paypro: verify chain refactor.

11 years ago · 4a12d5a491
1 changed files with 9 additions and 15 deletions
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@ -71,13 +71,9 @@ PayPro.prototype.x509Verify = function() {
  // 2. Extract signature from current certificate.
  // 3. If current cert is not trusted, verify that the current cert is signed
  //    by NEXT by the certificate.
-  // 4. XXX What to do when the certificate is revoked?
+  // NOTE: XXX What to do when the certificate is revoked?

-  var blen = +type.replace(/[^\d]+/g, '');
-  if (blen === 1) blen = 20;
-  if (blen === 256) blen = 32;
-
-  chain.forEach(function(cert, i) {
+  var chainVerified = chain.every(function(cert, i) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    var name = RootCerts.getTrusted(pem);
@ -85,36 +81,34 @@ PayPro.prototype.x509Verify = function() {
    var ncert = chain[i + 1];
    // The root cert, check if it's trusted:
    if (!ncert || name) {
-      return;
+      chain.length = 0;
+      return true;
    }
    var nder = ncert.toString('hex');
    var npem = self._DERtoPEM(nder, 'CERTIFICATE');

-    // Get public key from next certificate.
+    // Get public key from next certificate:
    var data = new Buffer(nder, 'hex');
    var nc = Certificate.decode(data, 'der');
    var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
    npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY');

-    // Get signature from current certificate.
+    // Get signature from current certificate:
    var data = new Buffer(der, 'hex');
    var c = Certificate.decode(data, 'der');
    var sig = c.signature.data;

    var verifier = crypto.createVerify('RSA-' + type);

-    // Create a To-Be-Signed Certificate using asn1.js:
+    // Create a To-Be-Signed Certificate to verify using asn1.js:
    // Fails at Issuer:
    var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
    verifier.update(tbs);

-    var v = verifier.verify(npubKey, sig);
-    if (!v) {
-      verified = false;
-    }
+    return verifier.verify(npubKey, sig);
  });

-  return verified;
+  return verified && chainVerified;
 };

 module.exports = PayPro;