bip70/x509: only store cert fingerprints.

This commit is contained in:
Christopher Jeffrey 2016-07-23 07:05:58 -07:00
parent 83bab4d382
commit 6a760136a9
No known key found for this signature in database
GPG Key ID: 8962AB9DE6666BBD
4 changed files with 42 additions and 60 deletions

View File

@ -226,7 +226,7 @@ PaymentRequest.prototype.verifyChain = function verifyChain() {
}; };
PaymentRequest.prototype.getCA = function getCA() { PaymentRequest.prototype.getCA = function getCA() {
var chain, root, ca; var chain, root;
if (!this.pkiType || this.pkiType === 'none') if (!this.pkiType || this.pkiType === 'none')
return; return;
@ -241,14 +241,9 @@ PaymentRequest.prototype.getCA = function getCA() {
if (!root) if (!root)
return; return;
ca = x509.getTrusted(root);
if (!ca)
return;
return { return {
name: x509.getCAName(root), name: x509.getCAName(root),
fingerprint: ca.fingerprint, trusted: x509.isTrusted(root),
cert: root cert: root
}; };
}; };

View File

@ -12,15 +12,6 @@ var asn1 = require('./asn1');
var utils = require('../utils'); var utils = require('../utils');
var x509 = exports; var x509 = exports;
x509.certs = [];
x509.trusted = {};
x509.getTrusted = function getTrusted(cert) {
var fingerprint = utils.sha256(cert.raw);
var hash = fingerprint.toString('hex');
return x509.trusted[hash];
};
x509.getSubjectOID = function getSubjectOID(cert, oid) { x509.getSubjectOID = function getSubjectOID(cert, oid) {
var subject = cert.tbs.subject; var subject = cert.tbs.subject;
var i, entry; var i, entry;
@ -48,8 +39,17 @@ x509.getCAName = function getCAName(cert) {
|| 'Unknown'; || 'Unknown';
}; };
x509.trusted = {};
x509.allowUntrusted = false;
x509.isTrusted = function isTrusted(cert) {
var fingerprint = utils.sha256(cert.raw);
var hash = fingerprint.toString('hex');
return x509.trusted[hash] === true;
};
x509.setTrust = function setTrust(certs) { x509.setTrust = function setTrust(certs) {
var i, cert, pem, fingerprint, hash, trust; var i, cert, pem, hash;
if (!Array.isArray(certs)) if (!Array.isArray(certs))
certs = [certs]; certs = [certs];
@ -61,19 +61,8 @@ x509.setTrust = function setTrust(certs) {
if (!Buffer.isBuffer(cert)) if (!Buffer.isBuffer(cert))
cert = new Buffer(cert, 'hex'); cert = new Buffer(cert, 'hex');
fingerprint = cert; hash = cert.toString('hex');
hash = fingerprint.toString('hex'); x509.trusted[hash] = true;
if (x509.trusted[hash])
continue;
trust = {
name: 'Unknown',
fingerprint: fingerprint
};
x509.certs.push(trust);
x509.trusted[hash] = trust;
continue; continue;
} }
@ -89,19 +78,8 @@ x509.setTrust = function setTrust(certs) {
cert = x509.parse(cert); cert = x509.parse(cert);
assert(cert, 'Could not parse certificate.'); assert(cert, 'Could not parse certificate.');
fingerprint = utils.sha256(cert.raw); hash = utils.sha256(cert.raw).toString('hex');
hash = fingerprint.toString('hex'); x509.trusted[hash] = true;
if (x509.trusted[hash])
continue;
trust = {
name: x509.getCAName(cert),
fingerprint: fingerprint
};
x509.certs.push(trust);
x509.trusted[hash] = trust;
} }
}; };
@ -269,7 +247,7 @@ x509.verifyChain = function verifyChain(chain) {
// If trust hasn't been // If trust hasn't been
// setup, just return. // setup, just return.
if (x509.certs.length === 0) if (x509.allowUntrusted)
return true; return true;
// Make sure we trust one // Make sure we trust one
@ -280,7 +258,7 @@ x509.verifyChain = function verifyChain(chain) {
// If any certificate in the chain // If any certificate in the chain
// is trusted, assume we also trust // is trusted, assume we also trust
// the parent. // the parent.
if (x509.getTrusted(child)) if (x509.isTrusted(child))
return true; return true;
} }
@ -334,3 +312,5 @@ function isHash(data) {
return false; return false;
} }
x509.setTrust(require('../../../etc/certs.json'));

View File

@ -11,14 +11,13 @@ sha256() {
getcerts() { getcerts() {
local buf='' local buf=''
echo "$json" | sed 's/\\/\\\\/g' | while read line; do echo "$json" | sed 's/\\/\\\\/g' | while read line; do
if echo "$line" | grep "BEGIN CERT" > /dev/null; then if echo "$line" | grep 'BEGIN CERT' > /dev/null; then
buf="$line" buf="$line"
continue continue
fi fi
if echo "$line" | grep "END CERT" > /dev/null; then if echo "$line" | grep 'END CERT' > /dev/null; then
buf="$buf$line" buf="$buf$line"
buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g') echo "$buf" | sed 's/"//g' | sed 's/,//g'
echo ' "'"${buf}"'",'
continue continue
fi fi
buf="$buf$line" buf="$buf$line"
@ -28,30 +27,35 @@ getcerts() {
gethashes() { gethashes() {
local buf='' local buf=''
echo "$json" | sed 's/\\n/:/g' | while read line; do echo "$json" | sed 's/\\n/:/g' | while read line; do
if echo "$line" | grep "BEGIN CERT" > /dev/null; then if echo "$line" | grep 'BEGIN CERT' > /dev/null; then
buf="$line" buf="$line"
continue continue
fi fi
if echo "$line" | grep "END CERT" > /dev/null; then if echo "$line" | grep 'END CERT' > /dev/null; then
buf="$buf$line" buf="$buf$line"
buf=$(echo "$buf" | sed 's/"//g' | sed 's/,//g' | tr ':' '\n') echo "$buf" \
buf=$(echo "$buf" | openssl x509 -outform DER | sha256) | sed 's/"//g' \
echo ' "'"${buf}"'",' | sed 's/,//g' \
| tr ':' '\n' \
| openssl x509 -outform DER \
| sha256
continue continue
fi fi
buf="$buf$line" buf="$buf$line"
done done
} }
format() { tojson() {
local data=$(cat) local data=$(cat)
local body=$(echo "$data" | head -n -1) local body=$(echo "$data" | head -n -1)
local last=$(echo "$data" | tail -n 1) local last=$(echo "$data" | tail -n 1)
echo '[' echo '['
echo "$body" echo "$body" | while read line; do
echo "$last" | rev | cut -c 2- | rev echo ' "'"${line}"'",'
done
echo ' "'"${last}"'"'
echo ']' echo ']'
} }
# getcerts | format > "${dir}/../certs.json" # getcerts | tojson > "${dir}/../etc/certs.json"
gethashes | format > "${dir}/../etc/certs.json" gethashes | tojson > "${dir}/../etc/certs.json"

View File

@ -20,6 +20,9 @@ tests.ca = {
pub: new Buffer(tests.ca.pub, 'hex') pub: new Buffer(tests.ca.pub, 'hex')
}; };
x509.allowUntrusted = true;
x509.trusted = {};
describe('BIP70', function() { describe('BIP70', function() {
function testRequest(data) { function testRequest(data) {
var request = bip70.PaymentRequest.fromRaw(data); var request = bip70.PaymentRequest.fromRaw(data);
@ -98,7 +101,7 @@ describe('BIP70', function() {
}); });
it('should fail to verify cert signatures when enforcing trust', function() { it('should fail to verify cert signatures when enforcing trust', function() {
x509.certs.push({}); x509.allowUntrusted = false;
var request = bip70.PaymentRequest.fromRaw(tests.valid); var request = bip70.PaymentRequest.fromRaw(tests.valid);
assert(!request.verifyChain()); assert(!request.verifyChain());
var request = bip70.PaymentRequest.fromRaw(tests.invalid); var request = bip70.PaymentRequest.fromRaw(tests.invalid);