diff --git a/lib/PayPro.js b/lib/PayPro.js index 02a87b9..857d789 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -107,33 +107,38 @@ PayPro.prototype.x509Verify = function() { var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1); var sig = c.signature.data; - // NOTE - check this in the future: - // c.tbsCertificate.issuer === nc.tbsCertificate.subject; + // + // Check the Issuer matches the Subject of the next certificate: + // + var issuer = c.tbsCertificate.issuer; + var subject = nc.tbsCertificate.subject; + var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) { + var subjectArray = subject.value[i]; + return issuerArray.every(function(issuerObject, i) { + var subjectObject = subjectArray[i]; + + var issuerObjectType = issuerObject.type.join('.'); + var subjectObjectType = subjectObject.type.join('.'); + + var issuerObjectValue = issuerObject.value.toString('hex'); + var subjectObjectValue = subjectObject.value.toString('hex'); + + return issuerObjectType === subjectObjectType + && issuerObjectValue === subjectObjectValue; + }); + }); // // Create a To-Be-Signed Certificate to verify using asn1.js: - // XXX The signature algorithm seems to get mangled here. // - // var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der'); - var tbs = rfc3280.TBSCertificate.encode({ - version: c.tbsCertificate.version, - serialNumber: c.tbsCertificate.serialNumber, - // XXX signature algorithm is different for some reason. - signature: { algorithm: [ 1, 2, 840, 113549, 1, 1, 11 ] }, - //signature: c.tbsCertificate.signature, - issuer: c.tbsCertificate.issuer, - validity: c.tbsCertificate.validity, - subject: c.tbsCertificate.subject, - subjectPublicKeyInfo: c.tbsCertificate.subjectPublicKeyInfo, - extensions: c.tbsCertificate.extensions - }, 'der'); + var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der'); // // Verify current certificate signature: // var verifier = crypto.createVerify('RSA-' + sigAlg); verifier.update(tbs); - return verifier.verify(npubKey, sig); + return verifier.verify(npubKey, sig) && issuerVerified; }); return verified && chainVerified;