From f0757498b68ef4a4c228d4f31e82592ece809983 Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Fri, 22 Aug 2014 08:56:08 -0700 Subject: [PATCH] paypro: use asn1.js in browser paypro. --- lib/PayPro.js | 5 ++-- lib/browser/PayPro.js | 60 +++++++++++++++++-------------------------- 2 files changed, 25 insertions(+), 40 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index 5f34cf4..fbcf291 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -10,7 +10,6 @@ var KJUR = require('jsrsasign'); var asn1 = require('asn1.js'); var rfc3280 = require('asn1.js/rfc/3280'); -var Certificate = rfc3280.Certificate; PayPro.prototype.x509Sign = function(key) { var self = this; @@ -89,13 +88,13 @@ PayPro.prototype.x509Verify = function() { // Get public key from next certificate: var data = new Buffer(nder, 'hex'); - var nc = Certificate.decode(data, 'der'); + var nc = rfc3280.Certificate.decode(data, 'der'); var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data; npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY'); // Get signature from current certificate: var data = new Buffer(der, 'hex'); - var c = Certificate.decode(data, 'der'); + var c = rfc3280.Certificate.decode(data, 'der'); var sig = c.signature.data; var verifier = crypto.createVerify('RSA-' + type); diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index 9269308..fe5d565 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -5,6 +5,8 @@ var KJUR = require('jsrsasign'); var assert = require('assert'); var PayPro = require('../common/PayPro'); var RootCerts = require('../common/RootCerts'); +var asn1 = require('asn1.js'); +var rfc3280 = require('asn1.js/rfc/3280'); // Documentation: // http://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Signature.html#.sign @@ -78,13 +80,9 @@ PayPro.prototype.x509Verify = function(key) { // 2. Extract signature from current certificate. // 3. If current cert is not trusted, verify that the current cert is signed // by NEXT by the certificate. - // 4. XXX What to do when the certificate is revoked? + // NOTE: XXX What to do when the certificate is revoked? - var blen = +type.replace(/[^\d]+/g, ''); - if (blen === 1) blen = 20; - if (blen === 256) blen = 32; - - chain.forEach(function(cert, i) { + var chainVerified = chain.every(function(cert, i) { var der = cert.toString('hex'); var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); var name = RootCerts.getTrusted(pem); @@ -92,50 +90,38 @@ PayPro.prototype.x509Verify = function(key) { var ncert = chain[i + 1]; // The root cert, check if it's trusted: if (!ncert || name) { - if (!name) { - // console.log('Untrusted certificate.'); - } else { - // console.log('Certificate: %s', name); - } - return; + chain.length = 0; + return true; } var nder = ncert.toString('hex'); var npem = KJUR.asn1.ASN1Util.getPEMStringFromHex(nder, 'CERTIFICATE'); - // get sig from current cert - BAD - var sig = der.slice(-(blen * 2)); - - // Should work but doesn't: - // get sig from current cert - // var o = new KJUR.asn1.cms.SignerInfo(); - // o.setSignerIdentifier(pem); - // var sig = new Buffer(o.getEncodedHex(), 'hex'); + // Get public key from next certificate: + var data = new Buffer(nder, 'hex'); + var nc = rfc3280.Certificate.decode(data, 'der'); + var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data; + npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY'); - // get public key from next cert - var js = new KJUR.crypto.Signature({ - alg: type + 'withRSA', - prov: 'cryptojs/jsrsa' - }); - js.initVerifyByCertificatePEM(npem); - var npubKey = KJUR.KEYUTIL.getPEM(js.pubKey); + // Get signature from current certificate: + var data = new Buffer(der, 'hex'); + var c = rfc3280.Certificate.decode(data, 'der'); + var sig = c.signature.data; var jsrsaSig = new KJUR.crypto.Signature({ alg: type + 'withRSA', prov: 'cryptojs/jsrsa' }); jsrsaSig.initVerifyByPublicKey(npubKey); - // NOTE: We need to slice off the signatureAlgorithm and signatureValue - - // consult the x509 spec: - // https://www.ietf.org/rfc/rfc2459 - jsrsaSig.updateHex(der); - var v = jsrsaSig.verify(sig); - if (!v) { - // console.log(i + ' not verified.'); - verified = false; - } + + // Create a To-Be-Signed Certificate to verify using asn1.js: + // Fails at Issuer: + var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der'); + jsrsaSig.updateHex(tbs); + + return jsrsaSig.verify(sig); }); - return verified; + return verified && chainVerified; }; module.exports = PayPro;