Decrypting Credentials
Follow these steps to decrypt the encrypted credential payload. The result will be the plaintext credential payload.
NOTE: The steps below assume that the OpenSSL library is available for your platform. If that is not the case, the specific steps may vary, but the outcome should be the same.
If you set the parameter onboardingVersion to 2, the payload will be returned in plaintext. To verify that the sender is Amazon, however, follow these steps:
1. URL-decode the publicKeyId value from the payload.
2. RSA-decrypt the value obtained using your private key, making sure to specify RSA as the algorithm.
3. Base64-decode the result and confirm that the value is what you expected.
4. Continue to the How to process plaintext credentials section.
Otherwise, if you did not set the onboardingVersion parameter (or set it to 1), follow the steps below to decrypt the encrypted response:
1. First, validate that the request came from Amazon Pay.
   a. Retrieve sigKeyId from the encrypted credential payload.
   b. Make a HEAD or GET request to https://payments.amazon.com/register/getpublickey, passing the sigKeyId from Step 1a via the sigkey_id parameter.
      Example: https://payments.amazon.com/register/getpublickey?sigkey_id=sigKey82015
      Note: The example uses a North American payment region URL; adjust it as needed for your region.
   c. You will receive a public key in the response, which is used to validate the signature.
   d. Base64-decode the signature from the encrypted credential payload.
   e. Use the verify function of the OpenSSL package (specifying the SHA256 algorithm), passing in the result of 1d (the Base64-decoded signature) and 1c (the public key).
   f. Confirm that the verify call succeeds.
2. Next, decrypt the encryptedKey value from the encrypted credential payload. This gives you the key that was used to encrypt the encryptedPayload value.
   a. Base64-decode the encryptedKey value from the encrypted credential payload.
   b. Use the private decrypt function of the OpenSSL package (specifying the OPENSSL_PKCS1_OAEP_PADDING algorithm) to decrypt the result of 2a, passing in the private key that was generated when the workflow was opened.
3. Next, decrypt the encryptedPayload using the result of 2b.
   a. Base64-decode the encryptedPayload value from the original received request.
   b. Base64-decode the iv value from the original received request.
   c. Use the mcrypt_cbc function of the mcrypt package to decode the result of 3a, specifying the MCRYPT_RIJNDAEL_128 algorithm, the key from 2b and the iv from 3b.
   NOTE: For a working example in PHP, view the decryptPayload function in our Magento extensions.
4. Continue to the How to process plaintext credentials section.
After completing these steps you will have the merchant credentials in a plaintext JSON object (see an example in the Payload data structures section).
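The signature check and the two decryption steps above, worked in PHP as an added example (this is not the page's code nor the Magento extension's decryptPayload): it uses PHP's openssl extension in place of the mcrypt package, which later PHP releases no longer ship, and assumes that the signature from step 1 covers the encryptedPayload string exactly as received, which the steps do not state. The key pair, AES key, iv and credential JSON are constructed inside the script so it runs offline.

```php
<?php
// Added example, not the Amazon Pay documentation's or the Magento extension's own code. Steps 1d-1f, 2 and 3
// with PHP's openssl extension in place of mcrypt (MCRYPT_RIJNDAEL_128 with a 16-byte key is AES-128-CBC).
// Assumption: the signature covers the encryptedPayload string exactly as received.
function verifyAmazonSignature(array $payload, string $amazonPublicKeyPem): bool
{
    $signature = base64_decode($payload['signature'], true);      // step 1d
    if ($signature === false) { return false; }
    // step 1e/1f: openssl_verify returns 1 on success, 0 on mismatch, -1/false on error
    return openssl_verify($payload['encryptedPayload'], $signature,
                          $amazonPublicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}
function decryptCredentialPayload(array $payload, string $merchantPrivateKeyPem): array
{
    // step 2: RSA-OAEP unwrap of the AES key with the merchant's private key
    $wrapped = base64_decode($payload['encryptedKey'], true);
    $aesKey = '';
    if ($wrapped === false || !openssl_private_decrypt($wrapped, $aesKey,
            $merchantPrivateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryptedKey could not be unwrapped');
    }
    // step 3: AES-128-CBC decrypt of encryptedPayload with that key and the iv
    $ciphertext = base64_decode($payload['encryptedPayload'], true);
    $iv = base64_decode($payload['iv'], true);
    if ($ciphertext === false || $iv === false || strlen($aesKey) !== 16 || strlen($iv) !== 16) {
        throw new RuntimeException('malformed encryptedPayload, iv or unwrapped key');
    }
    // OPENSSL_RAW_DATA: raw input, PKCS#7 padding stripped (assumed; mcrypt_cbc returned
    // the padding bytes as well, so trim them if the JSON comes back with trailing bytes)
    $json = openssl_decrypt($ciphertext, 'aes-128-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
    $credentials = $json === false ? null : json_decode($json, true);
    if (!is_array($credentials)) {
        throw new RuntimeException('encryptedPayload did not decrypt to a JSON object');
    }
    return $credentials;
}
// Constructed round trip: one generated key pair stands in for both Amazon's signing key
// and the merchant's workflow key; in production these are two different keys.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];
$aesKey = random_bytes(16); $iv = random_bytes(16);
$cipher = openssl_encrypt('{"merchant_id":"EXAMPLE_ID"}', 'aes-128-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
openssl_public_encrypt($aesKey, $wrapped, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
$payload = ['encryptedKey' => base64_encode($wrapped), 'encryptedPayload' => base64_encode($cipher), 'iv' => base64_encode($iv)];
openssl_sign($payload['encryptedPayload'], $sig, $privatePem, OPENSSL_ALGO_SHA256);
$payload['signature'] = base64_encode($sig);
if (!verifyAmazonSignature($payload, $publicPem)) { exit("signature check failed\n"); }
print_r(decryptCredentialPayload($payload, $privatePem));
```

Treat a failed verify in step 1 as a hard stop: the credentials in the payload are only trustworthy if the signature checks out against the key fetched from the getpublickey endpoint.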