
I am trying to implement Google Pay using direct integration, and in the Google docs it is mentioned that merchants have to rotate the keys manually. Regarding rotation it says: Caution: You must support the old private key for decryption of payment methods for eight days after you remove the old public key.

Does this mean I need to support old private key even after deleting the old public key?

I found out that Google uses Elliptic Curve Digital Signature, which is asymmetric. As far as I know, in the case of asymmetric algorithms only one key pair is involved (public and private). Why does Google recommend supporting the old private key for up to 8 days?

James Z
Developer

1 Answer

The workflow is the following:

  • define/upload a new key pair (recommended annually)

  • support both new and old keys during decryption

     // the recipient tries each registered private key until one decrypts the token
     String decryptedMessage =
         new PaymentMethodTokenRecipient.Builder()
             .fetchSenderVerifyingKeysWith(GooglePaymentsPublicKeysManager.INSTANCE_PRODUCTION)
             .recipientId("merchant:<YOUR_MERCHANT_ID>")
             .addRecipientPrivateKey(newPrivateKey)
             .addRecipientPrivateKey(oldPrivateKey)
             .build()
             .unseal(encryptedMessage);
    
  • remove old key

This is a common approach, as the platform might require some time to propagate the new keys and make sure the old ones are no longer used. You need to support the old key by deploying the code above (supporting both signatures) for some time (at least 8 days according to Google's note) and ideally confirm that the old public key is no longer used to encrypt any transactions.

Beppe C
  • Thanks a lot for the answer @Beppe C. Once I generate the new key pair and add the new public key in the business console, does this mean that even though I send the new public key as part of the payment request from the client side, Google may still use the old public key for encryption, and that is why I need to support the old private key for up to 8 days? Please explain this point. – Developer Apr 19 '22 at 11:35
  • Payment data should be encrypted with the new public key; however, it is possible that the previous key is still in use (for a lapse of time), hence you must be able to support both for a period of time – Beppe C Apr 19 '22 at 13:46
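The overlap the answer describes, as an added Go example that is not part of the original post or of Google's Tink library: a constructed ECDH/AES-GCM envelope stands in for the real token format (SHA-256 of the shared secret stands in for the protocol's HKDF step), and the merchant side tries every configured private key, so a token that Google still encrypted under the old public key unseals during the eight-day window and stops unsealing once the old private key is dropped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is a constructed stand-in for a Google Pay token (assumption, not the real format).
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }

// aead turns the ECDH shared secret into an AES-256-GCM key; SHA-256 stands in for the protocol's HKDF step.
func aead(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt plays Google's side: it only ever holds a merchant public key and a fresh ephemeral key.
func Encrypt(merchantPub *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, _ := eph.ECDH(merchantPub) // both keys are P-256, so this cannot fail
	nonce := make([]byte, 12)
	rand.Read(nonce)
	ct := aead(shared).Seal(nil, nonce, plaintext, nil)
	return Envelope{eph.PublicKey().Bytes(), nonce, ct}, nil
}

// Unseal plays the merchant: try each configured private key (newest first), which is what
// the answer's two addRecipientPrivateKey calls do, so old-key tokens still open during the overlap.
func Unseal(env Envelope, keys []*ecdh.PrivateKey) ([]byte, bool) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, false
	}
	for _, k := range keys {
		if shared, err := k.ECDH(ephPub); err == nil {
			if pt, err := aead(shared).Open(nil, env.Nonce, env.Ciphertext, nil); err == nil {
				return pt, true
			}
		}
	}
	return nil, false
}
```

Configuring only the new private key before the window has elapsed is exactly the failure the caution warns about: tokens encrypted to the old public key become undecryptable.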