private static bool ValidateSignatures(dynamic data, string centralApiPublicKey)
{
string paymentInfoJson = data.PaymentInfo;
string centralApiPaymentInfoSignature = data.PaymentInfoSignature;
string paymentProofJson = data.PaymentProof;
string paymentProofSignature = data.PaymentProofSignature;
// validate signatures of PaymentInfo and PaymentProof
using (var centralApiRsa = RSA.Create())
{
RsaExtensions.FromXmlString(centralApiRsa, centralApiPublicKey);
bool isPaymentInfoSignatureValid = centralApiRsa.VerifyData(
Encoding.UTF8.GetBytes(paymentInfoJson),
Convert.FromBase64String(centralApiPaymentInfoSignature),
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
bool isPaymentProofSignatureValid = centralApiRsa.VerifyData(
Encoding.UTF8.GetBytes(paymentProofJson),
Convert.FromBase64String(paymentProofSignature),
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
return(isPaymentInfoSignatureValid && isPaymentProofSignatureValid);
}
}
private void InitializeRsa()
{
using (var publicRsa = RSA.Create())
{
var publicKeyXml = File.ReadAllText(_jwtSettings.RsaPublicKeyXml);
RsaExtensions.FromXmlString(publicRsa, publicKeyXml);
_issuerSigningKey = new RsaSecurityKey(publicRsa);
}
}
public static string SignAndEncryptData <T>(
T model,
string apiSigningKey,
string bankKey)
where T : class
{
// Sign data with api private key
using (var rsa = RSA.Create())
{
RsaExtensions.FromXmlString(rsa, apiSigningKey);
var aesParams = CryptographyExtensions.GenerateKey();
var key = Convert.FromBase64String(aesParams[0]);
var iv = Convert.FromBase64String(aesParams[1]);
var serializedModel = JsonConvert.SerializeObject(model);
var dataObject = new
{
Model = serializedModel,
Timestamp = DateTime.UtcNow
};
var data = JsonConvert.SerializeObject(dataObject);
var signature = Convert.ToBase64String(rsa
.SignData(Encoding.UTF8.GetBytes(data), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
// Encrypt with bank public key
string encryptedKey;
string encryptedIv;
using (var encryptionRsa = RSA.Create())
{
RsaExtensions.FromXmlString(encryptionRsa, bankKey);
encryptedKey = Convert.ToBase64String(encryptionRsa.Encrypt(key, RSAEncryptionPadding.Pkcs1));
encryptedIv = Convert.ToBase64String(encryptionRsa.Encrypt(iv, RSAEncryptionPadding.Pkcs1));
}
var encryptedData = Convert.ToBase64String(CryptographyExtensions.Encrypt(data, key, iv));
var json = new
{
EncryptedKey = encryptedKey,
EncryptedIv = encryptedIv,
Data = encryptedData,
Signature = signature
};
var serializedJson = JsonConvert.SerializeObject(json);
var request = Convert.ToBase64String(Encoding.UTF8.GetBytes(serializedJson));
return(request);
}
}
public static string GeneratePaymentRequestWithProof(dynamic request, string bankPublicKey,
string centralApiKey)
{
string paymentInfoJson = request.PaymentInfo;
string websitePaymentInfoSignature = request.PaymentInfoSignature;
string returnUrl = request.ReturnUrl;
// generate PaymentProof containing the bank's public key
// and merchant's original PaymentInfo signature
var paymentProof = new
{
BankPublicKey = bankPublicKey,
PaymentInfoSignature = websitePaymentInfoSignature
};
string paymentProofJson = JsonConvert.SerializeObject(paymentProof);
string paymentInfoCentralApiSignature;
string paymentProofSignature;
// sign the PaymentInfo and PaymentProof
using (var centralApiRsa = RSA.Create())
{
RsaExtensions.FromXmlString(centralApiRsa, centralApiKey);
paymentInfoCentralApiSignature = Convert.ToBase64String(
centralApiRsa.SignData(
Encoding.UTF8.GetBytes(paymentInfoJson),
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
paymentProofSignature = Convert.ToBase64String(
centralApiRsa.SignData(
Encoding.UTF8.GetBytes(paymentProofJson),
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
var proofRequest = new
{
PaymentInfo = paymentInfoJson,
PaymentInfoSignature = paymentInfoCentralApiSignature,
PaymentProof = paymentProofJson,
PaymentProofSignature = paymentProofSignature,
ReturnUrl = returnUrl
};
string proofRequestJson = JsonConvert.SerializeObject(proofRequest);
string encodedProofRequest = Convert.ToBase64String(Encoding.UTF8.GetBytes(proofRequestJson));
return(encodedProofRequest);
}
private string SignAndEncryptData(CentralApiSubmitTransferDto model)
{
using (var rsa = RSA.Create())
{
RsaExtensions.FromXmlString(rsa, this.bankConfiguration.Key);
var aesParams = CryptographyExtensions.GenerateKey();
var key = Convert.FromBase64String(aesParams[0]);
var iv = Convert.FromBase64String(aesParams[1]);
var serializedModel = JsonConvert.SerializeObject(model);
var dataObject = new
{
Model = serializedModel,
Timestamp = DateTime.UtcNow
};
var data = JsonConvert.SerializeObject(dataObject);
var signature = Convert.ToBase64String(rsa
.SignData(Encoding.UTF8.GetBytes(data), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
string encryptedKey;
string encryptedIv;
using (var encryptionRsa = RSA.Create())
{
RsaExtensions.FromXmlString(encryptionRsa, this.bankConfiguration.CentralApiPublicKey);
encryptedKey = Convert.ToBase64String(encryptionRsa.Encrypt(key, RSAEncryptionPadding.Pkcs1));
encryptedIv = Convert.ToBase64String(encryptionRsa.Encrypt(iv, RSAEncryptionPadding.Pkcs1));
}
var encryptedData = Convert.ToBase64String(CryptographyExtensions.Encrypt(data, key, iv));
var json = new
{
BankName = this.bankConfiguration.BankName,
BankSwiftCode = this.bankConfiguration.UniqueIdentifier,
BankCountry = this.bankConfiguration.Country,
EncryptedKey = encryptedKey,
EncryptedIv = encryptedIv,
Data = encryptedData,
Signature = signature
};
var jsonRequest = JsonConvert.SerializeObject(json);
var encryptedRequest = Convert.ToBase64String(Encoding.UTF8.GetBytes(jsonRequest));
return(encryptedRequest);
}
}
public static string GenerateSuccessResponse(dynamic paymentRequest, string bankKey)
{
// generate PaymentConfirmation
var paymentConfirmation = new
{
Success = true,
paymentRequest.PaymentProofSignature
};
var paymentConfirmationJson = JsonConvert.SerializeObject(paymentConfirmation);
// sign the PaymentConfirmation
string paymentConfirmationSignature;
using (var bankRsa = RSA.Create())
{
RsaExtensions.FromXmlString(bankRsa, bankKey);
paymentConfirmationSignature = Convert.ToBase64String(
bankRsa.SignData(
Encoding.UTF8.GetBytes(paymentConfirmationJson),
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
// generate response
var response = new
{
paymentRequest.PaymentInfo,
paymentRequest.PaymentProof,
PaymentConfirmation = paymentConfirmationJson,
PaymentConfirmationSignature = paymentConfirmationSignature
};
var responseJson = JsonConvert.SerializeObject(response);
var base64Response = Convert.ToBase64String(Encoding.UTF8.GetBytes(responseJson));
return(base64Response);
}
private static bool ValidateSignature(dynamic data)
{
string paymentInfoJson = data.PaymentInfo;
string paymentInfoSignature = data.PaymentInfoSignature;
string websitePublicKey = data.PublicKey;
// validate PaymentInfo signature to make sure it has not been modified
// (or at least make it more difficult to modify as it would require signing it with a new key)
// ! This signature must also be verified by the merchant website after a successful payment
using (var websiteRsa = RSA.Create())
{
RsaExtensions.FromXmlString(websiteRsa, websitePublicKey);
bool isWebsiteSignatureValid = websiteRsa.VerifyData(
Encoding.UTF8.GetBytes(paymentInfoJson),
Convert.FromBase64String(paymentInfoSignature),
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
return(isWebsiteSignatureValid);
}
}