From eba2825f5a89a3686cfadb0a33ef116c2112cd80 Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Thu, 28 Aug 2014 17:32:13 -0700 Subject: [PATCH] paypro: get chain validation working in the browser. --- lib/PayPro.js | 1 - lib/browser/PayPro.js | 83 ++++++++++++++++++++++++++++++++++--------- 2 files changed, 66 insertions(+), 18 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index 024f8a4..9c51a44 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -8,7 +8,6 @@ var PayPro = require('./common/PayPro'); var asn1 = require('asn1.js'); var rfc3280 = require('asn1.js/rfc/3280'); -var rfc5280 = require('asn1.js/rfc/5280'); PayPro.prototype.x509Sign = function(key) { var self = this; diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index 202e139..65b1a0b 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -5,6 +5,7 @@ var KJUR = require('jsrsasign'); var assert = require('assert'); var PayPro = require('../common/PayPro'); var RootCerts = require('../common/RootCerts'); + var asn1 = require('asn1.js'); var rfc3280 = require('asn1.js/rfc/3280'); @@ -68,6 +69,7 @@ PayPro.prototype.x509Verify = function(key) { var signedCert = pki_data[0]; var der = signedCert.toString('hex'); + // var pem = self._DERtoPEM(der, 'CERTIFICATE'); var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); jsrsaSig.initVerifyByCertificatePEM(pem); jsrsaSig.updateHex(buf.toString('hex')); @@ -75,15 +77,9 @@ PayPro.prototype.x509Verify = function(key) { var chain = pki_data; - // Verifying the cert chain: - // 1. Extract public key from next certificate. - // 2. Extract signature from current certificate. - // 3. If current cert is not trusted, verify that the current cert is signed - // by NEXT by the certificate. - // NOTE: XXX What to do when the certificate is revoked? - var chainVerified = chain.every(function(cert, i) { var der = cert.toString('hex'); + // var pem = self._DERtoPEM(der, 'CERTIFICATE'); var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); var name = RootCerts.getTrusted(pem); @@ -97,15 +93,22 @@ PayPro.prototype.x509Verify = function(key) { return true; } var nder = ncert.toString('hex'); + // var npem = self._DERtoPEM(nder, 'CERTIFICATE'); var npem = KJUR.asn1.ASN1Util.getPEMStringFromHex(nder, 'CERTIFICATE'); - // Get public key from next certificate: - // var data = new Buffer(nder, 'hex'); - // var nc = rfc3280.Certificate.decode(data, 'der'); + // + // Get Public Key from next certificate: + // + // var ndata = new Buffer(nder, 'hex'); + // var nc = rfc3280.Certificate.decode(ndata, 'der'); + // var npubKeyAlg = PayPro.getAlgorithm( + // nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm); // var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data; - // npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey, 'RSA PUBLIC KEY'); + // // npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY'); + // // npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey.toString('hex'), 'PUBLIC KEY'); + // npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey.toString('hex'), npubKeyAlg + ' PUBLIC KEY'); - // Get public key from next certificate via KJUR: + // Get public key from next certificate via KJUR since sane methods don't work: var js = new KJUR.crypto.Signature({ alg: type + 'withRSA', prov: 'cryptojs/jsrsa' @@ -113,23 +116,69 @@ PayPro.prototype.x509Verify = function(key) { js.initVerifyByCertificatePEM(npem); var npubKey = js.pubKey; - // Get signature from current certificate: + // + // Get Signature Value from current certificate: + // var data = new Buffer(der, 'hex'); var c = rfc3280.Certificate.decode(data, 'der'); + var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1); var sig = c.signature.data; + // + // Check Validity of Certificates + // + var validityVerified = true; + var now = Date.now(); + var cBefore = c.tbsCertificate.validity.notBefore.value; + var cAfter = c.tbsCertificate.validity.notAfter.value; + var nBefore = nc.tbsCertificate.validity.notBefore.value; + var nAfter = nc.tbsCertificate.validity.notAfter.value; + if (cBefore > now || cAfter < now || nBefore > now || nAfter < now) { + validityVerified = false; + } + + // + // Check the Issuer matches the Subject of the next certificate: + // + var issuer = c.tbsCertificate.issuer; + var subject = nc.tbsCertificate.subject; + var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) { + var subjectArray = subject.value[i]; + return issuerArray.every(function(issuerObject, i) { + var subjectObject = subjectArray[i]; + + var issuerObjectType = issuerObject.type.join('.'); + var subjectObjectType = subjectObject.type.join('.'); + + var issuerObjectValue = issuerObject.value.toString('hex'); + var subjectObjectValue = subjectObject.value.toString('hex'); + + return issuerObjectType === subjectObjectType + && issuerObjectValue === subjectObjectValue; + }); + }); + + // + // Verify current Certificate signature + // + var jsrsaSig = new KJUR.crypto.Signature({ alg: type + 'withRSA', prov: 'cryptojs/jsrsa' }); jsrsaSig.initVerifyByPublicKey(npubKey); - // Create a To-Be-Signed Certificate to verify using asn1.js: - // Fails at Issuer: - var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der'); + // Get the raw DER TBSCertificate + // from the DER Certificate: + var tbs = PayPro.getTBSCertificate(data); + jsrsaSig.updateHex(tbs.toString('hex')); - return jsrsaSig.verify(sig.toString('hex')); + var sigVerified = jsrsaSig.verify(sig.toString('hex')); + + return validityVerified + && issuerVerified + && sigVerified; }); return verified && chainVerified;