bip70/x509: only store cert fingerprints.
This commit is contained in:
parent
83bab4d382
commit
6a760136a9
@ -226,7 +226,7 @@ PaymentRequest.prototype.verifyChain = function verifyChain() {
|
|||||||
};
|
};
|
||||||
|
|
||||||
PaymentRequest.prototype.getCA = function getCA() {
|
PaymentRequest.prototype.getCA = function getCA() {
|
||||||
var chain, root, ca;
|
var chain, root;
|
||||||
|
|
||||||
if (!this.pkiType || this.pkiType === 'none')
|
if (!this.pkiType || this.pkiType === 'none')
|
||||||
return;
|
return;
|
||||||
@ -241,14 +241,9 @@ PaymentRequest.prototype.getCA = function getCA() {
|
|||||||
if (!root)
|
if (!root)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
ca = x509.getTrusted(root);
|
|
||||||
|
|
||||||
if (!ca)
|
|
||||||
return;
|
|
||||||
|
|
||||||
return {
|
return {
|
||||||
name: x509.getCAName(root),
|
name: x509.getCAName(root),
|
||||||
fingerprint: ca.fingerprint,
|
trusted: x509.isTrusted(root),
|
||||||
cert: root
|
cert: root
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@ -12,15 +12,6 @@ var asn1 = require('./asn1');
|
|||||||
var utils = require('../utils');
|
var utils = require('../utils');
|
||||||
var x509 = exports;
|
var x509 = exports;
|
||||||
|
|
||||||
x509.certs = [];
|
|
||||||
x509.trusted = {};
|
|
||||||
|
|
||||||
x509.getTrusted = function getTrusted(cert) {
|
|
||||||
var fingerprint = utils.sha256(cert.raw);
|
|
||||||
var hash = fingerprint.toString('hex');
|
|
||||||
return x509.trusted[hash];
|
|
||||||
};
|
|
||||||
|
|
||||||
x509.getSubjectOID = function getSubjectOID(cert, oid) {
|
x509.getSubjectOID = function getSubjectOID(cert, oid) {
|
||||||
var subject = cert.tbs.subject;
|
var subject = cert.tbs.subject;
|
||||||
var i, entry;
|
var i, entry;
|
||||||
@ -48,8 +39,17 @@ x509.getCAName = function getCAName(cert) {
|
|||||||
|| 'Unknown';
|
|| 'Unknown';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
x509.trusted = {};
|
||||||
|
x509.allowUntrusted = false;
|
||||||
|
|
||||||
|
x509.isTrusted = function isTrusted(cert) {
|
||||||
|
var fingerprint = utils.sha256(cert.raw);
|
||||||
|
var hash = fingerprint.toString('hex');
|
||||||
|
return x509.trusted[hash] === true;
|
||||||
|
};
|
||||||
|
|
||||||
x509.setTrust = function setTrust(certs) {
|
x509.setTrust = function setTrust(certs) {
|
||||||
var i, cert, pem, fingerprint, hash, trust;
|
var i, cert, pem, hash;
|
||||||
|
|
||||||
if (!Array.isArray(certs))
|
if (!Array.isArray(certs))
|
||||||
certs = [certs];
|
certs = [certs];
|
||||||
@ -61,19 +61,8 @@ x509.setTrust = function setTrust(certs) {
|
|||||||
if (!Buffer.isBuffer(cert))
|
if (!Buffer.isBuffer(cert))
|
||||||
cert = new Buffer(cert, 'hex');
|
cert = new Buffer(cert, 'hex');
|
||||||
|
|
||||||
fingerprint = cert;
|
hash = cert.toString('hex');
|
||||||
hash = fingerprint.toString('hex');
|
x509.trusted[hash] = true;
|
||||||
|
|
||||||
if (x509.trusted[hash])
|
|
||||||
continue;
|
|
||||||
|
|
||||||
trust = {
|
|
||||||
name: 'Unknown',
|
|
||||||
fingerprint: fingerprint
|
|
||||||
};
|
|
||||||
|
|
||||||
x509.certs.push(trust);
|
|
||||||
x509.trusted[hash] = trust;
|
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -89,19 +78,8 @@ x509.setTrust = function setTrust(certs) {
|
|||||||
cert = x509.parse(cert);
|
cert = x509.parse(cert);
|
||||||
assert(cert, 'Could not parse certificate.');
|
assert(cert, 'Could not parse certificate.');
|
||||||
|
|
||||||
fingerprint = utils.sha256(cert.raw);
|
hash = utils.sha256(cert.raw).toString('hex');
|
||||||
hash = fingerprint.toString('hex');
|
x509.trusted[hash] = true;
|
||||||
|
|
||||||
if (x509.trusted[hash])
|
|
||||||
continue;
|
|
||||||
|
|
||||||
trust = {
|
|
||||||
name: x509.getCAName(cert),
|
|
||||||
fingerprint: fingerprint
|
|
||||||
};
|
|
||||||
|
|
||||||
x509.certs.push(trust);
|
|
||||||
x509.trusted[hash] = trust;
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -269,7 +247,7 @@ x509.verifyChain = function verifyChain(chain) {
|
|||||||
|
|
||||||
// If trust hasn't been
|
// If trust hasn't been
|
||||||
// setup, just return.
|
// setup, just return.
|
||||||
if (x509.certs.length === 0)
|
if (x509.allowUntrusted)
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
// Make sure we trust one
|
// Make sure we trust one
|
||||||
@ -280,7 +258,7 @@ x509.verifyChain = function verifyChain(chain) {
|
|||||||
// If any certificate in the chain
|
// If any certificate in the chain
|
||||||
// is trusted, assume we also trust
|
// is trusted, assume we also trust
|
||||||
// the parent.
|
// the parent.
|
||||||
if (x509.getTrusted(child))
|
if (x509.isTrusted(child))
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -334,3 +312,5 @@ function isHash(data) {
|
|||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
x509.setTrust(require('../../../etc/certs.json'));
|
||||||
|
|||||||
@ -11,14 +11,13 @@ sha256() {
|
|||||||
getcerts() {
|
getcerts() {
|
||||||
local buf=''
|
local buf=''
|
||||||
echo "$json" | sed 's/\\/\\\\/g' | while read line; do
|
echo "$json" | sed 's/\\/\\\\/g' | while read line; do
|
||||||
if echo "$line" | grep "BEGIN CERT" > /dev/null; then
|
if echo "$line" | grep 'BEGIN CERT' > /dev/null; then
|
||||||
buf="$line"
|
buf="$line"
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
if echo "$line" | grep "END CERT" > /dev/null; then
|
if echo "$line" | grep 'END CERT' > /dev/null; then
|
||||||
buf="$buf$line"
|
buf="$buf$line"
|
||||||
buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g')
|
echo "$buf" | sed 's/"//g' | sed 's/,//g'
|
||||||
echo ' "'"${buf}"'",'
|
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
buf="$buf$line"
|
buf="$buf$line"
|
||||||
@ -28,30 +27,35 @@ getcerts() {
|
|||||||
gethashes() {
|
gethashes() {
|
||||||
local buf=''
|
local buf=''
|
||||||
echo "$json" | sed 's/\\n/:/g' | while read line; do
|
echo "$json" | sed 's/\\n/:/g' | while read line; do
|
||||||
if echo "$line" | grep "BEGIN CERT" > /dev/null; then
|
if echo "$line" | grep 'BEGIN CERT' > /dev/null; then
|
||||||
buf="$line"
|
buf="$line"
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
if echo "$line" | grep "END CERT" > /dev/null; then
|
if echo "$line" | grep 'END CERT' > /dev/null; then
|
||||||
buf="$buf$line"
|
buf="$buf$line"
|
||||||
buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g' | tr ':' '\n')
|
echo "$buf" \
|
||||||
buf=$(echo "$buf" | openssl x509 -outform DER | sha256)
|
| sed 's/"//g' \
|
||||||
echo ' "'"${buf}"'",'
|
| sed 's/,//g' \
|
||||||
|
| tr ':' '\n' \
|
||||||
|
| openssl x509 -outform DER \
|
||||||
|
| sha256
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
buf="$buf$line"
|
buf="$buf$line"
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
format() {
|
tojson() {
|
||||||
local data=$(cat)
|
local data=$(cat)
|
||||||
local body=$(echo "$data" | head -n -1)
|
local body=$(echo "$data" | head -n -1)
|
||||||
local last=$(echo "$data" | tail -n 1)
|
local last=$(echo "$data" | tail -n 1)
|
||||||
echo '['
|
echo '['
|
||||||
echo "$body"
|
echo "$body" | while read line; do
|
||||||
echo "$last" | rev | cut -c 2- | rev
|
echo ' "'"${line}"'",'
|
||||||
|
done
|
||||||
|
echo ' "'"${last}"'"'
|
||||||
echo ']'
|
echo ']'
|
||||||
}
|
}
|
||||||
|
|
||||||
# getcerts | format > "${dir}/../certs.json"
|
# getcerts | tojson > "${dir}/../etc/certs.json"
|
||||||
gethashes | format > "${dir}/../etc/certs.json"
|
gethashes | tojson > "${dir}/../etc/certs.json"
|
||||||
|
|||||||
@ -20,6 +20,9 @@ tests.ca = {
|
|||||||
pub: new Buffer(tests.ca.pub, 'hex')
|
pub: new Buffer(tests.ca.pub, 'hex')
|
||||||
};
|
};
|
||||||
|
|
||||||
|
x509.allowUntrusted = true;
|
||||||
|
x509.trusted = {};
|
||||||
|
|
||||||
describe('BIP70', function() {
|
describe('BIP70', function() {
|
||||||
function testRequest(data) {
|
function testRequest(data) {
|
||||||
var request = bip70.PaymentRequest.fromRaw(data);
|
var request = bip70.PaymentRequest.fromRaw(data);
|
||||||
@ -98,7 +101,7 @@ describe('BIP70', function() {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('should fail to verify cert signatures when enforcing trust', function() {
|
it('should fail to verify cert signatures when enforcing trust', function() {
|
||||||
x509.certs.push({});
|
x509.allowUntrusted = false;
|
||||||
var request = bip70.PaymentRequest.fromRaw(tests.valid);
|
var request = bip70.PaymentRequest.fromRaw(tests.valid);
|
||||||
assert(!request.verifyChain());
|
assert(!request.verifyChain());
|
||||||
var request = bip70.PaymentRequest.fromRaw(tests.invalid);
|
var request = bip70.PaymentRequest.fromRaw(tests.invalid);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user