Add payment cryptography emulation operations, recipes, and validation guardrails#2334
Open
J8k3 wants to merge 113 commits into
Added a section for Payment Cryptography Extensions detailing the scope, future extensions, non-goals, and organization of custom operations.
Merged into a broader workflow that also does builds.
Added steps to install brotli and decompress build files.
Updated links and descriptions for CyberChef Payments.
Revise README for CyberChef Payments updates
- Fix operations path: payment-crypto/ subdirectory never existed; ops live in src/core/operations/
- Fix UI category name: "Payment Cryptography" -> "Payments"
- Replace stale future-extensions list with accurate current coverage (DUKPT, PIN blocks, MAC/KCV, EMV, card validation, PAN tools all implemented)
- Keep only genuine remaining future work: TR-31 KBPK decryption and AES DUKPT
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ary tests Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…sts; fix bcrypt node test
- PIN Block Translate Encrypted: new operation with 5 tests; registered in Payments category
- CBOR v9: fix Encoder streaming/Buffer pool issue; JSDoc on helpers
- EMV Generate MAC: fix empty-input hex parse, stale 3-arg test, missing padding method in verify test
- parseHexBytes: accept empty string as valid 0-byte hex
- bcrypt node test: accept $2a prefix from bcryptjs v2.4.3
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- AGENTS.md: add APC cross-reference, security constraint, ESLint, and gap-filing instructions
- PAYMENT_RECIPES.md: DUKPT AES key status to Externally cross-checked; VISA PVV APC results updated with second key cross-check
- README.md: PIN Block Translate Encrypted in coverage list and recipe links
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
XOR key ceremony helpers: split a key into 2-8 components and recombine. Chains cleanly with Key Generate and wrap/encrypt operations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
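As an added illustration of the split/recombine scheme the commit above describes (not CyberChef-Payments code; the function names, the injectable random source and the demo key are this example's own), the following shows how XOR key components are produced so that every component is needed to recover the key and any subset short of all of them carries no information about it:

```javascript
// Added example, not CyberChef-Payments code: XOR key-component split and recombine
// (2-8 components, recombined by XOR). All names here are the example's own.

function hexToBytes(hex) {
    const clean = hex.replace(/\s+/g, "");
    if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
        throw new Error("Invalid hex string");
    }
    const out = new Uint8Array(clean.length / 2);
    for (let i = 0; i < out.length; i++) {
        out[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
    }
    return out;
}

function bytesToHex(bytes) {
    return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("").toUpperCase();
}

// Default randomness: Web Crypto, a global in browsers and in Node 19+.
// The split function takes the source as a parameter so tests can inject a fixed one.
function defaultRandomBytes(length) {
    const c = globalThis.crypto;
    if (!c || typeof c.getRandomValues !== "function") {
        throw new Error("No cryptographic random source available");
    }
    return c.getRandomValues(new Uint8Array(length));
}

// Split keyHex into `count` full-length components (2..8). The first count-1 are
// random; the last is key XOR (all the others), so XOR-ing every component
// reproduces the key, while any count-1 of them are uniformly random on their own.
function splitKeyComponents(keyHex, count, randomBytes = defaultRandomBytes) {
    if (!Number.isInteger(count) || count < 2 || count > 8) {
        throw new Error("Component count must be between 2 and 8");
    }
    const key = hexToBytes(keyHex);
    if (![8, 16, 24, 32].includes(key.length)) {
        throw new Error("Key must be 8, 16, 24 or 32 bytes (DES single/double/triple length, or AES)");
    }
    const components = [];
    const last = Uint8Array.from(key);
    for (let n = 0; n < count - 1; n++) {
        const part = randomBytes(key.length);
        for (let i = 0; i < key.length; i++) last[i] ^= part[i];
        components.push(bytesToHex(part));
    }
    components.push(bytesToHex(last));
    return components;
}

// Recombine by XOR-ing all components; they must all have the key's length.
function combineKeyComponents(componentsHex) {
    if (componentsHex.length < 2 || componentsHex.length > 8) {
        throw new Error("Expected 2 to 8 components");
    }
    const parts = componentsHex.map(hexToBytes);
    const length = parts[0].length;
    if (parts.some(p => p.length !== length)) {
        throw new Error("All components must have the same length");
    }
    const key = new Uint8Array(length);
    for (const part of parts) {
        for (let i = 0; i < length; i++) key[i] ^= part[i];
    }
    return bytesToHex(key);
}

// Constructed double-length TDES key, for demonstration only.
const DEMO_KEY = "0123456789ABCDEFFEDCBA9876543210";
if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === "function") {
    const demoComponents = splitKeyComponents(DEMO_KEY, 3);
    console.log("components:", demoComponents);
    console.log("recombined matches key:", combineKeyComponents(demoComponents) === DEMO_KEY);
}
```

The recombine step is where a ceremony usually checks a key check value against the expected one before the key is used; that check is left to the wrap/KCV operations the commit says this chains into.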
…tyle rule to AGENTS.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Updated links for PIN and EMV generation recipes.
Updated the README to reflect the focus on payment cryptography operations, clarified the development status, and modified section headings.
Corrected typos and improved clarity in the README.
- EMV Build ARQC Data: assembles 10-field CDOL1 preimage from args; outputs hex (chainable into EMV Generate ARQC), JSON, or annotated TLV
- EMV Parse ARQC Data: inverse; parses flat 33-byte CDOL1 hex back into named fields
- Parse EMV TLV: BER-TLV parser with 102-entry EMV tag dictionary; handles constructed/nested tags, 1- and 2-byte tags, long-form lengths; dictionary mode lists all known tags
- Shared libs: EmvCdol.mjs (CDOL1 field defs), EmvTlv.mjs (parser), EmvTlvDictionary.mjs (tag dict)
- 12 new tests in Payment.mjs covering all three operations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
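The BER-TLV rules the commit above lists for its parser (multi-byte tags, constructed tags, long-form lengths) are shown below in an added example. This is not the project's EmvTlv.mjs or EmvTlvDictionary.mjs; the function names are the example's own, the tag dictionary is a small subset chosen for the example, and the sample data is constructed.

```javascript
// Added example, not the project's EmvTlv.mjs: a minimal BER-TLV parser for EMV data.
// Covers 1- and 2-byte (in general multi-byte) tags, constructed tags parsed recursively,
// long-form lengths, and 0x00/0xFF padding between TLVs. Dictionary: small example subset.

const EMV_TAG_NAMES = {
    "57": "Track 2 Equivalent Data",
    "5A": "Application PAN",
    "70": "EMV Proprietary Template",
    "77": "Response Message Template Format 2",
    "82": "Application Interchange Profile",
    "9F02": "Amount, Authorised (Numeric)",
    "9F10": "Issuer Application Data",
    "9F26": "Application Cryptogram",
    "9F27": "Cryptogram Information Data",
    "9F36": "Application Transaction Counter",
    "9F37": "Unpredictable Number",
};

function hexToBytes(hex) {
    const clean = hex.replace(/\s+/g, "");
    if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
        throw new Error("Invalid hex string");
    }
    const out = new Uint8Array(clean.length / 2);
    for (let i = 0; i < out.length; i++) {
        out[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
    }
    return out;
}

function bytesToHex(bytes) {
    return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("").toUpperCase();
}

// Parse bytes[offset, end) into TLV nodes; constructed nodes carry `children` instead of `value`.
function parseTlv(bytes, offset = 0, end = bytes.length) {
    const nodes = [];
    let i = offset;
    while (i < end) {
        if (bytes[i] === 0x00 || bytes[i] === 0xFF) { i++; continue; } // inter-TLV padding

        // Tag: if the low 5 bits of the first byte are all ones, further tag bytes follow;
        // each continuation byte has its MSB set except the last one.
        const tagStart = i;
        const first = bytes[i++];
        if ((first & 0x1F) === 0x1F) {
            while (i < end && (bytes[i] & 0x80) !== 0) i++;
            if (i >= end) throw new Error(`Truncated tag at offset ${tagStart}`);
            i++;
        }
        const tag = bytesToHex(bytes.subarray(tagStart, i));

        // Length: short form (< 0x80), or 0x81..0x84 followed by that many length bytes.
        if (i >= end) throw new Error(`Missing length for tag ${tag}`);
        let length = bytes[i++];
        if ((length & 0x80) !== 0) {
            const numBytes = length & 0x7F;
            if (numBytes === 0 || numBytes > 4 || i + numBytes > end) {
                throw new Error(`Bad length encoding for tag ${tag}`);
            }
            length = 0;
            for (let k = 0; k < numBytes; k++) length = length * 256 + bytes[i++];
        }
        if (i + length > end) {
            throw new Error(`Value of tag ${tag} (${length} bytes) overruns data at offset ${i}`);
        }

        // Bit 6 (0x20) of the first tag byte marks a constructed (nested) object.
        const node = { tag, name: EMV_TAG_NAMES[tag] || "Unknown", length, constructed: (first & 0x20) !== 0 };
        if (node.constructed) node.children = parseTlv(bytes, i, i + length);
        else node.value = bytesToHex(bytes.subarray(i, i + length));
        nodes.push(node);
        i += length;
    }
    return nodes;
}

function parseTlvHex(hex) {
    return parseTlv(hexToBytes(hex));
}

// Indented text rendering, in the spirit of an "annotated" output mode.
function formatTlv(nodes, depth = 0) {
    return nodes.map(n => {
        const head = `${"  ".repeat(depth)}${n.tag} (${n.name}) len=${n.length}`;
        return n.constructed ? `${head}\n${formatTlv(n.children, depth + 1)}` : `${head}: ${n.value}`;
    }).join("\n");
}

// Constructed sample: a Format 2 response template carrying CID, ATC and AIP.
const SAMPLE_RESPONSE = "77 0D 9F27 01 80 9F36 02 0001 82 02 1980";
console.log(formatTlv(parseTlvHex(SAMPLE_RESPONSE)));
```

The overrun and truncation checks matter more than they look: a declared length that runs past the buffer is exactly the kind of malformed input a parser fed with captured card data will eventually see, and it should fail with a clear error rather than read past the end or loop.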
- EMV Build ARPC Data: assembles ARPC preimage from named fields; Method 1 (Visa/Amex/Discover: ARQC+ARC, 10 bytes) and Method 2 (Mastercard: ARQC+CSU+optional PAD, 12-20 bytes); outputs hex (chainable into EMV Generate ARPC), JSON, or annotated
- EMV Parse ARPC Data: inverse; parses hex preimage back into named fields by method
- Shared lib EmvArpc.mjs with build/parse/format functions
- 6 new tests in Payment.mjs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Also fixes expectedError test format (OperationErrors surface as result strings, not result.error) and updates PAYMENT_RECIPES.md docs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The one-way rule (CyberChef gaps → GitHub issue) didn't cover the return path. New paragraph: discoveries from CyberChef sessions (PCI rules, algorithm edge cases, HSM commands) must be written back into the MCP server in the same session. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nebreak 11 ESLint errors across 6 files introduced in the ARQC/ARPC/TLV/Script ops. Also document the constructor-JSDoc and operator-linebreak rules in AGENTS.md to prevent recurrence. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
eslint:tests catches Payment.mjs too — document that npx grunt eslint runs all five targets, not just eslint:core. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Updated EMV-related recipes in the README.
Domain prefix must come first per AGENTS.md convention. All references updated: op file, Categories.json, tests, PAYMENT_RECIPES.md, lib comment. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…berChef-Payments
- Update opening: workflow-oriented tooling for engineering, debugging, interoperability, development, QA — replaces narrow regulated-env framing
- Add explicit links to CyberChef-Payments (workflow catalog) and Payments (KB) near the top
- Replace verbose recipe list (24 entries) with 7 representative examples; redirect to J8k3/CyberChef-Payments for the full catalog and screenshots
- Fix typo: "Current coverage includes:h" -> "Current coverage includes:"
- Rewrite validation section: remove "unfinished product" and "best validation we can do" — replace with scoped statement on standards, vectors, and APC comparison where APIs are comparable
- Restructure: What this fork adds / Scope / Validation / Non-goals / Recipes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PAYMENT_RECIPES.md was duplicating content now maintained in J8k3/CyberChef-Payments (recipe catalog, chaining patterns, validation status). Trimmed to: naming conventions, operation registry, raw APC comparison test vectors + results. Added pointer to CyberChef-Payments.
AGENTS.md updated:
- Pre-commit checklist now says: update PAYMENT_RECIPES.md operation registry + CyberChef-Payments README if op appears in catalog
- Added paragraph clarifying the two-file split (dev vs. user-facing)
- Naming convention step now explicitly calls out CyberChef-Payments
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…operations AES DUKPT IK JSON was missing ksn, iki, counter; working key was missing ksn. TDES DUKPT IPEK and session key JSON were missing ksn and bdk. Both now mirror the full derivation context, making json=true self-contained for debugging and cross-validation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ES cipher profiles
JSON output shape (covering recent ksn/bdk additions):
- DUKPT Derive AES Key: IK JSON output includes ksn, iki, counter
- DUKPT Derive TDES Key: IPEK JSON output includes ksn and bdk
Payment cipher coverage (previously only AES CBC was tested):
- Payment Encrypt/Decrypt Data: TDES ECB (APC cross-validated block 1)
- Payment Encrypt/Decrypt Data: TDES CBC (derived from passing re-encrypt chain)
- Payment Encrypt Data: DUKPT TDES ECB Data variant (ANSI X9.24-1; APC variant mismatch documented in test comment and PAYMENT_RECIPES.md)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…DES CBC Covers the remaining untested cipher profiles in PaymentEncryptData / PaymentDecryptData. Values are pinned from a clean run against the forge upstream library, catching regressions in mode selection, IV wiring, and padding behaviour without re-deriving cryptographic outputs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Align wording with the shared standard used across all four repos in this project family. No behavioral change — same rules, consistent text. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
This PR adds a payment-focused extension surface to CyberChef for software emulation, testing, interoperability work, and education.
It is intentionally documented as software-only tooling rather than a certified HSM or production key-custody surface. AI was used to ensure payment functionality is implemented per specifications, or as close to them as is possible with publicly available documentation.
What This Adds
Payments category with payment-facing operations for:

- PAYMENT_RECIPES.md
- AWS_PAYMENT_CRYPTOGRAPHY_RECIPES.md
- PAYMENT_SIM_RECIPES.md
- PAYMENT_VALIDATION_AUDIT.md

Validation / Guardrails
The payment operations are explicitly classified in PAYMENT_VALIDATION_AUDIT.md as:

That status is also surfaced inline on higher-risk operations so users can see scope and limitations in the recipe UI.
Scope Notes
Verification
tests/operations/tests/Payment.mjs.