Add NexoSecurityManager

gcatanese · gcatanese · commit a645484a01b6 · 2025-09-05T10:30:18.000+02:00
diff --git a/src/__tests__/security/nexoSecurityManager.spec.ts b/src/__tests__/security/nexoSecurityManager.spec.ts
@@ -0,0 +1,142 @@
+/*
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ * Adyen NodeJS API Library
+ * Copyright (c) 2025 Adyen B.V.
+ * This file is open source and available under the MIT license.
+ * See the LICENSE file for more info.
+ */
+
+import NexoSecurityManager from "../../security/nexoSecurityManager";
+import { EncryptionCredentialDetails } from "../../security/encryptionCredentialDetails";
+import { MessageHeader, SaleToPOISecuredMessage, MessageCategoryType, MessageClassType, MessageType } from "../../typings/cloudDevice/models";
+import InvalidSecurityKeyException from "../../security/exception/invalidSecurityKeyException";
+import NexoCryptoException from "../../services/exception/nexoCryptoException";
+
+describe("NexoSecurityManager", (): void => {
+    const credentials: EncryptionCredentialDetails = {
+        KeyIdentifier: "SpecTest",
+        KeyVersion: 1,
+        Passphrase: "spec-test-passphrase",
+        AdyenCryptoVersion: 1,
+    };
+
+    const messageHeader: MessageHeader = {
+        MessageCategory: MessageCategoryType.Payment,
+        MessageClass: MessageClassType.Service,
+        MessageType: MessageType.Request,
+        POIID: "P400Plus-123456789",
+        ProtocolVersion: "3.0",
+        SaleID: "001",
+        ServiceID: "001",
+    };
+
+    const saleToPoiMessageJson = JSON.stringify({
+        PaymentRequest: {
+            SaleData: {
+                SaleTransactionID: {
+                    TransactionID: "001",
+                    TimeStamp: "2025-01-01T00:00:00.000Z",
+                },
+            },
+        },
+    });
+
+    it("should encrypt and decrypt a message successfully", (): void => {
+        // Encrypt
+        const securedMessage: SaleToPOISecuredMessage = NexoSecurityManager.encrypt(
+            messageHeader,
+            saleToPoiMessageJson,
+            credentials,
+        );
+
+        expect(securedMessage).toBeDefined();
+        expect(securedMessage.MessageHeader).toEqual(messageHeader);
+        expect(securedMessage.NexoBlob).toBeDefined();
+        expect(typeof securedMessage.NexoBlob).toBe("string");
+        expect(securedMessage.SecurityTrailer).toBeDefined();
+        expect(securedMessage.SecurityTrailer.KeyIdentifier).toBe(credentials.KeyIdentifier);
+        expect(securedMessage.SecurityTrailer.KeyVersion).toBe(credentials.KeyVersion);
+        expect(securedMessage.SecurityTrailer.AdyenCryptoVersion).toBe(credentials.AdyenCryptoVersion);
+        expect(typeof securedMessage.SecurityTrailer.Hmac).toBe("string");
+        expect(typeof securedMessage.SecurityTrailer.Nonce).toBe("string");
+
+        // Decrypt
+        const decryptedJson = NexoSecurityManager.decrypt(securedMessage, credentials);
+
+        expect(decryptedJson).toBe(saleToPoiMessageJson);
+    });
+
+    it("should throw InvalidSecurityKeyException on decrypt with invalid credentials", (): void => {
+        const invalidCredentials: any[] = [
+            {},
+            { ...credentials, Passphrase: "" },
+            { ...credentials, KeyIdentifier: "" },
+            { ...credentials, KeyVersion: NaN },
+            { ...credentials, AdyenCryptoVersion: NaN },
+            null,
+            undefined,
+        ];
+
+        const securedMessage: SaleToPOISecuredMessage = NexoSecurityManager.encrypt(
+            messageHeader,
+            saleToPoiMessageJson,
+            credentials,
+        );
+
+        invalidCredentials.forEach((cred): void => {
+            expect((): string => NexoSecurityManager.decrypt(securedMessage, cred)).toThrow(
+                new InvalidSecurityKeyException("Invalid Encryption Credentials")
+            );
+        });
+
+
+    });
+
+    it("should throw NexoCryptoException on decrypt with wrong HMAC", (): void => {
+        const securedMessage: SaleToPOISecuredMessage = NexoSecurityManager.encrypt(
+            messageHeader,
+            saleToPoiMessageJson,
+            credentials,
+        );
+
+        // Tamper with the HMAC
+        const tamperedMessage = {
+            ...securedMessage,
+            SecurityTrailer: {
+                ...securedMessage.SecurityTrailer,
+                Hmac: "dGFtcGVyZWRIbWFj", // "tamperedHmac" in base64
+            },
+        };
+
+        expect((): string => NexoSecurityManager.decrypt(tamperedMessage, credentials))
+            .toThrow(NexoCryptoException);
+    });
+
+    it("should throw NexoCryptoException on decrypt with wrong passphrase", (): void => {
+        const securedMessage: SaleToPOISecuredMessage = NexoSecurityManager.encrypt(
+            messageHeader,
+            saleToPoiMessageJson,
+            credentials,
+        );
+
+        const wrongCredentials = {
+            ...credentials,
+            Passphrase: "wrong-passphrase",
+        };
+
+        expect((): string => NexoSecurityManager.decrypt(securedMessage, wrongCredentials))
+            .toThrow(NexoCryptoException);
+    
+    });
+});
diff --git a/src/security/nexoSecurityManager.ts b/src/security/nexoSecurityManager.ts
@@ -24,7 +24,7 @@ import {
     NexoDerivedKey,
     SaleToPOISecuredMessage,
     SecurityTrailer,
-} from "../typings/terminal/models";
+} from "../typings/cloudDevice/models";
 import { EncryptionCredentialDetails } from "./encryptionCredentialDetails";
 import InvalidSecurityKeyException from "./exception/invalidSecurityKeyException";
 import NexoDerivedKeyGenerator from "./nexoDerivedKeyGenerator";
@@ -45,43 +45,54 @@ enum Modes {
  * - Constructs and validates {@link SecurityTrailer}
  */
 class NexoSecurityManager {
+
     /**
      * Encrypts a SaleToPOI message.
      *
      * @param messageHeader - The Nexo message header
      * @param saleToPoiMessageJson - The message body in JSON string format
      * @param credentials - The encryption credentials
-     * @returns A secured SaleToPOI message with encrypted payload and security trailer
+     * @returns A instance of SaleToPOISecuredMessage with  MessageHeader, NexoBlob (the encrypted payload) and SecurityTrailer
      */
     public static encrypt(
         messageHeader: MessageHeader,
         saleToPoiMessageJson: string,
         credentials: EncryptionCredentialDetails,
     ): SaleToPOISecuredMessage {
-        const derivedKey: NexoDerivedKey = NexoDerivedKeyGenerator.deriveKeyMaterial(credentials.Passphrase);
-        const saleToPoiMessageByteArray = Buffer.from(saleToPoiMessageJson, "utf-8");
-        const ivNonce = NexoSecurityManager.generateRandomIvNonce();
-        const encryptedSaleToPoiMessage = NexoSecurityManager.crypt(
-            saleToPoiMessageByteArray,
-            derivedKey,
-            ivNonce,
-            Modes.ENCRYPT,
-        );
-        const encryptedSaleToPoiMessageHmac = NexoSecurityManager.hmac(saleToPoiMessageByteArray, derivedKey);
-
-        const securityTrailer: SecurityTrailer = {
-            AdyenCryptoVersion: credentials.AdyenCryptoVersion,
-            Hmac: encryptedSaleToPoiMessageHmac.toString("base64"),
-            KeyIdentifier: credentials.KeyIdentifier,
-            KeyVersion: credentials.KeyVersion,
-            Nonce: ivNonce.toString("base64"),
-        };
-
-        return {
-            MessageHeader: messageHeader,
-            NexoBlob: encryptedSaleToPoiMessage.toString("base64"),
-            SecurityTrailer: securityTrailer,
-        };
+
+        try {
+
+            const derivedKey: NexoDerivedKey = NexoDerivedKeyGenerator.deriveKeyMaterial(credentials.Passphrase);
+            const saleToPoiMessageByteArray = Buffer.from(saleToPoiMessageJson, "utf-8");
+            const ivNonce = NexoSecurityManager.generateRandomIvNonce();
+            const encryptedSaleToPoiMessage = NexoSecurityManager.crypt(
+                saleToPoiMessageByteArray,
+                derivedKey,
+                ivNonce,
+                Modes.ENCRYPT,
+            );
+            const encryptedSaleToPoiMessageHmac = NexoSecurityManager.hmac(saleToPoiMessageByteArray, derivedKey);
+
+            const securityTrailer: SecurityTrailer = {
+                AdyenCryptoVersion: credentials.AdyenCryptoVersion,
+                Hmac: encryptedSaleToPoiMessageHmac.toString("base64"),
+                KeyIdentifier: credentials.KeyIdentifier,
+                KeyVersion: credentials.KeyVersion,
+                Nonce: ivNonce.toString("base64"),
+            };
+
+            return {
+                MessageHeader: messageHeader,
+                NexoBlob: encryptedSaleToPoiMessage.toString("base64"),
+                SecurityTrailer: securityTrailer,
+            };
+
+        } catch (err: any) {
+            // an error has occurred
+            console.error(err);
+            throw new NexoCryptoException(err?.message || "Unknown error during encryption");
+        }
+
     }
 
     /**
@@ -90,29 +101,40 @@ class NexoSecurityManager {
      * @param saleToPoiSecureMessage - The secured message to decrypt
      * @param credentials - The encryption credentials
      * @throws {InvalidSecurityKeyException} If the credentials are invalid
-     * @throws {NexoCryptoException} If HMAC validation fails
+     * @throws {NexoCryptoException} When an error occurs
      * @returns The decrypted SaleToPOI message as a UTF-8 string
      */
     public static decrypt(
         saleToPoiSecureMessage: SaleToPOISecuredMessage,
         credentials: EncryptionCredentialDetails,
     ): string {
-        NexoSecurityManager.validateEncryptionCredentials(credentials);
-
-        const encryptedSaleToPoiMessageByteArray = Buffer.from(saleToPoiSecureMessage.NexoBlob, "base64");
-        const derivedKey = NexoDerivedKeyGenerator.deriveKeyMaterial(credentials.Passphrase);
-        const ivNonce = Buffer.from(saleToPoiSecureMessage.SecurityTrailer.Nonce, "base64");
-        const decryptedSaleToPoiMessageByteArray = NexoSecurityManager.crypt(
-            encryptedSaleToPoiMessageByteArray,
-            derivedKey,
-            ivNonce,
-            Modes.DECRYPT,
-        );
-
-        const receivedHmac = Buffer.from(saleToPoiSecureMessage.SecurityTrailer.Hmac, "base64");
-        NexoSecurityManager.validateHmac(receivedHmac, decryptedSaleToPoiMessageByteArray, derivedKey);
-
-        return decryptedSaleToPoiMessageByteArray.toString("utf-8");
+
+        try {
+            NexoSecurityManager.validateEncryptionCredentials(credentials);
+
+            // decrypt content of NexoBlob
+            const encryptedSaleToPoiMessageByteArray = Buffer.from(saleToPoiSecureMessage.NexoBlob, "base64");
+            
+            const derivedKey = NexoDerivedKeyGenerator.deriveKeyMaterial(credentials.Passphrase);
+            const ivNonce = Buffer.from(saleToPoiSecureMessage.SecurityTrailer.Nonce, "base64");
+            const decryptedSaleToPoiMessageByteArray = NexoSecurityManager.crypt(
+                encryptedSaleToPoiMessageByteArray,
+                derivedKey,
+                ivNonce,
+                Modes.DECRYPT,
+            );
+
+            const receivedHmac = Buffer.from(saleToPoiSecureMessage.SecurityTrailer.Hmac, "base64");
+            NexoSecurityManager.validateHmac(receivedHmac, decryptedSaleToPoiMessageByteArray, derivedKey);
+
+            return decryptedSaleToPoiMessageByteArray.toString("utf-8");
+
+        } catch (err: any) {
+            // an error has occurred
+            console.error(err);
+            throw new NexoCryptoException(err?.message || "Unknown error during decryption");
+        }
+
     }
 
     private static validateEncryptionCredentials(credentials: EncryptionCredentialDetails): void {
@@ -127,19 +149,36 @@ class NexoSecurityManager {
         }
     }
 
+    /**
+     * Performs AES-256-CBC encryption or decryption.
+     *
+     * @param bytes The data to be encrypted or decrypted.
+     * @param dk The derived key containing the cipher key and IV.
+     * @param ivNonce The random nonce to be XORed with the IV.
+     * @param mode The operation mode (ENCRYPT or DECRYPT).
+     * @throws {NexoCryptoException} If an error occurs during the cryptographic operation.
+     * @returns The resulting encrypted or decrypted data as a Buffer.
+     */
     private static crypt(bytes: Buffer, dk: NexoDerivedKey, ivNonce: Buffer, mode: Modes): Buffer {
-        const actualIV = Buffer.alloc(NexoEnum.IV_LENGTH);
-        for (let i = 0; i < NexoEnum.IV_LENGTH; i++) {
-            actualIV[i] = dk.iv[i] ^ ivNonce[i];
+        try {
+            const actualIV = Buffer.alloc(NexoEnum.IV_LENGTH);
+            for (let i = 0; i < NexoEnum.IV_LENGTH; i++) {
+                actualIV[i] = dk.iv[i] ^ ivNonce[i];
+            }
+
+            const cipher = mode === Modes.ENCRYPT
+                ? createCipheriv("aes-256-cbc", dk.cipherKey, actualIV)
+                : createDecipheriv("aes-256-cbc", dk.cipherKey, actualIV);
+
+            let encrypted = (cipher as Cipher).update(bytes);
+            encrypted = Buffer.concat([encrypted, cipher.final()]);
+            return encrypted;
+
+        } catch (err: any) {
+            // an error has occurred
+            console.error(err);
+            throw new NexoCryptoException(err?.message || "Unknown error during AES encryption or decryption");
         }
-
-        const cipher = mode === Modes.ENCRYPT
-            ? createCipheriv("aes-256-cbc", dk.cipherKey, actualIV)
-            : createDecipheriv("aes-256-cbc", dk.cipherKey, actualIV);
-
-        let encrypted = (cipher as Cipher).update(bytes);
-        encrypted = Buffer.concat([encrypted, cipher.final()]);
-        return encrypted;
     }
 
     private static hmac(bytes: Buffer, derivedKey: NexoDerivedKey): Buffer {
