paypro: lots of debugging. parse raw DER to get raw tbsCertificate.

2014-08-28 16:35:27 -07:00 · 2014-08-28 16:35:27 -07:00 · 852ee54e36
commit 852ee54e36
parent e86b70fd4a
1 changed files with 76 additions and 13 deletions
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@ -64,6 +64,20 @@ PayPro.prototype.x509Verify = function() {

  var chain = pki_data;

+/*
+  var anchor = rfc3280.Certificate.decode(
+    new Buffer(chain[0].toString('hex'), 'hex'), 'der');
+  var anSigAlg = PayPro.getAlgorithm(anchor.signatureAlgorithm.algorithm, 1);
+  var anSig = anchor.signature.data;
+
+  var ca = rfc3280.Certificate.decode(
+    new Buffer(chain[chain.length - 1].toString('hex'), 'hex'), 'der');
+  var caPubKeyAlg = PayPro.getAlgorithm(
+    ca.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
+  var caPubKey = ca.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
+  caPubKey = self._DERtoPEM(caPubKey, caPubKeyAlg + ' PUBLIC KEY');
+*/
+
  // Verifying the cert chain:
  // 1. Extract public key from next certificate.
  // 2. Extract signature from current certificate.
@ -151,20 +165,20 @@ PayPro.prototype.x509Verify = function() {
    // "The keyIdentifier field of the authorityKeyIdentifier extension MUST be
    // included in all certificates generated by conforming CAs to facilitate
    // certification path construction."
-    var aki = extensions.authorityKeyIdentifier;
-    aki.sha1Key = aki.raw.slice(4, 24);
-    var ski = extensions.subjectKeyIdentifier;
-    ski.sha1Key = ski.decoded;
-    var ku = extensions.keyUsage;
+    // var aki = extensions.authorityKeyIdentifier;
+    // aki.sha1Key = aki.raw.slice(4, 24);
+    // var ski = extensions.subjectKeyIdentifier;
+    // ski.sha1Key = ski.decoded;
+    // var ku = extensions.keyUsage;

    // Next Extensions:
-    var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
-    var nextensionsVerified = nextensions.verified;
-    var naki = nextensions.authorityKeyIdentifier;
-    naki.sha1Key = naki.raw.slice(4, 24);
-    var nski = nextensions.subjectKeyIdentifier;
-    nski.sha1Key = nski.decoded;
-    var nku = nextensions.keyUsage;
+    // var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
+    // var nextensionsVerified = nextensions.verified;
+    // var naki = nextensions.authorityKeyIdentifier;
+    // naki.sha1Key = naki.raw.slice(4, 24);
+    // var nski = nextensions.subjectKeyIdentifier;
+    // nski.sha1Key = nski.decoded;
+    // var nku = nextensions.keyUsage;

    // Object.keys(extensions).forEach(function(key) {
    //   if (extensions[key].execute) {
@ -177,17 +191,66 @@ PayPro.prototype.x509Verify = function() {
    //

    // Create a To-Be-Signed Certificate to verify using asn1.js:
-    var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
+    //var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
+    var start = 0;
+    var starts = 0;
+    for (var start = 0; start < data.length; start++) {
+      if (starts === 1 && data[start] === 48) {
+        break;
+      }
+      if (starts < 1 && data[start] === 48) {
+        starts++;
+      }
+    }
+
+    var end = 0;
+    var ends = 0;
+    for (var end = data.length - 1; end > 0; end--) {
+      if (ends === 2 && data[end] === 48) {
+        break;
+      }
+      if (ends < 2 && data[end] === 0) {
+        ends++;
+      }
+    }
+
+    console.log(Array.prototype.slice.call(data.slice(1040)));
+    console.log(Array.prototype.slice.call(data.slice(0, 10)));
+    console.log(data[1039]);
+
+    // start: 4
+    // end: 1040
+    /*
+    for (var start = 0; start < data.length; start++) {
+      for (var end = 0; end < data.length + 1; end++) {
+        var tbs = data.slice(start, end);
+        var verifier = crypto.createVerify('RSA-' + sigAlg);
+        verifier.update(tbs);
+        var sigVerified = verifier.verify(npubKey, sig);
+        if (sigVerified) {
+          console.log('start: %d', start);
+          console.log('end: %d', end);
+        }
+      }
+    }
+    */
+
+    var tbs = data.slice(start, end);
+
    var verifier = crypto.createVerify('RSA-' + sigAlg);
    verifier.update(tbs);
    var sigVerified = verifier.verify(npubKey, sig);

+    console.log('sigVerified: %s', sigVerified);
+
    return validityVerified
      && issuerVerified
      && extensionsVerified
      && sigVerified;
  });

+  console.log('verified && chainVerified:', verified && chainVerified);
+
  return verified && chainVerified;
 };