diff --git a/lib/bcoin/bip70/index.js b/lib/bcoin/bip70/index.js index 06b7d895..e7d59f64 100644 --- a/lib/bcoin/bip70/index.js +++ b/lib/bcoin/bip70/index.js @@ -226,7 +226,7 @@ PaymentRequest.prototype.verifyChain = function verifyChain() { }; PaymentRequest.prototype.getCA = function getCA() { - var chain, root, ca; + var chain, root; if (!this.pkiType || this.pkiType === 'none') return; @@ -241,14 +241,9 @@ PaymentRequest.prototype.getCA = function getCA() { if (!root) return; - ca = x509.getTrusted(root); - - if (!ca) - return; - return { name: x509.getCAName(root), - fingerprint: ca.fingerprint, + trusted: x509.isTrusted(root), cert: root }; }; diff --git a/lib/bcoin/bip70/x509.js b/lib/bcoin/bip70/x509.js index fae2ce75..973cca92 100644 --- a/lib/bcoin/bip70/x509.js +++ b/lib/bcoin/bip70/x509.js @@ -12,15 +12,6 @@ var asn1 = require('./asn1'); var utils = require('../utils'); var x509 = exports; -x509.certs = []; -x509.trusted = {}; - -x509.getTrusted = function getTrusted(cert) { - var fingerprint = utils.sha256(cert.raw); - var hash = fingerprint.toString('hex'); - return x509.trusted[hash]; -}; - x509.getSubjectOID = function getSubjectOID(cert, oid) { var subject = cert.tbs.subject; var i, entry; @@ -48,8 +39,17 @@ x509.getCAName = function getCAName(cert) { || 'Unknown'; }; +x509.trusted = {}; +x509.allowUntrusted = false; + +x509.isTrusted = function isTrusted(cert) { + var fingerprint = utils.sha256(cert.raw); + var hash = fingerprint.toString('hex'); + return x509.trusted[hash] === true; +}; + x509.setTrust = function setTrust(certs) { - var i, cert, pem, fingerprint, hash, trust; + var i, cert, pem, hash; if (!Array.isArray(certs)) certs = [certs]; @@ -61,19 +61,8 @@ x509.setTrust = function setTrust(certs) { if (!Buffer.isBuffer(cert)) cert = new Buffer(cert, 'hex'); - fingerprint = cert; - hash = fingerprint.toString('hex'); - - if (x509.trusted[hash]) - continue; - - trust = { - name: 'Unknown', - fingerprint: fingerprint - }; - - x509.certs.push(trust); - x509.trusted[hash] = trust; + hash = cert.toString('hex'); + x509.trusted[hash] = true; continue; } @@ -89,19 +78,8 @@ x509.setTrust = function setTrust(certs) { cert = x509.parse(cert); assert(cert, 'Could not parse certificate.'); - fingerprint = utils.sha256(cert.raw); - hash = fingerprint.toString('hex'); - - if (x509.trusted[hash]) - continue; - - trust = { - name: x509.getCAName(cert), - fingerprint: fingerprint - }; - - x509.certs.push(trust); - x509.trusted[hash] = trust; + hash = utils.sha256(cert.raw).toString('hex'); + x509.trusted[hash] = true; } }; @@ -269,7 +247,7 @@ x509.verifyChain = function verifyChain(chain) { // If trust hasn't been // setup, just return. - if (x509.certs.length === 0) + if (x509.allowUntrusted) return true; // Make sure we trust one @@ -280,7 +258,7 @@ x509.verifyChain = function verifyChain(chain) { // If any certificate in the chain // is trusted, assume we also trust // the parent. - if (x509.getTrusted(child)) + if (x509.isTrusted(child)) return true; } @@ -334,3 +312,5 @@ function isHash(data) { return false; } + +x509.setTrust(require('../../../etc/certs.json')); diff --git a/scripts/certs.sh b/scripts/certs.sh index 83279a18..ef685ffb 100755 --- a/scripts/certs.sh +++ b/scripts/certs.sh @@ -11,14 +11,13 @@ sha256() { getcerts() { local buf='' echo "$json" | sed 's/\\/\\\\/g' | while read line; do - if echo "$line" | grep "BEGIN CERT" > /dev/null; then + if echo "$line" | grep 'BEGIN CERT' > /dev/null; then buf="$line" continue fi - if echo "$line" | grep "END CERT" > /dev/null; then + if echo "$line" | grep 'END CERT' > /dev/null; then buf="$buf$line" - buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g') - echo ' "'"${buf}"'",' + echo "$buf" | sed 's/"//g' | sed 's/,//g' continue fi buf="$buf$line" @@ -28,30 +27,35 @@ getcerts() { gethashes() { local buf='' echo "$json" | sed 's/\\n/:/g' | while read line; do - if echo "$line" | grep "BEGIN CERT" > /dev/null; then + if echo "$line" | grep 'BEGIN CERT' > /dev/null; then buf="$line" continue fi - if echo "$line" | grep "END CERT" > /dev/null; then + if echo "$line" | grep 'END CERT' > /dev/null; then buf="$buf$line" - buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g' | tr ':' '\n') - buf=$(echo "$buf" | openssl x509 -outform DER | sha256) - echo ' "'"${buf}"'",' + echo "$buf" \ + | sed 's/"//g' \ + | sed 's/,//g' \ + | tr ':' '\n' \ + | openssl x509 -outform DER \ + | sha256 continue fi buf="$buf$line" done } -format() { +tojson() { local data=$(cat) local body=$(echo "$data" | head -n -1) local last=$(echo "$data" | tail -n 1) echo '[' - echo "$body" - echo "$last" | rev | cut -c 2- | rev + echo "$body" | while read line; do + echo ' "'"${line}"'",' + done + echo ' "'"${last}"'"' echo ']' } -# getcerts | format > "${dir}/../certs.json" -gethashes | format > "${dir}/../etc/certs.json" +# getcerts | tojson > "${dir}/../etc/certs.json" +gethashes | tojson > "${dir}/../etc/certs.json" diff --git a/test/bip70-test.js b/test/bip70-test.js index d7f37744..796ad27f 100644 --- a/test/bip70-test.js +++ b/test/bip70-test.js @@ -20,6 +20,9 @@ tests.ca = { pub: new Buffer(tests.ca.pub, 'hex') }; +x509.allowUntrusted = true; +x509.trusted = {}; + describe('BIP70', function() { function testRequest(data) { var request = bip70.PaymentRequest.fromRaw(data); @@ -98,7 +101,7 @@ describe('BIP70', function() { }); it('should fail to verify cert signatures when enforcing trust', function() { - x509.certs.push({}); + x509.allowUntrusted = false; var request = bip70.PaymentRequest.fromRaw(tests.valid); assert(!request.verifyChain()); var request = bip70.PaymentRequest.fromRaw(tests.invalid);