From 46969c6f3a514981cc4c71ba77aa648fc58253c4 Mon Sep 17 00:00:00 2001
From: Christopher Jeffrey
Date: Fri, 22 Jul 2016 21:57:42 -0700
Subject: [PATCH] bip70: fix signing.
---
 lib/bcoin/bip70/index.js | 45 ++++++++++++++++++++++------------------
 lib/bcoin/bip70/x509.js | 17 +++++++++++++++
 2 files changed, 42 insertions(+), 20 deletions(-)
diff --git a/lib/bcoin/bip70/index.js b/lib/bcoin/bip70/index.js
index c56dc505..c6891220 100644
--- a/lib/bcoin/bip70/index.js
+++ b/lib/bcoin/bip70/index.js
@@ -55,7 +55,7 @@ PaymentRequest.prototype.fromOptions = function fromOptions(options) {
 }
 if (options.chain)
- this.setChain(this.pkiType, options.chain);
+ this.setChain(options.chain);
 return this;
 };
@@ -122,7 +122,7 @@ PaymentRequest.prototype.getAlgorithm = function getAlgorithm() {
 if (parts[1] !== 'sha1' && parts[1] !== 'sha256')
 return;
- return { key: 'rsa', hash: parts[1] };
+ return { key: parts[0], hash: parts[1] };
 };
 PaymentRequest.prototype.signatureData = function signatureData() {
@@ -144,20 +144,21 @@ PaymentRequest.prototype.signatureHash = function signatureHash() {
 return utils.hash(alg.hash, this.signatureData());
 };
-PaymentRequest.prototype.setChain = function setChain(pkiType, chain) {
+PaymentRequest.prototype.setChain = function setChain(chain) {
 var p = new ProtoWriter();
- var i, cert;
+ var i, cert, pem;
- assert(pkiType === 'x509+sha1' || pkiType === 'x509+sha256');
- assert(Array.isArray(chain));
-
- this.pkiType = pkiType;
+ if (!Array.isArray(chain))
+ chain = [chain];
 for (i = 0; i < chain.length; i++) {
 cert = chain[i];
- if (typeof cert === 'string')
- cert = asn1.fromPEM(cert).data;
- assert(Buffer.isBuffer(cert), 'Bad cert format.');
+ if (typeof cert === 'string') {
+ pem = asn1.fromPEM(cert);
+ assert(pem.type === 'certificate', 'Bad certificate PEM.');
+ cert = pem.data;
+ }
+ assert(Buffer.isBuffer(cert), 'Certificates must be PEM or DER.');
 p.writeFieldBytes(1, cert);
 }
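Review bot: In getAlgorithm(), the returned `key` field changes from the literal 'rsa' to `parts[0]`, which is a misleading name: judging by the 'x509+sha1' / 'x509+sha256' pkiType strings elsewhere in this patch, parts[0] is presumably the PKI scheme ('x509'), not a key algorithm. The callers visible in this diff read only `alg.hash`, and the key algorithm is now taken from the certificate in x509.signSubject. A comment such as `// key holds the pkiType prefix, not the signing-key algorithm; that is read from the leaf certificate` (or renaming the field) would keep a later caller from passing it to a signing routine. The function starts outside this hunk, so how `parts` is built is not visible here.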
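Review bot: setChain() now accepts an empty array without complaint: the loop writes nothing, and the problem only surfaces later in x509.signSubject's 'No chain available.' assertion. Unless clearing the chain is an intended use, a guard right after the array normalisation, `assert(chain.length !== 0, 'No chain available.');`, would fail at the point of the mistake. The function also has no comment stating the accepted inputs; one saying that `chain` is a single certificate or an array of PEM strings or DER buffers, with the signing (leaf) certificate first, would match how signSubject uses `chain[0]`. The end of setChain is outside this hunk.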
@@ -179,24 +180,26 @@ PaymentRequest.prototype.getChain = function getChain() {
 return chain;
 };
-PaymentRequest.prototype.sign = function sign(key) {
- var alg, msg;
+PaymentRequest.prototype.sign = function sign(key, chain) {
+ var alg, msg, chain;
- if (!this.pkiType || this.pkiType === 'none') {
- this.signature = null;
- return;
- }
+ if (chain)
+ this.setChain(chain);
+
+ if (!this.pkiType)
+ this.pkiType = 'x509+sha256';
 alg = this.getAlgorithm();
 assert(alg, 'No hash algorithm available.');
 msg = this.signatureData();
+ chain = this.getChain();
- this.signature = x509.sign(alg.hash, msg, key);
+ this.signature = x509.signSubject(alg.hash, msg, key, chain);
 };
 PaymentRequest.prototype.verify = function verify() {
- var alg, msg, ver, der, pem;
+ var alg, msg, sig, chain;
 if (!this.pkiType || this.pkiType === 'none')
 return true;
@@ -210,8 +213,10 @@ PaymentRequest.prototype.verify = function verify() {
 return false;
 msg = this.signatureData();
+ sig = this.signature;
+ chain = this.getChain();
- return x509.verifySubject(alg.hash, msg, this.signature, this.getChain());
+ return x509.verifySubject(alg.hash, msg, sig, chain);
 };
 PaymentRequest.prototype.verifyChain = function verifyChain(ignoreTime) {
diff --git a/lib/bcoin/bip70/x509.js b/lib/bcoin/bip70/x509.js
index 41a70624..42f82cc3 100644
--- a/lib/bcoin/bip70/x509.js
+++ b/lib/bcoin/bip70/x509.js
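Review bot: In sign(), `var alg, msg, chain;` redeclares the `chain` parameter, and the same name is then reused for the result of `this.getChain()`, so one identifier holds first the caller's input and later the decoded chain. A separate local would be clearer and avoids redeclaration lint warnings: `var alg, msg, certs;`, `certs = this.getChain();`, `this.signature = x509.signSubject(alg.hash, msg, key, certs);`. Also, with the early return removed, a request whose pkiType is 'none' is no longer skipped and will likely fail on the 'No hash algorithm available.' assertion, while verify() still returns true for 'none'. A short doc comment on sign() stating that it requires (or defaults to) an x509 pkiType would make that asymmetry explicit.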
@@ -126,6 +126,23 @@ x509.verifyTime = function verifyTime(cert) {
 return now > time.notBefore && now < time.notAfter;
 };
+x509.signSubject = function signSubject(hash, msg, key, chain) {
+ var cert, alg;
+
+ assert(chain.length !== 0, 'No chain available.');
+
+ cert = x509.parse(chain[0]);
+ assert(cert, 'Could not parse certificate.');
+
+ alg = x509.getKeyAlgorithm(cert);
+ assert(alg, 'Certificate uses an unknown algorithm.');
+
+ if (Buffer.isBuffer(key))
+ key = asn1.toPEM(key, alg.key + ' PRIVATE KEY');
+
+ return x509.sign(alg.key, hash, msg, key);
+};
+
 x509.verifySubject = function verifySubject(hash, msg, sig, chain) {
 var cert, key, alg;
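Review bot: x509.signSubject() uses the leaf certificate only to pick the algorithm name and never checks that `key` belongs to `chain[0]`, so a mismatched or wrong-type private key yields a signature that fails only when the payer verifies it. Checking the result before returning would catch this at signing time: `sig = x509.sign(alg.key, hash, msg, key);`, then `assert(x509.verifySubject(hash, msg, sig, chain), 'Key does not match certificate.');` and `return sig;`, with `sig` added to the `var` line. A raw Buffer key is wrapped as `alg.key + ' PRIVATE KEY'`, which presumably assumes the traditional per-algorithm DER encoding rather than PKCS#8. A doc comment listing the accepted key formats and stating that `chain[0]` must be the signing certificate would make that contract visible.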