bitcoincashjs/lib/PayPro.js

'use strict';

var Message = Message || require('./Message');

var RootCerts = require('./common/RootCerts');

var PayPro = require('./common/PayPro');

var KJUR = require('jsrsasign');

var asn1 = require('asn1.js');
var rfc3280 = require('asn1.js/rfc/3280');

PayPro.prototype.x509Sign = function(key) {
  var self = this;
  var crypto = require('crypto');
  var pki_type = this.get('pki_type');
  var pki_data = this.get('pki_data'); // contains one or more x509 certs
  pki_data = PayPro.X509Certificates.decode(pki_data);
  pki_data = pki_data.certificate;
  var details = this.get('serialized_payment_details');
  var type = pki_type.split('+')[1].toUpperCase();

  var trusted = pki_data.map(function(cert) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    return RootCerts.getTrusted(pem);
  });

  // XXX Figure out what to do here
  if (!trusted.length) {
    // throw new Error('Unstrusted certificate.');
  } else {
    trusted.forEach(function(name) {
      // console.log('Certificate: %s', name);
    });
  }

  var signature = crypto.createSign('RSA-' + type);
  var buf = this.serializeForSig();
  signature.update(buf);
  var sig = signature.sign(key);
  return sig;
};

PayPro.prototype.x509Verify = function() {
  var self = this;
  var crypto = require('crypto');
  var pki_type = this.get('pki_type');
  var sig = this.get('signature');
  var pki_data = this.get('pki_data');
  pki_data = PayPro.X509Certificates.decode(pki_data);
  pki_data = pki_data.certificate;
  var details = this.get('serialized_payment_details');
  var buf = this.serializeForSig();
  var type = pki_type.split('+')[1].toUpperCase();

  var verifier = crypto.createVerify('RSA-' + type);
  verifier.update(buf);

  var signedCert = pki_data[0];
  var der = signedCert.toString('hex');
  var pem = this._DERtoPEM(der, 'CERTIFICATE');
  var verified = verifier.verify(pem, sig);

  if (verified) {
    console.log('PaymentRequest verified (node)');
  } else {
    console.log('PaymentRequest not verified (node)');
  }

  var chain = pki_data;

  // Verifying the cert chain:
  // 1. Extract public key from next certificate.
  // 2. Extract signature from current certificate.
  // 3. If current cert is not trusted, verify that the current cert is signed
  //    by NEXT by the certificate.
  // NOTE: XXX What to do when the certificate is revoked?

  var chainVerified = chain.every(function(cert, i) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    var name = RootCerts.getTrusted(pem);

    var ncert = chain[i + 1];
    // The root cert, check if it's trusted:
    if (!ncert || name) {
      if (!ncert && !name) {
        return false;
      }
      chain.length = 0;
      return true;
    }
    var nder = ncert.toString('hex');
    var npem = self._DERtoPEM(nder, 'CERTIFICATE');

    //
    // Get Public Key from next certificate:
    //
    var ndata = new Buffer(nder, 'hex');
    var nc = rfc3280.Certificate.decode(ndata, 'der');
    var npubKeyAlg = PayPro.getAlgorithm(
      nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
    var fnpubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
    fnpubKey = self._DERtoPEM(fnpubKey, npubKeyAlg + ' PUBLIC KEY');

    //
    // Get Public Key from next certificate via KJUR:
    //
    var js = new KJUR.crypto.Signature({
      alg: type + 'withRSA',
      prov: 'cryptojs/jsrsa'
    });
    js.initVerifyByCertificatePEM(npem);
    var kjrsapubKey = js.pubKey; // RSAKey
    var kjnpubKey = KJUR.KEYUTIL.getPEM(js.pubKey); // PEM

    //
    // NOTE: The asn1.js pubKey and KJUR pubKey differ for some reason (the
    // KJUR one is not RSA: consult docs, there may be an alternate method).
    //

    //
    // Get Signature Value from current certificate:
    //
    var data = new Buffer(der, 'hex');
    var c = rfc3280.Certificate.decode(data, 'der');
    var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);
    var sig = c.signature.data;

    // NOTE:
    // CHECK: c.tbsCertificate.issuer === nc.tbsCertificate.subject;

    //
    // Create a To-Be-Signed Certificate to verify using asn1.js:
    //
    // var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
    var tbs = rfc3280.TBSCertificate.encode({
      version: c.tbsCertificate.version,
      serialNumber: c.tbsCertificate.serialNumber,
      // XXX signature algorithm is different for some reason.
      signature: { algorithm: [ 1, 2, 840, 113549, 1, 1, 11 ] },
      //signature: c.tbsCertificate.signature,
      issuer: c.tbsCertificate.issuer,
      validity: c.tbsCertificate.validity,
      subject: c.tbsCertificate.subject,
      subjectPublicKeyInfo: c.tbsCertificate.subjectPublicKeyInfo,
      extensions: c.tbsCertificate.extensions
    }, 'der');

    //
    // Debug
    //
    // print(c);
    // print(nc);

    //
    // Verify current certificate signature via KJUR:
    //
    // https://github.com/kjur/jsrsasign/wiki/Tutorial-to-sign-and-verify-with-RSAKey-extension
    // http://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.html
    // http://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Signature.html
    if (0) {
      var jsrsaSig = new KJUR.crypto.Signature({
        alg: sigAlg + 'withRSA',
        prov: 'cryptojs/jsrsa'
      });
      jsrsaSig.initVerifyByPublicKey(kjrsapubKey); // Has to be an RSAKey.
      jsrsaSig.updateHex(tbs.toString('hex'));
      var v = jsrsaSig.verify(sig.toString('hex'));
      if (v) console.log(i + ' verified (KJUR)');
      else console.log(i + ' not verified (KJUR)');
      return true;
      return v;
    }

    //
    // Verify current certificate signature:
    //
    var verifier = crypto.createVerify('RSA-' + sigAlg);
    verifier.update(tbs);
    var v = verifier.verify(fnpubKey, sig);
    //var v = verifier.verify(kjnpubKey, sig);
    if (v) console.log(i + ' verified (node)');
    else console.log(i + ' not verified (node)');
    return true;
    return v;
  });

  return verified && chainVerified;
};

var util = require('util');
function inspect(obj) {
  return typeof obj !== 'string'
    ? util.inspect(obj, false, 20, true)
    : obj;
}
function print(obj) {
  return typeof obj === 'object'
    ? process.stdout.write(inspect(obj) + '\n')
    : console.log.apply(console, arguments);
}

module.exports = PayPro;
add BIP70 protobuf features in new PayPro lib file ...and add to the "main" bundle, but not the "all" bundle, since it adds hundreds of kilobytes to the bundle. 11 years ago			`'use strict';`
paypro: split up paypro into node/browser/common. 11 years ago
add sign/verify with pki_type SIN ...which is much easier to implement than X.509 certificates. 11 years ago			`var Message = Message \|\| require('./Message');`
add BIP70 protobuf features in new PayPro lib file ...and add to the "main" bundle, but not the "all" bundle, since it adds hundreds of kilobytes to the bundle. 11 years ago
paypro: move root certs to common. 11 years ago			`var RootCerts = require('./common/RootCerts');`
paypro: stat using jsrsasign to convert DER to PEM and derive public keys for sig verification. 11 years ago
paypro: split up paypro into node/browser/common. 11 years ago			`var PayPro = require('./common/PayPro');`
add sign/verify with pki_type SIN ...which is much easier to implement than X.509 certificates. 11 years ago
paypro: verify the certificate chain. 11 years ago			`var KJUR = require('jsrsasign');`

paypro: use fedor's asn1.js to deal with DER certificates. 11 years ago			`var asn1 = require('asn1.js');`
			`var rfc3280 = require('asn1.js/rfc/3280');`

paypro: move x509 sign and verify to their own methods. 11 years ago			`PayPro.prototype.x509Sign = function(key) {`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var self = this;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var crypto = require('crypto');`
paypro: temporarily fix tests. 11 years ago			`var pki_type = this.get('pki_type');`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var pki_data = this.get('pki_data'); // contains one or more x509 certs`
paypro: fix handling of pki_data - cert arrays. 11 years ago			`pki_data = PayPro.X509Certificates.decode(pki_data);`
			`pki_data = pki_data.certificate;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var details = this.get('serialized_payment_details');`
			`var type = pki_type.split('+')[1].toUpperCase();`

paypro: get root cert names. 11 years ago			`var trusted = pki_data.map(function(cert) {`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var der = cert.toString('hex');`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var pem = self._DERtoPEM(der, 'CERTIFICATE');`
paypro: get root cert names. 11 years ago			`return RootCerts.getTrusted(pem);`
paypro: move x509 sign and verify to their own methods. 11 years ago			`});`

paypro: get root cert names. 11 years ago			`// XXX Figure out what to do here`
			`if (!trusted.length) {`
paypro: move x509 sign and verify to their own methods. 11 years ago			`// throw new Error('Unstrusted certificate.');`
paypro: get root cert names. 11 years ago			`} else {`
			`trusted.forEach(function(name) {`
			`// console.log('Certificate: %s', name);`
			`});`
paypro: move x509 sign and verify to their own methods. 11 years ago			`}`

			`var signature = crypto.createSign('RSA-' + type);`
			`var buf = this.serializeForSig();`
			`signature.update(buf);`
			`var sig = signature.sign(key);`
			`return sig;`
			`};`

			`PayPro.prototype.x509Verify = function() {`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var self = this;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var crypto = require('crypto');`
paypro: temporarily fix tests. 11 years ago			`var pki_type = this.get('pki_type');`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var sig = this.get('signature');`
			`var pki_data = this.get('pki_data');`
paypro: fix handling of pki_data - cert arrays. 11 years ago			`pki_data = PayPro.X509Certificates.decode(pki_data);`
			`pki_data = pki_data.certificate;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var details = this.get('serialized_payment_details');`
			`var buf = this.serializeForSig();`
			`var type = pki_type.split('+')[1].toUpperCase();`

			`var verifier = crypto.createVerify('RSA-' + type);`
			`verifier.update(buf);`

paypro: verify the certificate chain. 11 years ago			`var signedCert = pki_data[0];`
			`var der = signedCert.toString('hex');`
			`var pem = this._DERtoPEM(der, 'CERTIFICATE');`
			`var verified = verifier.verify(pem, sig);`

paypro: debugging and sigAlg/pubKey formats. 11 years ago			`if (verified) {`
			`console.log('PaymentRequest verified (node)');`
			`} else {`
			`console.log('PaymentRequest not verified (node)');`
			`}`

paypro: verify the certificate chain. 11 years ago			`var chain = pki_data;`

			`// Verifying the cert chain:`
			`// 1. Extract public key from next certificate.`
			`// 2. Extract signature from current certificate.`
			`// 3. If current cert is not trusted, verify that the current cert is signed`
			`// by NEXT by the certificate.`
paypro: verify chain refactor. 11 years ago			`// NOTE: XXX What to do when the certificate is revoked?`
paypro: verify the certificate chain. 11 years ago
paypro: verify chain refactor. 11 years ago			`var chainVerified = chain.every(function(cert, i) {`
paypro: move x509 sign and verify to their own methods. 11 years ago			`var der = cert.toString('hex');`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 11 years ago			`var pem = self._DERtoPEM(der, 'CERTIFICATE');`
paypro: get root cert names. 11 years ago			`var name = RootCerts.getTrusted(pem);`
paypro: verify the certificate chain. 11 years ago
			`var ncert = chain[i + 1];`
			`// The root cert, check if it's trusted:`
			`if (!ncert \|\| name) {`
paypro: fix root cert check. 11 years ago			`if (!ncert && !name) {`
			`return false;`
			`}`
paypro: verify chain refactor. 11 years ago			`chain.length = 0;`
			`return true;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`}`
paypro: verify the certificate chain. 11 years ago			`var nder = ncert.toString('hex');`
			`var npem = self._DERtoPEM(nder, 'CERTIFICATE');`
paypro: move x509 sign and verify to their own methods. 11 years ago
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
			`// Get Public Key from next certificate:`
			`//`
			`var ndata = new Buffer(nder, 'hex');`
			`var nc = rfc3280.Certificate.decode(ndata, 'der');`
			`var npubKeyAlg = PayPro.getAlgorithm(`
			`nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);`
			`var fnpubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;`
			`fnpubKey = self._DERtoPEM(fnpubKey, npubKeyAlg + ' PUBLIC KEY');`

			`//`
			`// Get Public Key from next certificate via KJUR:`
			`//`
			`var js = new KJUR.crypto.Signature({`
			`alg: type + 'withRSA',`
			`prov: 'cryptojs/jsrsa'`
			`});`
			`js.initVerifyByCertificatePEM(npem);`
			`var kjrsapubKey = js.pubKey; // RSAKey`
			`var kjnpubKey = KJUR.KEYUTIL.getPEM(js.pubKey); // PEM`

			`//`
			`// NOTE: The asn1.js pubKey and KJUR pubKey differ for some reason (the`
			`// KJUR one is not RSA: consult docs, there may be an alternate method).`
			`//`

			`//`
			`// Get Signature Value from current certificate:`
			`//`
paypro: use fedor's asn1.js to deal with DER certificates. 11 years ago			`var data = new Buffer(der, 'hex');`
paypro: use asn1.js in browser paypro. 11 years ago			`var c = rfc3280.Certificate.decode(data, 'der');`
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);`
paypro: use fedor's asn1.js to deal with DER certificates. 11 years ago			`var sig = c.signature.data;`
paypro: verify the certificate chain. 11 years ago
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`// NOTE:`
			`// CHECK: c.tbsCertificate.issuer === nc.tbsCertificate.subject;`
paypro: verify the certificate chain. 11 years ago
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
paypro: verify chain refactor. 11 years ago			`// Create a To-Be-Signed Certificate to verify using asn1.js:`
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
			`// var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');`
			`var tbs = rfc3280.TBSCertificate.encode({`
			`version: c.tbsCertificate.version,`
			`serialNumber: c.tbsCertificate.serialNumber,`
			`// XXX signature algorithm is different for some reason.`
			`signature: { algorithm: [ 1, 2, 840, 113549, 1, 1, 11 ] },`
			`//signature: c.tbsCertificate.signature,`
			`issuer: c.tbsCertificate.issuer,`
			`validity: c.tbsCertificate.validity,`
			`subject: c.tbsCertificate.subject,`
			`subjectPublicKeyInfo: c.tbsCertificate.subjectPublicKeyInfo,`
			`extensions: c.tbsCertificate.extensions`
			`}, 'der');`

			`//`
			`// Debug`
			`//`
			`// print(c);`
			`// print(nc);`

			`//`
			`// Verify current certificate signature via KJUR:`
			`//`
			`// https://github.com/kjur/jsrsasign/wiki/Tutorial-to-sign-and-verify-with-RSAKey-extension`
			`// http://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.html`
			`// http://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Signature.html`
			`if (0) {`
			`var jsrsaSig = new KJUR.crypto.Signature({`
			`alg: sigAlg + 'withRSA',`
			`prov: 'cryptojs/jsrsa'`
			`});`
			`jsrsaSig.initVerifyByPublicKey(kjrsapubKey); // Has to be an RSAKey.`
			`jsrsaSig.updateHex(tbs.toString('hex'));`
			`var v = jsrsaSig.verify(sig.toString('hex'));`
			`if (v) console.log(i + ' verified (KJUR)');`
			`else console.log(i + ' not verified (KJUR)');`
			`return true;`
			`return v;`
			`}`
paypro: verify the certificate chain. 11 years ago
paypro: debugging and sigAlg/pubKey formats. 11 years ago			`//`
			`// Verify current certificate signature:`
			`//`
			`var verifier = crypto.createVerify('RSA-' + sigAlg);`
			`verifier.update(tbs);`
			`var v = verifier.verify(fnpubKey, sig);`
			`//var v = verifier.verify(kjnpubKey, sig);`
			`if (v) console.log(i + ' verified (node)');`
			`else console.log(i + ' not verified (node)');`
			`return true;`
			`return v;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`});`
paypro: verify the certificate chain. 11 years ago
paypro: verify chain refactor. 11 years ago			`return verified && chainVerified;`
paypro: move x509 sign and verify to their own methods. 11 years ago			`};`

paypro: debugging and sigAlg/pubKey formats. 11 years ago			`var util = require('util');`
			`function inspect(obj) {`
			`return typeof obj !== 'string'`
			`? util.inspect(obj, false, 20, true)`
			`: obj;`
			`}`
			`function print(obj) {`
			`return typeof obj === 'object'`
			`? process.stdout.write(inspect(obj) + '\n')`
			`: console.log.apply(console, arguments);`
			`}`

cleanup after removal of soop Removed some unnecessary parenthesise that hung around after the merge of #417 11 years ago			`module.exports = PayPro;`