Use openssl for aes-256-gcm decryption

This lets us drop the (unmaintained) aead dependency, but limits
Ruby support to v2.4 and greater.

Closes spreedly#11
Closes spreedly#9

Author: dankimio

.circleci/config.yml

@@ -1,22 +1,15 @@
 version: 2
 jobs:
-  ruby-2.1:
+  ruby-2.4:
     docker:
-      - image: circleci/ruby:2.1.10
+      - image: circleci/ruby:2.4.4
     steps:
       - checkout
       - run: bundle
       - run: rake test
-  ruby-2.2:
+  ruby-2.5:
     docker:
-      - image: circleci/ruby:2.2.10
-    steps:
-      - checkout
-      - run: bundle
-      - run: rake test
-  ruby-2.3:
-    docker:
-      - image: circleci/ruby:2.3.7
+      - image: circleci/ruby:2.5.1
     steps:
       - checkout
       - run: bundle
@@ -25,6 +18,5 @@ workflows:
   version: 2
   rubies:
     jobs:
-      - ruby-2.1
-      - ruby-2.2
-      - ruby-2.3
+      - ruby-2.4
+      - ruby-2.5

Gemfile

@@ -1,3 +1,3 @@
-gemspec
+source 'https://rubygems.org'
 
-gem 'aead', git: 'https://github.com/Shopify/aead.git', ref: '340e7718d8bd9c1fcf3c443e32f439436ea2b70d'
+gemspec

Gemfile.lock

@@ -1,35 +1,24 @@
-GIT
-  remote: https://github.com/Shopify/aead.git
-  revision: 340e7718d8bd9c1fcf3c443e32f439436ea2b70d
-  ref: 340e7718d8bd9c1fcf3c443e32f439436ea2b70d
-  specs:
-    aead (1.8.2)
-      macaddr (~> 1)
-
 PATH
   remote: .
   specs:
-    gala (0.3.1)
-      aead (~> 1.8)
+    gala (0.3.2)
+      openssl (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    macaddr (1.7.1)
-      systemu (~> 2.6.2)
     minitest (5.11.3)
-    rake (12.0.0)
-    systemu (2.6.5)
+    openssl (2.1.0)
+    rake (12.3.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  aead!
   bundler (~> 1.14)
   gala!
   minitest
   rake (~> 12.0)
 
 BUNDLED WITH
-   1.15.4
+   1.16.1

gala.gemspec

@@ -17,11 +17,11 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test)/}) }
   spec.test_files    = `git ls-files -- test/*`.split("\n")
   spec.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.required_ruby_version = ">= 1.8.7"
+  spec.required_ruby_version = '>= 2.4.0'
 
-  spec.add_runtime_dependency 'aead', '~> 1.8'
+  spec.add_runtime_dependency 'openssl', '~> 2.0'
 
   spec.add_development_dependency 'bundler', '~> 1.14'
   spec.add_development_dependency 'rake', '~> 12.0'

lib/gala/payment_token.rb

@@ -1,6 +1,5 @@
 require 'openssl'
 require 'base64'
-require 'aead'
 
 module Gala
   class PaymentToken
@@ -111,11 +110,26 @@ def generate_symmetric_key(merchant_id, shared_secret)
       end
 
       def decrypt(encrypted_data, symmetric_key)
-        init_length = 16
-        init_vector = 0.chr * init_length
-        mode = ::AEAD::Cipher.new('aes-256-gcm')
-        cipher = mode.new(symmetric_key, iv_len: init_length)
-        cipher.decrypt(init_vector, '', encrypted_data)
+        # Initialization vector of 16 null bytes
+        iv_length = 16
+        # 0.chr => "\x00"
+        iv = 0.chr * iv_length
+
+        # Last 16 bytes (iv_length) of encrypted data
+        tag = encrypted_data[-iv_length..-1]
+        # Data without tag
+        encrypted_data = encrypted_data[0..(-iv_length - 1)]
+
+        cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
+        cipher.key = symmetric_key
+        cipher.iv_len = iv_length
+        cipher.iv = iv
+
+        # Decipher without associated authentication data
+        cipher.auth_tag = tag
+        cipher.auth_data = ''
+
+        cipher.update(encrypted_data) + cipher.final
       end
     end
   end