From 4a12d5a4918316ca4cab16faaf36a295a215a15b Mon Sep 17 00:00:00 2001
From: Christopher Jeffrey <chjjeffrey@gmail.com>
Date: Fri, 22 Aug 2014 08:38:19 -0700
Subject: [PATCH] paypro: verify chain refactor.

---
 lib/PayPro.js | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/lib/PayPro.js b/lib/PayPro.js
index 01b9c1a..5f34cf4 100644
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@@ -71,13 +71,9 @@ PayPro.prototype.x509Verify = function() {
   // 2. Extract signature from current certificate.
   // 3. If current cert is not trusted, verify that the current cert is signed
   //    by NEXT by the certificate.
-  // 4. XXX What to do when the certificate is revoked?
+  // NOTE: XXX What to do when the certificate is revoked?
 
-  var blen = +type.replace(/[^\d]+/g, '');
-  if (blen === 1) blen = 20;
-  if (blen === 256) blen = 32;
-
-  chain.forEach(function(cert, i) {
+  var chainVerified = chain.every(function(cert, i) {
     var der = cert.toString('hex');
     var pem = self._DERtoPEM(der, 'CERTIFICATE');
     var name = RootCerts.getTrusted(pem);
@@ -85,36 +81,34 @@ PayPro.prototype.x509Verify = function() {
     var ncert = chain[i + 1];
     // The root cert, check if it's trusted:
     if (!ncert || name) {
-      return;
+      chain.length = 0;
+      return true;
     }
     var nder = ncert.toString('hex');
     var npem = self._DERtoPEM(nder, 'CERTIFICATE');
 
-    // Get public key from next certificate.
+    // Get public key from next certificate:
     var data = new Buffer(nder, 'hex');
     var nc = Certificate.decode(data, 'der');
     var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
     npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY');
 
-    // Get signature from current certificate.
+    // Get signature from current certificate:
     var data = new Buffer(der, 'hex');
     var c = Certificate.decode(data, 'der');
     var sig = c.signature.data;
 
     var verifier = crypto.createVerify('RSA-' + type);
 
-    // Create a To-Be-Signed Certificate using asn1.js:
+    // Create a To-Be-Signed Certificate to verify using asn1.js:
     // Fails at Issuer:
     var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
     verifier.update(tbs);
 
-    var v = verifier.verify(npubKey, sig);
-    if (!v) {
-      verified = false;
-    }
+    return verifier.verify(npubKey, sig);
   });
 
-  return verified;
+  return verified && chainVerified;
 };
 
 module.exports = PayPro;