MCPcopy Index your code
hub / github.com/Mastercard/client-encryption-java

github.com/Mastercard/client-encryption-java @v1.8.8

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.8.8 ↗ · + Follow
571 symbols 3,259 edges 86 files 77 documented · 13%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

client-encryption-java

mastercard developers logo

Table of Contents

Overview

Library for Mastercard API compliant payload encryption/decryption.

Compatibility

Java 11+

References

Versioning and Deprecation Policy

Usage

Prerequisites

Before using this library, you will need to set up a project in the Mastercard Developers Portal.

As part of this set up, you'll receive: * A public request encryption certificate (aka Client Encryption Keys) * A private response decryption key (aka Mastercard Encryption Keys)

Adding the Library to Your Project

Maven

<dependency>
    <groupId>com.mastercard.developer</groupId>
    <artifactId>client-encryption</artifactId>
    <version>${client-encryption-version}</version>
</dependency>

Gradle

dependencies {
    implementation "com.mastercard.developer:client-encryption:$clientEncryptionVersion"
}   

Other Dependency Managers

See: https://search..org/artifact/com.mastercard.developer/client-encryption

Selecting a JSON Engine

This library requires one of the following dependencies to be added to your classpath:

You can either let the library choose for you, or force the one to be used by calling withJsonEngine on the JsonParser class. Example:

JsonParser.withJsonEngine(new JettisonJsonEngine());

Available engine classes: * GsonJsonEngine * JacksonJsonEngine * JettisonJsonEngine * JsonOrgJsonEngine * JsonSmartJsonEngine

Loading the Encryption Certificate

A Certificate object can be created from a file by calling EncryptionUtils.loadEncryptionCertificate:

Certificate encryptionCertificate = EncryptionUtils.loadEncryptionCertificate("<insert certificate file path>");

Supported certificate formats: PEM, DER.

Loading the Decryption Key

From a PKCS#12 Key Store

A PrivateKey object can be created from a PKCS#12 key store by calling EncryptionUtils.loadDecryptionKey the following way:

PrivateKey decryptionKey = EncryptionUtils.loadDecryptionKey(
                                    "<insert PKCS#12 key file path>", 
                                    "<insert key alias>", 
                                    "<insert key password>");

From an Unencrypted Key File

A PrivateKey object can be created from an unencrypted key file by calling EncryptionUtils.loadDecryptionKey the following way:

PrivateKey decryptionKey = EncryptionUtils.loadDecryptionKey("<insert key file path>");

Supported RSA key formats: * PKCS#1 PEM (starts with "-----BEGIN RSA PRIVATE KEY-----") * PKCS#8 PEM (starts with "-----BEGIN PRIVATE KEY-----") * Binary DER-encoded PKCS#8

Performing Payload Encryption and Decryption

Introduction

This library supports two types of encryption/decryption, both of which support field level and entire payload encryption: JWE encryption and what the library refers to as Field Level Encryption (Mastercard encryption), a scheme used by many services hosted on Mastercard Developers before the library added support for JWE.

JWE Encryption and Decryption

• Introduction

This library uses JWE compact serialization for the encryption of sensitive data. The core methods responsible for payload encryption and decryption are encryptPayload and decryptPayload in the JweEncryption class.

  • encryptPayload usage:
String encryptedRequestPayload = JweEncryption.encryptPayload(requestPayload, config);

  • decryptPayload usage:
String responsePayload = JweEncryption.decryptPayload(encryptedResponsePayload, config);
• Configuring the JWE Encryption

Use the JweConfigBuilder to create JweConfig instances. Example:

JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
    .withEncryptionCertificate(encryptionCertificate)
    .withDecryptionKey(decryptionKey)
    .withEncryptionPath("$.path.to.foo", "$.path.to.encryptedFoo")
    .withDecryptionPath("$.path.to.encryptedFoo.encryptedValue", "$.path.to.foo")
    .withEncryptedValueFieldName("encryptedValue")
    .withIVSize(16) // available values are 12 or 16. If not specified, default value is 16.
    .build();
• Performing JWE Encryption

Call JweEncryption.encryptPayload with a JSON request payload and a JweConfig instance.

Example using the configuration above:

String payload = "{" +
    "    \"path\": {" +
    "        \"to\": {" +
    "            \"foo\": {" +
    "                \"sensitiveField1\": \"sensitiveValue1\"," +
    "                \"sensitiveField2\": \"sensitiveValue2\"" +
    "            }" +
    "        }" +
    "    }" +
    "}";
String encryptedPayload = JweEncryption.encryptPayload(payload, config);
System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(encryptedPayload)));

Output:

{
    "path": {
        "to": {
            "encryptedFoo": {
                "encryptedValue": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw"
            }
        }
    }
}
• Performing JWE Decryption

Call JweEncryption.decryptPayload with a JSON response payload and a JweConfig instance.

Example using the configuration above:

String encryptedPayload = "{" +
    "    \"path\": {" +
    "        \"to\": {" +
    "            \"encryptedFoo\": {" +
    "                \"encryptedValue\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw\"" +
    "            }" +
    "        }" +
    "    }" +
    "}";
String payload = JweEncryption.decryptPayload(encryptedPayload, config);
System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(payload)));

Output:

{
    "path": {
        "to": {
            "foo": {
                "sensitiveField1": "sensitiveValue1",
                "sensitiveField2": "sensitiveValue2"
            }
        }
    }
}
• Encrypting Entire Payloads

Entire payloads can be encrypted using the "$" operator as encryption path:

JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
    .withEncryptionCertificate(encryptionCertificate)
    .withEncryptionPath("$", "$")
    // …
    .build();

Example:

String payload = "{" +
    "    \"sensitiveField1\": \"sensitiveValue1\"," +
    "    \"sensitiveField2\": \"sensitiveValue2\"" +
    "}";
String encryptedPayload = JweEncryption.encryptPayload(payload, config);
System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(encryptedPayload)));

Output:

{
    "encryptedValue": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw"
}
• Decrypting Entire Payloads

Entire payloads can be decrypted using the "$" operator as decryption path:

JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
    .withDecryptionKey(decryptionKey)
    .withDecryptionPath("$.encryptedValue", "$")
    // …
    .build();

Example:

String encryptedPayload = "{" +
    "  \"encryptedValue\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw\"" +
    "}";
String payload = JweEncryption.decryptPayload(encryptedPayload, config);
System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(payload)));

Output:

{
    "sensitiveField1": "sensitiveValue1",
    "sensitiveField2": "sensitiveValue2"
}
• Encrypting Payloads with Wildcards

Wildcards can be encrypted using the "[*]" operator as part of encryption path:

JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
    .withEncryptionCertificate(encryptionCertificate)
    .withEncryptionPath("$.list[*]sensitiveField1", "$.list[*]encryptedField")
    // …
    .build();

Example:

String payload = "{ \"list\": [ " +
    "   { \"sensitiveField1\" : \"sensitiveValue1\"}, "+
    "   { \"sensitiveField1\" : \"sensitiveValue2\"} " +
    "]}";
String encryptedPayload = JweEncryption.encryptPayload(payload, config);
System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(encryptedPayload)));

Output:

{
  "list": [
    {"encryptedField": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw"},
    {"encryptedField": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+asdvarvasdvfdvakmkmm"}
  ]
}
• Decrypting Payloads with Wildcards

Wildcards can be decrypted using the "[*]" operator as part of decryption path:

JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
    .withDecryptionKey(decryptionKey)
    .withDecryptionPath("$.list[*]encryptedField", "$.list[*]sensitiveField1")
    // …
    .build();

Example:

String encryptedPayload = "{ \"list\": [ " +
        " { \"encryptedField\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw\"}, " +
        " { \"encryptedField\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+asdvarvasdvfdvakmkmm\"} " +
        " ]}";
String payload = JweEncryption.decryptPayload(encryptedPayload, config);
System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(payload)));

Output: ```json { "list": [ {"sensitiveField1": "sensitiveValue1"}, {"sensitiveField2": "sensi

Core symbols most depended-on inside this repo

build
called by 207
src/main/java/com/mastercard/developer/encryption/JweConfigBuilder.java
withDecryptionPath
called by 82
src/main/java/com/mastercard/developer/encryption/JweConfigBuilder.java
withEncryptionPath
called by 75
src/main/java/com/mastercard/developer/encryption/JweConfigBuilder.java
intercept
called by 41
src/main/java/com/mastercard/developer/interceptors/HttpExecuteInterceptorChain.java
decryptPayload
called by 41
src/main/java/com/mastercard/developer/encryption/FieldLevelEncryption.java
withOaepPaddingDigestAlgorithm
called by 32
src/main/java/com/mastercard/developer/encryption/FieldLevelEncryptionConfigBuilder.java
encryptPayload
called by 31
src/main/java/com/mastercard/developer/encryption/FieldLevelEncryption.java
base64Decode
called by 30
src/main/java/com/mastercard/developer/utils/EncodingUtils.java

Shape

Method 483
Class 86
Enum 2

Languages

Java100%

Modules by API surface

src/test/java/com/mastercard/developer/encryption/FieldLevelEncryptionWithDefaultJsonEngineTest.java58 symbols
src/main/java/com/mastercard/developer/encryption/FieldLevelEncryptionConfigBuilder.java26 symbols
src/test/java/com/mastercard/developer/encryption/JweConfigBuilderTest.java21 symbols
src/test/java/com/mastercard/developer/encryption/FieldLevelEncryptionConfigBuilderTest.java21 symbols
src/test/java/com/mastercard/developer/test/TestUtils.java14 symbols
src/main/java/com/mastercard/developer/json/JsonEngine.java14 symbols
src/test/java/com/mastercard/developer/utils/EncodingUtilsTest.java12 symbols
src/main/java/com/mastercard/developer/encryption/jwe/JweObject.java12 symbols
src/main/java/com/mastercard/developer/encryption/JweConfigBuilder.java12 symbols
src/main/java/com/mastercard/developer/encryption/EncryptionConfig.java12 symbols
src/test/java/com/mastercard/developer/interceptors/OkHttpFieldLevelEncryptionInterceptorTest.java11 symbols
src/test/java/com/mastercard/developer/interceptors/OkHttp2FieldLevelEncryptionInterceptorTest.java11 symbols

For agents

$ claude mcp add client-encryption-java \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page