chore(cards): add configuration option to change the decryption scheme locker (#5140)

Co-authored-by: Shakthidhar Bhaskar <shakthidhar.bhaskar@juspay.in>

crates/router/src/configs/defaults.rs

@@ -69,6 +69,7 @@ impl Default for super::settings::Locker {
             locker_enabled: true,
             //Time to live for storage entries in locker
             ttl_for_storage_in_secs: 60 * 60 * 24 * 365 * 7,
+            decryption_scheme: Default::default(),
         }
     }
 }

crates/router/src/configs/settings.rs

@@ -497,6 +497,16 @@ pub struct Locker {
     pub locker_signing_key_id: String,
     pub locker_enabled: bool,
     pub ttl_for_storage_in_secs: i64,
+    pub decryption_scheme: DecryptionScheme,
+}
+
+#[derive(Debug, Deserialize, Clone, Default)]
+pub enum DecryptionScheme {
+    #[default]
+    #[serde(rename = "RSA-OAEP")]
+    RsaOaep,
+    #[serde(rename = "RSA-OAEP-256")]
+    RsaOaep256,
 }
 
 #[derive(Debug, Deserialize, Clone)]

crates/router/src/core/blocklist/transformers.rs

@@ -144,8 +144,12 @@ async fn call_to_locker_for_fingerprint(
         .get_response_inner("JweBody")
         .change_context(errors::VaultError::GenerateFingerprintFailed)?;
 
-    let decrypted_payload =
-        decrypt_generate_fingerprint_response_payload(jwekey, jwe_body, Some(locker_choice))
+    let decrypted_payload = decrypt_generate_fingerprint_response_payload(
+        jwekey,
+        jwe_body,
+        Some(locker_choice),
+        locker.decryption_scheme.clone(),
+    )
     .await
     .change_context(errors::VaultError::GenerateFingerprintFailed)
     .attach_printable("Error getting decrypted fingerprint response payload")?;
@@ -159,9 +163,9 @@ async fn call_to_locker_for_fingerprint(
 
 async fn decrypt_generate_fingerprint_response_payload(
     jwekey: &settings::Jwekey,
-
     jwe_body: encryption::JweBody,
     locker_choice: Option<api_enums::LockerChoice>,
+    decryption_scheme: settings::DecryptionScheme,
 ) -> CustomResult<String, errors::VaultError> {
     let target_locker = locker_choice.unwrap_or(api_enums::LockerChoice::HyperswitchCardVault);
 
@@ -174,7 +178,10 @@ async fn decrypt_generate_fingerprint_response_payload(
     let private_key = jwekey.vault_private_key.peek().as_bytes();
 
     let jwt = payment_methods::get_dotted_jwe(jwe_body);
-    let alg = jwe::RSA_OAEP;
+    let alg = match decryption_scheme {
+        settings::DecryptionScheme::RsaOaep => jwe::RSA_OAEP,
+        settings::DecryptionScheme::RsaOaep256 => jwe::RSA_OAEP_256,
+    };
 
     let jwe_decrypted = encryption::decrypt_jwe(
         &jwt,

crates/router/src/core/payment_methods/cards.rs

@@ -1325,8 +1325,12 @@ pub async fn get_payment_method_from_hs_locker<'a>(
         let jwe_body: services::JweBody = response
             .get_response_inner("JweBody")
             .change_context(errors::VaultError::FetchPaymentMethodFailed)?;
-        let decrypted_payload =
-            payment_methods::get_decrypted_response_payload(jwekey, jwe_body, locker_choice)
+        let decrypted_payload = payment_methods::get_decrypted_response_payload(
+            jwekey,
+            jwe_body,
+            locker_choice,
+            locker.decryption_scheme.clone(),
+        )
         .await
         .change_context(errors::VaultError::FetchPaymentMethodFailed)
         .attach_printable("Error getting decrypted response payload for get card")?;
@@ -1378,8 +1382,12 @@ pub async fn call_to_locker_hs<'a>(
             .get_response_inner("JweBody")
             .change_context(errors::VaultError::FetchCardFailed)?;
 
-        let decrypted_payload =
-            payment_methods::get_decrypted_response_payload(jwekey, jwe_body, Some(locker_choice))
+        let decrypted_payload = payment_methods::get_decrypted_response_payload(
+            jwekey,
+            jwe_body,
+            Some(locker_choice),
+            locker.decryption_scheme.clone(),
+        )
         .await
         .change_context(errors::VaultError::SaveCardFailed)
         .attach_printable("Error getting decrypted response payload")?;
@@ -1459,8 +1467,12 @@ pub async fn get_card_from_hs_locker<'a>(
         let jwe_body: services::JweBody = response
             .get_response_inner("JweBody")
             .change_context(errors::VaultError::FetchCardFailed)?;
-        let decrypted_payload =
-            payment_methods::get_decrypted_response_payload(jwekey, jwe_body, Some(locker_choice))
+        let decrypted_payload = payment_methods::get_decrypted_response_payload(
+            jwekey,
+            jwe_body,
+            Some(locker_choice),
+            locker.decryption_scheme.clone(),
+        )
         .await
         .change_context(errors::VaultError::FetchCardFailed)
         .attach_printable("Error getting decrypted response payload for get card")?;
@@ -1513,6 +1525,7 @@ pub async fn delete_card_from_hs_locker<'a>(
             jwekey,
             jwe_body,
             Some(api_enums::LockerChoice::HyperswitchCardVault),
+            locker.decryption_scheme.clone(),
         )
         .await
         .change_context(errors::ApiErrorResponse::InternalServerError)

crates/router/src/core/payment_methods/transformers.rs

@@ -199,6 +199,7 @@ pub async fn get_decrypted_response_payload(
     jwekey: &settings::Jwekey,
     jwe_body: encryption::JweBody,
     locker_choice: Option<api_enums::LockerChoice>,
+    decryption_scheme: settings::DecryptionScheme,
 ) -> CustomResult<String, errors::VaultError> {
     let target_locker = locker_choice.unwrap_or(api_enums::LockerChoice::HyperswitchCardVault);
 
@@ -211,7 +212,10 @@ pub async fn get_decrypted_response_payload(
     let private_key = jwekey.vault_private_key.peek().as_bytes();
 
     let jwt = get_dotted_jwe(jwe_body);
-    let alg = jwe::RSA_OAEP;
+    let alg = match decryption_scheme {
+        settings::DecryptionScheme::RsaOaep => jwe::RSA_OAEP,
+        settings::DecryptionScheme::RsaOaep256 => jwe::RSA_OAEP_256,
+    };
 
     let jwe_decrypted = encryption::decrypt_jwe(
         &jwt,