 

PayPal encrypted buttons (EWP)

Started by impiastro, December 17, 2009, 11:25:19 am


impiastro

I would like to share with you my experience of PayPal form data encryption.

In our new ecommerce website we are using the PayPal Payment module.
We were able to configure this module and use it in our order management, but we would like to secure the connection between our ecommerce site and the PayPal (PP) website.

We read about this possibility on the PP website, in this document https://www.paypal.com/en_US/ebook/PP_WebsitePaymentsStandard_IntegrationGuide/encryptedwebpayments.html and also this one https://cms.paypal.com/us/cgi-bin/?&cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0QC0X4__id08A3IL00L2L .

At the beginning it seemed really simple, but I faced many problems during the entire process, so I decided to write some lines just to help anyone who needs to encrypt their PP button using Java.


  • Download the bouncycastle distribution called crypto-144.zip from http://www.bouncycastle.org/latest_releases.html

  • Extract the files bcmail-jdk16-144.jar, bcpg-jdk16-144.jar, bcprov-jdk16-144.jar, bctest-jdk16-144.jar and put them inside the web application classpath

  • Check if you are using a JRE JVM and not a JDK; we need, in fact, a directory called security inside the lib directory of the $JAVA_HOME path

  • Download the file jce_policy-6.zip from the Java download repository and extract its jar inside the directory security inside the lib directory of the $JAVA_HOME path

  • Generate the public/private key and the export certificate using the command "openssl"




openssl genrsa -passout stdin -out my-prvkey.pem 1024 # write the password and press the enter key
openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem
openssl pkcs12 -export -inkey my-prvkey.pem -in my-pubcert.pem -out my-prvkey.p12






...
String buttonString = null;

if (pDetails != null) {
    NameValue[] parameters = pDetails.getParameters();

    if (parameters != null) {
        // Build a comma-separated list of name=value pairs from the payment parameters
        String data = "";
        int i = 0;
        for (NameValue parameter : parameters) {
            if (i > 0) {
                data += ",";
            }

            String value = parameter.getValue();

            data += parameter.getName() + "=" + value;

            i++;
        }
        // Append the ID of the public certificate
        data += ",cert_id=" + certId;

        try {
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            String keyPath = privateCertPkcs12Path;
            String certPath = publicCertPath;
            String paypalCertPath = paypalPublicCertPath;
            String keyPass = privateCertPass;

            // Produce the value for the form's "encrypted" field
            buttonString = ClientSide.getButtonEncryptionValue(data, keyPath, certPath, paypalCertPath, keyPass);
        } catch (Exception ppe) {
            ppe.printStackTrace();
        }
    }
}


Where pDetails is the PaymentDetails object from your order, certId is the certificate ID of your public certificate generated by PayPal, and privateCertPkcs12Path, publicCertPath and paypalPublicCertPath are the paths to your private certificate, your public certificate and the PayPal public certificate; privateCertPass is your private certificate password.

  • Create a form using this syntax (velocity)



<form action="$order.getPaymentDetails().requestUrl" method="$order.getPaymentDetails().postOrGet">

<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="$buttonString">

<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" style="width: 68px; border-width: 0px;">
</form>




Remember that a certificate lasts for a year, so you must repeat the certificate generation steps before this deadline.

Now you can see something like this:



<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">

<input type="hidden" value="_s-xclick" name="cmd"/>
<input type="hidden" value="-----BEGIN PKCS7-----...-----END PKCS7-----" name="encrypted"/>

<input type="image" border="0" style="border-width: 0px; width: 68px;" name="submit" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif"/>
</form>



If everything is OK, PayPal should decrypt your "encrypted" variable and show the correct information to the purchaser.
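
An added example, not part of the original post and not KonaKart or PayPal code: the Java snippet in the post joins name=value pairs with commas, so a parameter value that itself contains a comma or a line break would change how many fields the payload appears to hold before it is encrypted. The sketch below builds the same comma-joined string but rejects such input first; it assumes the comma is treated as the field separator downstream, `EwpData`, `buildData` and `requireClean` are hypothetical names, and a `Map` stands in for KonaKart's `NameValue[]`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper, not KonaKart or PayPal code. */
public class EwpData {

    /** Joins name=value pairs with ',' as in the post, refusing input that would alter the field layout. */
    static String buildData(Map<String, String> params, String certId) {
        StringBuilder data = new StringBuilder();
        for (Map.Entry<String, String> p : params.entrySet()) {
            requireClean(p.getKey(), true);
            requireClean(p.getValue(), false);
            data.append(p.getKey()).append('=').append(p.getValue()).append(',');
        }
        requireClean(certId, false);
        return data.append("cert_id=").append(certId).toString();
    }

    /** Names may not contain '='; neither names nor values may contain ',' or a line break. */
    private static void requireClean(String s, boolean isName) {
        String kind = isName ? "name" : "value";
        if (s == null || (isName && s.isEmpty())) {
            throw new IllegalArgumentException("missing field " + kind);
        }
        for (char c : s.toCharArray()) {
            if (c == ',' || c == '\r' || c == '\n' || (isName && c == '=')) {
                throw new IllegalArgumentException("separator character in field " + kind);
            }
        }
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>(); // constructed sample fields
        params.put("business", "seller@example.com");
        params.put("item_name", "Blue mug");
        params.put("amount", "12.50");
        System.out.println(buildData(params, "CERT_ID_PLACEHOLDER"));

        params.put("item_name", "Mug, blue"); // the comma would be read as a field separator
        try {
            buildData(params, "CERT_ID_PLACEHOLDER");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The string returned by `buildData` would take the place of `data` in the call to `ClientSide.getButtonEncryptionValue`; whether to reject or to strip offending characters is a choice for the shop, but the check belongs before encryption, since nothing can inspect the fields afterwards.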