|
@ -6,8 +6,6 @@ var RootCerts = require('./common/RootCerts'); |
|
|
|
|
|
|
|
|
var PayPro = require('./common/PayPro'); |
|
|
var PayPro = require('./common/PayPro'); |
|
|
|
|
|
|
|
|
var KJUR = require('jsrsasign'); |
|
|
|
|
|
|
|
|
|
|
|
var asn1 = require('asn1.js'); |
|
|
var asn1 = require('asn1.js'); |
|
|
var rfc3280 = require('asn1.js/rfc/3280'); |
|
|
var rfc3280 = require('asn1.js/rfc/3280'); |
|
|
var rfc5280 = require('asn1.js/rfc/5280'); |
|
|
var rfc5280 = require('asn1.js/rfc/5280'); |
|
@ -71,7 +69,8 @@ PayPro.prototype.x509Verify = function() { |
|
|
// 2. Extract signature from current certificate.
|
|
|
// 2. Extract signature from current certificate.
|
|
|
// 3. If current cert is not trusted, verify that the current cert is signed
|
|
|
// 3. If current cert is not trusted, verify that the current cert is signed
|
|
|
// by NEXT by the certificate.
|
|
|
// by NEXT by the certificate.
|
|
|
// NOTE: XXX What to do when the certificate is revoked?
|
|
|
// NOTE: What to do when the certificate is
|
|
|
|
|
|
// revoked -> Hit CRL Distribution Points URL
|
|
|
|
|
|
|
|
|
var chainVerified = chain.every(function(cert, i) { |
|
|
var chainVerified = chain.every(function(cert, i) { |
|
|
var der = cert.toString('hex'); |
|
|
var der = cert.toString('hex'); |
|
@ -144,9 +143,6 @@ PayPro.prototype.x509Verify = function() { |
|
|
|
|
|
|
|
|
//
|
|
|
//
|
|
|
// Handle Cert Extensions
|
|
|
// Handle Cert Extensions
|
|
|
// http://www.ietf.org/rfc/rfc3280.txt
|
|
|
|
|
|
// http://www.ietf.org/rfc/rfc5280.txt
|
|
|
|
|
|
// http://tools.ietf.org/html/rfc5280#section-4.2
|
|
|
|
|
|
//
|
|
|
//
|
|
|
var extensions = rfc5280.decodeExtensions(c, 'der', { partial: false }); |
|
|
var extensions = rfc5280.decodeExtensions(c, 'der', { partial: false }); |
|
|
var extensionsVerified = extensions.verified; |
|
|
var extensionsVerified = extensions.verified; |
|
@ -170,68 +166,6 @@ PayPro.prototype.x509Verify = function() { |
|
|
nski.sha1Key = nski.decoded; |
|
|
nski.sha1Key = nski.decoded; |
|
|
var nku = nextensions.keyUsage; |
|
|
var nku = nextensions.keyUsage; |
|
|
|
|
|
|
|
|
// Subject Key was derived from Next Public Key
|
|
|
|
|
|
|
|
|
|
|
|
// Authority Key Identifier:
|
|
|
|
|
|
// { decoded: { _unknown: <Buffer 80 14 d2 c4 b0 d2 91 d4 4c 11 71 b3 61 cb 3d a1 fe dd a8 6a d4 e3> },
|
|
|
|
|
|
// raw: <Buffer 30 16 80 14 d2 c4 b0 d2 91 d4 4c 11 71 b3 61 cb 3d a1 fe dd a8 6a d4 e3> }
|
|
|
|
|
|
|
|
|
|
|
|
// ~/work/node_modules/asn1.js/lib/asn1/decoders/der.js
|
|
|
|
|
|
// ~/work/node_modules/asn1.js/lib/asn1/constants/der.js
|
|
|
|
|
|
|
|
|
|
|
|
// 0x30 - SEQ
|
|
|
|
|
|
// 0x16 - Octet Len = 22 - the sha is 20 bytes
|
|
|
|
|
|
// 0x80 - ??
|
|
|
|
|
|
// 0x14 - ??
|
|
|
|
|
|
// 0xd2 -
|
|
|
|
|
|
// 0xc4 -
|
|
|
|
|
|
// 0xb0 -
|
|
|
|
|
|
// 0xd2 -
|
|
|
|
|
|
// 0x91 -
|
|
|
|
|
|
// 0xd4 -
|
|
|
|
|
|
// 0x4c -
|
|
|
|
|
|
// 0x11 -
|
|
|
|
|
|
// 0x71 -
|
|
|
|
|
|
// 0xb3 -
|
|
|
|
|
|
// 0x61 -
|
|
|
|
|
|
// 0xcb -
|
|
|
|
|
|
// 0x3d -
|
|
|
|
|
|
// 0xa1 -
|
|
|
|
|
|
// 0xfe -
|
|
|
|
|
|
// 0xdd -
|
|
|
|
|
|
// 0xa8 -
|
|
|
|
|
|
// 0x6a -
|
|
|
|
|
|
// 0xd4 -
|
|
|
|
|
|
// 0xe3 -
|
|
|
|
|
|
|
|
|
|
|
|
// Subject Key Identifier
|
|
|
|
|
|
// { decoded: <Buffer 3a 9a 85 07 10 67 28 b6 ef f6 bd 05 41 6e 20 c1 94 da 0f de>,
|
|
|
|
|
|
// raw: <Buffer 04 14 3a 9a 85 07 10 67 28 b6 ef f6 bd 05 41 6e 20 c1 94 da 0f de> }
|
|
|
|
|
|
|
|
|
|
|
|
// 0x04 - octet string
|
|
|
|
|
|
// 0x14 = 20 bytes
|
|
|
|
|
|
// rest: sha1 (20 bytes)
|
|
|
|
|
|
|
|
|
|
|
|
// if (extensions.subjectDirectoryAttributes.decoded.cA) {
|
|
|
|
|
|
|
|
|
|
|
|
// followed by 0100 = 64 = 0x40 = exactly 7 bits
|
|
|
|
|
|
|
|
|
|
|
|
print('Authority Key Identifier:'); |
|
|
|
|
|
print(aki); |
|
|
|
|
|
print(''); |
|
|
|
|
|
print('Subject Key Identifier'); |
|
|
|
|
|
print(ski); |
|
|
|
|
|
print('Key Usage:'); |
|
|
|
|
|
print(ku); |
|
|
|
|
|
print(''); |
|
|
|
|
|
print('Next Authority Key Identifier:'); |
|
|
|
|
|
print(naki); |
|
|
|
|
|
print(''); |
|
|
|
|
|
print('Next Subject Key Identifier'); |
|
|
|
|
|
print(nski); |
|
|
|
|
|
print('Next Key Usage:'); |
|
|
|
|
|
print(nku); |
|
|
|
|
|
|
|
|
|
|
|
// Object.keys(extensions).forEach(function(key) {
|
|
|
// Object.keys(extensions).forEach(function(key) {
|
|
|
// if (extensions[key].execute) {
|
|
|
// if (extensions[key].execute) {
|
|
|
// c = extensions[key].execute(c);
|
|
|
// c = extensions[key].execute(c);
|
|
@ -248,40 +182,13 @@ PayPro.prototype.x509Verify = function() { |
|
|
verifier.update(tbs); |
|
|
verifier.update(tbs); |
|
|
var sigVerified = verifier.verify(npubKey, sig); |
|
|
var sigVerified = verifier.verify(npubKey, sig); |
|
|
|
|
|
|
|
|
// print(c);
|
|
|
|
|
|
// print(nc);
|
|
|
|
|
|
// print(extensions);
|
|
|
|
|
|
print('---'); |
|
|
|
|
|
print('validityVerified: %s', validityVerified); |
|
|
|
|
|
print('issuerVerified: %s', issuerVerified); |
|
|
|
|
|
print('extensionsVerified: %s', extensionsVerified); |
|
|
|
|
|
print('sigVerified: %s', sigVerified); |
|
|
|
|
|
|
|
|
|
|
|
return validityVerified |
|
|
return validityVerified |
|
|
&& issuerVerified |
|
|
&& issuerVerified |
|
|
&& extensionsVerified |
|
|
&& extensionsVerified |
|
|
&& (sigVerified || true); |
|
|
&& sigVerified; |
|
|
}); |
|
|
}); |
|
|
|
|
|
|
|
|
return verified && chainVerified; |
|
|
return verified && chainVerified; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
/** |
|
|
|
|
|
* Debug |
|
|
|
|
|
*/ |
|
|
|
|
|
|
|
|
|
|
|
var util = require('util'); |
|
|
|
|
|
|
|
|
|
|
|
function inspect(obj) { |
|
|
|
|
|
return typeof obj !== 'string' |
|
|
|
|
|
? util.inspect(obj, false, 20, true) |
|
|
|
|
|
: obj; |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
function print(obj) { |
|
|
|
|
|
return typeof obj === 'object' |
|
|
|
|
|
? process.stdout.write(inspect(obj) + '\n') |
|
|
|
|
|
: console.log.apply(console, arguments); |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
module.exports = PayPro; |
|
|
module.exports = PayPro; |
|
|