paypro: more comments. debug.
This commit is contained in:
Christopher Jeffrey
parent
852ee54e36
commit
12c56854b9
@ -64,28 +64,6 @@ PayPro.prototype.x509Verify = function() {
|
||||
|
||||
var chain = pki_data;
|
||||
|
||||
/*
|
||||
var anchor = rfc3280.Certificate.decode(
|
||||
new Buffer(chain[0].toString('hex'), 'hex'), 'der');
|
||||
var anSigAlg = PayPro.getAlgorithm(anchor.signatureAlgorithm.algorithm, 1);
|
||||
var anSig = anchor.signature.data;
|
||||
|
||||
var ca = rfc3280.Certificate.decode(
|
||||
new Buffer(chain[chain.length - 1].toString('hex'), 'hex'), 'der');
|
||||
var caPubKeyAlg = PayPro.getAlgorithm(
|
||||
ca.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
|
||||
var caPubKey = ca.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
|
||||
caPubKey = self._DERtoPEM(caPubKey, caPubKeyAlg + ' PUBLIC KEY');
|
||||
*/
|
||||
|
||||
// Verifying the cert chain:
|
||||
// 1. Extract public key from next certificate.
|
||||
// 2. Extract signature from current certificate.
|
||||
// 3. If current cert is not trusted, verify that the current cert is signed
|
||||
// by NEXT by the certificate.
|
||||
// NOTE: What to do when the certificate is
|
||||
// revoked -> Hit CRL Distribution Points URL
|
||||
|
||||
var chainVerified = chain.every(function(cert, i) {
|
||||
var der = cert.toString('hex');
|
||||
var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
||||
@ -155,43 +133,13 @@ PayPro.prototype.x509Verify = function() {
|
||||
});
|
||||
});
|
||||
|
||||
//
|
||||
// Handle Cert Extensions
|
||||
//
|
||||
var extensions = rfc5280.decodeExtensions(c, 'der', { partial: false });
|
||||
var extensionsVerified = extensions.verified;
|
||||
|
||||
// The two most important extensions:
|
||||
// "The keyIdentifier field of the authorityKeyIdentifier extension MUST be
|
||||
// included in all certificates generated by conforming CAs to facilitate
|
||||
// certification path construction."
|
||||
// var aki = extensions.authorityKeyIdentifier;
|
||||
// aki.sha1Key = aki.raw.slice(4, 24);
|
||||
// var ski = extensions.subjectKeyIdentifier;
|
||||
// ski.sha1Key = ski.decoded;
|
||||
// var ku = extensions.keyUsage;
|
||||
|
||||
// Next Extensions:
|
||||
// var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
|
||||
// var nextensionsVerified = nextensions.verified;
|
||||
// var naki = nextensions.authorityKeyIdentifier;
|
||||
// naki.sha1Key = naki.raw.slice(4, 24);
|
||||
// var nski = nextensions.subjectKeyIdentifier;
|
||||
// nski.sha1Key = nski.decoded;
|
||||
// var nku = nextensions.keyUsage;
|
||||
|
||||
// Object.keys(extensions).forEach(function(key) {
|
||||
// if (extensions[key].execute) {
|
||||
// c = extensions[key].execute(c);
|
||||
// }
|
||||
// });
|
||||
|
||||
//
|
||||
// Verify current certificate signature
|
||||
//
|
||||
|
||||
// Create a To-Be-Signed Certificate to verify using asn1.js:
|
||||
//var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
|
||||
// Grab the raw DER To-Be-Signed Certificate to verify:
|
||||
// First 10 bytes usually look like:
|
||||
// [ 48, 130, 5, 32, 48, 130, 4, 8, 160, 3 ]
|
||||
var start = 0;
|
||||
var starts = 0;
|
||||
for (var start = 0; start < data.length; start++) {
|
||||
@ -203,6 +151,14 @@ PayPro.prototype.x509Verify = function() {
|
||||
}
|
||||
}
|
||||
|
||||
// The bytes *after* the TBS (including the last TBS byte) will look like
|
||||
// (note the 48 - the start of the sig, and the 122 - the end of the TBS):
|
||||
// [ 122, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 3, ... ]
|
||||
|
||||
// The certificate in these examples has a `start` of 4, and an `end` of
|
||||
// 1040. The 4 bytes is the DER SEQ of the Certificate, right before the
|
||||
// SEQ of the TBSCertificate.
|
||||
|
||||
var end = 0;
|
||||
var ends = 0;
|
||||
for (var end = data.length - 1; end > 0; end--) {
|
||||
@ -214,26 +170,9 @@ PayPro.prototype.x509Verify = function() {
|
||||
}
|
||||
}
|
||||
|
||||
console.log(Array.prototype.slice.call(data.slice(1040)));
|
||||
console.log(Array.prototype.slice.call(data.slice(0, 10)));
|
||||
console.log(data[1039]);
|
||||
|
||||
// start: 4
|
||||
// end: 1040
|
||||
/*
|
||||
for (var start = 0; start < data.length; start++) {
|
||||
for (var end = 0; end < data.length + 1; end++) {
|
||||
var tbs = data.slice(start, end);
|
||||
var verifier = crypto.createVerify('RSA-' + sigAlg);
|
||||
verifier.update(tbs);
|
||||
var sigVerified = verifier.verify(npubKey, sig);
|
||||
if (sigVerified) {
|
||||
console.log('start: %d', start);
|
||||
console.log('end: %d', end);
|
||||
}
|
||||
}
|
||||
}
|
||||
*/
|
||||
console.log(Array.prototype.slice.call(data.slice(end - 1)));
|
||||
console.log(Array.prototype.slice.call(data.slice(0, start + 6)));
|
||||
console.log('start=%d, end=%d', start, end);
|
||||
|
||||
var tbs = data.slice(start, end);
|
||||
|
||||
@ -241,11 +180,8 @@ PayPro.prototype.x509Verify = function() {
|
||||
verifier.update(tbs);
|
||||
var sigVerified = verifier.verify(npubKey, sig);
|
||||
|
||||
console.log('sigVerified: %s', sigVerified);
|
||||
|
||||
return validityVerified
|
||||
&& issuerVerified
|
||||
&& extensionsVerified
|
||||
&& sigVerified;
|
||||
});
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user