|
|
|
@ -5,6 +5,7 @@ var KJUR = require('jsrsasign'); |
|
|
|
var assert = require('assert'); |
|
|
|
var PayPro = require('../common/PayPro'); |
|
|
|
var RootCerts = require('../common/RootCerts'); |
|
|
|
|
|
|
|
var asn1 = require('asn1.js'); |
|
|
|
var rfc3280 = require('asn1.js/rfc/3280'); |
|
|
|
|
|
|
|
@ -68,6 +69,7 @@ PayPro.prototype.x509Verify = function(key) { |
|
|
|
|
|
|
|
var signedCert = pki_data[0]; |
|
|
|
var der = signedCert.toString('hex'); |
|
|
|
// var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
|
|
|
var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); |
|
|
|
jsrsaSig.initVerifyByCertificatePEM(pem); |
|
|
|
jsrsaSig.updateHex(buf.toString('hex')); |
|
|
|
@ -75,15 +77,9 @@ PayPro.prototype.x509Verify = function(key) { |
|
|
|
|
|
|
|
var chain = pki_data; |
|
|
|
|
|
|
|
// Verifying the cert chain:
|
|
|
|
// 1. Extract public key from next certificate.
|
|
|
|
// 2. Extract signature from current certificate.
|
|
|
|
// 3. If current cert is not trusted, verify that the current cert is signed
|
|
|
|
// by NEXT by the certificate.
|
|
|
|
// NOTE: XXX What to do when the certificate is revoked?
|
|
|
|
|
|
|
|
var chainVerified = chain.every(function(cert, i) { |
|
|
|
var der = cert.toString('hex'); |
|
|
|
// var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
|
|
|
var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); |
|
|
|
var name = RootCerts.getTrusted(pem); |
|
|
|
|
|
|
|
@ -97,15 +93,22 @@ PayPro.prototype.x509Verify = function(key) { |
|
|
|
return true; |
|
|
|
} |
|
|
|
var nder = ncert.toString('hex'); |
|
|
|
// var npem = self._DERtoPEM(nder, 'CERTIFICATE');
|
|
|
|
var npem = KJUR.asn1.ASN1Util.getPEMStringFromHex(nder, 'CERTIFICATE'); |
|
|
|
|
|
|
|
// Get public key from next certificate:
|
|
|
|
// var data = new Buffer(nder, 'hex');
|
|
|
|
// var nc = rfc3280.Certificate.decode(data, 'der');
|
|
|
|
//
|
|
|
|
// Get Public Key from next certificate:
|
|
|
|
//
|
|
|
|
// var ndata = new Buffer(nder, 'hex');
|
|
|
|
// var nc = rfc3280.Certificate.decode(ndata, 'der');
|
|
|
|
// var npubKeyAlg = PayPro.getAlgorithm(
|
|
|
|
// nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
|
|
|
|
// var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
|
|
|
|
// npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey, 'RSA PUBLIC KEY');
|
|
|
|
// // npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY');
|
|
|
|
// // npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey.toString('hex'), 'PUBLIC KEY');
|
|
|
|
// npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey.toString('hex'), npubKeyAlg + ' PUBLIC KEY');
|
|
|
|
|
|
|
|
// Get public key from next certificate via KJUR:
|
|
|
|
// Get public key from next certificate via KJUR since sane methods don't work:
|
|
|
|
var js = new KJUR.crypto.Signature({ |
|
|
|
alg: type + 'withRSA', |
|
|
|
prov: 'cryptojs/jsrsa' |
|
|
|
@ -113,23 +116,69 @@ PayPro.prototype.x509Verify = function(key) { |
|
|
|
js.initVerifyByCertificatePEM(npem); |
|
|
|
var npubKey = js.pubKey; |
|
|
|
|
|
|
|
// Get signature from current certificate:
|
|
|
|
//
|
|
|
|
// Get Signature Value from current certificate:
|
|
|
|
//
|
|
|
|
var data = new Buffer(der, 'hex'); |
|
|
|
var c = rfc3280.Certificate.decode(data, 'der'); |
|
|
|
var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1); |
|
|
|
var sig = c.signature.data; |
|
|
|
|
|
|
|
//
|
|
|
|
// Check Validity of Certificates
|
|
|
|
//
|
|
|
|
var validityVerified = true; |
|
|
|
var now = Date.now(); |
|
|
|
var cBefore = c.tbsCertificate.validity.notBefore.value; |
|
|
|
var cAfter = c.tbsCertificate.validity.notAfter.value; |
|
|
|
var nBefore = nc.tbsCertificate.validity.notBefore.value; |
|
|
|
var nAfter = nc.tbsCertificate.validity.notAfter.value; |
|
|
|
if (cBefore > now || cAfter < now || nBefore > now || nAfter < now) { |
|
|
|
validityVerified = false; |
|
|
|
} |
|
|
|
|
|
|
|
//
|
|
|
|
// Check the Issuer matches the Subject of the next certificate:
|
|
|
|
//
|
|
|
|
var issuer = c.tbsCertificate.issuer; |
|
|
|
var subject = nc.tbsCertificate.subject; |
|
|
|
var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) { |
|
|
|
var subjectArray = subject.value[i]; |
|
|
|
return issuerArray.every(function(issuerObject, i) { |
|
|
|
var subjectObject = subjectArray[i]; |
|
|
|
|
|
|
|
var issuerObjectType = issuerObject.type.join('.'); |
|
|
|
var subjectObjectType = subjectObject.type.join('.'); |
|
|
|
|
|
|
|
var issuerObjectValue = issuerObject.value.toString('hex'); |
|
|
|
var subjectObjectValue = subjectObject.value.toString('hex'); |
|
|
|
|
|
|
|
return issuerObjectType === subjectObjectType |
|
|
|
&& issuerObjectValue === subjectObjectValue; |
|
|
|
}); |
|
|
|
}); |
|
|
|
|
|
|
|
//
|
|
|
|
// Verify current Certificate signature
|
|
|
|
//
|
|
|
|
|
|
|
|
var jsrsaSig = new KJUR.crypto.Signature({ |
|
|
|
alg: type + 'withRSA', |
|
|
|
prov: 'cryptojs/jsrsa' |
|
|
|
}); |
|
|
|
jsrsaSig.initVerifyByPublicKey(npubKey); |
|
|
|
|
|
|
|
// Create a To-Be-Signed Certificate to verify using asn1.js:
|
|
|
|
// Fails at Issuer:
|
|
|
|
var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der'); |
|
|
|
// Get the raw DER TBSCertificate
|
|
|
|
// from the DER Certificate:
|
|
|
|
var tbs = PayPro.getTBSCertificate(data); |
|
|
|
|
|
|
|
jsrsaSig.updateHex(tbs.toString('hex')); |
|
|
|
|
|
|
|
return jsrsaSig.verify(sig.toString('hex')); |
|
|
|
var sigVerified = jsrsaSig.verify(sig.toString('hex')); |
|
|
|
|
|
|
|
return validityVerified |
|
|
|
&& issuerVerified |
|
|
|
&& sigVerified; |
|
|
|
}); |
|
|
|
|
|
|
|
return verified && chainVerified; |
|
|
|
|
Christopher Jeffrey
10 years ago