Skip to content

fix: use random nonce per call in AES-GCM onboarding signature#411

Merged
ankitdas13 merged 1 commit into
masterfrom
fix/aes-gcm-nonce-reuse
Jun 8, 2026
Merged

fix: use random nonce per call in AES-GCM onboarding signature#411
ankitdas13 merged 1 commit into
masterfrom
fix/aes-gcm-nonce-reuse

Conversation

@rzp-slash

@rzp-slash rzp-slash Bot commented May 31, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Updated generateOnboardingSignature to use a random 12-byte IV per encryption call instead of a static IV.
  • New output format: hex(iv[12 bytes] || ciphertext || tag[16 bytes])

Changes

  • src/Utility.php: generate fresh 12-byte IV per encryption call; prepend IV to ciphertext output
  • tests/OAuthTokenClientTest.php: update assertions to match new output format and verify uniqueness across calls

Companion PRs (same fix across all partner SDKs)

Test plan

  • Verify generateOnboardingSignature produces a different hex string on every call with the same input
  • Verify Razorpay backend successfully decrypts the new format
  • Existing integration tests pass with updated assertions

🤖 Generated with Claude Code

@ankitdas13
fix: use random nonce per call in AES-GCM encryption (ISS-2528895)
a689aa5 
Static IV derived from the key (substr($key, 0, 12)) was reused for
every encryption call, enabling keystream recovery and authentication
tag forgery via the GHASH Forbidden Attack with just two captured
onboarding_signature values.

Fix: replace static IV with random_bytes(12) and prepend the IV to the
ciphertext output (iv || ciphertext || tag) so receivers can extract the
IV for decryption. Output format is unchanged (hex string), but now
includes a 12-byte IV prefix (first 24 hex chars).

Server-side validation at auth.razorpay.com must be updated to read the
first 24 hex chars as the IV before decrypting. Partners should also
rotate their client_secret as previously captured signatures remain
exploitable under the old key material.

Co-authored-by: ankitdas13 <ankit.das@razorpay.com>
This was referenced Jun 2, 2026
Merged
Open
Merged
ankitdas13
ankitdas13 approved these changes Jun 8, 2026
View reviewed changes

@ankitdas13 ankitdas13 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ankitdas13 ankitdas13 added the TestingNotRequired TestingNotRequired label for BVT label Jun 8, 2026
@ankitdas13 ankitdas13 merged commit d6fb04b into master Jun 8, 2026
2 of 3 checks passed
@ankitdas13 ankitdas13 mentioned this pull request Jun 8, 2026
Merged
2 tasks
@rzp-slash rzp-slash Bot changed the title fix: use random nonce per call in AES-GCM onboarding signature (ISS-2528895) fix: use random nonce per call in AES-GCM onboarding signature Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ankitdas13 ankitdas13 ankitdas13 approved these changes

Assignees

@ankitdas13 ankitdas13

Labels

TestingNotRequired TestingNotRequired label for BVT

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ankitdas13