Pagsmile
  • Introduction
  • Reference
  • Payin API
    • Environments
    • All-In-One Checkout
      • Checkout Page (General)
      • Checkout Page (E-com)
    • Direct integration
      • Argentina
        • DebitCard
        • DEBIN
        • Khipu
        • QRCode
        • Rapipago
        • ❌Wallet
        • ❌Bank Transfer
        • ❌PagoFacil
      • Brazil
        • Credit Card
        • Credit Card Pre Auth
          • Capture
          • Void
          • Pagsmile JavaScript
        • Pix
        • Static Pix
        • Virtual PIX
          • Create Virtual PIX Account
          • Query Virtual PIX Account
          • Notification of Virtual PIX Account Payment
        • OpenFinance
        • Lottery
        • Boleto
        • Wallet
        • ❌Credit Card
        • ❌Deposit Express
      • Mexico
        • Credit Card
        • SPEI
        • Virtual SPEI
          • Create Virtual SPEI Account
          • Query Virtual SPEI Account
          • Cancel Virtual SPEI Account
          • Check Usage of Virtual SPEI Account
          • Notification of Virtual Account Payment
        • CoDi
        • OXXOPay
        • Cash
        • Dimo
        • Wallet
        • ❌OXXO
      • Colombia
        • PSE
        • Transfiya
        • Efecty
        • Bancolombia
        • SuRed
        • Wallet
        • Gana
        • ❌Baloto
      • Chile
        • Webpay
        • Khipu
        • Pago46
        • Bank Transfer
        • ❌Cash
        • Wallet
      • Peru
        • Credit Card
        • Bank Transfer
        • Cash
        • QRCode
        • ❌Pagoefectivo
      • Ecuador
        • Credit Card
        • Bank Transfer
        • Cash
      • Costa Rica
        • Cash
        • BNCR
        • ❌Bank Transfer
      • Panama
        • Cash
        • ❌Bank Transfer
      • Guatemala
        • Cash
        • ❌Bank Transfer
      • Bolivia
        • ❌Bank Transfer
      • Paraguay
        • ❌Bank Transfer
      • Uruguay
        • Cash
        • ❌Bank Transfer
      • El Salvador
        • ❌Cash
      • Nigeria
        • Bank Transfer
      • China
        • Wallet
        • Vault
      • Hongkong
        • Wallet
      • Taiwan
        • Bank Transfer
        • OTC
        • PostTransfer
        • Wallet
      • Indonesia
        • Bank Transfer
        • QRIS
        • Wallet
      • South Korea
        • Wallet
        • Bank Transfer
        • Virtual Account
      • Singapore
        • Wallet
      • Malaysia
        • Wallet
        • Vault
      • Philippines
        • AlipayPlus
        • QRPH
        • Wallet
        • Vault
      • Thailand
        • Wallet
      • Vietnam
        • QRCode
      • Türkiye
        • Wallet
      • Egypt
        • Credit Card
        • Wallet
        • Cash
        • Kiosk
      • Saudi Arabia
        • Credit Card
      • Kuwait
        • Credit Card
      • Qatar
        • Credit Card
      • Oman
        • Credit Card
      • United Arab Emirates
        • Credit Card
      • Bahrain
        • Credit Card
      • Kazakhstan
        • Credit Card
      • Uzbekistan
        • Credit Card
      • Europe
        • Credit Card
        • Wallet
      • North America
        • Credit Card
        • Wallet
    • Notification
      • Security
    • Recurring Payment
      • Support Target and Currency
    • PCI Direct Integration
      • Tokenization
      • Create Card Payment
      • Authorization
      • Capture
      • Void
    • Account Balance
    • Payin Detail
    • Refund
    • Plug-in & Tools
      • Pagsmile JavaScript
      • Pagsmile SDK
      • Get CreditCard Token
      • Supported Bank List Query
      • Installment Detail Query
      • Payin SFTP Report
    • Data
      • Bank list
        • Bank in Colombia
      • Country Code
      • Data for test (Sandbox)
      • Icon of methods
      • Payment Method
      • Payin Status
    • API Code
  • Payout API
    • Environments
    • Security
    • Submit a payout
      • Pagsmile Wallet
        • WebView Example
        • H5 Authorization
        • Native App Authorization
        • Send Prizes
      • PayPal
        • ❌Supported Countries
      • Argentina
        • Wallet
        • BankTransfer
      • Bolivia
        • ❌BankTransfer
      • Brazil
        • Pix
        • BankTransfer
      • Chile
        • Wallet
        • BankTransfer
      • Colombia
        • Wallet
        • Transfiya
        • BankTransfer
      • Costa Rica
        • ❌BankTransfer
      • Ecuador
        • BankTransfer
      • Guatemala
        • ❌BankTransfer
      • Mexico
        • SPEI
      • Panama
        • ❌BankTransfer
      • Peru
        • BankTransfer
        • Regions in Peru
      • Turkey
        • Wallet
        • BankTransfer
      • Uruguay
        • BankTransfer
      • Vietnam
        • BankTransfer
    • Notification
    • Payout DryRun
    • Checkout Page
    • Account Balance
    • Payout Proof
    • Payout Status
    • Payout Bank List
    • Payout List
    • Payout Detail
    • Payout SFTP Report
    • Payment Method
    • Data for test
    • Bank Code
      • Bank in Argentina
      • Bank in Bolivia
      • Bank in Brazil
        • Bank in Brazil (TED)
      • Bank in Chile
      • Bank in Colombia
      • Bank in Costa Rica
      • Bank in Ecuador
      • Bank in Guatemala
      • Bank in Mexico
      • Bank in Panama
      • Bank in Peru
      • Bank in Uruguay
    • API Code
  • Issuing Card API
    • Environments
    • Security
    • Common
    • Business
      • Partner
        • Create Deposit Order
        • Query Deposit Result
        • Transfer
        • Query Partner Balance
        • Query Partner Transactions
      • Cardholder
        • Create Cardholder
        • Update Cardholder
        • Query Cardholder
        • Upload Supporting Documents
        • Create Corporation Cardholder
        • Update Corporation Cardholder
        • Query Corporation Cardholder
      • Card
        • Apply For a Card
        • Query Apply Result
        • Query Card Information
        • Topup a Card
        • Card Balance Return
        • Query Card Balance
        • Update a Card
          • Revoke
          • Block a Card
          • UnBlock a Card
        • Retrieve Password
        • Query Transaction Detail information
        • Query Transactions
        • Query Authorizations
        • Card Limit
          • Create Card Limit
          • Update Card Limit
          • Query Card Limit
          • Query Default Card Limit
          • Query Remaining Card Limit
        • Query Available Card BINs
      • Webhook
        • Manage Webhook URL
          • Create Webhook URL
          • Update Webhook URL
          • Query Webhook URL
        • Apply Card Result Notification
        • Card Status Notification
        • Cardholder Audit Status Notification
        • Authorization Details Notification
        • OTP Information Notification
    • Data
      • Dictionary Item
        • CustomerType
        • CustomerAuditStatus
        • Customer Codes
        • Gender
        • IdType
        • CustomerStatus
        • RiskLevel
        • CardOrderStatus
        • CardType
        • CardSchema
        • CardStatus
        • TransactionType
        • TransationStatus
        • CardLog.logType
        • AccountStatus
        • AuthStatus
        • AuthSettleStatus
        • ProcessStatus
        • FeeMethod
        • FeeStatus
        • NotificationStatus
        • Currency
        • CustomerFileType
        • WebhookType
        • ResponseCode
        • CHARSETS
        • CountryCode
      • Trade Currency
  • Remittance API
    • Environments
    • Security
    • Common
    • Business
      • Onboard
        • Create Corporation
        • Update Corporation
        • Query Corporation
        • Create Individual
        • Update Individual
        • Query Individual
        • Add Shop
        • Delete Shop
        • Query Shops
      • Collection
        • Apply VA
        • Query Apply VA Result
        • Apply VA Result Notification
        • Collection Notification
        • Query Collections
        • Create Material
        • Upload Material Document
        • Submit Material Document
        • Query Materials
        • Material Audit Result Notification
        • Link Material and Collection
        • Query Linked Materials By Collection
        • Link Result Notification
      • Exchange
        • Query Support Currency Pairs
        • Query Quote
        • Create Exchange Order
        • Query Exchange Orders
      • Payment
        • Query Payment Fields
        • Add Payee
        • Update Payee
        • Delete Payee
        • Query Payee Detail
        • Create Payment Order
        • Query Payment Orders
        • Payment Result Notification
      • Withdrawal
        • Add Withdrawal Account
        • Update Withdrawal Account
        • Delete Withdrawal Account
        • Query Withdrawal Account Detail
        • Create Withdrawal Order
        • Query Withdrawal Orders
        • Withdrawal Result Notification
      • Transfer
        • Internal transfer
      • Account
        • Query Account Balance
        • Query Account Transactions
      • Partner
        • Create Topup Order
        • Query Topup Result
        • Query Partner Balance
        • Query Partner Transactions
      • Webhook
        • Webhook Common
        • Manage URL
          • Create Webhook URL
          • Update Webhook URL
          • Query Webhook URL
    • Data
      • Dictionary Item
        • Business Type
        • Business Category
        • Webhook Type
        • All Collection Status
        • Transaction Type
        • Transaction Status
        • Gender
        • Id Type
        • File Type
        • Fixed Side
        • Order Status
        • Pay Type
        • Payee Type
        • Currency
        • CHARSETS
        • Country Code
      • Trade Currency
  • E-com Platform
    • Shopify
    • Shoplazza
    • WIX
    • Woocommerce
  • Country Info
  • OTHER
    • Changelog
Powered by GitBook
On this page
  • Request Signature
  • Response Signature
  • Example

Was this helpful?

  1. Remittance API

Security

How to make safe issuing card requests.

Request Signature

1、Request header

Name
Type
Description

Content-Type*

string

application/json; chartset=UTF-8

2、Request body

{
    "app_id": "2017051914172236111",
    "partner_id": "000000000000001",
    "sub_partner_id": "",
    "timestamp": "2011-09-23 04:24:03",
    "version": "1.0",
    "random_key": "OvUp0Z7zhLfYdBR1lOK", //need to be encrypted
    "request_id": "jJT3+PR9CSowcR2QOK5OzMjVmTSjGoectzYbO8lENHnboElE",
    "sign_type": "RSA",
    "biz_data": {} //need to be encrypted
}

3、Signature

randomKey: This is encrypted by Pagsmile public key.

Step 1 : Randomly generate a 16-byte AES KEY;

Step 2 : Encrypt AES KEY with Pagsmile RSA public key;

Find the Pagsmile RSA public key in the config of the app under the App Management section of the Pagsmile Test Dashboard.

*The RSA key pairs are 2048 bits in length.

biz_Data:

Encrypt using the AES KEY generated in Step 1.

Response Signature

1、Response body

{
    "code": "10000",
    "msg": "Success",
    "data": { }, //need to be decrypted
    "total":1
    "random_key":"OvUp0Z7zhLfYdBR1lOK/F1fE0jKGiwsIea9XD9urkav",//need to be decrypted
    "sign_type": "RSA",
    "app_id": "2017051914172236111"
}

2、Signature

random_key:

It needs to be decrypted by Partner private key

data:

It needs to be decrypted by randomly generated AES KEY

Example


public class CryptoUtil {
    private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
    public static IvParameterSpec generateIvValue() {
        return new IvParameterSpec(generateRandom16Chars().getBytes());
    }
    private static String generateRandom16Chars() {
        byte[] array = new byte[8];
        SecureRandom random = new SecureRandom();
        random.nextBytes(array);
        return bytesToHex(array);
    }
    private static String bytesToHex(byte[] bytes) {
        byte[] hexChars = new byte[bytes.length * 2];
        for (int j = 0; j < bytes.length; j++) {
            int v = bytes[j] & 0xFF;
            hexChars[j * 2] = HEX_ARRAY[v >>> 4];
            hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
        }
        return new String(hexChars, StandardCharsets.UTF_8);
    }
}

public class CryptoExample {

    //encrypt random_key
    public static String encryptSecret(PublicKey publicKey, String secret) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); // PKCS1 or OAEP padding "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" can be used
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] encryptedSign = cipher.doFinal(secret.getBytes());
        return Base64.getEncoder().encodeToString(encryptedSign);
    }
    //encrypt biz_data
    public static String encryptContentMode(String content, String secret) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        IvParameterSpec iv = CryptoUtil.generateIvValue();
        SecretKey secretKey = new SecretKeySpec(secret.getBytes(), "AES");
        Cipher dataCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        dataCipher.init(Cipher.ENCRYPT_MODE, secretKey, iv);
        byte[] encryptedDataBytes = dataCipher.doFinal(content.getBytes());
        return new String(iv.getIV()) + Base64.getEncoder().encodeToString(encryptedDataBytes);
    }
    //decrypt random_key
    public static String decryptSecretMode(PrivateKey privateKey, String sign) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        byte[] encryptedDataBytes = Base64.getDecoder().decode(sign);
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); // PKCS1 or OAEP padding "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" can be used
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        byte[] secretByte = cipher.doFinal(encryptedDataBytes);
        return new String(secretByte);
    }
    //decrypt data
    public static String decryptContentMode(String encryptedContent, String secret) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        String ivString = encryptedContent.substring(0, 16);
        String correctEncryptedData = encryptedContent.substring(16);
        byte[] encryptedDataBytes = Base64.getDecoder().decode(correctEncryptedData);
        IvParameterSpec iv = new IvParameterSpec(ivString.getBytes());
        SecretKey secretKey = new SecretKeySpec(secret.getBytes(), "AES");
        Cipher dataCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        dataCipher.init(Cipher.DECRYPT_MODE, secretKey, iv);
        byte[] decryptedDataBytes = dataCipher.doFinal(encryptedDataBytes);
        return new String(decryptedDataBytes);
    }
}

Encryption algorithm in PHP-encrypt with RSA Public Key

<?php

// public key
$publicKey = 'public key';

function encryptSecret(string $secret, string $publicKey): string
{
  
    openssl_public_encrypt($secret, $encryptedData, $publicKey, OPENSSL_PKCS1_PADDING);

    return base64_encode($encryptedData);
}

function encryptContent(string $content, string $secret): string
{
    $iv = bin2hex(random_bytes(8));
    $encryptedData = openssl_encrypt($content, 'aes-256-cbc', $secret, OPENSSL_RAW_DATA, $iv);

    return $iv.base64_encode($encryptedData);
}

// usage
$secret = 'RandomString32CharactersLength12'; // 32 characters; must be randomly generated for every response 
$random_key = encryptSecret($secret, $publicKey); // add to 'random_key'
$biz_data = '{"responseCode":"00","billingAmount":"11186","holderAmount":"11186","availableBalance":100008814,"settledBalance":100020000}';
$encryptedContent = encryptContent($content, $secret); // set this to be the response body

// Optional outputs that show the result
echo $sign.PHP_EOL;
echo $encryptedContent.PHP_EOL;

Decryption algorithm in PHP

<?php

// Client private key
$privateKey = 'insert your private key here';
$encryptedContent = 'raw response body'; // Get from the webhook body

function decryptSecret(string $sign, string $privateKey): string
{
    // OPENSSL_PKCS1_OAEP_PADDING or OPENSSL_PKCS1_PADDING
    openssl_private_decrypt(base64_decode($sign), $secret, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);

    return $secret;
}

function decryptContent(string $encryptedContent, string $secret): string
{
    $iv = substr($encryptedContent, 0, 16);
    $encryptedData = base64_decode(substr($encryptedContent, 16));

    return openssl_decrypt($encryptedData, 'aes-256-cbc', $secret, OPENSSL_RAW_DATA, $iv);
}

// usage
$decryptedSecret = decryptSecret($sign, $privateKey);
$decryptedContent = decryptContent($encryptedContent, $decryptedSecret);

// Optional output that shows the result
echo $decryptedContent.PHP_EOL;

Encryption algorithm in C# (MODE 2 - encrypt with RSA public key)


// ISAC public key
string publicKey = "insert ISAC public key here";

static string EncryptSecret(string secret, string publicKey)
{
    // OaepEncoding or Pkcs1Encoding
    var encryptEngine = new OaepEncoding(new RsaEngine());
    using (var reader = new StringReader(publicKey))
    {
        encryptEngine.Init(true, (AsymmetricKeyParameter)new PemReader(reader).ReadObject());
    }

    var data = Encoding.UTF8.GetBytes(secret);
    var encryptedData = encryptEngine.ProcessBlock(data, 0, data.Length);

    return Convert.ToBase64String(encryptedData);
}

static string EncryptContent(string content, string secret)
{
    var iv = Hex.Encode(new SecureRandom().GenerateSeed(8));

    var cipher = CipherUtilities.GetCipher("AES/CBC/PKCS7PADDING");
    var keyParam = new KeyParameter(Encoding.UTF8.GetBytes(secret));
    var keyParamWithIv = new ParametersWithIV(keyParam, iv, 0, 16);
    cipher.Init(true, keyParamWithIv);

    var encryptedData = cipher.DoFinal(Encoding.UTF8.GetBytes(content));

    return Encoding.UTF8.GetString(iv) + Convert.ToBase64String(encryptedData);
}

string secret = "RandomString32CharactersLength12"; // 32 characters; must be randomly generated for every response
string sign = EncryptSecret(secret, publicKey); //
string bizData = "{"responseCode":"00","billingAmount":"11186","holderAmount":"11186","availableBalance":100008814,"settledBalance":100020000}";
string encryptedContent = EncryptContent(content, secret); // set this to be the response body
// Optional outputs that show the result
Console.WriteLine(sign);
Console.WriteLine(encryptedContent);

Decryption algorithm in C#


// Client private key
string privateKey = "Client private key";

string sign = "response"; // Get from response 'random_Key'
string encryptedContent = "raw response body"; // Get from Get from response 'data'

static string DecryptSecret(string sign, string privateKey)
{
    // OaepEncoding or Pkcs1Encoding
    var decryptEngine = new OaepEncoding(new RsaEngine());
    using (var reader = new StringReader(privateKey))
    {
        decryptEngine.Init(false, (AsymmetricKeyParameter)new PemReader(reader).ReadObject());
    }

    var data = Convert.FromBase64String(sign);
    var decryptedData = decryptEngine.ProcessBlock(data, 0, data.Length);

    return Encoding.UTF8.GetString(decryptedData);
}

static string DecryptContent(string encryptedContent, string secret)
{
    var iv = Encoding.UTF8.GetBytes(encryptedContent.Substring(0, 16));
    var encryptedData = Convert.FromBase64String(encryptedContent.Substring(16));

    var cipher = CipherUtilities.GetCipher("AES/CBC/PKCS7PADDING");
    var keyParam = new KeyParameter(Encoding.UTF8.GetBytes(secret));
    var keyParamWithIv = new ParametersWithIV(keyParam, iv, 0, 16);
    cipher.Init(false, keyParamWithIv);

    var data = cipher.DoFinal(encryptedData);

    return Encoding.UTF8.GetString(data);
}

// usage
string decryptedSecret = DecryptSecret(sign, privateKey);
string decryptedContent = DecryptContent(encryptedContent, decryptedSecret);

// Optional output that shows the result
Console.WriteLine(decryptedContent);

Encryption algorithm in Node.js (MODE 2 - encrypt with RSA public key)

// Import necessary modules
const crypto = require('crypto');

// ISAC public key
const publicKey = `insert public key here`;

function encryptSecret(secret, publicKey) {

    const encryptedData = crypto.publicEncrypt({
        key: publicKey,
        padding: crypto.constants.RSA_PKCS1_PADDING
    }, Buffer.from(secret));

    return encryptedData.toString('base64');
}

function encryptContent(content, secret) {
    const iv = crypto.randomBytes(8).toString('hex');
    const cipher = crypto.createCipheriv('aes-256-cbc', secret, iv);

    let encryptedData = cipher.update(content, 'utf8', 'base64');
    encryptedData += cipher.final('base64');

    return iv + encryptedData;
}
// usage
const secret = 'RandomString32CharactersLength12'; // 32 characters; must be randomly generated for every response to a webhook
const sign = encryptSecret(secret, publicKey); // add to 'random_key'
const content = `{"responseCode":"00","billingAmount":"11186","holderAmount":"11186","availableBalance":100008814,"settledBalance":100020000}`;
const encryptedContent = encryptContent(content, secret); //  add to 'biz_data'

console.log(sign);
console.log(encryptedContent);

Decryption algorithm in Node.js

// Import necessary modules
const crypto = require('crypto');

//  private key
const publicKey = `insert your private key here`;
const sign = ``; // Get from response as 'random_key'
const encryptedContent = `raw response body`; // Get from response as 'data'

function decryptSecret(sign, privateKey) {
    // RSA_PKCS1_OAEP_PADDING or RSA_PKCS1_PADDING
    const decryptedData = crypto.privateDecrypt({
        key: privateKey,
        padding: crypto.constants.RSA_PKCS1_PADDING
    }, Buffer.from(sign, 'base64'));

    return decryptedData.toString();
}

function decryptContent(encryptedContent, secret) {
    const iv = encryptedContent.slice(0, 16);
    const encryptedData = Buffer.from(encryptedContent.slice(16), 'base64');

    const decipher = crypto.createDecipheriv('aes-256-cbc', secret, iv);
    decipher.setAutoPadding(false);
    let decryptedData = decipher.update(encryptedData);
    decryptedData = Buffer.concat([decryptedData, decipher.final()]);

    return decryptedData.toString();
}
// usage
decryptedSecret = decryptSecret(sign, privateKey);
decryptedContent = decryptContent(encryptedContent, decryptedSecret);
console.log(decryptedContent);

PreviousEnvironmentsNextCommon

Last updated 6 months ago

Was this helpful?