bip70/x509: only store cert fingerprints.

2016-07-23 07:05:58 -07:00 · 2016-07-23 07:05:58 -07:00 · 6a760136a9
commit 6a760136a9
parent 83bab4d382
4 changed files with 42 additions and 60 deletions
--- a/lib/bcoin/bip70/index.js
+++ b/lib/bcoin/bip70/index.js
@ -226,7 +226,7 @@ PaymentRequest.prototype.verifyChain = function verifyChain() {
 };

 PaymentRequest.prototype.getCA = function getCA() {
-  var chain, root, ca;
+  var chain, root;

  if (!this.pkiType || this.pkiType === 'none')
    return;
@ -241,14 +241,9 @@ PaymentRequest.prototype.getCA = function getCA() {
  if (!root)
    return;

-  ca = x509.getTrusted(root);
-
-  if (!ca)
-    return;
-
  return {
    name: x509.getCAName(root),
-    fingerprint: ca.fingerprint,
+    trusted: x509.isTrusted(root),
    cert: root
  };
 };
--- a/lib/bcoin/bip70/x509.js
+++ b/lib/bcoin/bip70/x509.js
@ -12,15 +12,6 @@ var asn1 = require('./asn1');
 var utils = require('../utils');
 var x509 = exports;

-x509.certs = [];
-x509.trusted = {};
-
-x509.getTrusted = function getTrusted(cert) {
-  var fingerprint = utils.sha256(cert.raw);
-  var hash = fingerprint.toString('hex');
-  return x509.trusted[hash];
-};
-
 x509.getSubjectOID = function getSubjectOID(cert, oid) {
  var subject = cert.tbs.subject;
  var i, entry;
@ -48,8 +39,17 @@ x509.getCAName = function getCAName(cert) {
    || 'Unknown';
 };

+x509.trusted = {};
+x509.allowUntrusted = false;
+
+x509.isTrusted = function isTrusted(cert) {
+  var fingerprint = utils.sha256(cert.raw);
+  var hash = fingerprint.toString('hex');
+  return x509.trusted[hash] === true;
+};
+
 x509.setTrust = function setTrust(certs) {
-  var i, cert, pem, fingerprint, hash, trust;
+  var i, cert, pem, hash;

  if (!Array.isArray(certs))
    certs = [certs];
@ -61,19 +61,8 @@ x509.setTrust = function setTrust(certs) {
      if (!Buffer.isBuffer(cert))
        cert = new Buffer(cert, 'hex');

-      fingerprint = cert;
-      hash = fingerprint.toString('hex');
-
-      if (x509.trusted[hash])
-        continue;
-
-      trust = {
-        name: 'Unknown',
-        fingerprint: fingerprint
-      };
-
-      x509.certs.push(trust);
-      x509.trusted[hash] = trust;
+      hash = cert.toString('hex');
+      x509.trusted[hash] = true;

      continue;
    }
@ -89,19 +78,8 @@ x509.setTrust = function setTrust(certs) {
    cert = x509.parse(cert);
    assert(cert, 'Could not parse certificate.');

-    fingerprint = utils.sha256(cert.raw);
-    hash = fingerprint.toString('hex');
-
-    if (x509.trusted[hash])
-      continue;
-
-    trust = {
-      name: x509.getCAName(cert),
-      fingerprint: fingerprint
-    };
-
-    x509.certs.push(trust);
-    x509.trusted[hash] = trust;
+    hash = utils.sha256(cert.raw).toString('hex');
+    x509.trusted[hash] = true;
  }
 };

@ -269,7 +247,7 @@ x509.verifyChain = function verifyChain(chain) {

  // If trust hasn't been
  // setup, just return.
-  if (x509.certs.length === 0)
+  if (x509.allowUntrusted)
    return true;

  // Make sure we trust one
@ -280,7 +258,7 @@ x509.verifyChain = function verifyChain(chain) {
    // If any certificate in the chain
    // is trusted, assume we also trust
    // the parent.
-    if (x509.getTrusted(child))
+    if (x509.isTrusted(child))
      return true;
  }

@ -334,3 +312,5 @@ function isHash(data) {

  return false;
 }
+
+x509.setTrust(require('../../../etc/certs.json'));
--- a/scripts/certs.sh
+++ b/scripts/certs.sh
@ -11,14 +11,13 @@ sha256() {
 getcerts() {
  local buf=''
  echo "$json" | sed 's/\\/\\\\/g' | while read line; do
-    if echo "$line" | grep "BEGIN CERT" > /dev/null; then
+    if echo "$line" | grep 'BEGIN CERT' > /dev/null; then
      buf="$line"
      continue
    fi
-    if echo "$line" | grep "END CERT" > /dev/null; then
+    if echo "$line" | grep 'END CERT' > /dev/null; then
      buf="$buf$line"
-      buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g')
-      echo '  "'"${buf}"'",'
+      echo "$buf" | sed 's/"//g' | sed 's/,//g'
      continue
    fi
    buf="$buf$line"
@ -28,30 +27,35 @@ getcerts() {
 gethashes() {
  local buf=''
  echo "$json" | sed 's/\\n/:/g' | while read line; do
-    if echo "$line" | grep "BEGIN CERT" > /dev/null; then
+    if echo "$line" | grep 'BEGIN CERT' > /dev/null; then
      buf="$line"
      continue
    fi
-    if echo "$line" | grep "END CERT" > /dev/null; then
+    if echo "$line" | grep 'END CERT' > /dev/null; then
      buf="$buf$line"
-      buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g' | tr ':' '\n')
-      buf=$(echo "$buf" | openssl x509 -outform DER | sha256)
-      echo '  "'"${buf}"'",'
+      echo "$buf" \
+        | sed 's/"//g' \
+        | sed 's/,//g' \
+        | tr ':' '\n' \
+        | openssl x509 -outform DER \
+        | sha256
      continue
    fi
    buf="$buf$line"
  done
 }

-format() {
+tojson() {
  local data=$(cat)
  local body=$(echo "$data" | head -n -1)
  local last=$(echo "$data" | tail -n 1)
  echo '['
-  echo "$body"
-  echo "$last" | rev | cut -c 2- | rev
+  echo "$body" | while read line; do
+    echo '  "'"${line}"'",'
+  done
+  echo '  "'"${last}"'"'
  echo ']'
 }

-# getcerts | format > "${dir}/../certs.json"
-gethashes | format > "${dir}/../etc/certs.json"
+# getcerts | tojson > "${dir}/../etc/certs.json"
+gethashes | tojson > "${dir}/../etc/certs.json"
--- a/test/bip70-test.js
+++ b/test/bip70-test.js
@ -20,6 +20,9 @@ tests.ca = {
  pub: new Buffer(tests.ca.pub, 'hex')
 };

+x509.allowUntrusted = true;
+x509.trusted = {};
+
 describe('BIP70', function() {
  function testRequest(data) {
    var request = bip70.PaymentRequest.fromRaw(data);
@ -98,7 +101,7 @@ describe('BIP70', function() {
  });

  it('should fail to verify cert signatures when enforcing trust', function() {
-    x509.certs.push({});
+    x509.allowUntrusted = false;
    var request = bip70.PaymentRequest.fromRaw(tests.valid);
    assert(!request.verifyChain());
    var request = bip70.PaymentRequest.fromRaw(tests.invalid);