paypro: immediately detect self signed certs and untrusted CAs.

11 years ago · dea39d1c72
2 changed files with 87 additions and 2 deletions
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@ -63,6 +63,44 @@ PayPro.prototype.x509Verify = function(returnTrust) {

  var chain = pki_data;

+  //
+  // Get the CA cert's name
+  //
+  var issuer = chain[chain.length - 1];
+  der = issuer.toString('hex');
+  pem = this._DERtoPEM(der, 'CERTIFICATE');
+  var caName = RootCerts.getTrusted(pem);
+
+  if (chain.length === 1 && !caName) {
+    if (returnTrust) {
+      return {
+        selfSigned: 1, // yes
+        isChain: false,
+        verified: verified,
+        caTrusted: false,
+        caName: null,
+        chainVerified: false
+      };
+    }
+    return verified;
+  }
+
+  // If there's no trusted root cert, don't
+  // bother validating the cert chain.
+  if (!caName) {
+    if (returnTrust) {
+      return {
+        selfSigned: -1, // unknown
+        isChain: chain.length > 1,
+        verified: verified,
+        caTrusted: false,
+        caName: null,
+        chainVerified: false
+      };
+    }
+    return verified;
+  }
+
  var chainVerified = chain.every(function(cert, i) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
@ -71,7 +109,7 @@ PayPro.prototype.x509Verify = function(returnTrust) {
    var ncert = chain[i + 1];
    // The root cert, check if it's trusted:
    if (!ncert || name) {
-      if (!ncert && !name) {
+      if (!name) {
        return false;
      }
      chain.length = 0;
@ -127,7 +165,11 @@ PayPro.prototype.x509Verify = function(returnTrust) {

  if (returnTrust) {
    return {
+      selfSigned: 0, // no
+      isChain: true,
      verified: verified,
+      caTrusted: !!caName,
+      caName: caName || null,
      chainVerified: chainVerified
    };
  }
--- a/lib/browser/PayPro.js
+++ b/lib/browser/PayPro.js
@ -77,6 +77,45 @@ PayPro.prototype.x509Verify = function(returnTrust) {

  var chain = pki_data;

+  //
+  // Get the CA cert's name
+  //
+  var issuer = chain[chain.length - 1];
+  der = issuer.toString('hex');
+  // pem = this._DERtoPEM(der, 'CERTIFICATE');
+  pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
+  var caName = RootCerts.getTrusted(pem);
+
+  if (chain.length === 1 && !caName) {
+    if (returnTrust) {
+      return {
+        selfSigned: 1, // yes
+        isChain: false,
+        verified: verified,
+        caTrusted: false,
+        caName: null,
+        chainVerified: false
+      };
+    }
+    return verified;
+  }
+
+  // If there's no trusted root cert, don't
+  // bother validating the cert chain.
+  if (!caName) {
+    if (returnTrust) {
+      return {
+        selfSigned: -1, // unknown
+        isChain: chain.length > 1,
+        verified: verified,
+        caTrusted: false,
+        caName: null,
+        chainVerified: false
+      };
+    }
+    return verified;
+  }
+
  var chainVerified = chain.every(function(cert, i) {
    var der = cert.toString('hex');
    // var pem = self._DERtoPEM(der, 'CERTIFICATE');
@ -86,7 +125,7 @@ PayPro.prototype.x509Verify = function(returnTrust) {
    var ncert = chain[i + 1];
    // The root cert, check if it's trusted:
    if (!ncert || name) {
-      if (!ncert && !name) {
+      if (!name) {
        return false;
      }
      chain.length = 0;
@ -149,7 +188,11 @@ PayPro.prototype.x509Verify = function(returnTrust) {

  if (returnTrust) {
    return {
+      selfSigned: 0, // no
+      isChain: true,
      verified: verified,
+      caTrusted: !!caName,
+      caName: caName || null,
      chainVerified: chainVerified
    };
  }