paypro: lots of debugging. parse raw DER to get raw tbsCertificate.
This commit is contained in:
Christopher Jeffrey
parent
e86b70fd4a
commit
852ee54e36
@ -64,6 +64,20 @@ PayPro.prototype.x509Verify = function() {
|
|||||||
|
|
||||||
var chain = pki_data;
|
var chain = pki_data;
|
||||||
|
|
||||||
|
/*
|
||||||
|
var anchor = rfc3280.Certificate.decode(
|
||||||
|
new Buffer(chain[0].toString('hex'), 'hex'), 'der');
|
||||||
|
var anSigAlg = PayPro.getAlgorithm(anchor.signatureAlgorithm.algorithm, 1);
|
||||||
|
var anSig = anchor.signature.data;
|
||||||
|
|
||||||
|
var ca = rfc3280.Certificate.decode(
|
||||||
|
new Buffer(chain[chain.length - 1].toString('hex'), 'hex'), 'der');
|
||||||
|
var caPubKeyAlg = PayPro.getAlgorithm(
|
||||||
|
ca.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
|
||||||
|
var caPubKey = ca.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
|
||||||
|
caPubKey = self._DERtoPEM(caPubKey, caPubKeyAlg + ' PUBLIC KEY');
|
||||||
|
*/
|
||||||
|
|
||||||
// Verifying the cert chain:
|
// Verifying the cert chain:
|
||||||
// 1. Extract public key from next certificate.
|
// 1. Extract public key from next certificate.
|
||||||
// 2. Extract signature from current certificate.
|
// 2. Extract signature from current certificate.
|
||||||
@ -151,20 +165,20 @@ PayPro.prototype.x509Verify = function() {
|
|||||||
// "The keyIdentifier field of the authorityKeyIdentifier extension MUST be
|
// "The keyIdentifier field of the authorityKeyIdentifier extension MUST be
|
||||||
// included in all certificates generated by conforming CAs to facilitate
|
// included in all certificates generated by conforming CAs to facilitate
|
||||||
// certification path construction."
|
// certification path construction."
|
||||||
var aki = extensions.authorityKeyIdentifier;
|
// var aki = extensions.authorityKeyIdentifier;
|
||||||
aki.sha1Key = aki.raw.slice(4, 24);
|
// aki.sha1Key = aki.raw.slice(4, 24);
|
||||||
var ski = extensions.subjectKeyIdentifier;
|
// var ski = extensions.subjectKeyIdentifier;
|
||||||
ski.sha1Key = ski.decoded;
|
// ski.sha1Key = ski.decoded;
|
||||||
var ku = extensions.keyUsage;
|
// var ku = extensions.keyUsage;
|
||||||
|
|
||||||
// Next Extensions:
|
// Next Extensions:
|
||||||
var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
|
// var nextensions = rfc5280.decodeExtensions(nc, 'der', { partial: false });
|
||||||
var nextensionsVerified = nextensions.verified;
|
// var nextensionsVerified = nextensions.verified;
|
||||||
var naki = nextensions.authorityKeyIdentifier;
|
// var naki = nextensions.authorityKeyIdentifier;
|
||||||
naki.sha1Key = naki.raw.slice(4, 24);
|
// naki.sha1Key = naki.raw.slice(4, 24);
|
||||||
var nski = nextensions.subjectKeyIdentifier;
|
// var nski = nextensions.subjectKeyIdentifier;
|
||||||
nski.sha1Key = nski.decoded;
|
// nski.sha1Key = nski.decoded;
|
||||||
var nku = nextensions.keyUsage;
|
// var nku = nextensions.keyUsage;
|
||||||
|
|
||||||
// Object.keys(extensions).forEach(function(key) {
|
// Object.keys(extensions).forEach(function(key) {
|
||||||
// if (extensions[key].execute) {
|
// if (extensions[key].execute) {
|
||||||
@ -177,17 +191,66 @@ PayPro.prototype.x509Verify = function() {
|
|||||||
//
|
//
|
||||||
|
|
||||||
// Create a To-Be-Signed Certificate to verify using asn1.js:
|
// Create a To-Be-Signed Certificate to verify using asn1.js:
|
||||||
var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
|
//var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
|
||||||
|
var start = 0;
|
||||||
|
var starts = 0;
|
||||||
|
for (var start = 0; start < data.length; start++) {
|
||||||
|
if (starts === 1 && data[start] === 48) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (starts < 1 && data[start] === 48) {
|
||||||
|
starts++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var end = 0;
|
||||||
|
var ends = 0;
|
||||||
|
for (var end = data.length - 1; end > 0; end--) {
|
||||||
|
if (ends === 2 && data[end] === 48) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (ends < 2 && data[end] === 0) {
|
||||||
|
ends++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log(Array.prototype.slice.call(data.slice(1040)));
|
||||||
|
console.log(Array.prototype.slice.call(data.slice(0, 10)));
|
||||||
|
console.log(data[1039]);
|
||||||
|
|
||||||
|
// start: 4
|
||||||
|
// end: 1040
|
||||||
|
/*
|
||||||
|
for (var start = 0; start < data.length; start++) {
|
||||||
|
for (var end = 0; end < data.length + 1; end++) {
|
||||||
|
var tbs = data.slice(start, end);
|
||||||
|
var verifier = crypto.createVerify('RSA-' + sigAlg);
|
||||||
|
verifier.update(tbs);
|
||||||
|
var sigVerified = verifier.verify(npubKey, sig);
|
||||||
|
if (sigVerified) {
|
||||||
|
console.log('start: %d', start);
|
||||||
|
console.log('end: %d', end);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
var tbs = data.slice(start, end);
|
||||||
|
|
||||||
var verifier = crypto.createVerify('RSA-' + sigAlg);
|
var verifier = crypto.createVerify('RSA-' + sigAlg);
|
||||||
verifier.update(tbs);
|
verifier.update(tbs);
|
||||||
var sigVerified = verifier.verify(npubKey, sig);
|
var sigVerified = verifier.verify(npubKey, sig);
|
||||||
|
|
||||||
|
console.log('sigVerified: %s', sigVerified);
|
||||||
|
|
||||||
return validityVerified
|
return validityVerified
|
||||||
&& issuerVerified
|
&& issuerVerified
|
||||||
&& extensionsVerified
|
&& extensionsVerified
|
||||||
&& sigVerified;
|
&& sigVerified;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
console.log('verified && chainVerified:', verified && chainVerified);
|
||||||
|
|
||||||
return verified && chainVerified;
|
return verified && chainVerified;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user