paypro: handle untrusted certs on browser and node.

11 years ago · f7e89b6a58
2 changed files with 35 additions and 1 deletions
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@ -3,6 +3,14 @@ var protobufjs = protobufjs || require('protobufjs/dist/ProtoBuf');
 var Message = Message || require('./Message');

 var KJUR = require('jsrsasign');
+var Trusted = require('./RootCerts');
+
+// Use hash table for efficiency:
+Trusted = Trusted.reduce(function(out, cert) {
+  cert = cert.replace(/\s+/g, '');
+  trusted[cert] = true;
+  return trusted;
+}, {});

 // BIP 70 - payment protocol
 function PayPro() {
@ -215,6 +223,19 @@ PayPro.prototype.sign = function(key) {
    var pki_data = this.get('pki_data'); // contains one or more x509 certs
    var details = this.get('serialized_payment_details');
    var type = pki_type.split('+')[1].toUpperCase();
+
+    pki_data = pki_data && Array.isArray(pki_data)
+      ? pki_data[0]
+      : pki_data;
+
+    var der = pki_data.toString('hex');
+    var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
+    // var pub = KJUR.KEYUTIL.getHexFromPEM(pem, 'PUBLIC KEY')
+
+    if (!Trusted[pem.replace(/\s+/g, '')]) {
+      throw new Error('Unstrusted certificate.');
+    }
+
    var signature = crypto.createSign('RSA-' + type);
    var buf = this.serializeForSig();
    signature.update(buf);
@ -245,10 +266,11 @@ PayPro.prototype.verify = function() {
    var details = this.get('serialized_payment_details');
    var buf = this.serializeForSig();
    var type = pki_type.split('+')[1].toUpperCase();
+
    var verifier = crypto.createVerify('RSA-' + type);
    verifier.update(buf);

-    pki_data = pki_data && pki_data.unshift
+    pki_data = Array.isArray(pki_data)
      ? pki_data[0]
      : pki_data;

@ -256,6 +278,10 @@ PayPro.prototype.verify = function() {
    var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
    // var pub = KJUR.KEYUTIL.getHexFromPEM(pem, 'PUBLIC KEY')

+    if (!Trusted[pem.replace(/\s+/g, '')]) {
+      throw new Error('Unstrusted certificate.');
+    }
+
    // return verifier.verify(pub, sig);
    return verifier.verify(pem, sig);
  } else if (pki_type === 'none') {
--- a/lib/browser/PayPro.js
+++ b/lib/browser/PayPro.js
@ -37,6 +37,10 @@ PayPro.sign = function(key) {
    var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
    // var pub = KJUR.KEYUTIL.getHexFromPEM(pem, 'PUBLIC KEY')

+    if (!Trusted[pem.replace(/\s+/g, '')]) {
+      throw new Error('Unstrusted certificate.');
+    }
+
    var jsrsaSig = new KJUR.crypto.Signature({
      alg: type + 'withRSA',
      prov: 'cryptojs/jsrsa'
@ -84,6 +88,10 @@ PayPro.verify = function() {
    var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
    // var pub = KJUR.KEYUTIL.getHexFromPEM(pem, 'PUBLIC KEY')

+    if (!Trusted[pem.replace(/\s+/g, '')]) {
+      throw new Error('Unstrusted certificate.');
+    }
+
    jsrsaSig.initVerifyByCertificatePEM(pem);

    jsrsaSig.updateHex(buf.toString('hex'));