
This is a discussion on JPC, PayPal and SSL in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member trefrog's Avatar
    Join Date
    Mar 2006
    Location
    BC Canada
    Posts
    2

    Question JPC, PayPal and SSL

    I'm new to SSL. PayPal has plenty of info about using their backend integration services (PDT, IPN, etc.), but I'm stuck with wrapping my head around SSL. They need you to upload your public certificate. They provide some instructions to generate your own certificate using OpenSSL, which I have on my localhost testing server (apache2triad). I can execute the first command (genrsa...) that generates a file... the second command (req...) gives an error though. Maybe I need to run this command in telnet on my web server (which I know nothing about yet)...?

    I know JPC has SSL for shared hosting. Can I somehow generate and download a public certificate from that? I don't care about having a padlock on my site, though it would be nice to see one on my subscription page. All I want SSL for is to have a custom logo on PayPal (already set up), and to send Payment Data Transfer info and IPN-type stuff to PayPal.

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    The PayPal public certificate and an actual SSL certificate for securing your site are two separate things. The certificate that you upload to PayPal allows you to encrypt the contents of your payment buttons. Without encryption they are sent in clear text that a user can view and potentially change.

    For example, a standard button would look something like this (line breaks added for clarity):
    Code:
    https://www.paypal.com/cgi-bin/webscr?
    cmd=_xclick&business=you%40yourdomain%2ecom&
    item_name=Widget&item_number=widget1&amount=19%2e99&
    no_shipping=0&no_note=1&currency_code=USD&lc=US&bn=PP%2dBuyNowBF&
    charset=UTF%2d8
    As you can see, all of the information about the item can be viewed from this URL and since it isn't encrypted, a user could change it at will. For example, I could easily change the amount=19%2e99 (amount = 19.99) to amount=0%2e99 (amount = 0.99) and buy the item for 99 cents instead of $19.99. Encrypting your buttons prevents this. The same data, encrypted, would look like this:
    Code:
    -----BEGIN PKCS7-----MIIHRwYJKoZIhvcNAQcEoIIHODCCBzQCAQExggEwMIIBLA
    IBADCBlDCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYD
    VQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW
    5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGk
    xHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwDQYJKoZIhv
    cNAQEBBQAEgYAw7fdZuwbsdP3mGgFUknpHx8esRdZGEqRFjyP0eJsIPE
    l94bkXY0unqWzUrAMSgO7hOzbmU/i9K6MScoOC4VQcN0BKgFuaUndwU
    GEc+D/Xxr1c+h6OT8GigUHJm2X5fx/215PgB16hMXW88bWVidLL99HW
    I9BhKXxcgcqwmfrlKTELMAkGBSsOAwIaBQAwgcQGCSqGSIb3DQEHATA
    UBggqhkiG9w0DBwQIAXNOhhfcoXWAgaD2YIgVEmcxzdOzwKKA6FfEf3
    k7go4SdYDVu4iz8pVvlsDpyXrsjwGspeziLJ1fkviwCbt8UitV1HDaNrR5f+y
    ukAKSboC7hMLIbrVIhZ7wxqCfiGyEp4orgpJkq7jMi8BzwQvaBICH5aAhx7
    rP8KOll3Br26bBpRB3vAM+tfQ6vgG2uFlGb5aoi+ACJ7FJpDJmb0kMZe8oq
    EseJwVFxIO1oIIDhzCCA4MwggLsoAMCAQICAQAwDQYJKoZIhvcNAQEF
    BQAwgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UE
    BxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLUGF5UGFsIEluYy4xEzAR
    BgNVBAsUCmxpdmVfY2VydHMxETAPBgNVBAMUCGxpdmVfYXBpMRwwG
    gYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tMB4XDTA0MDIxMzEwMTM
    xNVoXDTM1MDIxMzEwMTMxNVowgY4xCzAJBgNVBAYTAlVTMQswCQY
    DVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1U
    EChMLUGF5UGFsIEluYy4xEzARBgNVBAsUCmxpdmVfY2VydHMxETAPBg
    NVBAMUCGxpdmVfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYW
    wuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBR07d/ET
    MS1ycjtkpkvjXZe9k+6CieLuLsPumsJ7QC1odNz3sJiCbs2wC0nLE0uLG
    aEtXynIgRqIddYCHx88pb5HTXv4SZeuv0Rqq4+axW9PLAAATU8w04q
    qjaSXgbGLP3NmohqM6bV9kZZwZLR/klDaQGo1u9uDb9lr4Yn+rBQIDAQA
    Bo4HuMIHrMB0GA1UdDgQWBBSWn3y7xm8XvVk/UtcKG+wQ1mSUazCB
    uwYDVR0jBIGzMIGwgBSWn3y7xm8XvVk/UtcKG+wQ1mSUa6GBlKSBkTC
    BjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1N
    b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEG
    A1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqh
    kiG9w0BCQEWDXJlQHBheXBhbC5jb22CAQAwDAYDVR0TBAUwAwEB/zA
    NBgkqhkiG9w0BAQUFAAOBgQCBXzpWmoBa5e9fo6ujionW1hUhPkOBak
    Tr3YCDjbYfvJEiv/2P+IobhOGJr85+XHhN0v4gUkEDI8r2/rNk1m0GA8HKd
    dvTjyGw/XqXa+LSTlDYkqI8OwR8GEYj4efEtcRpRYBxV8KxAW93YDWzF
    GvruKnnLbDAF6VR5w/cCMn5hzGCAZowggGWAgEBMIGUMIGOMQswC
    QYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50Y
    WluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMwEQYDVQQLFA
    psaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3
    DQEJARYNcmVAcGF5cGFsLmNvbQIBADAJBgUrDgMCGgUAoF0wGAYJKo
    ZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYw
    MzIzMTkwNDI2WjAjBgkqhkiG9w0BCQQxFgQUJ8dvCZ5qxPSyKWntMEH9
    VJ1IWdQwDQYJKoZIhvcNAQEBBQAEgYBHH3xOh3jcwimrIsntZKHE2nLpU
    bdesdxNNwbVIoN65sMu/T6/+gEP0NTSm6Nu6/2xFfwsPpvvGJDSQL1EBR
    DvjjGFR3UyeeAyMn3h8TUikS7CcsB/XbDuCtl4fxr7Yi8vziSUyzhKvKxVpZR
    /Oxth32I9dmOOWn7LeeSztgXNjQ==-----END PKCS7-----
    In this example it is impossible to change the values of any fields unless you know how to decrypt that data. If you are encrypting your own buttons then PayPal needs your public key in order to do that.

    I've generated a public key for use on PayPal from my JPC server, following PayPal's instructions, and it has worked fine. Before you can do this you'll need to ask support (through a ticket) to enable SSH access for your account. Once that's done you'll need an SSH client (like PuTTY) to be able to log in. JPC doesn't support telnet for security reasons, but SSH works exactly the same way--it just encrypts everything for improved security.

    An actual SSL certificate secures the connection between you and your users by encrypting the data sent in a manner similar to the way PayPal works. Simply encrypting your PayPal buttons won't encrypt the transactions between your site and your user.

    JPC does offer a shared SSL certificate for securing your site. To use it you need to point your links to the SSL URL for your server--something like https://secureXX.nocdirect.com/~USERNAME, where XX is a two-digit server number (see your welcome email for your server's number, or contact support) and USERNAME is your cPanel username. You can also purchase an SSL certificate from a third party if you'd like to use your own domain name in your links (looks more professional if you are running an online business).

    When you buy an SSL certificate you generate what's known as a certificate signing request that you send to the company that's issuing the certificate. The process for doing this is similar to that for generating the PayPal public/private keys and this is where the confusion lies with many people.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  3. #3
    JPC Member trefrog's Avatar
    Join Date
    Mar 2006
    Location
    BC Canada
    Posts
    2
    Thanks. That should be all I need to know to start me off.

  4. #4
    JPC Member
    Join Date
    Jun 2005
    Posts
    2

    PayPal Button Encryption on the fly?

    Along the same lines for encrypting price information in a PayPal button as described in this thread, I have the following situation.

    Using PHP, I would like to dynamically encrypt my button information since the prices on my site change depending on many factors (time of year, weeknight or weekend, etc.). I have all the encryption key stuff solved, know how to get PHP involved and know what to do once I have the encrypted data...but how to generate the data on the server via a PHP system($command, $result) or the like is where I'm stumped.

    Regarding the PHP system command, PayPal offers two ButtonEncryption "API's" for generating the button on the fly, one based on windows and the other JAVA. I'm assuming I'd have to go with JAVA since my shared server is not windows based and the $command for above would be "java ButtonEncryption certfile pkcs12file ..." However, doing a "java -version" from my Putty command prompt tells me java is not there.

    Is there a solution? Is it as easy as loading JRE to my shell? Or, am I making this too difficult; is there an easier way? Any suggestions appreciated.

  5. #5
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Holy crap. Why is that code so long? I've coded something just like that this Monday but my encoded data is barely longer than the unencrypted data is.

    Note that SSL for your site requires two things: the certificate and a unique IP (i.e. one tied specifically to your site). The latter is $1/month, IIRC.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  6. #6
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    I've been using this code from PayPalTech.com in my experiments. It's all done in PHP. You are right that Java is not on the servers.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  7. #7
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Quote Originally Posted by Gwaihir
    Holy crap. Why is that code so long?
    I created that almost two months ago and I don't quite remember what I did. I think I did it with PayPal's normal "create a web payment button" code on their site. The ones that I've created using my own certificate and the PHP code noted in my last post have been much shorter.

    When I posted it I thought it seemed too long, too, but it is what PayPal gave me.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  8. #8
    JPC Member
    Join Date
    Jun 2005
    Posts
    2
    Thank you for your helpful replies, Jason; that looks like it will work perfectly.

    I had done some more digging in the meantime and it looks like additional code can be found from PayPal's PHP SDK:

    https://www.paypal.com/cgi-bin/websc...DevKit-outside

    If you look for and dig a little into the file EWPServices.php from one of the available PHP downloads, they use the PHP openssl_pkcs7_sign and openssl_pkcs7_encrypt methods to create the button and then format for html.

    Think just a few changes are needed to make their dynamic variables suit my static variables (i.e., my cert_id, etc.) and this should be a completely PHP (admittedly less elegant) way to create PayPal EWP buttons on the fly.

    Thanks again.
    Last edited by bitarcade; 05-09-2006 at 07:58 PM. Reason: Acknowledge earlier post
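
The sign-then-encrypt flow described in posts #2 and #8, as an added shell example using the openssl CLI (not code from the thread, PayPal, or PayPalTech.com). It shows why the uploaded public certificate matters: the receiving side accepts a blob only if it was signed by the key it has on file. Assumptions: the `merchant`, `processor` and `other` identities, the `cert_id` value and the AES-256 cipher are constructed for the demo, with `processor` standing in for PayPal.

```shell
#!/bin/sh
# Added example: EWP-style sign-then-encrypt with the openssl CLI.
# Constructed names: merchant/processor/other identities, cert_id=EXAMPLECERTID.
# "processor" stands in for PayPal, whose real public certificate is not used here.

make_identity() {   # $1 = file prefix, $2 = CN; writes $1-key.pem and self-signed $1-cert.pem
    openssl genrsa -out "$1-key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1-key.pem" -out "$1-cert.pem" \
        -days 365 -subj "/CN=$2" 2>/dev/null
}

seal_button() {     # $1 = signer prefix, $2 = plaintext fields file, $3 = output PEM
    # Sign with the sender's private key, then encrypt to the processor's certificate.
    # -aes256 is this example's cipher choice (an assumption, not taken from the thread).
    openssl smime -sign -signer "$1-cert.pem" -inkey "$1-key.pem" \
        -outform der -nodetach -binary -in "$2" |
    openssl smime -encrypt -aes256 -binary -outform pem -out "$3" processor-cert.pem
}

open_button() {     # processor side: $1 = PEM blob; prints the fields if the signature checks out
    # -nointern: accept only the certificate on file (merchant-cert.pem) as signer.
    # -noverify: skip chain building, since the uploaded certificate is self-signed.
    openssl smime -decrypt -inform pem -in "$1" \
        -recip processor-cert.pem -inkey processor-key.pem |
    openssl smime -verify -inform der -noverify -nointern \
        -certfile merchant-cert.pem 2>/dev/null
}

demo() (            # runs in a subshell inside a scratch directory
    cd "$(mktemp -d)" || exit 1
    make_identity merchant "Example Merchant" || exit 1
    make_identity processor "Example Processor" || exit 1
    make_identity other "Not The Merchant" || exit 1
    printf '%s\n' cmd=_xclick business=you@yourdomain.com item_name=Widget \
        amount=19.99 currency_code=USD cert_id=EXAMPLECERTID > button.txt
    seal_button merchant button.txt button.pem || exit 1
    open_button button.pem | grep -q '^amount=19\.99' || exit 1
    # Same fields with a different amount, sealed by a key that is not on file:
    sed 's/^amount=.*/amount=0.99/' button.txt > edited.txt
    seal_button other edited.txt edited.pem || exit 1
    if open_button edited.pem >/dev/null; then exit 1; fi
    echo "merchant button accepted; blob from unknown signer rejected"
)

demo
```

Encryption alone only hides the fields; it is the signature check against the certificate on file that ties the amount to the merchant.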
