fix(router): add choice to use the appropriate key for jws verification (#2917)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-11-02 21:07:58 +08:00 · 2023-11-17 21:19:41 +05:30
parent 1d48a83c48
commit 606daa9367
2 changed files with 38 additions and 18 deletions
--- a/crates/router/src/core/payment_methods/cards.rs
+++ b/crates/router/src/core/payment_methods/cards.rs
@ -440,10 +440,11 @@ pub async fn get_payment_method_from_hs_locker<'a>(
        let jwe_body: services::JweBody = response
            .get_response_inner("JweBody")
            .change_context(errors::VaultError::FetchPaymentMethodFailed)?;
-        let decrypted_payload = payment_methods::get_decrypted_response_payload(jwekey, jwe_body)
-            .await
-            .change_context(errors::VaultError::FetchPaymentMethodFailed)
-            .attach_printable("Error getting decrypted response payload for get card")?;
+        let decrypted_payload =
+            payment_methods::get_decrypted_response_payload(jwekey, jwe_body, locker_choice)
+                .await
+                .change_context(errors::VaultError::FetchPaymentMethodFailed)
+                .attach_printable("Error getting decrypted response payload for get card")?;
        let get_card_resp: payment_methods::RetrieveCardResp = decrypted_payload
            .parse_struct("RetrieveCardResp")
            .change_context(errors::VaultError::FetchPaymentMethodFailed)?;
@ -490,10 +491,11 @@ pub async fn call_to_locker_hs<'a>(
            .get_response_inner("JweBody")
            .change_context(errors::VaultError::FetchCardFailed)?;

-        let decrypted_payload = payment_methods::get_decrypted_response_payload(jwekey, jwe_body)
-            .await
-            .change_context(errors::VaultError::SaveCardFailed)
-            .attach_printable("Error getting decrypted response payload")?;
+        let decrypted_payload =
+            payment_methods::get_decrypted_response_payload(jwekey, jwe_body, Some(locker_choice))
+                .await
+                .change_context(errors::VaultError::SaveCardFailed)
+                .attach_printable("Error getting decrypted response payload")?;
        let stored_card_resp: payment_methods::StoreCardResp = decrypted_payload
            .parse_struct("StoreCardResp")
            .change_context(errors::VaultError::ResponseDeserializationFailed)?;
@ -557,10 +559,11 @@ pub async fn get_card_from_hs_locker<'a>(
        let jwe_body: services::JweBody = response
            .get_response_inner("JweBody")
            .change_context(errors::VaultError::FetchCardFailed)?;
-        let decrypted_payload = payment_methods::get_decrypted_response_payload(jwekey, jwe_body)
-            .await
-            .change_context(errors::VaultError::FetchCardFailed)
-            .attach_printable("Error getting decrypted response payload for get card")?;
+        let decrypted_payload =
+            payment_methods::get_decrypted_response_payload(jwekey, jwe_body, Some(locker_choice))
+                .await
+                .change_context(errors::VaultError::FetchCardFailed)
+                .attach_printable("Error getting decrypted response payload for get card")?;
        let get_card_resp: payment_methods::RetrieveCardResp = decrypted_payload
            .parse_struct("RetrieveCardResp")
            .change_context(errors::VaultError::FetchCardFailed)?;
@ -609,10 +612,14 @@ pub async fn delete_card_from_hs_locker<'a>(
            .change_context(errors::ApiErrorResponse::InternalServerError)
            .attach_printable("Failed while executing call_connector_api for delete card");
        let jwe_body: services::JweBody = response.get_response_inner("JweBody")?;
-        let decrypted_payload = payment_methods::get_decrypted_response_payload(jwekey, jwe_body)
-            .await
-            .change_context(errors::ApiErrorResponse::InternalServerError)
-            .attach_printable("Error getting decrypted response payload for delete card")?;
+        let decrypted_payload = payment_methods::get_decrypted_response_payload(
+            jwekey,
+            jwe_body,
+            Some(api_enums::LockerChoice::Basilisk),
+        )
+        .await
+        .change_context(errors::ApiErrorResponse::InternalServerError)
+        .attach_printable("Error getting decrypted response payload for delete card")?;
        let delete_card_resp: payment_methods::DeleteCardResp = decrypted_payload
            .parse_struct("DeleteCardResp")
            .change_context(errors::ApiErrorResponse::InternalServerError)?;
--- a/crates/router/src/core/payment_methods/transformers.rs
+++ b/crates/router/src/core/payment_methods/transformers.rs
@ -189,14 +189,27 @@ pub async fn get_decrypted_response_payload(
    #[cfg(not(feature = "kms"))] jwekey: &settings::Jwekey,
    #[cfg(feature = "kms")] jwekey: &settings::ActiveKmsSecrets,
    jwe_body: encryption::JweBody,
+    locker_choice: Option<api_enums::LockerChoice>,
 ) -> CustomResult<String, errors::VaultError> {
+    let target_locker = locker_choice.unwrap_or(api_enums::LockerChoice::Basilisk);
+
    #[cfg(feature = "kms")]
-    let public_key = jwekey.jwekey.peek().vault_encryption_key.as_bytes();
+    let public_key = match target_locker {
+        api_enums::LockerChoice::Basilisk => jwekey.jwekey.peek().vault_encryption_key.as_bytes(),
+        api_enums::LockerChoice::Tartarus => {
+            jwekey.jwekey.peek().rust_locker_encryption_key.as_bytes()
+        }
+    };
+
    #[cfg(feature = "kms")]
    let private_key = jwekey.jwekey.peek().vault_private_key.as_bytes();

    #[cfg(not(feature = "kms"))]
-    let public_key = jwekey.vault_encryption_key.as_bytes();
+    let public_key = match target_locker {
+        api_enums::LockerChoice::Basilisk => jwekey.vault_encryption_key.as_bytes(),
+        api_enums::LockerChoice::Tartarus => jwekey.rust_locker_encryption_key.as_bytes(),
+    };
+
    #[cfg(not(feature = "kms"))]
    let private_key = jwekey.vault_private_key.as_bytes();