
paytm_node_checksum's Introduction

paytm_node_checksum's People

Contributors

aabhishekgoyal, lalitchaudhary1, mohit-aggarwal1, paytm-payments-admin, rahul2bisht, rahulverma0008, vidisha-goel


paytm_node_checksum's Issues

Typescript support

There are no typings files in the package. Please include this feature as well.
I am using firebase, node.js, and typescript. I believe this would be a problem for many others as well.

paytmchecksum Cannot read properties of undefined (reading 'generateSignature' )

Hi Team,
Please update this dependency,
and add @type/paytmchecksum

I have added:
a paytmchecksum.d.ts file with the below declaration:
declare module "paytmchecksum"

It resolved my issue of paytmchecksum not found, but while running I am getting:

{"severity":"ERROR","message":"Unhandled error TypeError: Cannot read properties of undefined (reading 'generateSignature')

Though it works if I use the below code:
const PaytmChecksum = require("./../../../node_modules/paytmchecksum/PaytmChecksum.js");

But the limitation is that I can't use require for deployment to firebase functions.

Please help me asap.
Thanks

Getting this error while validating checksum. Can anyone help?

TypeError [ERR_INVALID_ARG_TYPE]: The "data" argument must be of type string or an instance of Buffer, TypedArray, or DataView. Received undefined
at new NodeError (node:internal/errors:372:5)
at Decipheriv.update (node:internal/crypto/cipher:176:11)
at Function.decrypt (D:\MERN-STACK\server\paytm\PaytmChecksum.js:15:28)
at Function.verifySignatureByString (D:\MERN-STACK\server\paytm\PaytmChecksum.js:56:34)
at Function.verifySignature (D:\MERN-STACK\server\paytm\PaytmChecksum.js:47:24)
at paytmResponse (file:///D:/MERN-STACK/server/controller/payment-controller.js:27:41)
at Layer.handle [as handle_request] (D:\MERN-STACK\server\node_modules\express\lib\router\layer.js:95:5)
at next (D:\MERN-STACK\server\node_modules\express\lib\router\route.js:144:13)
at Route.dispatch (D:\MERN-STACK\server\node_modules\express\lib\router\route.js:114:3)
at Layer.handle [as handle_request] (D:\MERN-STACK\server\node_modules\express\lib\router\layer.js:95:5)

Security | Static IV

tl;dr

Issue #8, which mentions the use of a constant IV, has still not been resolved over 9 months after it was originally reported.
This is not a security issue; however, it defeats the point of using CBC (mode of operation) for AES.

Explanation

The encryption used here is AES-128-CBC for encrypting and decrypting the transactions. The mode of operation for AES is CBC, i.e. Cipher Block Chaining. It uses an IV (Initialization Vector), which is then XORed with the plaintext block. The result is then encrypted using AES and key 'k', and a ciphertext block is generated.

Now say the key used to encrypt the result of IV XOR plaintext block is the same for all encryptions (which is generally the case).

  • If the IV is random, two identical plaintext blocks will always result in two different ciphertext blocks.
    Pseudo example: aes_encrypt("hello world" XOR IV_1, secret_key) and aes_encrypt("hello world" XOR IV_2, secret_key) will result in two completely different ciphertext blocks.
  • If the IV is constant, two identical plaintext blocks will always result in the same ciphertext block, provided the key used to encrypt was the same.
    Pseudo example: aes_encrypt("hello world" XOR IV, secret_key) and aes_encrypt("hello world" XOR IV, secret_key) will result in two identical ciphertext blocks.

Proposed Solution

Generate the IV every time an encryption is performed. The IV could be passed in with the checksum to decrypt at the other side. This way the integrity is still maintained. : )

Additional Note

You should also consider upgrading from AES-128-CBC with a 128-bit key size to a much more secure key length of 256 bits, or even GCM if possible for newer systems.

Invalid Key Length

Getting invalid Key Length error when trying to create checksum

Error: Invalid key length
at Cipheriv.createCipherBase (internal/crypto/cipher.js:103:19)
at Cipheriv.createCipherWithIV (internal/crypto/cipher.js:121:20)
at new Cipheriv (internal/crypto/cipher.js:227:22)
at Object.createCipheriv (crypto.js:123:10)
at Function.encrypt (/Users/arjusmoon/NodeApps/playground/paytm/node_modules/paytmchecksum/PaytmChecksum.js:9:23)
at Function.calculateChecksum (/Users/arjusmoon/NodeApps/playground/paytm/node_modules/paytmchecksum/PaytmChecksum.js:94:24)
at Function.generateSignatureByString (/Users/arjusmoon/NodeApps/playground/paytm/node_modules/paytmchecksum/PaytmChecksum.js:56:24)

var PaytmChecksum = require("paytmchecksum");

var paytmParams = {};

paytmParams["MID"] = "XXXXXXXXXX";
paytmParams["ORDERID"] = "232442453";

var paytmChecksum = PaytmChecksum.generateSignature(paytmParams, "XXXXXXXXXX");
paytmChecksum.then(function (checksum) {
    console.log("generateSignature Returns: " + checksum);
}).catch(function (error) {
    console.log(error);
});

Same Initialisation Vector

It's more of a suggestion than an issue: please use a new IV for every encryption. This is even recommended by CTR security, because reusing an IV leaks some information about the first block of plaintext.
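
The behaviour described in the two IV issues above ("Security | Static IV" and "Same Initialisation Vector"), as an added example that is not part of the original issues or of the paytmchecksum code: with a constant IV, identical plaintexts encrypt to identical ciphertexts, while a fresh random IV sent in front of the ciphertext does not repeat and still decrypts on the other side. `KEY`, `STATIC_IV`, the function names and the sample message are constructed for illustration; the 16-byte key check also reproduces the condition behind the "Invalid key length" report.

```javascript
// Added example: Node.js built-in crypto only. Key, IV and message are constructed sample values.
const crypto = require("crypto");

const ALGO = "aes-128-cbc";
const KEY = Buffer.from("0123456789abcdef"); // constructed 16-byte key
const STATIC_IV = Buffer.alloc(16, 0x40);    // constructed constant IV (hypothetical value)

function checkKey(key) {
  // AES-128 needs exactly 16 key bytes; createCipheriv throws "Invalid key length" otherwise.
  if (Buffer.byteLength(key) !== 16) {
    throw new RangeError(`AES-128 key must be 16 bytes, got ${Buffer.byteLength(key)}`);
  }
}

// Constant IV: same key + same plaintext always gives the same ciphertext.
function encryptStaticIv(plaintext, key) {
  checkKey(key);
  const c = crypto.createCipheriv(ALGO, key, STATIC_IV);
  return Buffer.concat([c.update(plaintext, "utf8"), c.final()]).toString("base64");
}

// Proposed fix from the issue: fresh random IV per message, sent in front of the ciphertext.
function encryptFreshIv(plaintext, key) {
  checkKey(key);
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv(ALGO, key, iv);
  return Buffer.concat([iv, c.update(plaintext, "utf8"), c.final()]).toString("base64");
}

// Receiver splits off the first 16 bytes as the IV, then decrypts the rest.
function decryptFreshIv(token, key) {
  checkKey(key);
  const raw = Buffer.from(token, "base64");
  // 16-byte IV plus at least one padded 16-byte block
  if (raw.length < 32 || raw.length % 16 !== 0) throw new RangeError("malformed token");
  const d = crypto.createDecipheriv(ALGO, key, raw.subarray(0, 16));
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]).toString("utf8");
}

const msg = "MID=SAMPLE|ORDERID=232442453"; // constructed sample input
console.log("static IV, ciphertexts equal:", encryptStaticIv(msg, KEY) === encryptStaticIv(msg, KEY));
console.log("fresh IV, ciphertexts equal: ", encryptFreshIv(msg, KEY) === encryptFreshIv(msg, KEY));
console.log("fresh IV round trip:         ", decryptFreshIv(encryptFreshIv(msg, KEY), KEY));
```

CBC on its own does not authenticate the ciphertext; the GCM mode mentioned in the issue's additional note does.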
