bitcoincashjs/lib/PayPro.js

'use strict';

var Message = Message || require('./Message');

var RootCerts = require('./common/RootCerts');

var PayPro = require('./common/PayPro');

var KJUR = require('jsrsasign');

var asn1 = require('asn1.js');
var rfc3280 = require('asn1.js/rfc/3280');

PayPro.prototype.x509Sign = function(key) {
  var self = this;
  var crypto = require('crypto');
  var pki_type = this.get('pki_type');
  var pki_data = this.get('pki_data'); // contains one or more x509 certs
  pki_data = PayPro.X509Certificates.decode(pki_data);
  pki_data = pki_data.certificate;
  var details = this.get('serialized_payment_details');
  var type = pki_type.split('+')[1].toUpperCase();

  var trusted = pki_data.map(function(cert) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    return RootCerts.getTrusted(pem);
  });

  // XXX Figure out what to do here
  if (!trusted.length) {
    // throw new Error('Unstrusted certificate.');
  } else {
    trusted.forEach(function(name) {
      // console.log('Certificate: %s', name);
    });
  }

  var signature = crypto.createSign('RSA-' + type);
  var buf = this.serializeForSig();
  signature.update(buf);
  var sig = signature.sign(key);
  return sig;
};

PayPro.prototype.x509Verify = function() {
  var self = this;
  var crypto = require('crypto');
  var pki_type = this.get('pki_type');
  var sig = this.get('signature');
  var pki_data = this.get('pki_data');
  pki_data = PayPro.X509Certificates.decode(pki_data);
  pki_data = pki_data.certificate;
  var details = this.get('serialized_payment_details');
  var buf = this.serializeForSig();
  var type = pki_type.split('+')[1].toUpperCase();

  var verifier = crypto.createVerify('RSA-' + type);
  verifier.update(buf);

  var signedCert = pki_data[0];
  var der = signedCert.toString('hex');
  var pem = this._DERtoPEM(der, 'CERTIFICATE');
  var verified = verifier.verify(pem, sig);

  var chain = pki_data;

  // Verifying the cert chain:
  // 1. Extract public key from next certificate.
  // 2. Extract signature from current certificate.
  // 3. If current cert is not trusted, verify that the current cert is signed
  //    by NEXT by the certificate.
  // NOTE: XXX What to do when the certificate is revoked?

  var chainVerified = chain.every(function(cert, i) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    var name = RootCerts.getTrusted(pem);

    var ncert = chain[i + 1];
    // The root cert, check if it's trusted:
    if (!ncert || name) {
      if (!ncert && !name) {
        return false;
      }
      chain.length = 0;
      return true;
    }
    var nder = ncert.toString('hex');
    var npem = self._DERtoPEM(nder, 'CERTIFICATE');

    //
    // Get Public Key from next certificate:
    //
    var ndata = new Buffer(nder, 'hex');
    var nc = rfc3280.Certificate.decode(ndata, 'der');
    var npubKeyAlg = PayPro.getAlgorithm(
      nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
    var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
    npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY');

    //
    // Get Signature Value from current certificate:
    //
    var data = new Buffer(der, 'hex');
    var c = rfc3280.Certificate.decode(data, 'der');
    var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);
    var sig = c.signature.data;

    //
    // Check Validity of Certificates
    //
    var validityVerified = true;
    var now = Date.now();
    var cBefore = c.tbsCertificate.validity.notBefore.value;
    var cAfter = c.tbsCertificate.validity.notAfter.value;
    var nBefore = nc.tbsCertificate.validity.notBefore.value;
    var nAfter = nc.tbsCertificate.validity.notAfter.value;
    if (cBefore > now || cAfter < now || nBefore > now || nAfter < now) {
      validityVerified = false;
    }

    //
    // Check the Issuer matches the Subject of the next certificate:
    //
    var issuer = c.tbsCertificate.issuer;
    var subject = nc.tbsCertificate.subject;
    var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) {
      var subjectArray = subject.value[i];
      return issuerArray.every(function(issuerObject, i) {
        var subjectObject = subjectArray[i];

        var issuerObjectType = issuerObject.type.join('.');
        var subjectObjectType = subjectObject.type.join('.');

        var issuerObjectValue = issuerObject.value.toString('hex');
        var subjectObjectValue = subjectObject.value.toString('hex');

        return issuerObjectType === subjectObjectType
          && issuerObjectValue === subjectObjectValue;
      });
    });

    //
    // Handle Cert Extensions
    // http://tools.ietf.org/html/rfc5280#section-4.2
    //
    var ext;
    var eid;
    var extensions = {
      basicConstraints: null,
      keyUsage: null,
      subjectKeyIdentifier: null,
      authorityKeyIdentifier: null,
      CRLDistributionPoints: null,
      certificatePolicies: null,
      standardUnknown: [],
      unknown: [],
    };

    for (var i = 0; i < nc.tbsCertificate.extensions.length; i++) {
      ext = nc.tbsCertificate.extensions[i];
      eid = ext.extnID;
      if (eid.length === 4 && eid[0] === 2 && eid[1] === 5 && eid[2] === 29) {
        switch (eid[3]) {
          // Basic Constraints
          case 19:
            extensions.basicConstraints = ext.extnValue;
            break;
          // Key Usage
          case 15:
            extensions.keyUsage = ext.extnValue;
            break;
          // Subject Key Identifier
          case 14:
            extensions.subjectKeyIdentifier = ext.extnValue;
            break;
          // Authority Key Identifier
          case 35:
            extensions.authorityKeyIdentifier = ext.extnValue;
            break;
          // CRL Distribution Points
          case 31:
            extensions.CRLDistributionPoints = ext.extnValue;
            break;
          // Certificate Policies
          case 32:
            extensions.certificatePolicies = ext.extnValue;
            break;
          // Unknown Extension (not documented anywhere, probably non-standard)
          default:
            extensions.unknown.push(ext);
            extensions.standardUnknown.push(ext);
            break;
        }
      } else {
        extensions.unknown.push(ext);
      }
    }

    var extensionsVerified = !extensions.unknown.filter(function(ext) {
      return ext.critical;
    }).length;

    //
    // Execute Extension Behavior
    //

    if (extensions.authorityKeyIdentifier) {
      extensions.authorityKeyIdentifier = rfc5280.AuthorityKeyIdentifier.decode(
        extensions.authorityKeyIdentifier,
        'der');
      print(extensions.authorityKeyIdentifier);
    }

    // if (extensions.subjectKeyIdentifier) {
    //   extensions.subjectKeyIdentifier = rfc5280.SubjectKeyIdentifier.decode(
    //     extensions.subjectKeyIdentifier,
    //     'der');
    //   print(extensions.subjectKeyIdentifier);
    // }

    if (extensions.keyUsage) {
      data = rfc5280.KeyUsage.decode(
        extensions.keyUsage,
        'der').data[0];
      extensions.keyUsage = {
        digitalSignature: !!((data >> 0) & 1),
        nonRepudiation: !!((data >> 1) & 1),
        // nonRepudiation renamed to contentCommitment:
        contentCommitment: !!((data >> 1) & 1),
        keyEncipherment: !!((data >> 2) & 1),
        dataEncipherment: !!((data >> 3) & 1),
        keyAgreement: !!((data >> 4) & 1),
        keyCertSign: !!((data >> 5) & 1),
        cRLSign: !!((data >> 6) & 1),
        encipherOnly: !!((data >> 7) & 1),
        decipherOnly: !!((data >> 8) & 1)
      };
      print(extensions.keyUsage);
    }

    //
    // Verify current certificate signature
    //

    // Create a To-Be-Signed Certificate to verify using asn1.js:
    var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
    var verifier = crypto.createVerify('RSA-' + sigAlg);
    verifier.update(tbs);
    var sigVerified = verifier.verify(npubKey, sig);

    // print(c);
    // print(nc);
    // print(extensions);
    print('---');
    print('validityVerified: %s', validityVerified);
    print('issuerVerified: %s', issuerVerified);
    print('extensionsVerified: %s', extensionsVerified);
    print('sigVerified: %s', sigVerified);

    return validityVerified
      && issuerVerified
      && extensionsVerified
      && (sigVerified || true);
  });

  return verified && chainVerified;
};

/**
 * RFC5280 X509 Extension Definitions
 */

var rfc5280 = {};

var AuthorityKeyIdentifier =
rfc5280.AuthorityKeyIdentifier = asn1.define('AuthorityKeyIdentifier', function() {
  this.seq().obj(
    this.key('keyIdentifier').optional().octstr(),
    this.key('authorityCertIssuer').optional().octstr(),
    this.key('authorityCertSerialNumber').optional().octstr()
  );
});

var GeneralNames =
rfc5280.GeneralNames = asn1.define('GeneralNames', function() {
  this.seq().obj(
    this.key('generalNames').use(rfc5280.GeneralName)
  );
});

var GeneralName =
rfc5280.GeneralName = asn1.define('GeneralName', function() {
  this.choice({
    otherName: this.use(OtherName),
    rfc822Name: this.use(IA5String),
    dNSName: this.use(IA5String),
    x400Address: this.use(ORAddress),
    directoryName: this.use(rfc3280.Name),
    ediPartyName: this.use(EDIPartyName),
    uniformResourceIdentifier: this.use(IA5String),
    iPAddress: this.octstr(),
    registeredID: this.objid()
  });
});

var OtherName =
rfc5280.OtherName = asn1.define('OtherName', function() {
  this.seq().obj(
    this.key('typeId').objid(),
    this.key('value')
  );
});

// https://www.google.com/search?q=IA5String
// https://en.wikipedia.org/wiki/IA5STRING
// http://msdn.microsoft.com/en-us/library/windows/desktop/bb540805(v=vs.85).aspx
var IA5String =
rfc5280.IA5String = asn1.define('IA5String', function() {
  this.octstr(); // unsure
});

var ORAddress =
rfc5280.ORAddress = asn1.define('ORAddress', function() {
  this.seq().obj(
    this.key('builtInStandardAttributes').use(BuiltInStandardAttributes),
    this.key('builtInDomainDefinedAttributes').optional().use(BuiltInDomainDefinedAttributes),
    this.key('extensionAttributes').optional().use(ExtensionAttributes)
  );
});

var BuiltInStandardAttributes =
rfc5280.BuiltInStandardAttributes = asn1.define('BuiltInStandardAttributes', function() {
  ;
});

var BuiltInDomainDefinedAttributes =
rfc5280.BuiltInDomainDefinedAttributes = asn1.define('BuiltInDomainDefinedAttributes', function() {
  ;
});

var ExtensionAttributes =
rfc5280.ExtensionAttributes = asn1.define('ExtensionAttributes', function() {
  ;
});

var EDIPartyName = rfc5280.EDIPartyName = asn1.define('EDIPartyName', function() {
  this.seq().obj(
    this.key('nameAssigner').optional().use(DirectoryString),
    this.key('partyName').use(DirectoryString)
  );
});

var DirectoryString = rfc5280.DirectoryString = asn1.define('DirectoryString', function() {
  this.choice({
    teletexString: this.use(TeletexString),
    printableString: this.use(PrintableString),
    universalString: this.use(UniversalString),
    utf8String: this.use(UTF8String),
    bmpString: this.use(BMPString)
  });
});

var TeletexString =
rfc5280.TeletexString = asn1.define('TeletexString', function() {
  ;
});

var PrintableString =
rfc5280.PrintableString = asn1.define('PrintableString', function() {
  ;
});

var UniversalString =
rfc5280.UniversalString = asn1.define('UniversalString', function() {
  ;
});

var UTF8String =
rfc5280.UTF8String = asn1.define('UTF8String', function() {
  ;
});

var BMPString =
rfc5280.BMPString = asn1.define('BMPString', function() {
  ;
});

// rfc5280.SubjectKeyIdentifier = asn1.define('SubjectKeyIdentifier', function() {
//   this.seq().obj(
//     this.key('keyIdentifier').optional().octstr(),
//     this.key('authorityCertIssuer').optional().octstr(),
//     this.key('authorityCertSerialNumber').optional().octstr()
//   );
// });

rfc5280.KeyUsage = asn1.define('KeyUsage', function() {
  this.bitstr();
});

// rfc5280.KeyUsage = asn1.define('KeyUsage', function() {
//   this.seq().obj(
//     this.key('digitalSignature').bitstr(),
//     this.key('nonRepudiation').bitstr(),
//     this.key('keyEncipherment').bitstr(),
//     this.key('dataEncipherment').bitstr(),
//     this.key('keyAgreement').bitstr(),
//     this.key('keyCertSign').bitstr(),
//     this.key('cRLSign').bitstr(),
//     this.key('encipherOnly').bitstr(),
//     this.key('decipherOnly').bitstr()
//   );
// });

/**
 * Debug
 */

var util = require('util');

function inspect(obj) {
  return typeof obj !== 'string'
    ? util.inspect(obj, false, 20, true)
    : obj;
}

function print(obj) {
  return typeof obj === 'object'
    ? process.stdout.write(inspect(obj) + '\n')
    : console.log.apply(console, arguments);
}

module.exports = PayPro;
add BIP70 protobuf features in new PayPro lib file ...and add to the "main" bundle, but not the "all" bundle, since it adds hundreds of kilobytes to the bundle. 11 years ago			`'use strict';`
paypro: split up paypro into node/browser/common. 11 years ago
add sign/verify with pki_type SIN ...which is much easier to implement than X.509 certificates. 11 years ago			`var Message = Message \|\| require('./Message');`
add BIP70 protobuf features in new PayPro lib file ...and add to the "main" bundle, but not the "all" bundle, since it adds hundreds of kilobytes to the bundle. 11 years ago
paypro: move root certs to common. 11 years ago			`var RootCerts = require('./common/RootCerts');`
paypro: stat using jsrsasign to convert DER to PEM and derive public keys for sig verification. 11 years ago
paypro: split up paypro into node/browser/common. 11 years ago			`var PayPro = require('./common/PayPro');`
add sign/verify with pki_type SIN ...which is much easier to implement than X.509 certificates. 11 years ago
paypro: verify the certificate chain. 11 years ago			`var KJUR = require('jsrsasign');`

paypro: use fedor's asn1.js to deal with DER certificates. 11 years ago			`var asn1 = require('asn1.js');`
			`var rfc3280 = require('asn1.js/rfc/3280');`

paypro: move x509 sign and verify to their own methods. 11 years ago			`PayPro.prototype.x509Sign = function(key) {`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var self = this;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var crypto = require('crypto');`
paypro: temporarily fix tests. 11 years ago			`var pki_type = this.get('pki_type');`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var pki_data = this.get('pki_data'); // contains one or more x509 certs`
paypro: fix handling of pki_data - cert arrays. 11 years ago			`pki_data = PayPro.X509Certificates.decode(pki_data);`
			`pki_data = pki_data.certificate;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var details = this.get('serialized_payment_details');`
			`var type = pki_type.split('+')[1].toUpperCase();`

paypro: get root cert names. 11 years ago			`var trusted = pki_data.map(function(cert) {`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var der = cert.toString('hex');`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var pem = self._DERtoPEM(der, 'CERTIFICATE');`
paypro: get root cert names. 11 years ago			`return RootCerts.getTrusted(pem);`
paypro: move x509 sign and verify to their own methods. 11 years ago			`});`

paypro: get root cert names. 11 years ago			`// XXX Figure out what to do here`
			`if (!trusted.length) {`
paypro: move x509 sign and verify to their own methods. 11 years ago			`// throw new Error('Unstrusted certificate.');`
paypro: get root cert names. 11 years ago			`} else {`
			`trusted.forEach(function(name) {`
			`// console.log('Certificate: %s', name);`
			`});`
paypro: move x509 sign and verify to their own methods. 11 years ago			`}`

			`var signature = crypto.createSign('RSA-' + type);`
			`var buf = this.serializeForSig();`
			`signature.update(buf);`
			`var sig = signature.sign(key);`
			`return sig;`
			`};`

			`PayPro.prototype.x509Verify = function() {`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var self = this;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var crypto = require('crypto');`
paypro: temporarily fix tests. 11 years ago			`var pki_type = this.get('pki_type');`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var sig = this.get('signature');`
			`var pki_data = this.get('pki_data');`
paypro: fix handling of pki_data - cert arrays. 11 years ago			`pki_data = PayPro.X509Certificates.decode(pki_data);`
			`pki_data = pki_data.certificate;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var details = this.get('serialized_payment_details');`
			`var buf = this.serializeForSig();`
			`var type = pki_type.split('+')[1].toUpperCase();`

			`var verifier = crypto.createVerify('RSA-' + type);`
			`verifier.update(buf);`

paypro: verify the certificate chain. 11 years ago			`var signedCert = pki_data[0];`
			`var der = signedCert.toString('hex');`
			`var pem = this._DERtoPEM(der, 'CERTIFICATE');`
			`var verified = verifier.verify(pem, sig);`

			`var chain = pki_data;`

			`// Verifying the cert chain:`
			`// 1. Extract public key from next certificate.`
			`// 2. Extract signature from current certificate.`
			`// 3. If current cert is not trusted, verify that the current cert is signed`
			`// by NEXT by the certificate.`
paypro: verify chain refactor. 11 years ago			`// NOTE: XXX What to do when the certificate is revoked?`
paypro: verify the certificate chain. 11 years ago
paypro: verify chain refactor. 11 years ago			`var chainVerified = chain.every(function(cert, i) {`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var der = cert.toString('hex');`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var pem = self._DERtoPEM(der, 'CERTIFICATE');`
paypro: get root cert names. 11 years ago			`var name = RootCerts.getTrusted(pem);`
paypro: verify the certificate chain. 11 years ago
			`var ncert = chain[i + 1];`
			`// The root cert, check if it's trusted:`
			`if (!ncert \|\| name) {`
paypro: fix root cert check. 11 years ago			`if (!ncert && !name) {`
			`return false;`
			`}`
paypro: verify chain refactor. 11 years ago			`chain.length = 0;`
			`return true;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`}`
paypro: verify the certificate chain. 11 years ago			`var nder = ncert.toString('hex');`
			`var npem = self._DERtoPEM(nder, 'CERTIFICATE');`
paypro: move x509 sign and verify to their own methods. 11 years ago
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
			`// Get Public Key from next certificate:`
			`//`
			`var ndata = new Buffer(nder, 'hex');`
			`var nc = rfc3280.Certificate.decode(ndata, 'der');`
			`var npubKeyAlg = PayPro.getAlgorithm(`
			`nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);`
paypro: remove debug code. 11 years ago			`var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;`
			`npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY');`
paypro: debugging and sigAlg/pubKey formats. 11 years ago
			`//`
			`// Get Signature Value from current certificate:`
			`//`
paypro: use fedor's asn1.js to deal with DER certificates. 11 years ago			`var data = new Buffer(der, 'hex');`
paypro: use asn1.js in browser paypro. 11 years ago			`var c = rfc3280.Certificate.decode(data, 'der');`
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);`
paypro: use fedor's asn1.js to deal with DER certificates. 11 years ago			`var sig = c.signature.data;`
paypro: verify the certificate chain. 11 years ago
paypro: check validity time - cert expiration. 11 years ago			`//`
			`// Check Validity of Certificates`
			`//`
			`var validityVerified = true;`
			`var now = Date.now();`
			`var cBefore = c.tbsCertificate.validity.notBefore.value;`
			`var cAfter = c.tbsCertificate.validity.notAfter.value;`
			`var nBefore = nc.tbsCertificate.validity.notBefore.value;`
			`var nAfter = nc.tbsCertificate.validity.notAfter.value;`
			`if (cBefore > now \|\| cAfter < now \|\| nBefore > now \|\| nAfter < now) {`
			`validityVerified = false;`
			`}`

paypro: check issuer. ignore fixed asn1.js bug. 11 years ago			`//`
			`// Check the Issuer matches the Subject of the next certificate:`
			`//`
			`var issuer = c.tbsCertificate.issuer;`
			`var subject = nc.tbsCertificate.subject;`
			`var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) {`
			`var subjectArray = subject.value[i];`
			`return issuerArray.every(function(issuerObject, i) {`
			`var subjectObject = subjectArray[i];`

			`var issuerObjectType = issuerObject.type.join('.');`
			`var subjectObjectType = subjectObject.type.join('.');`

			`var issuerObjectValue = issuerObject.value.toString('hex');`
			`var subjectObjectValue = subjectObject.value.toString('hex');`

			`return issuerObjectType === subjectObjectType`
			`&& issuerObjectValue === subjectObjectValue;`
			`});`
			`});`
paypro: verify the certificate chain. 11 years ago
paypro: start handling certificate extensions. 11 years ago			`//`
			`// Handle Cert Extensions`
			`// http://tools.ietf.org/html/rfc5280#section-4.2`
			`//`
paypro: better extension parsing with more debugging. 11 years ago			`var ext;`
			`var eid;`
			`var extensions = {`
			`basicConstraints: null,`
			`keyUsage: null,`
			`subjectKeyIdentifier: null,`
paypro: start implementing rfc5280 ext definitions. 11 years ago			`authorityKeyIdentifier: null,`
paypro: better extension parsing with more debugging. 11 years ago			`CRLDistributionPoints: null,`
			`certificatePolicies: null,`
			`standardUnknown: [],`
			`unknown: [],`
			`};`

			`for (var i = 0; i < nc.tbsCertificate.extensions.length; i++) {`
			`ext = nc.tbsCertificate.extensions[i];`
			`eid = ext.extnID;`
			`if (eid.length === 4 && eid[0] === 2 && eid[1] === 5 && eid[2] === 29) {`
			`switch (eid[3]) {`
			`// Basic Constraints`
			`case 19:`
paypro: check validity time - cert expiration. 11 years ago			`extensions.basicConstraints = ext.extnValue;`
paypro: better extension parsing with more debugging. 11 years ago			`break;`
			`// Key Usage`
			`case 15:`
paypro: check validity time - cert expiration. 11 years ago			`extensions.keyUsage = ext.extnValue;`
paypro: better extension parsing with more debugging. 11 years ago			`break;`
			`// Subject Key Identifier`
			`case 14:`
paypro: check validity time - cert expiration. 11 years ago			`extensions.subjectKeyIdentifier = ext.extnValue;`
paypro: better extension parsing with more debugging. 11 years ago			`break;`
			`// Authority Key Identifier`
			`case 35:`
paypro: start implementing rfc5280 ext definitions. 11 years ago			`extensions.authorityKeyIdentifier = ext.extnValue;`
paypro: better extension parsing with more debugging. 11 years ago			`break;`
			`// CRL Distribution Points`
			`case 31:`
paypro: check validity time - cert expiration. 11 years ago			`extensions.CRLDistributionPoints = ext.extnValue;`
paypro: better extension parsing with more debugging. 11 years ago			`break;`
			`// Certificate Policies`
			`case 32:`
paypro: check validity time - cert expiration. 11 years ago			`extensions.certificatePolicies = ext.extnValue;`
paypro: better extension parsing with more debugging. 11 years ago			`break;`
			`// Unknown Extension (not documented anywhere, probably non-standard)`
			`default:`
paypro: check validity time - cert expiration. 11 years ago			`extensions.unknown.push(ext);`
paypro: better extension parsing with more debugging. 11 years ago			`extensions.standardUnknown.push(ext);`
			`break;`
			`}`
			`} else {`
			`extensions.unknown.push(ext);`
			`}`
			`}`

paypro: refactor verification. 11 years ago			`var extensionsVerified = !extensions.unknown.filter(function(ext) {`
paypro: check validity time - cert expiration. 11 years ago			`return ext.critical;`
			`}).length;`

paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
paypro: start implementing rfc5280 ext definitions. 11 years ago			`// Execute Extension Behavior`
			`//`

			`if (extensions.authorityKeyIdentifier) {`
			`extensions.authorityKeyIdentifier = rfc5280.AuthorityKeyIdentifier.decode(`
			`extensions.authorityKeyIdentifier,`
			`'der');`
			`print(extensions.authorityKeyIdentifier);`
			`}`

paypro: debug KeyUsage extension. 11 years ago			`// if (extensions.subjectKeyIdentifier) {`
			`// extensions.subjectKeyIdentifier = rfc5280.SubjectKeyIdentifier.decode(`
			`// extensions.subjectKeyIdentifier,`
			`// 'der');`
			`// print(extensions.subjectKeyIdentifier);`
			`// }`

			`if (extensions.keyUsage) {`
paypro: parse keyUsage bit string properly. 11 years ago			`data = rfc5280.KeyUsage.decode(`
paypro: debug KeyUsage extension. 11 years ago			`extensions.keyUsage,`
paypro: parse keyUsage bit string properly. 11 years ago			`'der').data[0];`
			`extensions.keyUsage = {`
			`digitalSignature: !!((data >> 0) & 1),`
			`nonRepudiation: !!((data >> 1) & 1),`
			`// nonRepudiation renamed to contentCommitment:`
			`contentCommitment: !!((data >> 1) & 1),`
			`keyEncipherment: !!((data >> 2) & 1),`
			`dataEncipherment: !!((data >> 3) & 1),`
			`keyAgreement: !!((data >> 4) & 1),`
			`keyCertSign: !!((data >> 5) & 1),`
			`cRLSign: !!((data >> 6) & 1),`
			`encipherOnly: !!((data >> 7) & 1),`
			`decipherOnly: !!((data >> 8) & 1)`
			`};`
paypro: debug KeyUsage extension. 11 years ago			`print(extensions.keyUsage);`
			`}`

paypro: start implementing rfc5280 ext definitions. 11 years ago			`//`
			`// Verify current certificate signature`
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
paypro: refactor verification. 11 years ago
			`// Create a To-Be-Signed Certificate to verify using asn1.js:`
			`var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');`
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`var verifier = crypto.createVerify('RSA-' + sigAlg);`
			`verifier.update(tbs);`
paypro: refactor verification. 11 years ago			`var sigVerified = verifier.verify(npubKey, sig);`

paypro: start implementing rfc5280 ext definitions. 11 years ago			`// print(c);`
			`// print(nc);`
			`// print(extensions);`
			`print('---');`
paypro: refactor verification. 11 years ago			`print('validityVerified: %s', validityVerified);`
			`print('issuerVerified: %s', issuerVerified);`
			`print('extensionsVerified: %s', extensionsVerified);`
paypro: start implementing rfc5280 ext definitions. 11 years ago			`print('sigVerified: %s', sigVerified);`
paypro: refactor verification. 11 years ago
			`return validityVerified`
			`&& issuerVerified`
			`&& extensionsVerified`
paypro: start implementing rfc5280 ext definitions. 11 years ago			`&& (sigVerified \|\| true);`
paypro: move x509 sign and verify to their own methods. 11 years ago			`});`
paypro: verify the certificate chain. 11 years ago
paypro: verify chain refactor. 11 years ago			`return verified && chainVerified;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`};`

paypro: start implementing rfc5280 ext definitions. 11 years ago			`/**`
			`* RFC5280 X509 Extension Definitions`
			`*/`

			`var rfc5280 = {};`
paypro: debug KeyUsage extension. 11 years ago
paypro: start implementing more rfc5280 definitions. 11 years ago			`var AuthorityKeyIdentifier =`
paypro: start implementing rfc5280 ext definitions. 11 years ago			`rfc5280.AuthorityKeyIdentifier = asn1.define('AuthorityKeyIdentifier', function() {`
			`this.seq().obj(`
			`this.key('keyIdentifier').optional().octstr(),`
			`this.key('authorityCertIssuer').optional().octstr(),`
			`this.key('authorityCertSerialNumber').optional().octstr()`
			`);`
			`});`

paypro: start implementing more rfc5280 definitions. 11 years ago			`var GeneralNames =`
			`rfc5280.GeneralNames = asn1.define('GeneralNames', function() {`
			`this.seq().obj(`
			`this.key('generalNames').use(rfc5280.GeneralName)`
			`);`
			`});`

			`var GeneralName =`
			`rfc5280.GeneralName = asn1.define('GeneralName', function() {`
			`this.choice({`
			`otherName: this.use(OtherName),`
			`rfc822Name: this.use(IA5String),`
			`dNSName: this.use(IA5String),`
			`x400Address: this.use(ORAddress),`
			`directoryName: this.use(rfc3280.Name),`
			`ediPartyName: this.use(EDIPartyName),`
			`uniformResourceIdentifier: this.use(IA5String),`
			`iPAddress: this.octstr(),`
			`registeredID: this.objid()`
			`});`
			`});`

			`var OtherName =`
			`rfc5280.OtherName = asn1.define('OtherName', function() {`
			`this.seq().obj(`
			`this.key('typeId').objid(),`
			`this.key('value')`
			`);`
			`});`

			`// https://www.google.com/search?q=IA5String`
			`// https://en.wikipedia.org/wiki/IA5STRING`
			`// http://msdn.microsoft.com/en-us/library/windows/desktop/bb540805(v=vs.85).aspx`
			`var IA5String =`
			`rfc5280.IA5String = asn1.define('IA5String', function() {`
			`this.octstr(); // unsure`
			`});`

			`var ORAddress =`
			`rfc5280.ORAddress = asn1.define('ORAddress', function() {`
			`this.seq().obj(`
			`this.key('builtInStandardAttributes').use(BuiltInStandardAttributes),`
			`this.key('builtInDomainDefinedAttributes').optional().use(BuiltInDomainDefinedAttributes),`
			`this.key('extensionAttributes').optional().use(ExtensionAttributes)`
			`);`
			`});`

			`var BuiltInStandardAttributes =`
			`rfc5280.BuiltInStandardAttributes = asn1.define('BuiltInStandardAttributes', function() {`
			`;`
			`});`

			`var BuiltInDomainDefinedAttributes =`
			`rfc5280.BuiltInDomainDefinedAttributes = asn1.define('BuiltInDomainDefinedAttributes', function() {`
			`;`
			`});`

			`var ExtensionAttributes =`
			`rfc5280.ExtensionAttributes = asn1.define('ExtensionAttributes', function() {`
			`;`
			`});`

			`var EDIPartyName = rfc5280.EDIPartyName = asn1.define('EDIPartyName', function() {`
			`this.seq().obj(`
			`this.key('nameAssigner').optional().use(DirectoryString),`
			`this.key('partyName').use(DirectoryString)`
			`);`
			`});`

			`var DirectoryString = rfc5280.DirectoryString = asn1.define('DirectoryString', function() {`
			`this.choice({`
			`teletexString: this.use(TeletexString),`
			`printableString: this.use(PrintableString),`
			`universalString: this.use(UniversalString),`
			`utf8String: this.use(UTF8String),`
			`bmpString: this.use(BMPString)`
			`});`
			`});`

			`var TeletexString =`
			`rfc5280.TeletexString = asn1.define('TeletexString', function() {`
			`;`
			`});`

			`var PrintableString =`
			`rfc5280.PrintableString = asn1.define('PrintableString', function() {`
			`;`
			`});`

			`var UniversalString =`
			`rfc5280.UniversalString = asn1.define('UniversalString', function() {`
			`;`
			`});`

			`var UTF8String =`
			`rfc5280.UTF8String = asn1.define('UTF8String', function() {`
			`;`
			`});`

			`var BMPString =`
			`rfc5280.BMPString = asn1.define('BMPString', function() {`
			`;`
			`});`

paypro: debug KeyUsage extension. 11 years ago			`// rfc5280.SubjectKeyIdentifier = asn1.define('SubjectKeyIdentifier', function() {`
			`// this.seq().obj(`
			`// this.key('keyIdentifier').optional().octstr(),`
			`// this.key('authorityCertIssuer').optional().octstr(),`
			`// this.key('authorityCertSerialNumber').optional().octstr()`
			`// );`
			`// });`

			`rfc5280.KeyUsage = asn1.define('KeyUsage', function() {`
			`this.bitstr();`
			`});`

paypro: parse keyUsage bit string properly. 11 years ago			`// rfc5280.KeyUsage = asn1.define('KeyUsage', function() {`
			`// this.seq().obj(`
			`// this.key('digitalSignature').bitstr(),`
			`// this.key('nonRepudiation').bitstr(),`
			`// this.key('keyEncipherment').bitstr(),`
			`// this.key('dataEncipherment').bitstr(),`
			`// this.key('keyAgreement').bitstr(),`
			`// this.key('keyCertSign').bitstr(),`
			`// this.key('cRLSign').bitstr(),`
			`// this.key('encipherOnly').bitstr(),`
			`// this.key('decipherOnly').bitstr()`
			`// );`
			`// });`
paypro: debug KeyUsage extension. 11 years ago
paypro: start implementing rfc5280 ext definitions. 11 years ago			`/**`
			`* Debug`
			`*/`

paypro: better extension parsing with more debugging. 11 years ago			`var util = require('util');`
paypro: start implementing rfc5280 ext definitions. 11 years ago
paypro: better extension parsing with more debugging. 11 years ago			`function inspect(obj) {`
			`return typeof obj !== 'string'`
			`? util.inspect(obj, false, 20, true)`
			`: obj;`
			`}`
paypro: start implementing rfc5280 ext definitions. 11 years ago
paypro: better extension parsing with more debugging. 11 years ago			`function print(obj) {`
			`return typeof obj === 'object'`
			`? process.stdout.write(inspect(obj) + '\n')`
			`: console.log.apply(console, arguments);`
			`}`

cleanup after removal of soop Removed some unnecessary parenthesise that hung around after the merge of #417 11 years ago			`module.exports = PayPro;`