using serial number as response mle kid for cybersource generated p12

monu-kumar-visa · monu-kumar-visa · commit 032444185d93 · 2025-11-13T11:52:21.000+05:30
diff --git a/src/authentication/core/MerchantConfig.js b/src/authentication/core/MerchantConfig.js
@@ -937,9 +937,18 @@ MerchantConfig.prototype.defaultPropValues = function defaultPropValues() {
             }
         }
         
-        // Validate KID
-        if (typeof this.responseMleKID !== "string" || !this.responseMleKID?.trim()) {
-            throw new ApiException.ApiException("responseMleKID is required when response MLE is enabled.", logger);
+        // Validate KID - Auto-extract from CyberSource P12 if applicable, then validate
+        if (!this.responseMleKID || !this.responseMleKID?.trim()) {
+            tryAutoExtractResponseMleKid.call(this, logger);
+            
+            if (typeof this.responseMleKID !== "string" || !this.responseMleKID?.trim()) {
+                throw new ApiException.ApiException(
+                    "responseMleKID is required when response MLE is enabled. " +
+                    "For CyberSource-generated P12 certificates, this will be auto-extracted. " +
+                    "For other certificate types, please provide it explicitly in your configuration.",
+                    logger
+                );
+            }
         }
     }
     /**
@@ -970,6 +979,47 @@ MerchantConfig.prototype.defaultPropValues = function defaultPropValues() {
 }
 
 
+function tryAutoExtractResponseMleKid(logger) {
+    const hasValidFilePath = typeof this.responseMlePrivateKeyFilePath === "string" && this.responseMlePrivateKeyFilePath.trim() !== "";
+    
+    if (!hasValidFilePath) {
+        return;
+    }
+    
+    const fileExtension = path.extname(this.responseMlePrivateKeyFilePath).toLowerCase();
+    const isP12File = fileExtension === ".p12";
+    
+    if (!isP12File) {
+        logger.debug('Private key file is not a P12 file, skipping auto-extraction of responseMleKID');
+        return;
+    }
+    
+    const isCybersourceP12 = Utility.isCybersourceP12(
+        this.responseMlePrivateKeyFilePath,
+        this.responseMlePrivateKeyFilePassword,
+        logger
+    );
+    
+    if (!isCybersourceP12) {
+        logger.debug('P12 file is not a CyberSource-generated certificate, skipping auto-extraction of responseMleKID');
+        return;
+    }
+    
+    logger.debug('Detected CyberSource P12 file, attempting to auto-extract responseMleKID');
+    try {
+        const extractedKid = Utility.extractResponseMleKid(
+            this.responseMlePrivateKeyFilePath,
+            this.responseMlePrivateKeyFilePassword,
+            this.merchantID,
+            logger
+        );
+        this.setResponseMleKID(extractedKid);
+        logger.info('Successfully auto-extracted responseMleKID from CyberSource P12 certificate');
+    } catch (error) {
+        logger.warn(`Failed to auto-extract responseMleKID from P12 file: ${error.message}. Please provide responseMleKID manually.`);
+    }
+}
+
 function validateAndSetMapToControlMLEonAPI(mapFromConfig) {
     let tempMap;
     var logger = Logger.getLogger(this, 'MerchantConfig');
diff --git a/src/authentication/util/Constants.js b/src/authentication/util/Constants.js
@@ -29,6 +29,7 @@ module.exports = {
     CERTIFICATE_EXPIRY_DATE_WARNING_DAYS : 90,
     FACTOR_DAYS_TO_MILLISECONDS       :  24 * 60 * 60 * 1000,
     DEFAULT_MLE_ALIAS_FOR_CERT        :  "CyberSource_SJC_US",
+    CYBERSOURCE_P12_CERT_ALIAS        :  "CyberSource_SJC_US",
     MLE_CACHE_IDENTIFIER_FOR_CONFIG_CERT : "_mleCertFromMerchantConfig",
     MLE_CACHE_IDENTIFIER_FOR_P12_CERT : "_mleCertFromP12",
 
diff --git a/src/authentication/util/Utility.js b/src/authentication/util/Utility.js
@@ -172,6 +172,32 @@ exports.ParseMLEConfigString = function (configString, logger) {
     }
 }
 
+/**
+ * Internal helper: Parses a P12 file and returns the pkcs12 object
+ * @param {string} filePath - Path to the P12 file
+ * @param {string} password - Password for the P12 file
+ * @param {object} logger - Logger object for logging messages
+ * @returns {object} - Parsed pkcs12 object
+ * @throws Will throw an error if file reading or parsing fails
+ */
+function parseP12File(filePath, password, logger) {
+    logger.debug(`Parsing P12 file: ${filePath}`);
+    
+    if (!fs.existsSync(filePath)) {
+        logger.error(`File not found: ${filePath}`);
+        throw new Error(Constants.FILE_NOT_FOUND + filePath);
+    }
+    
+    var p12Buffer = fs.readFileSync(filePath);
+    var p12Der = forge.util.binary.raw.encode(new Uint8Array(p12Buffer));
+    var p12Asn1 = forge.asn1.fromDer(p12Der);
+    var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, password);
+    
+    logger.debug(`Successfully parsed P12 file`);
+    
+    return p12;
+}
+
 /**
  * Reads a private key from a P12 file
  * @param {string} filePath - Path to the P12 file
@@ -183,18 +209,7 @@ exports.readPrivateKeyFromP12 = function(filePath, password, logger) {
     try {
         logger.debug(`Reading private key from P12 file: ${filePath}`);
         
-        if (!fs.existsSync(filePath)) {
-            logger.error(`File not found: ${filePath}`);
-            ApiException.AuthException(Constants.FILE_NOT_FOUND + filePath);
-        }
-        
-        // Read the P12 file and convert to ASN1
-        var p12Buffer = fs.readFileSync(filePath);
-        var p12Der = forge.util.binary.raw.encode(new Uint8Array(p12Buffer));
-        var p12Asn1 = forge.asn1.fromDer(p12Der);
-        var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, password);
-        
-        logger.debug(`Successfully read P12 file and converted to ASN1`);
+        var p12 = parseP12File(filePath, password, logger);
         
         // Extract the private key
         var keyBags = p12.getBags({ bagType: forge.pki.oids.keyBag });
@@ -357,3 +372,169 @@ exports.parseAndReturnPem = function(key, logger, password, passwordPropertyName
     throw new Error('Unsupported key format');
   }
 }
+
+/**
+ * Checks if a P12 file is generated by CyberSource
+ * Validates that the P12 contains a certificate with CN="CyberSource_SJC_US" and only one private key
+ * @param {string} filePath - Path to the P12 file
+ * @param {string} password - Password for the P12 file
+ * @param {object} logger - Logger object for logging messages
+ * @returns {boolean} - True if the P12 file is generated by CyberSource, false otherwise
+ */
+exports.isCybersourceP12 = function(filePath, password, logger) {
+    try {
+        logger.debug(`Checking if P12 file is generated by CyberSource: ${filePath}`);
+        
+        const p12 = parseP12File(filePath, password, logger);
+        const certBags = p12.getBags({ bagType: forge.pki.oids.certBag });
+        const certs = certBags[forge.pki.oids.certBag];
+        
+        // Early return if no certificates found
+        if (!certs) {
+            logger.debug('No certificates found in P12 file');
+            return false;
+        }
+        
+        logger.debug(`Found ${certs.length} certificate(s) in P12 file`);
+        
+        // Check for CyberSource certificate using modern iteration
+        const hasCybersourceCert = certs.some(({ cert }) => {
+            if (!cert?.subject?.attributes) return false;
+            
+            const cnAttr = cert.subject.attributes.find(
+                attr => attr.name === 'commonName' || attr.shortName === 'CN'
+            );
+            
+            if (cnAttr) {
+                logger.debug(`Found certificate with CN: ${cnAttr.value}`);
+                if (cnAttr.value === Constants.CYBERSOURCE_P12_CERT_ALIAS) {
+                    logger.debug(`Found CyberSource certificate (CN=${Constants.CYBERSOURCE_P12_CERT_ALIAS})`);
+                    return true;
+                }
+            }
+            return false;
+        });
+        
+        if (!hasCybersourceCert) {
+            logger.debug(`P12 file does not contain CyberSource certificate (CN=${Constants.CYBERSOURCE_P12_CERT_ALIAS})`);
+            return false;
+        }
+        
+        // Count private keys from both bag types
+        const bagTypes = [
+            { oid: forge.pki.oids.keyBag, name: 'keyBag' },
+            { oid: forge.pki.oids.pkcs8ShroudedKeyBag, name: 'pkcs8ShroudedKeyBag' }
+        ];
+        
+        let privateKeyCount = 0;
+        for (const { oid, name } of bagTypes) {
+            const bags = p12.getBags({ bagType: oid });
+            const count = bags[oid]?.length || 0;
+            if (count > 0) {
+                privateKeyCount += count;
+                logger.debug(`Found ${count} ${name} private key(s)`);
+            }
+        }
+        
+        logger.debug(`Total private keys found: ${privateKeyCount}`);
+        
+        // Verify exactly one private key
+        if (privateKeyCount !== 1) {
+            logger.debug(`P12 file does not contain exactly one private key (found ${privateKeyCount})`);
+            return false;
+        }
+        
+        logger.debug('P12 file is generated by CyberSource: contains CyberSource certificate and exactly one private key');
+        return true;
+        
+    } catch (error) {
+        logger.error(`Error checking if P12 file is generated by CyberSource: ${error.message}`);
+        return false;
+    }
+};
+
+/**
+ * Extracts the serial number (KID) from a certificate's subject in a P12 file where CN matches the merchantId
+ * @param {string} filePath - Path to the P12 file
+ * @param {string} password - Password for the P12 file
+ * @param {string} merchantId - The merchant ID to match against the CN in the certificate subject
+ * @param {object} logger - Logger object for logging messages
+ * @returns {string} - The serial number extracted from the certificate's subject attributes
+ * @throws Will throw an error if the certificate with matching CN is not found or serial number is missing
+ */
+exports.extractResponseMleKid = function(filePath, password, merchantId, logger) {
+    try {
+        logger.debug(`Extracting MLE KID from P12 file: ${filePath} for merchantId: ${merchantId}`);
+        
+        const p12 = parseP12File(filePath, password, logger);
+        
+        // Get certificate bags from P12
+        const certBags = p12.getBags({ bagType: forge.pki.oids.certBag });
+        const certs = certBags[forge.pki.oids.certBag];
+        
+        if (!certs || certs.length === 0) {
+            logger.error(`No certificates found in P12 file: ${filePath}`);
+            ApiException.AuthException(`No certificates found in P12 file: ${filePath}`);
+        }
+        
+        logger.debug(`Found ${certs.length} certificate(s) in P12 file`);
+        
+        // Iterate through certificates to find one with matching CN
+        for (let i = 0; i < certs.length; i++) {
+            const certBag = certs[i];
+            const cert = certBag.cert;
+            
+            if (!cert || !cert.subject || !cert.subject.attributes) {
+                logger.debug(`Certificate ${i + 1} has no subject attributes, skipping`);
+                continue;
+            }
+            
+            // Extract CN from certificate subject
+            let cn = null;
+            for (const attr of cert.subject.attributes) {
+                if (attr.name === 'commonName' || attr.shortName === 'CN') {
+                    cn = attr.value;
+                    break;
+                }
+            }
+            
+            if (!cn) {
+                logger.debug(`Certificate ${i + 1} has no CN in subject, skipping`);
+                continue;
+            }
+            
+            logger.debug(`Certificate ${i + 1} CN: ${cn}`);
+            
+            // Check if CN matches merchantId (case-insensitive)
+            if (cn.toLowerCase() === merchantId.toLowerCase()) {
+                logger.debug(`Found certificate with matching CN: ${cn}`);
+                
+                // Extract serial number from certificate subject
+                let serialNumber = null;
+                for (const attr of cert.subject.attributes) {
+                    if (attr.name === 'serialNumber' || attr.shortName === 'serialNumber') {
+                        serialNumber = attr.value;
+                        break;
+                    }
+                }
+                
+                if (!serialNumber) {
+                    logger.debug(`Certificate with CN=${cn} has no serialNumber in subject, continuing search`);
+                    continue;
+                }
+                
+                logger.debug(`Serial number (MLE KID) extracted from certificate subject: ${serialNumber}`);
+                
+                return serialNumber;
+            }
+        }
+        
+        // If we get here, no matching certificate was found
+        logger.error(`No certificate with CN matching merchantId (${merchantId}) and valid serialNumber found in P12 file: ${filePath}`);
+        ApiException.AuthException(`No certificate with CN matching merchantId (${merchantId}) found in P12 file: ${filePath}`);
+        
+    } catch (error) {
+        logger.error(`Error extracting MLE KID from P12 file: ${filePath}: ${error.message}`);
+        ApiException.AuthException(`Error extracting MLE KID from P12 file: ${filePath}: ${error.message}`);
+    }
+};
