
wp-pronamic-pay-ideal-advanced-v3's Introduction

WordPress Pay Gateway: iDEAL Advanced v3

iDEAL Advanced v3 driver for the WordPress payment processing library.


Providers

  • ING
  • Rabobank

Documentation

| Title | Language | Version | Date |
| --- | --- | --- | --- |
| iDEAL Merchant Integration Guide | EN | 3.3.1 | 2015-02 |
| iDEAL Merchant Integratie Gids | NL | 3.3.1 | 2015-02 |
| iDEAL Merchant Integration Guide | EN | 3.3.1 | 2012-11 |
| Rabobank - Handleiding iDEAL Professional | NL | 3.0 | 2019-02 |
| iDEAL Merchant Integratie Gids (NL) | NL | 3.6 | 2020-10-09 |
| iDEAL Merchant Integration Guide (EN) | NL | 3.6 | 2020-10-09 |

Signing iDEAL messages

All messages that are sent by the Merchant to the Acquirer (DirectoryRequest, TransactionRequest and StatusRequest) have to be signed by the Merchant. Messages are signed in accordance with the “XML Signature Syntax and Processing (2nd Edition) W3C Recommendation” of 10 June 2008 [4], with the following settings and restrictions applied:

  1. The entire XML message [5] must be signed.

  2. For the purpose of generating the digest of the main message, the inclusive canonicalization algorithm must be used [6]. This method of canonicalization of the main message is not (always) explicitly indicated in the iDEAL XML messages. For this reason this transform has not been included in the example messages in this document. Merchants are not required to explicitly indicate this transform in their messages.

  3. For the purpose of generating the signature value, the exclusive [7] canonicalization algorithm must be used.

  4. The syntax for an enveloped [8] signature must be used. The signature itself must be removed from the XML message using the default transformation prescribed for this purpose.

  5. For hashing purposes the SHA-256 [9] algorithm must be used.

  6. For signature purposes the RSAWithSHA256 [10] algorithm must be used. RSA keys must be 2,048 bits long.

  7. The public key must be referenced using a fingerprint of an X.509 certificate. The fingerprint must be calculated according to the following formula: HEX(SHA-1(DER certificate)) [11].

    Note: the key reference is backwards compatible with all previous versions of iDEAL.

    Note: According to the Base64 specification, line breaks are allowed to be inserted after every 76 characters using a CR/LF [12].

In general Merchants don’t need to have extensive knowledge of RSA since most programming languages have libraries available that implement XML Digital Signature processing. It is strongly recommended to use these standard libraries. Standard functionality for creation and verification of RSAWithSHA256 digital signatures is available in commonly used software platforms, from the following versions and higher: PHP version 5.3.0, Microsoft .NET version 3.5 SP1 and Java version 1.6 u18.

This functionality may also be available in earlier versions of these platforms and in other platforms (e.g. Python, Ruby).

For information about creating the public and private key pair please refer to paragraph 8.4.

[4] http://www.w3.org/TR/xmldsig-core/
[5] The XML Signature Reference URI is left blank (the whole message is signed), see the example messages in Appendix B
[6] http://www.w3.org/TR/2001/REC-xml-c14n-20010315
[7] http://www.w3.org/2001/10/xml-exc-c14n
[8] http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature
[9] http://www.w3.org/2001/04/xmlenc#sha256
[10] http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/#sec-SHA256
[11] See the example messages in Appendix B
[12] http://tools.ietf.org/html/rfc2045#section-6.8
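The seven rules above carried out end to end in PHP, as an added example: this is not the code of the wp-pay-gateways/ideal-advanced-v3 driver, and it uses only PHP's DOM and OpenSSL extensions. The key and certificate file names, the key password and the DirectoryReq sample message (including its namespace) are assumptions constructed for the example; the algorithm identifiers are the standard XML DSig URIs, with the rsa-sha256 identifier taken from RFC 4051.

```php
<?php
declare( strict_types=1 );

// Added example (not the ideal-advanced-v3 driver): sign a Merchant -> Acquirer
// message following the seven iDEAL signing rules with DOM + OpenSSL only.

const DSIG_NS        = 'http://www.w3.org/2000/09/xmldsig#';
const ALG_EXC_C14N   = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const ALG_ENVELOPED  = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';
const ALG_SHA256     = 'http://www.w3.org/2001/04/xmlenc#sha256';
const ALG_RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; // RFC 4051

/**
 * Rule 7: the key reference is HEX(SHA-1(DER certificate)). The certificate is
 * given as PEM; openssl_x509_fingerprint() hashes its DER encoding.
 */
function ideal_certificate_fingerprint( string $certificate_pem ): string {
    $fingerprint = openssl_x509_fingerprint( $certificate_pem, 'sha1' );

    if ( false === $fingerprint ) {
        throw new RuntimeException( 'Unable to read the X.509 certificate.' );
    }

    return strtoupper( $fingerprint );
}

/**
 * Rule 6: only a 2048-bit RSA key is acceptable, so fail early instead of
 * producing a signature the Acquirer will reject.
 *
 * @return resource|OpenSSLAsymmetricKey  resource on PHP 7, object on PHP 8.
 */
function ideal_load_private_key( string $private_key_pem, string $password ) {
    $key     = openssl_pkey_get_private( $private_key_pem, $password );
    $details = ( false === $key ) ? false : openssl_pkey_get_details( $key );

    if ( false === $details || OPENSSL_KEYTYPE_RSA !== $details['type'] || 2048 !== $details['bits'] ) {
        throw new RuntimeException( 'iDEAL requires a 2048-bit RSA private key.' );
    }

    return $key;
}

/**
 * Appends an enveloped <Signature> to the document root and returns the document.
 *
 * @param resource|OpenSSLAsymmetricKey $private_key Key from ideal_load_private_key().
 */
function ideal_sign_document( DOMDocument $document, $private_key, string $certificate_pem ): DOMDocument {
    $root = $document->documentElement;

    // Rules 1, 2, 4 and 5: the digest covers the entire message in inclusive C14N
    // form without the Signature element. Taking it before the Signature is
    // appended yields exactly the output of the enveloped-signature transform.
    $digest_value = base64_encode( hash( 'sha256', $root->C14N( false, false ), true ) );

    // Helper: create an element in the XML DSig namespace and append it to $parent.
    $add = function ( DOMNode $parent, string $name, ?string $text = null ) use ( $document ): DOMElement {
        $element = $document->createElementNS( DSIG_NS, $name );
        if ( null !== $text ) {
            $element->appendChild( $document->createTextNode( $text ) );
        }
        $parent->appendChild( $element );
        return $element;
    };

    $signature   = $add( $root, 'Signature' );
    $signed_info = $add( $signature, 'SignedInfo' );
    $add( $signed_info, 'CanonicalizationMethod' )->setAttribute( 'Algorithm', ALG_EXC_C14N );         // rule 3
    $add( $signed_info, 'SignatureMethod' )->setAttribute( 'Algorithm', ALG_RSA_SHA256 );              // rule 6
    $reference = $add( $signed_info, 'Reference' );
    $reference->setAttribute( 'URI', '' );                                                             // whole message, footnote 5
    $add( $add( $reference, 'Transforms' ), 'Transform' )->setAttribute( 'Algorithm', ALG_ENVELOPED ); // rule 4
    $add( $reference, 'DigestMethod' )->setAttribute( 'Algorithm', ALG_SHA256 );                       // rule 5
    $add( $reference, 'DigestValue', $digest_value );

    // Rule 3: the bytes that are actually signed are the exclusive C14N form of SignedInfo.
    $raw_signature = '';
    if ( true !== openssl_sign( $signed_info->C14N( true, false ), $raw_signature, $private_key, OPENSSL_ALGO_SHA256 ) ) {
        throw new RuntimeException( 'openssl_sign() failed: ' . (string) openssl_error_string() );
    }
    $add( $signature, 'SignatureValue', base64_encode( $raw_signature ) );

    // Rule 7: reference the signing certificate by fingerprint instead of embedding it.
    $add( $add( $signature, 'KeyInfo' ), 'KeyName', ideal_certificate_fingerprint( $certificate_pem ) );

    return $document;
}

// Usage. File names, password and the message below are assumptions constructed for this example.
$document = new DOMDocument( '1.0', 'UTF-8' );
$document->loadXML( '<DirectoryReq xmlns="http://www.idealdesk.com/ideal/messages/mer-acq/3.3.1" version="3.3.1">'
    . '<createDateTimestamp>2015-02-01T12:00:00.000Z</createDateTimestamp>'
    . '<Merchant><merchantID>000000000</merchantID><subID>0</subID></Merchant></DirectoryReq>' );

$private_key = ideal_load_private_key( (string) file_get_contents( 'priv.pem' ), 'example-password' );
echo ideal_sign_document( $document, $private_key, (string) file_get_contents( 'cert.cer' ) )->saveXML();
```

Two details matter for interoperability: the digest is computed over the message before the Signature element exists, which is what the enveloped-signature transform leaves behind, and openssl_sign() is fed the exclusive C14N bytes of SignedInfo rather than its serialized XML, so whitespace or prefix differences between the Merchant's and the Acquirer's serializers cannot change the signed bytes.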

wp-pronamic-pay-ideal-advanced-v3's People

Contributors

  • remcotolsma
  • rvdsteege


wp-pronamic-pay-ideal-advanced-v3's Issues

Conflicting issuers possible with equal configuration settings

To cache issuers, we're using a cache key based on the configuration settings:

    $ideal_issuer_field = new IDealIssuerSelectField( 'ideal-issuer' );
    $ideal_issuer_field->set_required( true );
    $ideal_issuer_field->set_options(
        new CachedCallbackOptions(
            function () {
                return $this->get_ideal_issuers();
            },
            'pronamic_pay_ideal_issuers_' . \md5( (string) \wp_json_encode( $config ) )
        )
    );

    /**
     * Serialize to JSON.
     *
     * @link https://www.w3.org/TR/json-ld11/#specifying-the-type
     * @return object
     */
    public function jsonSerialize(): object {
        return (object) [
            '@type'                => __CLASS__,
            'merchant_id'          => (string) $this->merchant_id,
            'sub_id'               => (string) $this->sub_id,
            'private_key'          => (string) $this->private_key,
            'private_key_password' => (string) $this->private_key_password,
            'certificate'          => (string) $this->certificate,
        ];
    }

I ran into an issue today where test issuers were listed in a live configuration. This can occur (and vice versa) if the same private key and certificate are used for test and production. Differentiating elements would then be the gateway ID or payment server URL, but none of these are included in the cache key.

Internal Help Scout ticket: https://secure.helpscout.net/conversation/2531684119/26982

Fatal error in XML signer on PHP < 8.0

We've received a fatal error message from a user on PHP version 7.4.33.

Uncaught TypeError: Argument 2 passed to Pronamic\WordPress\Pay\Gateways\IDealAdvancedV3\XmlSigner::__construct() must be an instance of OpenSSLAsymmetricKey, resource given, called in /www/wp-content/plugins/pronamic-ideal/vendor/wp-pay-gateways/ideal-advanced-v3/src/Client.php on line 290 and defined in /www/wp-content/plugins/pronamic-ideal/vendor/wp-pay-gateways/ideal-advanced-v3/src/XmlSigner.php:41

Stack trace:
#0 /www/wp-content/plugins/pronamic-ideal/vendor/wp-pay-gateways/ideal-advanced-v3/src/Client.php(290): Pronamic\WordPress\Pay\Gateways\IDealAdvancedV3\XmlSigner->__construct('FBF2ED03D19A2B3...', Resource id #501)
#1 /www/wp-content/plugins/pronamic-ideal/vendor/wp-pay-gateways/ideal-advanced-v3/src/Client.php(129): Pronamic\WordPress\Pay\Gateways\IDealAdvancedV3\Client->sign_document(Object(DOMDocument))
#2 /www/wp-content/plugins/pronamic-ideal/vendor/wp-pay-gateways/ideal-advanced-v3/src/Client.php(205): Pronamic\WordPress\Pay\Gateways\IDealAdvancedV3\Client->send_message(…

The issue is caused by the new XML signer expecting the private key parameter of type OpenSSLAsymmetricKey, but receiving a resource instead. OpenSSLAsymmetricKey was introduced in PHP 8.0.
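One way to make a signer accept both key representations, written here as an added example rather than the project's own XmlSigner: the class name CompatXmlSigner and its sign() method are hypothetical. The check relies on openssl_pkey_get_private() returning a resource of type "OpenSSL key" on PHP 7 and an OpenSSLAsymmetricKey object on PHP 8, and on `instanceof` against a class that does not exist evaluating to false rather than erroring.

```php
<?php
declare( strict_types=1 );

// Added example (not the project's XmlSigner): accept the private key in the
// form openssl_pkey_get_private() returns on PHP 7 (resource) and PHP 8 (object)
// by validating at runtime instead of with a parameter type that only exists on 8.0+.

final class CompatXmlSigner {
    /** @var string */
    private $fingerprint;

    /** @var resource|OpenSSLAsymmetricKey */
    private $private_key;

    /**
     * @param string                         $fingerprint Certificate fingerprint used as KeyName.
     * @param resource|OpenSSLAsymmetricKey $private_key Return value of openssl_pkey_get_private().
     */
    public function __construct( string $fingerprint, $private_key ) {
        if ( ! self::is_openssl_key( $private_key ) ) {
            $given = is_object( $private_key ) ? get_class( $private_key ) : gettype( $private_key );
            throw new InvalidArgumentException( 'Expected an OpenSSL private key, got ' . $given );
        }

        $this->fingerprint = $fingerprint;
        $this->private_key = $private_key;
    }

    /**
     * True for the value types openssl_pkey_get_private() returns on supported PHP versions.
     * `instanceof OpenSSLAsymmetricKey` is simply false on PHP 7, where the class does not exist.
     *
     * @param mixed $value
     */
    public static function is_openssl_key( $value ): bool {
        if ( $value instanceof OpenSSLAsymmetricKey ) {
            return true;
        }

        return is_resource( $value ) && 'OpenSSL key' === get_resource_type( $value );
    }

    /** Signs the exclusive-C14N bytes of SignedInfo with RSA-SHA256 and returns base64. */
    public function sign( string $canonical_signed_info ): string {
        $signature = '';

        if ( true !== openssl_sign( $canonical_signed_info, $signature, $this->private_key, OPENSSL_ALGO_SHA256 ) ) {
            throw new RuntimeException( 'openssl_sign() failed: ' . (string) openssl_error_string() );
        }

        return base64_encode( $signature );
    }

    public function get_fingerprint(): string {
        return $this->fingerprint;
    }
}
```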

Naming "Private Key" and "Private Certificate" incorrect / unclear

The naming of the "Private Key" and "Private Certificate" setting fields is a bit unclear. Rabobank refers to a 'secret key' and a 'public key' (the certificate).

    // Private Key.
    $fields[] = array(
        'section'  => 'general',
        'filter'   => FILTER_SANITIZE_STRING,
        'group'    => 'pk-cert',
        'meta_key' => '_pronamic_gateway_ideal_private_key',
        'title'    => __( 'Private Key', 'pronamic_ideal' ),
        'type'     => 'textarea',
        'callback' => array( $this, 'field_private_key' ),
        'classes'  => array( 'code' ),
        'tooltip'  => __( 'The private key is used for secure communication with the payment provider. If left empty, the private key will be generated using the given private key password.', 'pronamic_ideal' ),
    );

    // Private Certificate.
    $fields[] = array(
        'section'  => 'general',
        'filter'   => FILTER_SANITIZE_STRING,
        'group'    => 'pk-cert',
        'meta_key' => '_pronamic_gateway_ideal_private_certificate',
        'title'    => __( 'Private Certificate', 'pronamic_ideal' ),
        'type'     => 'textarea',
        'callback' => array( $this, 'field_private_certificate' ),
        'classes'  => array( 'code' ),
        'tooltip'  => __( 'The certificate is used for secure communication with the payment provider. If left empty, the certificate will be generated using the private key and given organization details.', 'pronamic_ideal' ),
    );


Upload test certificate

Test transactions that you send to the iDEAL test environment must carry an electronic signature. This signature is computed with the secret part of your certificate.

To be able to check the electronic signature, the non-secret part of the certificate (the public key) has to be loaded into the test environment of the Rabobank iDEAL Dashboard. For this you obviously first need to log in via https://idealtest.rabobank.nl.

For information about creating a key pair, consult chapter 8 of the Merchant Integration Guide.

The secret part of the certificate (secret key) is used in your iDEAL implementation to secure the payment requests from your website with a digital signature.
The public part of the certificate (public key) can be uploaded in the Rabobank iDEAL Dashboard, via the tab “Certificaat/sleutel instellen” (Set certificate/key). With it, Rabobank can verify with certainty that the payment requests were submitted from your website.

After pressing the “Services” button, expand the “Certificaten” (Certificates) section at the bottom and use the “Nieuw certificaat” (New certificate) and “Bladeren” (Browse) buttons to select a public key and add it to the test environment. You then have to confirm the chosen certificate at the bottom with the “Bevestigen” (Confirm) button. Keep in mind that the certificate file you select must have the .cer extension.
After a successful upload a green success message appears at the top of the screen.

N.B.: Before you can actually go into production, you have to repeat this step on the production side of the iDEAL Dashboard (https://ideal.rabobank.nl) to load a production certificate. Always make sure that the secret certificate used in your website belongs to the public key entered in the iDEAL Dashboard.


Suggestion:

  • Change Private Key Password to Secret Key Password
  • Change Private Key to Secret Key
  • Change Private Certificate to Certificate

Manual "Rabobank iDEAL Professional" outdated

The manual on https://www.pronamic.nl/support/pronamic-ideal-koppelen-met-rabobank-ideal-professional-v3/ is outdated.

Set up private key and certificate

  1. Go to the iDEAL Dashboard and choose Profiel » tab ‘Beveiliging’ (Profile » Security);
  2. upload the file bestandsnaam.cer you have just created;
  3. in the WordPress dashboard, open the page of the iDEAL configuration you created again. If no error messages from Pronamic iDEAL are shown at the top of the page, the certificate has been set up successfully.

@kjtolsma you were in the process of restructuring/merging the manual? Can I change https://www.pronamic.nl/support/pronamic-ideal-koppelen-met-rabobank-ideal-professional-v3/ or should this be done in another way?

We had a customer who accidentally uploaded the certificate on the "Rabo iDEAL Dashboard → Merchant data → General customer data" (Dutch: "Rabo iDEAL Dashboard → Acceptant beheer → Algemene klantgegevens") page.

English:
Rabo iDEAL Dashboard → Merchant data → iDEAL Service data

Dutch:
Rabo iDEAL Dashboard → Acceptant beheer → iDEAL Service data

CC: @rvdsteege

Authentication of iDEAL messages

To ensure the status of a transaction the Merchant has to verify the signature of the Acquirer in the Response messages.

To verify the signature in the SignatureValue field it is recommended that merchants use standard XML Digital Signature libraries available in most (web) programming languages.

Source: https://www.pronamic.eu/wp-content/uploads/sites/2/2016/06/Merchant-Integration-Guide-v3-3-1-ENG-February-2015.pdf

Internal Basecamp to-do: https://basecamp.com/1810084/projects/10966871/todos/305910650
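A matching verifier for the Acquirer's signature on Response messages, added here as an example and not the driver's own code: it pins every algorithm to the iDEAL rules quoted in the README instead of trusting what the message declares, ties the KeyName to the acquirer certificate the merchant has on file, checks SignatureValue over the exclusive C14N of SignedInfo, and only then recomputes the digest with the enveloped transform. The acquirer certificate path and reading the response from stdin are assumptions.

```php
<?php
declare( strict_types=1 );

// Added example (not the ideal-advanced-v3 driver): verify the Acquirer's
// enveloped XML signature on a Response message with DOM + OpenSSL only.

const DSIG_NS        = 'http://www.w3.org/2000/09/xmldsig#';
const ALG_EXC_C14N   = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const ALG_ENVELOPED  = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';
const ALG_SHA256     = 'http://www.w3.org/2001/04/xmlenc#sha256';
const ALG_RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; // RFC 4051

/**
 * Returns true only when the message carries exactly one enveloped Signature over
 * the whole document that validates against the given acquirer certificate (PEM).
 */
function ideal_verify_response( string $xml, string $acquirer_certificate_pem ): bool {
    $document = new DOMDocument();

    // LIBXML_NONET: a parsed response must never trigger network fetches. Entity
    // substitution stays off because LIBXML_NOENT is deliberately not passed.
    if ( ! $document->loadXML( $xml, LIBXML_NONET ) ) {
        return false;
    }

    $xpath = new DOMXPath( $document );
    $xpath->registerNamespace( 'ds', DSIG_NS );

    $signatures = $xpath->query( '/*/ds:Signature' );
    if ( 1 !== $signatures->length ) {
        return false; // no signature, or more than one: reject rather than pick.
    }
    $signature   = $signatures->item( 0 );
    $signed_info = $xpath->query( 'ds:SignedInfo', $signature )->item( 0 );
    if ( ! $signed_info instanceof DOMElement ) {
        return false;
    }

    // Pin the algorithms to the iDEAL rules; never let the message choose them.
    if ( 1 !== (int) $xpath->evaluate( 'count(ds:SignedInfo/ds:Reference)', $signature ) ) {
        return false;
    }
    $pinned = [
        'string(ds:SignedInfo/ds:CanonicalizationMethod/@Algorithm)'               => ALG_EXC_C14N,   // rule 3
        'string(ds:SignedInfo/ds:SignatureMethod/@Algorithm)'                      => ALG_RSA_SHA256, // rule 6
        'string(ds:SignedInfo/ds:Reference/@URI)'                                  => '',             // whole message
        'string(ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform/@Algorithm)' => ALG_ENVELOPED,  // rule 4
        'string(ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm)'            => ALG_SHA256,     // rule 5
    ];
    foreach ( $pinned as $query => $expected ) {
        if ( $expected !== $xpath->evaluate( $query, $signature ) ) {
            return false;
        }
    }

    // Rule 7: the KeyName must be the fingerprint of the certificate we trust.
    $fingerprint = openssl_x509_fingerprint( $acquirer_certificate_pem, 'sha1' );
    $key_name    = (string) $xpath->evaluate( 'string(ds:KeyInfo/ds:KeyName)', $signature );
    if ( false === $fingerprint || ! hash_equals( strtoupper( $fingerprint ), strtoupper( $key_name ) ) ) {
        return false;
    }

    // Rules 3 and 6: RSA-SHA256 over the exclusive C14N of SignedInfo, checked
    // while SignedInfo is still in its original context in the tree.
    $raw_signature = base64_decode( (string) $xpath->evaluate( 'string(ds:SignatureValue)', $signature ), true );
    $public_key    = openssl_pkey_get_public( $acquirer_certificate_pem );
    if ( false === $raw_signature || false === $public_key ) {
        return false;
    }
    if ( 1 !== openssl_verify( $signed_info->C14N( true, false ), $raw_signature, $public_key, OPENSSL_ALGO_SHA256 ) ) {
        return false;
    }

    // Rules 1, 2, 4 and 5: enveloped transform (drop the Signature), inclusive C14N of
    // the whole message, SHA-256, compared with the signed DigestValue. Base64 line
    // breaks after 76 characters are permitted, so whitespace is stripped first.
    $digest_value = preg_replace( '/\s+/', '', (string) $xpath->evaluate( 'string(ds:SignedInfo/ds:Reference/ds:DigestValue)', $signature ) );
    $signature->parentNode->removeChild( $signature );
    $computed = base64_encode( hash( 'sha256', $document->documentElement->C14N( false, false ), true ) );

    return hash_equals( $computed, (string) $digest_value );
}

// Usage (stdin and the certificate path are assumptions): act on the transaction
// status in the response only when this returns true.
$response_xml  = (string) file_get_contents( 'php://stdin' );
$acquirer_cert = (string) file_get_contents( 'acquirer-cert.cer' );
echo ideal_verify_response( $response_xml, $acquirer_cert ) ? "signature valid\n" : "signature INVALID\n";
```

The order of the checks is deliberate: the signature over SignedInfo is verified before the digest is recomputed, so a DigestValue that has been tampered with is caught by the RSA check, and the digest check then confirms that the signed SignedInfo really describes the message that was received.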

Fatal error in gateway settings if function `escapeshellarg()` is undefined

From customer:

Fatal error: Uncaught Error: Call to undefined function Pronamic\WordPress\Pay\Gateways\IDealAdvancedV3\escapeshellarg() in /wp-content/plugins/pronamic-ideal/vendor/wp-pay-gateways/ideal-advanced-v3/src/Integration.php:285

The program execution functions (like escapeshellarg()) are probably disabled in the hosting environment for security reasons.

Internal Help Scout ticket: https://secure.helpscout.net/conversation/2088187850/24884
