From 852ee54e3651f3f2f86e36a9d7fafb1d468dc90f Mon Sep 17 00:00:00 2001
From: Christopher Jeffrey <chjjeffrey@gmail.com>
Date: Thu, 28 Aug 2014 16:35:27 -0700
Subject: [PATCH] paypro: lots of debugging. parse raw DER to get raw
 tbsCertificate.

---
 lib/PayPro.js | 89 +++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 76 insertions(+), 13 deletions(-)

diff --git a/lib/PayPro.js b/lib/PayPro.js
index 7dbc308..5add732 100644
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@@ -64,6 +64,20 @@ PayPro.prototype.x509Verify = function() {
 
   var chain = pki_data;
 
+/*
+  var anchor = rfc3280.Certificate.decode(
+    new Buffer(chain[0].toString('hex'), 'hex'), 'der');
+  var anSigAlg = PayPro.getAlgorithm(anchor.signatureAlgorithm.algorithm, 1);
+  var anSig = anchor.signature.data;
+
+  var ca = rfc3280.Certificate.decode(
+    new Buffer(chain[chain.length - 1].toString('hex'), 'hex'), 'der');
+  var caPubKeyAlg = PayPro.getAlgorithm(
+    ca.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
+  var caPubKey = ca.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
+  caPubKey = self._DERtoPEM(caPubKey, caPubKeyAlg + ' PUBLIC KEY');
+*/
+
   // Verifying the cert chain:
   // 1. Extract public key from next certificate.
   // 2. Extract signature from current certificate.
@@ -151,20 +165,20 @@ PayPro.prototype.x509Verify = function() {
     // "The keyIdentifier field of the authorityKeyIdentifier extension MUST be
     // included in all certificates generated by conforming CAs to facilitate
     // certification path construction."
-    var aki = extensions.authorityKeyIdentifier;
-    aki.sha1Key = aki.raw.slice(4, 24);
-    var ski = extensions.subjectKeyIdentifier;
-    ski.sha1Key = ski.decoded;
-    var ku = extensions.keyUsage;
+    // var aki = extensions.authorityKeyIdentifier;
+    // aki.sha1Key = aki.raw.slice(4, 24);
+    // var ski = extensions.subjectKeyIdentifier;
+    // ski.sha1Key = ski.decoded;
+    // var ku = extensions.keyUsage;
 
     // Next Extensions:
-    var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
-    var nextensionsVerified = nextensions.verified;
-    var naki = nextensions.authorityKeyIdentifier;
-    naki.sha1Key = naki.raw.slice(4, 24);
-    var nski = nextensions.subjectKeyIdentifier;
-    nski.sha1Key = nski.decoded;
-    var nku = nextensions.keyUsage;
+    // var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
+    // var nextensionsVerified = nextensions.verified;
+    // var naki = nextensions.authorityKeyIdentifier;
+    // naki.sha1Key = naki.raw.slice(4, 24);
+    // var nski = nextensions.subjectKeyIdentifier;
+    // nski.sha1Key = nski.decoded;
+    // var nku = nextensions.keyUsage;
 
     // Object.keys(extensions).forEach(function(key) {
     //   if (extensions[key].execute) {
@@ -177,17 +191,66 @@ PayPro.prototype.x509Verify = function() {
     //
 
     // Create a To-Be-Signed Certificate to verify using asn1.js:
-    var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
+    //var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
+    var start = 0;
+    var starts = 0;
+    for (var start = 0; start < data.length; start++) {
+      if (starts === 1 && data[start] === 48) {
+        break;
+      }
+      if (starts < 1 && data[start] === 48) {
+        starts++;
+      }
+    }
+
+    var end = 0;
+    var ends = 0;
+    for (var end = data.length - 1; end > 0; end--) {
+      if (ends === 2 && data[end] === 48) {
+        break;
+      }
+      if (ends < 2 && data[end] === 0) {
+        ends++;
+      }
+    }
+
+    console.log(Array.prototype.slice.call(data.slice(1040)));
+    console.log(Array.prototype.slice.call(data.slice(0, 10)));
+    console.log(data[1039]);
+
+    // start: 4
+    // end: 1040
+    /*
+    for (var start = 0; start < data.length; start++) {
+      for (var end = 0; end < data.length + 1; end++) {
+        var tbs = data.slice(start, end);
+        var verifier = crypto.createVerify('RSA-' + sigAlg);
+        verifier.update(tbs);
+        var sigVerified = verifier.verify(npubKey, sig);
+        if (sigVerified) {
+          console.log('start: %d', start);
+          console.log('end: %d', end);
+        }
+      }
+    }
+    */
+
+    var tbs = data.slice(start, end);
+
     var verifier = crypto.createVerify('RSA-' + sigAlg);
     verifier.update(tbs);
     var sigVerified = verifier.verify(npubKey, sig);
 
+    console.log('sigVerified: %s', sigVerified);
+
     return validityVerified
       && issuerVerified
       && extensionsVerified
       && sigVerified;
   });
 
+  console.log('verified && chainVerified:', verified && chainVerified);
+
   return verified && chainVerified;
 };