diff --git a/lib/PayPro.js b/lib/PayPro.js index 5add732..6534fab 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -64,28 +64,6 @@ PayPro.prototype.x509Verify = function() { var chain = pki_data; -/* - var anchor = rfc3280.Certificate.decode( - new Buffer(chain[0].toString('hex'), 'hex'), 'der'); - var anSigAlg = PayPro.getAlgorithm(anchor.signatureAlgorithm.algorithm, 1); - var anSig = anchor.signature.data; - - var ca = rfc3280.Certificate.decode( - new Buffer(chain[chain.length - 1].toString('hex'), 'hex'), 'der'); - var caPubKeyAlg = PayPro.getAlgorithm( - ca.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm); - var caPubKey = ca.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data; - caPubKey = self._DERtoPEM(caPubKey, caPubKeyAlg + ' PUBLIC KEY'); -*/ - - // Verifying the cert chain: - // 1. Extract public key from next certificate. - // 2. Extract signature from current certificate. - // 3. If current cert is not trusted, verify that the current cert is signed - // by NEXT by the certificate. - // NOTE: What to do when the certificate is - // revoked -> Hit CRL Distribution Points URL - var chainVerified = chain.every(function(cert, i) { var der = cert.toString('hex'); var pem = self._DERtoPEM(der, 'CERTIFICATE'); @@ -155,43 +133,13 @@ PayPro.prototype.x509Verify = function() { }); }); - // - // Handle Cert Extensions - // - var extensions = rfc5280.decodeExtensions(c, 'der', { partial: false }); - var extensionsVerified = extensions.verified; - - // The two most important extensions: - // "The keyIdentifier field of the authorityKeyIdentifier extension MUST be - // included in all certificates generated by conforming CAs to facilitate - // certification path construction." - // var aki = extensions.authorityKeyIdentifier; - // aki.sha1Key = aki.raw.slice(4, 24); - // var ski = extensions.subjectKeyIdentifier; - // ski.sha1Key = ski.decoded; - // var ku = extensions.keyUsage; - - // Next Extensions: - // var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false }); - // var nextensionsVerified = nextensions.verified; - // var naki = nextensions.authorityKeyIdentifier; - // naki.sha1Key = naki.raw.slice(4, 24); - // var nski = nextensions.subjectKeyIdentifier; - // nski.sha1Key = nski.decoded; - // var nku = nextensions.keyUsage; - - // Object.keys(extensions).forEach(function(key) { - // if (extensions[key].execute) { - // c = extensions[key].execute(c); - // } - // }); - // // Verify current certificate signature // - // Create a To-Be-Signed Certificate to verify using asn1.js: - //var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der'); + // Grab the raw DER To-Be-Signed Certificate to verify: + // First 10 bytes usually look like: + // [ 48, 130, 5, 32, 48, 130, 4, 8, 160, 3 ] var start = 0; var starts = 0; for (var start = 0; start < data.length; start++) { @@ -203,6 +151,14 @@ PayPro.prototype.x509Verify = function() { } } + // The bytes *after* the TBS (including the last TBS byte) will look like + // (note the 48 - the start of the sig, and the 122 - the end of the TBS): + // [ 122, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 3, ... ] + + // The certificate in these examples has a `start` of 4, and an `end` of + // 1040. The 4 bytes is the DER SEQ of the Certificate, right before the + // SEQ of the TBSCertificate. + var end = 0; var ends = 0; for (var end = data.length - 1; end > 0; end--) { @@ -214,26 +170,9 @@ PayPro.prototype.x509Verify = function() { } } - console.log(Array.prototype.slice.call(data.slice(1040))); - console.log(Array.prototype.slice.call(data.slice(0, 10))); - console.log(data[1039]); - - // start: 4 - // end: 1040 - /* - for (var start = 0; start < data.length; start++) { - for (var end = 0; end < data.length + 1; end++) { - var tbs = data.slice(start, end); - var verifier = crypto.createVerify('RSA-' + sigAlg); - verifier.update(tbs); - var sigVerified = verifier.verify(npubKey, sig); - if (sigVerified) { - console.log('start: %d', start); - console.log('end: %d', end); - } - } - } - */ + console.log(Array.prototype.slice.call(data.slice(end - 1))); + console.log(Array.prototype.slice.call(data.slice(0, start + 6))); + console.log('start=%d, end=%d', start, end); var tbs = data.slice(start, end); @@ -241,11 +180,8 @@ PayPro.prototype.x509Verify = function() { verifier.update(tbs); var sigVerified = verifier.verify(npubKey, sig); - console.log('sigVerified: %s', sigVerified); - return validityVerified && issuerVerified - && extensionsVerified && sigVerified; });