The certificate and/or key fingerprints are not computed for every request anymore

Author: jaaufauvre

src/Developer/Encryption/FieldLevelEncryption.php

@@ -117,10 +117,10 @@ private static function encryptPayloadPath($payloadJsonObject, $jsonPathIn, $jso
             $outJsonObject->{$config->encryptedKeyFieldName} = $params->getEncryptedKeyValue();
         }
         if (!empty($config->encryptionCertificateFingerprintFieldName)) {
-            $outJsonObject->{$config->encryptionCertificateFingerprintFieldName} = $params->getEncryptionCertificateFingerprintValue();
+            $outJsonObject->{$config->encryptionCertificateFingerprintFieldName} = $config->encryptionCertificateFingerprint;
         }
         if (!empty($config->encryptionKeyFingerprintFieldName)) {
-            $outJsonObject->{$config->encryptionKeyFingerprintFieldName} = $params->getEncryptionKeyFingerprintValue();
+            $outJsonObject->{$config->encryptionKeyFingerprintFieldName} = $config->encryptionKeyFingerprint;
         }
         if (!empty($config->oaepPaddingDigestAlgorithmFieldName)) {
             $outJsonObject->{$config->oaepPaddingDigestAlgorithmFieldName} = $params->getOaepPaddingDigestAlgorithmValue();

src/Developer/Encryption/FieldLevelEncryptionConfig.php

@@ -158,4 +158,12 @@ public function getEncryptionCertificateFingerprintHeaderName() {
     public function getEncryptionKeyFingerprintHeaderName() {
         return $this->encryptionKeyFingerprintHeaderName;
     }
+
+    public function getEncryptionCertificateFingerprint() {
+        return $this->encryptionCertificateFingerprint;
+    }
+
+    public function getEncryptionKeyFingerprint() {
+        return $this->encryptionKeyFingerprint;
+    }
 }

src/Developer/Encryption/FieldLevelEncryptionConfigBuilder.php

@@ -3,6 +3,8 @@
 namespace Mastercard\Developer\Encryption;
 
 use Mastercard\Developer\Json\JsonPath;
+use Mastercard\Developer\Utils\EncodingUtils;
+use phpseclib\Crypt\Hash;
 
 /**
  * A builder class for FieldLevelEncryptionConfig.
@@ -195,13 +197,17 @@ public function withEncryptionKeyFingerprintHeaderName($encryptionKeyFingerprint
     /**
      * Build a FieldLevelEncryptionConfig.
      * @see FieldLevelEncryptionConfig
+     * @throws EncryptionException, InvalidArgumentException
      */
     public function build() {
 
         $this->checkJsonPathParameterValues();
         $this->checkParameterValues();
         $this->checkParameterConsistency();
 
+        $this->computeEncryptionCertificateFingerprintWhenNeeded();
+        $this->computeEncryptionKeyFingerprintWhenNeeded();
+
         $config = new FieldLevelEncryptionConfig();
         $config->encryptionCertificateFingerprintFieldName = $this->encryptionCertificateFingerprintFieldName;
         $config->encryptionKeyFingerprintFieldName = $this->encryptionKeyFingerprintFieldName;
@@ -283,4 +289,33 @@ private function checkParameterConsistency () {
             throw new \InvalidArgumentException('IV field name and encrypted key field name must be both set or both unset!');
         }
     }
+
+    private function computeEncryptionCertificateFingerprintWhenNeeded() {
+        $providedEncryptionCertificate = $this->encryptionCertificate;
+        if (empty($providedEncryptionCertificate) || !empty($this->encryptionCertificateFingerprint)) {
+            // No encryption certificate set or certificate fingerprint already provided
+            return;
+        }
+        try {
+            $this->encryptionCertificateFingerprint = openssl_x509_fingerprint($providedEncryptionCertificate, 'sha256');
+        } catch (\Exception $e) {
+            throw new EncryptionException('Failed to compute encryption certificate fingerprint!', $e);
+        }
+    }
+
+    private function computeEncryptionKeyFingerprintWhenNeeded() {
+        $providedEncryptionCertificate = $this->encryptionCertificate;
+        if (empty($providedEncryptionCertificate) || !empty($this->encryptionKeyFingerprint)) {
+            // No encryption certificate set or key fingerprint already provided
+            return;
+        }
+        try {
+            $publicKeyPem = openssl_pkey_get_details(openssl_pkey_get_public($providedEncryptionCertificate))['key'];
+            $publicKeyDer = EncodingUtils::pemToDer($publicKeyPem, '-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----');
+            $hash = new Hash('sha256');
+            $this->encryptionKeyFingerprint = EncodingUtils::encodeBytes($hash->hash($publicKeyDer), FieldValueEncoding::HEX);
+        } catch (\Exception $e) {
+            throw new EncryptionException('Failed to compute encryption key fingerprint!', $e);
+        }
+    }
 }

src/Developer/Encryption/FieldLevelEncryptionParams.php

@@ -2,7 +2,6 @@
 
 namespace Mastercard\Developer\Encryption;
 use Mastercard\Developer\Utils\EncodingUtils;
-use phpseclib\Crypt\Hash;
 use phpseclib\Crypt\RSA;
 
 /**
@@ -17,20 +16,14 @@ class FieldLevelEncryptionParams {
     private $ivValue;
     private $encryptedKeyValue;
     private $oaepPaddingDigestAlgorithmValue;
-    private $encryptionCertificateFingerprintValue;
-    private $encryptionKeyFingerprintValue;
     private $config;
     private $secretKey;
     private $iv;
 
-    public function __construct($config, $ivValue, $encryptedKeyValue,
-                                $oaepPaddingDigestAlgorithmValue = null, $encryptionCertificateFingerprintValue = null,
-                                $encryptionKeyFingerprintValue = null) {
+    public function __construct($config, $ivValue, $encryptedKeyValue, $oaepPaddingDigestAlgorithmValue = null) {
         $this->ivValue = $ivValue;
         $this->encryptedKeyValue = $encryptedKeyValue;
         $this->oaepPaddingDigestAlgorithmValue = $oaepPaddingDigestAlgorithmValue;
-        $this->encryptionCertificateFingerprintValue = $encryptionCertificateFingerprintValue;
-        $this->encryptionKeyFingerprintValue = $encryptionKeyFingerprintValue;
         $this->config = $config;
     }
 
@@ -54,13 +47,10 @@ public static function generate($config) {
         $encryptedSecretKeyBytes = self::wrapSecretKey($config, $secretKey);
         $encryptedKeyValue = EncodingUtils::encodeBytes($encryptedSecretKeyBytes, $config->fieldValueEncoding);
 
-        // Compute fingerprints and OAEP padding digest algorithm
-        $encryptionCertificateFingerprintValue = self::getOrComputeEncryptionCertificateFingerprint($config);
-        $encryptionKeyFingerprintValue = self::getOrComputeEncryptionKeyFingerprint($config);
+        // Compute the OAEP padding digest algorithm
         $oaepPaddingDigestAlgorithmValue = str_replace('-', '', $config->oaepPaddingDigestAlgorithm);
 
-        $params = new FieldLevelEncryptionParams($config, $ivValue, $encryptedKeyValue, $oaepPaddingDigestAlgorithmValue,
-            $encryptionCertificateFingerprintValue, $encryptionKeyFingerprintValue);
+        $params = new FieldLevelEncryptionParams($config, $ivValue, $encryptedKeyValue, $oaepPaddingDigestAlgorithmValue);
         $params->secretKey = $secretKey;
         $params->iv = $iv;
         return $params;
@@ -74,14 +64,6 @@ public function getEncryptedKeyValue() {
         return $this->encryptedKeyValue;
     }
 
-    public function getEncryptionCertificateFingerprintValue() {
-        return $this->encryptionCertificateFingerprintValue;
-    }
-
-    public function getEncryptionKeyFingerprintValue() {
-        return $this->encryptionKeyFingerprintValue;
-    }
-
     public function getOaepPaddingDigestAlgorithmValue() {
         return $this->oaepPaddingDigestAlgorithmValue;
     }
@@ -171,41 +153,4 @@ private static function toDsigXmlPrivateKey($raw) {
             '  <D>' . base64_encode($raw['d']) . "</D>\r\n" .
             '</RSAKeyValue>';
     }
-
-    /**
-     * @throws EncryptionException
-     */
-    private static function getOrComputeEncryptionCertificateFingerprint($config) {
-        try {
-            $providedCertificateFingerprintValue = $config->encryptionCertificateFingerprint;
-            if (!empty($providedCertificateFingerprintValue)) {
-                return $providedCertificateFingerprintValue;
-            } else {
-                $encryptionCertificate = $config->encryptionCertificate;
-                return openssl_x509_fingerprint($encryptionCertificate, 'sha256');
-            }
-        } catch (\Exception $e) {
-            throw new EncryptionException('Failed to compute encryption certificate fingerprint!', $e);
-        }
-    }
-
-    /**
-     * @throws EncryptionException
-     */
-    private static function getOrComputeEncryptionKeyFingerprint($config) {
-        try {
-            $providedKeyFingerprintValue = $config->encryptionKeyFingerprint;
-            if (!empty($providedKeyFingerprintValue)) {
-                return $providedKeyFingerprintValue;
-            } else {
-                $encryptionCertificate = $config->encryptionCertificate;
-                $publicKeyPem = openssl_pkey_get_details(openssl_pkey_get_public($encryptionCertificate))['key'];
-                $publicKeyDer = EncodingUtils::pemToDer($publicKeyPem, '-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----');
-                $hash = new Hash('sha256');
-                return EncodingUtils::encodeBytes($hash->hash($publicKeyDer), FieldValueEncoding::HEX);
-            }
-        } catch (\Exception $e) {
-            throw new EncryptionException('Failed to compute encryption key fingerprint!', $e);
-        }
-    }
 }

src/Developer/Interceptors/PsrHttpMessageEncryptionInterceptor.php

@@ -45,8 +45,8 @@ public function interceptRequest(RequestInterface &$request) {
                 $params = FieldLevelEncryptionParams::generate($this->config);
                 self::updateHeader($request, $this->config->getIvHeaderName(), $params->getIvValue());
                 self::updateHeader($request, $this->config->getEncryptedKeyHeaderName(), $params->getEncryptedKeyValue());
-                self::updateHeader($request, $this->config->getEncryptionCertificateFingerprintHeaderName(), $params->getEncryptionCertificateFingerprintValue());
-                self::updateHeader($request, $this->config->getEncryptionKeyFingerprintHeaderName(), $params->getEncryptionKeyFingerprintValue());
+                self::updateHeader($request, $this->config->getEncryptionCertificateFingerprintHeaderName(), $this->config->getEncryptionCertificateFingerprint());
+                self::updateHeader($request, $this->config->getEncryptionKeyFingerprintHeaderName(), $this->config->getEncryptionKeyFingerprint());
                 self::updateHeader($request, $this->config->getOaepPaddingDigestAlgorithmHeaderName(), $params->getOaepPaddingDigestAlgorithmValue());
                 $encryptedPayload = FieldLevelEncryption::encryptPayload($payload, $this->config, $params);
             } else {

tests/Developer/Encryption/FieldLevelEncryptionConfigBuilderTest.php

@@ -8,6 +8,61 @@
 
 class FieldLevelEncryptionConfigBuilderTest extends TestCase {
 
+    public function testBuild_Nominal() {
+        $config = FieldLevelEncryptionConfigBuilder::aFieldLevelEncryptionConfig()
+            ->withEncryptionPath('$.payload', '$.encryptedPayload')
+            ->withEncryptionCertificate(TestUtils::getTestEncryptionCertificate())
+            ->withEncryptionCertificateFingerprint('97A2FFE9F0D48960EF31E87FCD7A55BF7843FB4A9EEEF01BDB6032AD6FEF146B')
+            ->withEncryptionKeyFingerprint('F806B26BC4870E26986C70B6590AF87BAF4C2B56BB50622C51B12212DAFF2810')
+            ->withEncryptionCertificateFingerprintFieldName('publicCertificateFingerprint')
+            ->withEncryptionCertificateFingerprintHeaderName('x-public-certificate-fingerprint')
+            ->withEncryptionKeyFingerprintFieldName('publicKeyFingerprint')
+            ->withEncryptionKeyFingerprintHeaderName('x-public-key-fingerprint')
+            ->withDecryptionPath('$.encryptedPayload', '$.payload')
+            ->withDecryptionKey(TestUtils::getTestDecryptionKey())
+            ->withOaepPaddingDigestAlgorithm('SHA-512')
+            ->withOaepPaddingDigestAlgorithmFieldName('oaepPaddingDigestAlgorithm')
+            ->withOaepPaddingDigestAlgorithmHeaderName('x-oaep-padding-digest-algorithm')
+            ->withEncryptedValueFieldName('encryptedValue')
+            ->withEncryptedKeyFieldName('encryptedKey')
+            ->withEncryptedKeyHeaderName('x-encrypted-key')
+            ->withIvFieldName('iv')
+            ->withIvHeaderName('x-iv')
+            ->withFieldValueEncoding(FieldValueEncoding::BASE64)
+            ->build();
+        $this->assertNotEmpty($config);
+        $this->assertEquals(1, sizeof($config->encryptionPaths));
+        $this->assertNotEmpty($config->encryptionCertificate);
+        $this->assertEquals('97A2FFE9F0D48960EF31E87FCD7A55BF7843FB4A9EEEF01BDB6032AD6FEF146B', $config->encryptionCertificateFingerprint);
+        $this->assertEquals('F806B26BC4870E26986C70B6590AF87BAF4C2B56BB50622C51B12212DAFF2810', $config->encryptionKeyFingerprint);
+        $this->assertEquals('publicCertificateFingerprint', $config->encryptionCertificateFingerprintFieldName);
+        $this->assertEquals('x-public-certificate-fingerprint', $config->encryptionCertificateFingerprintHeaderName);
+        $this->assertEquals('publicKeyFingerprint', $config->encryptionKeyFingerprintFieldName);
+        $this->assertEquals('x-public-key-fingerprint', $config->encryptionKeyFingerprintHeaderName);
+        $this->assertEquals(1, sizeof($config->decryptionPaths));
+        $this->assertNotEmpty($config->decryptionKey);
+        $this->assertEquals('SHA-512', $config->oaepPaddingDigestAlgorithm);
+        $this->assertEquals('encryptedValue', $config->encryptedValueFieldName);
+        $this->assertEquals('encryptedKey', $config->encryptedKeyFieldName);
+        $this->assertEquals('x-encrypted-key', $config->encryptedKeyHeaderName);
+        $this->assertEquals('iv', $config->ivFieldName);
+        $this->assertEquals('x-iv', $config->ivHeaderName);
+        $this->assertEquals('oaepPaddingDigestAlgorithm', $config->oaepPaddingDigestAlgorithmFieldName);
+        $this->assertEquals('x-oaep-padding-digest-algorithm', $config->oaepPaddingDigestAlgorithmHeaderName);
+        $this->assertEquals(FieldValueEncoding::BASE64, $config->fieldValueEncoding);
+    }
+
+    public function testBuild_ShouldComputeCertificateAndKeyFingerprints_WhenFingerprintsNotSet() {
+        $config = TestUtils::getTestFieldLevelEncryptionConfigBuilder()
+            ->withEncryptionCertificateFingerprint(null)
+            ->withEncryptionKeyFingerprint(null)
+            ->withEncryptionCertificate(TestUtils::getTestEncryptionCertificate())
+            ->withDecryptionKey(TestUtils::getTestDecryptionKey())
+            ->build();
+        $this->assertEquals('761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79', $config->encryptionKeyFingerprint);
+        $this->assertEquals('80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279', $config->encryptionCertificateFingerprint);
+    }
+
     public function testBuild_ShouldThrowInvalidArgumentException_WhenNotDefiniteDecryptionPath() {
         $this->expectException(\InvalidArgumentException::class);
         $this->expectExceptionMessage('JSON paths for decryption must point to a single item!');
@@ -140,48 +195,4 @@ public function testBuild_ShouldThrowInvalidArgumentException_WhenEncryptedKeyAn
             ->withFieldValueEncoding(FieldValueEncoding::HEX)
             ->build();
     }
-
-    public function testBuild_Nominal() {
-        $config = FieldLevelEncryptionConfigBuilder::aFieldLevelEncryptionConfig()
-            ->withEncryptionPath('$.payload', '$.encryptedPayload')
-            ->withEncryptionCertificate(TestUtils::getTestEncryptionCertificate())
-            ->withEncryptionCertificateFingerprint('97A2FFE9F0D48960EF31E87FCD7A55BF7843FB4A9EEEF01BDB6032AD6FEF146B')
-            ->withEncryptionKeyFingerprint('F806B26BC4870E26986C70B6590AF87BAF4C2B56BB50622C51B12212DAFF2810')
-            ->withEncryptionCertificateFingerprintFieldName('publicCertificateFingerprint')
-            ->withEncryptionCertificateFingerprintHeaderName('x-public-certificate-fingerprint')
-            ->withEncryptionKeyFingerprintFieldName('publicKeyFingerprint')
-            ->withEncryptionKeyFingerprintHeaderName('x-public-key-fingerprint')
-            ->withDecryptionPath('$.encryptedPayload', '$.payload')
-            ->withDecryptionKey(TestUtils::getTestDecryptionKey())
-            ->withOaepPaddingDigestAlgorithm('SHA-512')
-            ->withOaepPaddingDigestAlgorithmFieldName('oaepPaddingDigestAlgorithm')
-            ->withOaepPaddingDigestAlgorithmHeaderName('x-oaep-padding-digest-algorithm')
-            ->withEncryptedValueFieldName('encryptedValue')
-            ->withEncryptedKeyFieldName('encryptedKey')
-            ->withEncryptedKeyHeaderName('x-encrypted-key')
-            ->withIvFieldName('iv')
-            ->withIvHeaderName('x-iv')
-            ->withFieldValueEncoding(FieldValueEncoding::BASE64)
-            ->build();
-        $this->assertNotEmpty($config);
-        $this->assertEquals(1, sizeof($config->encryptionPaths));
-        $this->assertNotEmpty($config->encryptionCertificate);
-        $this->assertEquals('97A2FFE9F0D48960EF31E87FCD7A55BF7843FB4A9EEEF01BDB6032AD6FEF146B', $config->encryptionCertificateFingerprint);
-        $this->assertEquals('F806B26BC4870E26986C70B6590AF87BAF4C2B56BB50622C51B12212DAFF2810', $config->encryptionKeyFingerprint);
-        $this->assertEquals('publicCertificateFingerprint', $config->encryptionCertificateFingerprintFieldName);
-        $this->assertEquals('x-public-certificate-fingerprint', $config->encryptionCertificateFingerprintHeaderName);
-        $this->assertEquals('publicKeyFingerprint', $config->encryptionKeyFingerprintFieldName);
-        $this->assertEquals('x-public-key-fingerprint', $config->encryptionKeyFingerprintHeaderName);
-        $this->assertEquals(1, sizeof($config->decryptionPaths));
-        $this->assertNotEmpty($config->decryptionKey);
-        $this->assertEquals('SHA-512', $config->oaepPaddingDigestAlgorithm);
-        $this->assertEquals('encryptedValue', $config->encryptedValueFieldName);
-        $this->assertEquals('encryptedKey', $config->encryptedKeyFieldName);
-        $this->assertEquals('x-encrypted-key', $config->encryptedKeyHeaderName);
-        $this->assertEquals('iv', $config->ivFieldName);
-        $this->assertEquals('x-iv', $config->ivHeaderName);
-        $this->assertEquals('oaepPaddingDigestAlgorithm', $config->oaepPaddingDigestAlgorithmFieldName);
-        $this->assertEquals('x-oaep-padding-digest-algorithm', $config->oaepPaddingDigestAlgorithmHeaderName);
-        $this->assertEquals(FieldValueEncoding::BASE64, $config->fieldValueEncoding);
-    }
 }