[ic] Credit card info encrypted twice by GPG!

Ed LaFrance interchange-users@interchange.redhat.com
Wed Aug 22 11:24:00 2001


At 08:39 PM 08/21/2001 -0400, you wrote:
>Quoting Ed LaFrance (edl@newmediaems.com):
> > At 06:07 PM 08/21/2001 -0400, you wrote:
> > >Quoting Ed LaFrance (edl@newmediaems.com):
> > > > GPG:    gpg (GnuPG) 1.0.6
> > > > IC:     4.7.4
> > > > OS:     Yellowdog linux 1.3
> > > >
> > > > GPG is double-encrypting the credit card info - It has to be passed through
> > > > decryption twice to get down to the plain text.  This only happens when the
> > > > encryption is handled by IC as part of the submission process; a text
> > > > encryption with the same command string and options in the shell works
> > > > fine.  I've looked at Order.pm and the Routes and nothing is jumping out
> > > > at me.  Ideas anyone?
> > >
> > >Sounds like both "encrypt" and "credit_card" are set in the route.
> > >
> > >--
> > >Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH  45013
> > >phone +1.513.523.7621      <mheins@redhat.com>
> >
> > Hmmm... encrypt is set to 0 in all routes; credit_card is set to 1 in the
> > last route (main) and is omitted from all others.  This is exactly the way
> > the foundation demo was distributed with 4.7.4.
> >
> > Setting credit_card to 0 in the last route did the trick.  So when both
> > credit_card and encrypt are set to 0, but an encryptor is supplied, the
> > credit card info is encrypted. Never would have thought as such... boolean
> > logic re-invented, I guess ;-}
>
>Hmm. It is supposed to detect that the CC is already encrypted, as in
>
>         &credit_card=standard
>
>without the "keep". Perhaps the detection regex is wrong... Try changing
>the detection regex in Order.pm from
>
>     $::Values->{mv_credit_card_info} =~ /BEGIN\s+PGP\s+MESSAGE/
>         and $pre_encrypted = 1;
>
>to
>
>     $::Values->{mv_credit_card_info} =~ /BEGIN\s+[PG][GP][PG]\s+MESSAGE/
>         and $pre_encrypted = 1;
>
>and see if that makes a difference.
>

That is probably the crux of the problem - this check is not present in 
Order.pm in IC 4.7.4.  I imagine it would go in sub encrypt_cc(), which 
obligingly encrypts whatever is passed to it in its current state.  I 
don't want to mess with the customer's installation right now because they 
have gone live, but it looks like this would do the trick.  I assume that 
the 4.8.x releases already have it.

FWIW, your revision of the regex is not necessary; the first line of a GPG 
block is equivalent to that of PGP:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

hQIOA3AMRDXaPVSuEAf+KXjRtt8G0GS4Zd8uCrxbm4j6K99+iOLh/ixsSZclC5RZ
mg0Z53Fq/dMLtjkA9+sDTd4/0TP25PAgF2K1YatSVG99PpTZHp6U8rpDyqk5o/Nr
+8wAN5pF2s/ZPhEjTLtEav9/k5CGnX52jFb8scmhrKE/tbxJH/YtGIfMMBjzG+gH
...
=yKNT
-----END PGP MESSAGE-----

Not trying to be a pain, but I still don't understand the logic behind the 
encrypt and credit_card parameters for route (0 + 0 = 1).

- Ed L.


===============================================================
New Media E.M.S.               Software Solutions for Business
463 Main St., Suite D          eCommerce | Consulting | Hosting
Placerville, CA  95667         edl@newmediaems.com
(530) 622-9421                 http://www.newmediaems.com
(866) 519-4680 Toll-Free       (530) 622-9426 Fax
===============================================================
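
An added example, not part of the original message and not Interchange's own code: a guard of the kind discussed above, which skips encryption when the value already carries an OpenPGP armor header, so a second pass cannot double-encrypt. The names `encrypt_once` and `$fake_gpg` are hypothetical, and the stand-in encryptor only wraps its input in armor lines so the script runs without gpg.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Armor header line, anchored to a whole line. GnuPG emits the same
# "BEGIN PGP MESSAGE" text as PGP, as the sample block in the message shows.
my $ARMOR_RE = qr/^-----BEGIN PGP MESSAGE-----\s*$/m;

# Hypothetical wrapper: run $encryptor only when $text is not already armored.
# $encryptor is any code ref that takes plaintext and returns ASCII armor.
sub encrypt_once {
    my ($text, $encryptor) = @_;
    return $text if defined $text && $text =~ $ARMOR_RE;   # pre-encrypted
    return $encryptor->($text);
}

# Constructed stand-in for the real gpg call so the example runs offline.
# It performs no encryption; it hex-dumps the input and counts invocations.
my $calls = 0;
my $fake_gpg = sub {
    my ($plain) = @_;
    $calls++;
    return join "\n",
        '-----BEGIN PGP MESSAGE-----',
        'Version: constructed sample',
        '',
        unpack('H*', $plain),
        '-----END PGP MESSAGE-----', '';
};

my $card   = '4111111111111111 01/05';          # constructed test value
my $first  = encrypt_once($card,  $fake_gpg);   # no armor yet: encryptor runs
my $second = encrypt_once($first, $fake_gpg);   # armor detected: passed through

print "encryptor calls: $calls\n";
print "second pass unchanged: ", ($first eq $second ? 'yes' : 'no'), "\n";

# Both patterns quoted in the thread, tried against the armored value.
for my $re (qr/BEGIN\s+PGP\s+MESSAGE/, qr/BEGIN\s+[PG][GP][PG]\s+MESSAGE/) {
    print "$re matches: ", ($first =~ $re ? 'yes' : 'no'), "\n";
}
```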