuffer;
+import java.nio.CharBuffer;
+import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.text.SimpleDateFormat;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -70,11 +74,12 @@ public class Util {
      *
      * @return signatureBase64 base64 encoded signature using specified secret key
      */
-    public static String getSignature(String stringToSign, String secretKey) throws IllegalStateException, InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
-        Mac mac = Mac.getInstance("HmacSHA256");
-        mac.init(new SecretKeySpec(secretKey.getBytes("UTF-8"), "HmacSHA256"));
-        byte[] signature = mac.doFinal(stringToSign.getBytes("UTF-8"));
-        String signatureBase64 = new String(Base64.encodeBase64(signature), "UTF-8");
+    public static String getSignature(String stringToSign, char[] secretKey) throws IllegalStateException, InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
+        final ByteBuffer byteBuffer = Charset.forName(ServiceConstants.UTF_8).encode(CharBuffer.wrap(secretKey));
+        final Mac mac = Mac.getInstance(ServiceConstants.HMAC_SHA256);
+        mac.init(new SecretKeySpec(Arrays.copyOf(byteBuffer.array(), byteBuffer.limit()), ServiceConstants.HMAC_SHA256));
+        final byte[] signature = mac.doFinal(stringToSign.getBytes(ServiceConstants.UTF_8));
+        final String signatureBase64 = new String(Base64.encodeBase64(signature), ServiceConstants.UTF_8);
         return signatureBase64;
     }
 
@@ -159,6 +164,9 @@ public static ResponseData httpSendRequest(String method, String url, String url
     public static ResponseData httpSendRequest(String method, String url, String urlParameters, Map<String,String> headers, PayConfig config) throws IOException {
 
         Map<String,String> headerMap = new HashMap<String,String>();
+        if (headers != null) {
+            headerMap.putAll(headers);
+        }
 
         if (config != null) {
 

src/com/amazon/pay/impl/Util.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/impl/ipn/NotificationFactory.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/impl/ipn/NotificationVerification.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/AuthorizeRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/CancelOrderReferenceRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/CaptureRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/ChargeRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/CloseAuthorizationRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/CloseBillingAgreementRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/CloseOrderReferenceRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/CreateOrderReferenceForIdRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetAuthorizationDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetBillingAgreementDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetCaptureDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetOrderReferenceDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetProviderCreditDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetProviderCreditReversalDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/GetRefundDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/ListOrderReferenceRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/RefundRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/ReverseProviderCreditRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/SetOrderReferenceDetailsRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.

src/com/amazon/pay/request/ValidateBillingAgreementRequest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License").
  * You may not use this file except in compliance with the License.