This article focuses on one specific step: obtaining the cryptogram from Apple after the buyer has passed Touch ID or Face ID. The backend language is PHP.
My name is Alexander, I am a junior PHP programmer at Moguta, and I ran into the task of integrating Apple Pay into our Moguta.CMS. Today I'll explain how to authenticate to Apple Pay to make a payment without needing to understand the internals of secure connections and certificates, since I didn't have enough material at the start of my journey.
I won't reproduce the full walkthrough for adding Apple Pay to your site here. Instructions on how to register an Apple developer account, where to create a Payment Processing certificate, and where to send the response you receive are plentiful on the Russian-language internet (Runet); just search Google for "apple pay integration to the site" and choose a payment aggregator, which will give you detailed step-by-step instructions.
The minimum requirement for this guide is macOS for working with keys, since handling certificates on other operating systems is a separate topic that I won't cover here.
First, let's get our bearings on where the action will take place. The algorithm is as follows:
We are interested in step 4, since an ordinary cURL request is not enough.
For Apple to believe that it is dealing with us personally, you first need a Merchant Identity certificate (not to be confused with the Payment Processing certificate, which is needed for the payment gateway). To start, create a certificate request following the official instructions. The resulting file is uploaded for the Apple Pay Merchant Identity Certificate of your Merchant ID.
In response, we get merchant_id.cer, which we add to the keychain. From its private key we generate a .p12 file. To do this, open the private key's context menu and select "Export ..."
We extract the key with the following command (the password the terminal asks for will be the password for the key; we will need it when connecting to Apple):
openssl pkcs12 -in < >.p12 -out ApplePay.key.pem -nocerts -nodes
and convert our certificate to PEM:
openssl x509 -inform der -in merchant_id.cer -out merchant_id.pem
Now we have all the files we need to prove to Apple's server that we are who we say we are.
We skip the step of obtaining the validation URL (read more in another article on Habr) and move on to the moment when the JS script in Safari has sent our server a request to authorize with Apple.
For this we use PHP with cURL. Code example:
$ch = curl_init();
// JSON body of the merchant validation request
$data = '{"merchantIdentifier":"<, Merchant ID>", "domainName":"< ->", "displayName":"< -, TouchID/FaceID>"}';
curl_setopt($ch, CURLOPT_URL, '< Apple, validationURL>');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
// Debugging aids: certificate chain details and a verbose connection log
curl_setopt($ch, CURLOPT_CERTINFO, true);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
// Client certificate and private key that identify the merchant to Apple
curl_setopt($ch, CURLOPT_SSLCERT, '< >.pem');
curl_setopt($ch, CURLOPT_SSLKEY, '< >.pem');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, '< >');
// Verify Apple's server certificate and that it matches the host name
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
// Return the response body from curl_exec() instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
curl_close($ch);
echo json_encode($res);
From the response we extract paymentData and send it to our payment gateway. Congratulations, authorization has passed and you can rake in the money.
Fate did not let me rejoice for long over the established connection, and Apple gave me the following response:
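The validationURL used in the request above reaches the server from the browser, so a request signed with the merchant certificate should only ever go to an Apple gateway host. The following is an added example, not code from the original article: the function names, the $cfg keys and the host list are assumptions, and the list must be checked against Apple's current documentation.

```php
<?php
// Assumption: production gateway hosts; confirm the current list (and any
// sandbox hosts) against Apple's server setup documentation before deploying.
const APPLE_PAY_HOSTS = ['apple-pay-gateway.apple.com', 'cn-apple-pay-gateway.apple.com'];

/** Rebuilds the browser-supplied validationURL, or throws if it is not an allowed Apple endpoint. */
function checkValidationUrl(string $url, array $allowedHosts = APPLE_PAY_HOSTS): string
{
    $p = parse_url($url) ?: [];
    $host = strtolower($p['host'] ?? '');
    if (strtolower($p['scheme'] ?? '') !== 'https'
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])
        || !in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException('validationURL rejected');
    }
    // Rebuild from parsed parts so cURL cannot read the string differently than parse_url did.
    return "https://$host" . ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
}

/** Hypothetical wrapper around the request above; the $cfg keys are illustrative names. */
function requestMerchantSession(string $validationUrl, array $cfg): string
{
    $ch = curl_init(checkValidationUrl($validationUrl));
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode([   // encode the payload, never concatenate it
            'merchantIdentifier' => $cfg['merchantId'],
            'domainName'         => $cfg['domain'],
            'displayName'        => $cfg['displayName'],
        ], JSON_THROW_ON_ERROR),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_SSLCERT        => $cfg['certPem'],
        CURLOPT_SSLKEY         => $cfg['keyPem'],
        CURLOPT_SSLKEYPASSWD   => $cfg['keyPassword'],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // HTTPS only
        CURLOPT_FOLLOWLOCATION => false,           // a redirect could leave the allowlist
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Apple merchant validation failed (HTTP $status) $error");
    }
    return $body; // Apple's JSON response, passed back to the browser as is
}
```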
Payment Services Exception merchantId=< > unauthorized to service on behalf of merchantId=< > reason=\"The latter is not registered for Apple Pay on the web\""
The text of the message is not as clear as we would like. Once again, there is no information about it online. As it turned out, it most likely means that you simply entered an incorrect value in the merchantIdentifier field.
I would be glad to hear suggestions, advice or criticism in the comments.
I hope this article will help lost souls like me.
Source: https://habr.com/ru/post/460273/