Decryption and Signing

[sujeets-protean]

For Signing Key Pair Generation,

• Generate Key Pair from Random using Ed25519 in Base64 Format

For Signing

• String signingString = "value_of_request_id"; // This is for /subscribe - initial registration (ops_1,ops_2,ops_3,ops_4,ops_5)
• String signingString = "country|domain|type|city|subscriberId"; // This is for /lookup(ops_1,ops_2,ops_3,ops_4,ops_5)
• Use Ed25519Signer for signing in BASE 64 Format

Encryption/Decryption Key Pair Generation

• Step 0 Generate Key Pair from Random using X25519 Keys in Base64 Format. X25519 an elliptic curve Diffie-Hellman key exchange using Curve25519.

For Decryption,

• Step 1: For PreProd, use ONDC Public Key as "MCowBQYDK2VuAyEAa9Wbpvd9SsrpOZFcynyt/TO3x0Yrqyys4NUGIvyxX2Q="
• Step 2: Use Network Participants Private Key that is generated in Step 0 of Encryption Key Pair Generation
• Step 3: Decrypt using above two keys by using AES Encryption

[sujeets-protean]

Code Snippet for Decryption

          import java.nio.charset.StandardCharsets;
          import java.security.KeyFactory;
          import java.security.KeyPair;
          import java.security.KeyPairGenerator;
          import java.security.NoSuchAlgorithmException;
          import java.security.NoSuchProviderException;
          import java.security.PrivateKey;
          import java.security.PublicKey;
          import java.security.Security;
          import java.security.spec.PKCS8EncodedKeySpec;
          import java.security.spec.X509EncodedKeySpec;
          import java.util.Base64;
          
          import javax.crypto.Cipher;
          import javax.crypto.KeyAgreement;
          import javax.crypto.SecretKey;
          ........................
          ......................../* Removed Code for brevity
          ........................
           byte[] dataBytes = Base64.getDecoder().decode(ONDCPublicKey);
          PublicKey publicKey = getPublicKey("X25519", dataBytes);
          dataBytes = Base64.getDecoder().decode(MyParticipantPrivateKey());
          PrivateKey privateKey = getPrivateKey("X25519", dataBytes);
          KeyAgreement atServer1 = KeyAgreement.getInstance("X25519", BouncyCastleProvider.PROVIDER_NAME);
          atServer1.init(privateKey); 
          atServer1.doPhase(publicKey, true); 
          SecretKey key1 = atServer1.generateSecret(secretKey); 
          Cipher cipher2 = Cipher.getInstance("AES", BouncyCastleProvider.PROVIDER_NAME);
          cipher2.init(Cipher.DECRYPT_MODE, key1); 
          byte[] decrypted2 = cipher2.doFinal(Base64.getDecoder().decode(request.getValue())); 
          return new String(decrypted2);

[evital-manav]

Has anyone implemented this in nodejs?

[KMJ-007]

@evital-manav have you implemented in nodejs ?

how did you did ?

It would be great help.

[evital-manav]

It is not possible to implement this in node js. I used APIs to generate keys and decrypt the challenge.

To generate keys: https://pilot-gateway-1.beckn.nsdl.co.in/crypto/encrypt/decrypt/key

To decrypt the challenge: https://preprod.registry.ondc.org/ondc/challenge/decrypt/text
```
const headers = { 'content-type': 'application/json' }
const body = {
"challenge": "YOUR_CHALLANGE",
"client_private_key": "YOUR_PRIVATE_KEY"
}

[KMJ-007]

hey, thanks man,

I truly appreciate your help,

but decrypt api is not working,

We are building Seller app for ondc, and have some doubt,

I also participated in ondc-hackathon in jan, our team was in top 10,

It would be great if i can contact you somehow, what is the best way to reach out to you?

[evital-manav]

Decrypt API is working for me. here is the curl request.

var options = {
  'method': 'POST',
  'url': 'https://preprod.registry.ondc.org/ondc/challenge/decrypt/text',
  'headers': {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    "challenge": "oAG2bLQ3SemO9SziQsnHzUMAUKEfrdEvMPj41Bw8z0F356KuC3O9jBz9DVAhTIL0",
    "client_private_key": "YOUR_PRIVATE_KEY"
  })

};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});```
you can contact me at [email protected]

[sujeets-protean]

Sample Encryption Key Pairs, Plain Text Challenge String, Encrypted Challenge String, ONDC Public Key

• Network participant's Encryption Key-pair
  "publicKey": "MCowBQYDK2VuAyEAWkmlPlCA/8O1ph7IaEgtIH0KYspuK9uNv67yjUszRF4=",
  "privateKey": "MFECAQEwBQYDK2VuBCIEIEheaFdloBrTgXWPb0H97kVjieQGuOBhP+U9s/EtjZtzgSEAWkmlPlCA/8O1ph7IaEgtIH0KYspuK9uNv67yjUszRF4="
• ONDC Public Key
  "ONDCPublicKey": "MCowBQYDK2VuAyEAAwwCFnED/FC0DlCsAVF8mHN9tx3pSCjpkOTbsGHFyjE="
• Plain Challenge Text : "c678e22f-f11e-4beb-8a75-dca4d7aad834"
• Encrypted Challenge Text : "UhNzZ4opNofhdHgSfA549e09QX7WGVNk/J0m22099exz1N4AU//FGyOoE75Gkkob"

[ganeshfosgen]

ONDC new Public Key
"ONDCPublicKey": "MCowBQYDK2VuAyEAa9Wbpvd9SsrpOZFcynyt/TO3x0Yrqyys4NUGIvyxX2Q="

[nirmay]

I am trying to use the sample data above with the following API, and the response is empty
{ "answer": ""}

The endpoint url is
https://preprod.registry.ondc.org/ondc/challenge/decrypt/text

with request payload as below
{ "challenge": "UhNzZ4opNofhdHgSfA549e09QX7WGVNk/J0m22099exz1N4AU//FGyOoE75Gkkob", "client_private_key": "MFECAQEwBQYDK2VuBCIEIEheaFdloBrTgXWPb0H97kVjieQGuOBhP+U9s/EtjZtzgSEAWkmlPlCA/8O1ph7IaEgtIH0KYspuK9uNv67yjUszRF4=" }

@sujeets-protean @krishna-404 can you pls help??

[krishna-404]

Hi @nirmay , Its my best understanding so far that, the private key should be 88 characters... Again I'm not completely sure yet...

I Have been able to create auth-header with privatekey of 88 characters, that's the basis of my reading...

Your private key has 112 characters... with which I have been unable to create an auth-header... have you been able to create auth-header with this private key?

[nirmay]

Thanks @krishna-404

I am using the key given in the sample data.

and are you referring to signing keys (since you mentioned auth header)?, I am referring to decryption.

[krishna-404]

I understand that you are referring to decryption. but if we are using the same protocol throughout, shouldnt the keys have same length? somehow keys with 112 characters don't seem to work any where. Like I said, Im deducing a lot of this stuff. :|

[sujeets-protean]

NPs can generate X25519 Encryption Key Pairs

========================================

openssl genpkey -algorithm x25519 -out x25519-priv.pem

openssl pkey -in x25519-priv.pem -pubout -out x25519-pub.pem

cat x25519-pub.pem

cat x25519-priv.pem

[krishna-404]

People on macOS might find challenges implementing this... here is a solution suggested on SO for the same

https://stackoverflow.com/a/67770463

[krishna-404]

@sujeets-protean using the keys generated using above method, when we try to create auth headers using in nodejs (as described here https://docs.google.com/document/d/1gfbhbhFMKnsRUHkJq9FfZ-9-KjNS0uCiW0kBkwTAOfA/edit?usp=sharing ) or using python ( as described here https://github.com/ONDC-Official/Pre-production/tree/main/signing_and_verification), we are getting the error invalid privateKey length

The private key generated using the openssl method described here is of 64 characters, whereas the scripts (python & nodejs) above are expecting a key of 88 characters. Pls advise.

[sujeets-protean]

These are steps to generate ENCRYPTION key pairs that are used during registration and amendments.
For Auth Header creation, please generate and use SIGNING key pairs.

[sujeets-protean]

These are steps to generate ENCRYPTION key pairs that are used during registration and amendments. For Header creation, please generate and use SIGNING key pairs. Warm Regards, Sujeet From: krishna404 ***@***.***> Sent: 03 September 2022 21:29 To: ONDC-Official/Pre-production ***@***.***> Cc: Sujeet Suryawanshi ***@***.***>; Mention ***@***.***> Subject: [External] Re: [ONDC-Official/Pre-production] Decryption and Signing (Discussion #2) @sujeets-protean<https://github.com/sujeets-protean> using the keys generated using above method, when we try to create auth headers using in nodejs (as described here https://docs.google.com/document/d/1gfbhbhFMKnsRUHkJq9FfZ-9-KjNS0uCiW0kBkwTAOfA/edit?usp=sharing ) or using python ( as described here https://github.com/ONDC-Official/Pre-production/tree/main/signing_and_verification), we are getting the error invalid privateKey length The private key generated using the openssl method described here is of 64 characters, whereas the scripts (python & nodejs) above are expecting a key of 88 characters. Pls advise. — Reply to this email directly, view it on GitHub<#2 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZUOXBLTYLBL65BYQTGRB7TV4NYUXANCNFSM53CDA7TA>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> [ { ***@***.***": "http://schema.org", ***@***.***": "EmailMessage", "potentialAction": { ***@***.***": "ViewAction", "target": "#2 (reply in thread)", "url": "#2 (reply in thread)", "name": "View Discussion" }, "description": "View this Discussion on GitHub", "publisher": { ***@***.***": "Organization", "name": "GitHub", "url": "https://github.com" } } ] ****************************************************************************************************************************************************************************************************************This message is for the named addresses' use only. It may contain NSDL confidential, proprietary or legally privileged information. If you receive this message in error, please immediately delete it. You must not, directly or indirectly,use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Unless otherwise stated, any commercial information given in this message does not constitute an offer to deal on any terms quoted. Any reference to the terms of executed transactions should be treated as preliminary only and subject to our formal written confirmation. *******************************************************************************************************************************************************************************************

[krishna-404]

Can you suggest the right way to create the auth headers please.

The method mentioned there is looking for a sigining private key of 88 characters & OpenSSL method creates one with 64 characters.

Thanks!

[sujeets-protean]

@krishna-404 For which environment you are trying to create auth header ?

[krishna-404]

@sujeets-protean for staging env

[krishna-404]

@sujeets-protean probably your question was about tech-stack? In that case, we are using node-js.