Merge pull request #558 from fgonzal/master

`SMAdapter`: add new operation to encrypt clear PIN under PEK.
jpos · Jul 28, 2023 · 9b0024f · 9b0024f
2 parents 6599972 + b15d9a3
commit 9b0024f
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 1 deletion.
diff --git a/jpos/src/main/java/org/jpos/security/BaseSMAdapter.java b/jpos/src/main/java/org/jpos/security/BaseSMAdapter.java
@@ -309,6 +309,30 @@ public EncryptedPIN encryptPIN (String pin, String accountNumber) throws SMExcep
         return encryptPIN(pin, accountNumber, true);
     }
 
+    @Override
+    public EncryptedPIN encryptPIN(String pin, String accountNumber, T pek) throws SMException {
+        accountNumber = EncryptedPIN.extractAccountNumberPart(accountNumber);
+        List<Loggeable> cmdParameters = new ArrayList<>();
+        cmdParameters.add(new SimpleMsg("parameter", "clear pin", pin));
+        cmdParameters.add(new SimpleMsg("parameter", "account number", accountNumber));
+        cmdParameters.add(new SimpleMsg("parameter", "pin encryption Key", pek));
+        LogEvent evt = new LogEvent(this, "s-m-operation");
+        evt.addMessage(new SimpleMsg("command", "Encrypt clear PIN under PEK", cmdParameters));
+        EncryptedPIN result = null;
+        try {
+            result = encryptPINImpl(pin, accountNumber, pek);
+            evt.addMessage(new SimpleMsg("result", "PIN under PEK", result));
+        } 
+        catch (Exception e) {
+            evt.addMessage(e);
+            throw e instanceof SMException ? (SMException) e : new SMException(e);
+        } 
+        finally {
+            Logger.log(evt);
+        }
+        return result;
+    }
+
     @Override
     public String decryptPIN (EncryptedPIN pinUnderLmk) throws SMException {
         List<Loggeable> cmdParameters = new ArrayList<>();
@@ -912,6 +936,9 @@ public boolean verifydCVV(String accountNo, T imkac, String dcvv,
                      String expDate, String serviceCode, byte[] atc, MKDMethod mkdm)
                      throws SMException {
 
+        if (accountNo == null || accountNo.trim().length() == 0)
+            throw new IllegalArgumentException("Account number not set.");
+
         List<Loggeable> cmdParameters = new ArrayList<>();
         cmdParameters.add(new SimpleMsg("parameter", "account number", accountNo));
         cmdParameters.add(new SimpleMsg("parameter", "imk-ac", imkac == null ? "" : imkac));
@@ -1578,6 +1605,19 @@ protected EncryptedPIN encryptPINImpl (String pin, String accountNumber) throws
         throw  new SMException("Operation not supported in: " + this.getClass().getName());
     }
 
+    /**
+     * Your SMAdapter should override this method if it has this functionality.
+     *
+     * @param pin
+     * @param accountNumber
+     * @param pek
+     * @return encrypted PIN under PEK.
+     * @throws SMException
+     */
+    protected EncryptedPIN encryptPINImpl(String pin, String accountNumber, T pek) throws SMException {
+        throw  new SMException("Operation not supported in: " + this.getClass().getName());
+    }
+
     /**
      * Your SMAdapter should override this method if it has this functionality
      * @param pinUnderLmk

diff --git a/jpos/src/main/java/org/jpos/security/SMAdapter.java b/jpos/src/main/java/org/jpos/security/SMAdapter.java
@@ -384,7 +384,7 @@ SecureKey exportKey(SecureKey kek, SecureKey key, SecureKeySpec keySpec)
      * Encrypts a clear pin under LMK.
      *
      * <p>CAUTION: The use of clear pin presents a significant security risk
-     * @param pin clear pin as entered by card holder
+     * @param pin clear pin as entered by cardholder
      * @param accountNumber if <code>extract</code> is false then account number, including BIN and the check digit
      *        or if parameter <code>extract</code> is true then 12 right-most digits of the account number, excluding the check digit
      * @param extract true to extract 12 right-most digits off the account number
@@ -393,6 +393,18 @@ SecureKey exportKey(SecureKey kek, SecureKey key, SecureKeySpec keySpec)
      */
     EncryptedPIN encryptPIN(String pin, String accountNumber, boolean extract) throws SMException;
 
+    /**
+     * Encrypts a clear PIN under PEK.
+     *
+     * <p>CAUTION: The use of clear PIN presents a significant security risk.
+     * @param pin Clear PIN as entered by cardholder.
+     * @param accountNumber account number, including BIN and the check digit.
+     * @param pek PIN encryption key.
+     * @return Return PIN under PEK.
+     * @throws SMException
+     */
+    EncryptedPIN encryptPIN(String pin, String accountNumber, T pek) throws SMException;
+
     /**
      * Decrypts an Encrypted PIN (under LMK).
      * <p>CAUTION: The use of clear pin presents a significant security risk

diff --git a/jpos/src/main/java/org/jpos/security/jceadapter/JCESecurityModule.java b/jpos/src/main/java/org/jpos/security/jceadapter/JCESecurityModule.java
@@ -274,6 +274,14 @@ public EncryptedPIN encryptPINImpl (String pin, String accountNumber) throws SME
         return new EncryptedPIN(translatedPINBlock, FORMAT00, accountNumber, false);
     }
 
+    @Override
+    protected EncryptedPIN encryptPINImpl(String pin, String accountNumber, SecureDESKey pek) throws SMException {
+        byte[] clearPINBlock = calculatePINBlock(pin, FORMAT00, accountNumber);
+        Key clearPEK = decryptFromLMK(pek);
+        byte[] translatedPINBlock = jceHandler.encryptData(clearPINBlock, clearPEK);
+        return new EncryptedPIN(translatedPINBlock, FORMAT00, accountNumber, false);
+    }
+
     @Override
     public String decryptPINImpl (EncryptedPIN pinUnderLmk) throws SMException {
         byte[] clearPINBlock = jceHandler.decryptData(pinUnderLmk.getPINBlock(),

diff --git a/jpos/src/test/java/org/jpos/security/jceadapter/JCESecurityModuleTest.java b/jpos/src/test/java/org/jpos/security/jceadapter/JCESecurityModuleTest.java
@@ -957,6 +957,8 @@ public void testVerifyDCVVImplException1() throws Throwable {
             jcesecmod.verifydCVV(accountNo, imkac, dcvv, expDate
                         ,serviceCode, atc, MKDMethod.OPTION_A);
             fail("Expected SMException to be thrown");
+        } catch (IllegalArgumentException ex) {
+            assertTrue(ex.getMessage().contains("Account"));
         } catch (SMException ex){
             if (isJavaVersionAtMost(JAVA_13)) {
                 assertEquals("String index out of range: -4", ex.getNested().getMessage(), "ex.getMessage()");
@@ -977,6 +979,8 @@ public void testVerifyDCVVImplException2() throws Throwable {
             jcesecmod.verifydCVV(accountNo, imkac, dcvv, expDate
                         ,serviceCode, atc, MKDMethod.OPTION_A);
             fail("Expected SMException to be thrown");
+        } catch (IllegalArgumentException ex) {
+            assertTrue(ex.getMessage().contains("Account"));
         } catch (SMException ex){
             if (isJavaVersionAtMost(JAVA_14)) {
                 assertNull(ex.getNested().getMessage(), "ex.getNested().getMessage()");