-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
publicKeyFingerprint SHA1 vs SHA256 #9
Comments
Hi @patrick7kelly, thanks for having opened this issue. Until now, SHA-256 is also the value displayed in the Mastercard Developers dashboard: https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/#getting-keys-for-your-application Can you confirm SHA-256 values are rejected and you had to replace the SHA- 256 value with a SHA-1 value you compute yourself? SHA-1 has been on the way out for years. For that reason, I'm not sure about updating our set of libraries to compute SHA-1 fingerprints (even if in this case it's for key identification, not for digital signature purposes). An option with the current version of this package is to put already computed (SHA-1) fingerprint values in configuration. see: Thanks! |
Hi @jaaufauvre, Yes, MDES was rejecting the payload entirely when We can technically work around this using something like the code below:
My main concern is that I doubt we are alone. Anyone trying to use this library out-of-the-box for Issuer-Initiated Digitization would face similar issues. And once they realize the issue, the only workarounds involve overwriting the fingerprint generated by the libraries. It might make sense to add something like |
Hi, We double-checked with the Pre-Digitalization team and prefer not to introduce a new piece of configuration here. The "client-encryption" packages already allow to use a custom (SHA1) fingerprint value in configuration, and SHA1 fingerprints should be replaced with SHA-256 fingerprints in the future. Best regards, |
We recently went live with Issuer-Initiated Digitization for MDES.
The implementation wasn't flawless though. One issue that came up - it seems like MC is expecting
publicKeyFingerprint
to be the SHA1 fingerprint of the certificate. However, theFieldLevelEncryptionConfig.__compute_fingerprint
method only returns the SHA256 fingerprint.In the "MDES Issuer Implementation Guide" (dated 5/12/2021) on page 101, the example payload shows a SHA1 fingerprint in
publicKeyFingerprint
.I'm happy to submit a PR for this but wondering if any maintainers have feedback.
The text was updated successfully, but these errors were encountered: