From 43e99277c78a6cf485d1e24fee1338cc53fddbe6 Mon Sep 17 00:00:00 2001 From: Lito Date: Thu, 3 Dec 2015 00:39:47 +0100 Subject: [PATCH] Improved SHA256 integration --- README.md | 2 +- src/Redsys/Tpv/Curl.php | 4 +- src/Redsys/Tpv/Debug.php | 4 +- src/Redsys/Tpv/Signature.php | 40 ++++++++++++--- src/Redsys/Tpv/Tpv.php | 98 +++++++++++++++++++++++++----------- src/autoload.php | 3 +- 6 files changed, 110 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 1334879..351c20d 100644 --- a/README.md +++ b/README.md @@ -131,7 +131,7 @@ $TPV = new Redsys\Tpv\Tpv($config); # Realizamos la comprobación de la transacción try { - $datos = $TPV->checkTransaction($_POST); + $datos = $TPV->checkTransactionXml($_POST); } catch (Exception $e) { die(file_put_contents(__DIR__.'/logs/errores-tpv.log', $e->getMessage(), FILE_APPEND)); } diff --git a/src/Redsys/Tpv/Curl.php b/src/Redsys/Tpv/Curl.php index f72aa11..827718b 100644 --- a/src/Redsys/Tpv/Curl.php +++ b/src/Redsys/Tpv/Curl.php @@ -1,7 +1,9 @@ ['.$last['line'].'] '.$row.''; - echo '
'; var_dump($info); echo '
'; + echo '
';
+        var_dump($info);
+        echo '
'; } public static function dd($info, $title = '') diff --git a/src/Redsys/Tpv/Signature.php b/src/Redsys/Tpv/Signature.php index 4814e97..0d3cbeb 100644 --- a/src/Redsys/Tpv/Signature.php +++ b/src/Redsys/Tpv/Signature.php @@ -5,21 +5,39 @@ class Signature { - public static function fromValues($prefix, $values, $key) + public static function fromValues($prefix, array $values, $key) { $fields = array('Amount', 'Order', 'MerchantCode', 'Currency', 'TransactionType', 'MerchantURL'); return self::calculate($prefix, $fields, $values, $key); } - public static function fromTransaction($prefix, $values, $key) + public static function fromTransaction($prefix, array $values, $key) { $fields = array('Amount', 'Order', 'MerchantCode', 'Currency', 'Response'); return self::calculate($prefix, $fields, $values, $key); } - private static function calculate($prefix, $fields, $values, $key) + public static function fromTransactionXML($prefix, array $values, $key) + { + $fields = array('Amount', 'Order', 'MerchantCode', 'Currency', 'Response', 'TransactionType', 'SecurePayment'); + + return self::calculate($prefix, $fields, $values, $key); + } + + public static function fromXML($xml, $key) + { + preg_match('#([^<]+)#i', $xml, $order); + + if (empty($order[1])) { + throw new Exception('Can not be extracted Order from XML string'); + } + + return self::MAC256($xml, self::encryptKey($order[1], $key)); + } + + private static function calculate($prefix, array $fields, array $values, $key) { foreach ($fields as $field) { if (!isset($values[$prefix.$field])) { @@ -27,9 +45,9 @@ private static function calculate($prefix, $fields, $values, $key) } } - $key = self::encrypt3DES($values[$prefix.'Order'], base64_decode($key)); + $key = self::encryptKey($values[$prefix.'Order'], $key); - return base64_encode(hash_hmac('sha256', base64_encode(json_encode($values)), $key, true)); + return self::MAC256(base64_encode(json_encode($values)), $key); } private static function encrypt3DES($message, $key) @@ -38,4 +56,14 @@ private static function encrypt3DES($message, $key) return mcrypt_encrypt(MCRYPT_3DES, $key, $message, MCRYPT_MODE_CBC, $iv); } -} \ No newline at end of file + + private static function encryptKey($order, $key) + { + return self::encrypt3DES($order, base64_decode($key)); + } + + private static function MAC256($string, $key) + { + return base64_encode(hash_hmac('sha256', $string, $key, true)); + } +} diff --git a/src/Redsys/Tpv/Tpv.php b/src/Redsys/Tpv/Tpv.php index 1cdfbc1..d0bd3ca 100644 --- a/src/Redsys/Tpv/Tpv.php +++ b/src/Redsys/Tpv/Tpv.php @@ -2,7 +2,8 @@ namespace Redsys\Tpv; use Exception; -use DOMDocument, DOMElement; +use DOMDocument; +use DOMElement; use Redsys\Messages\Messages; class Tpv @@ -152,22 +153,17 @@ public function sendXml(array $options) { $this->values = array(); - if (isset($options['Order'])) { - $options['Order'] = $this->getOrder($options['Order']); - } - - if (isset($options['Amount'])) { - $options['Amount'] = $this->getAmount($options['Amount']); - } + $options['Order'] = $this->getOrder($options['Order']); + $options['Amount'] = $this->getAmount($options['Amount']); $this->setValueDefault($options, 'MerchantCode'); - $this->setValueDefault($options, 'MerchantName'); - $this->setValueDefault($options, 'MerchantData'); + $this->setValueDefault($options, 'MerchantURL'); $this->setValueDefault($options, 'Currency'); $this->setValueDefault($options, 'Terminal'); - $this->setValueDefault($options, 'TransactionType'); - $this->setValueDefault($options, 'Order'); - $this->setValueDefault($options, 'Amount'); + + $this->setValue($options, 'TransactionType'); + $this->setValue($options, 'Order'); + $this->setValue($options, 'Amount'); $Curl = new Curl(array( 'base' => $this->getPath('') @@ -175,7 +171,9 @@ public function sendXml(array $options) $Curl->setHeader(CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); - return $Curl->post('/operaciones', array(), 'entrada='.$this->xmlArray2string($this->setXmlValues())); + return $Curl->post('/operaciones', array( + 'entrada' => $this->xmlArray2string($this->setXmlValues()) + )); } private function setXmlValues() @@ -192,19 +190,18 @@ private function setXmlValues() private function xmlArray2string($xml) { $doc = new DOMDocument(); - $doc->formatOutput = true; $data = $doc->createElement('DATOSENTRADA'); foreach ($xml as $key => $value) { - $data->appendChild((new DOMElement($key, $value))); + $data->appendChild((new DOMElement(strtoupper($key), $value))); } $root = $doc->createElement('REQUEST'); - $root->appendChild(new DOMElement('DS_SIGNATUREVERSION', $this->options['SignatureVersion'])); - $root->appendChild(new DOMElement('DS_SIGNATURE', $this->getValuesSignature())); $root->appendChild($data); + $root->appendChild(new DOMElement('DS_SIGNATUREVERSION', $this->options['SignatureVersion'])); + $root->appendChild(new DOMElement('DS_SIGNATURE', Signature::fromXML((string)$doc->saveXML($data), $this->options['Key']))); $doc->appendChild($root); @@ -216,6 +213,31 @@ public function xmlString2array($xml) return json_decode(json_encode(simplexml_load_string($xml)), true); } + public function checkTransactionXml(array $post) + { + $prefix = 'Ds_'; + + if (empty($post) || empty($post[$prefix.'Signature']) || empty($post[$prefix.'MerchantParameters'])) { + throw new Exception('_POST data is empty'); + } + + $data = $this->getTransactionParameters($post); + $data = $this->xmlString2array($data['datos']); + + if (empty($data)) { + throw new Exception('_POST data can not be decoded'); + } + + $this->checkTransactionError($data, $prefix); + $this->checkTransactionResponse($data, $prefix); + + $signature = Signature::fromTransactionXml($prefix, $data, $this->options['Key']); + + $this->checkTransactionSignature($signature, $post[$prefix.'Signature']); + + return array_merge($post, $data); + } + private function setValueDefault(array $options, $option) { $code = $this->option_prefix.$option; @@ -291,16 +313,33 @@ public function checkTransaction(array $post) throw new Exception('_POST data can not be decoded'); } + $this->checkTransactionError($data, $prefix); + $this->checkTransactionResponse($data, $prefix); + + $signature = Signature::fromTransaction($prefix, $data, $this->options['Key']); + + $this->checkTransactionSignature($signature, $post[$prefix.'Signature']); + + return array_merge($post, array_map('urldecode', $data)); + } + + private function checkTransactionError(array $data, $prefix) + { $error = isset($data[$prefix.'ErrorCode']) ? $data[$prefix.'ErrorCode'] : null; - if ($error) { - if ($message = Messages::getByCode($error)) { - throw new Exception(sprintf('TPV returned error code %s: %s', $error, $message['message'])); - } else { - throw new Exception(sprintf('TPV returned unknown error code %s', $error)); - } + if (empty($error)) { + return null; } + if ($message = Messages::getByCode($error)) { + throw new Exception(sprintf('TPV returned error code %s: %s', $error, $message['message'])); + } else { + throw new Exception(sprintf('TPV returned unknown error code %s', $error)); + } + } + + private function checkTransactionResponse(array $data, $prefix) + { $response = isset($data[$prefix.'Response']) ? $data[$prefix.'Response'] : null; if (is_null($response) || (strlen($response) === 0)) { @@ -314,19 +353,18 @@ public function checkTransaction(array $post) throw new Exception(sprintf('Response code is unknown %s', $response)); } } + } - $signature = Signature::fromTransaction($prefix, $data, $this->options['Key']); - - $postSignature = strtr($post[$prefix.'Signature'], '-_', '+/'); + private function checkTransactionSignature($signature, $postSignature) + { + $postSignature = strtr($postSignature, '-_', '+/'); if ($signature !== $postSignature) { throw new Exception(sprintf('Signature not valid (%s != %s)', $signature, $postSignature)); } - - return array_merge($post, array_map('urldecode', $data)); } - private function getTransactionParameters(array $post) + public function getTransactionParameters(array $post) { return json_decode(base64_decode(strtr($post['Ds_MerchantParameters'], '-_', '+/')), true); } diff --git a/src/autoload.php b/src/autoload.php index ad5b819..afc95ef 100644 --- a/src/autoload.php +++ b/src/autoload.php @@ -1,6 +1,5 @@