From 4e883ceba6020820dab631924d24d18cff23ea12 Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Fri, 29 Aug 2014 20:02:20 -0700 Subject: [PATCH 1/5] paypro: grab npubKeyAlg in browser. --- lib/browser/PayPro.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index 3058284..780f4ef 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -146,6 +146,8 @@ PayPro.prototype.x509Verify = function(returnTrust) { // var ndata = new Buffer(nder, 'hex'); var nc = rfc3280.Certificate.decode(ndata, 'der'); + var npubKeyAlg = PayPro.getAlgorithm( + nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm); // // Get Public Key from next certificate (via KJUR because it's a mess): @@ -156,6 +158,7 @@ PayPro.prototype.x509Verify = function(returnTrust) { }); js.initVerifyByCertificatePEM(npem); var npubKey = js.pubKey; + // XXX Somehow change the pubKey format to npubKeyAlg. // // Get Signature Value from current certificate: From a73699ba644125eb5f57ffe60ae7868cd107ebda Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Fri, 29 Aug 2014 20:05:35 -0700 Subject: [PATCH 2/5] paypro: add PayPro.verifyCertChain. --- lib/PayPro.js | 32 ++++++++++++++++++-------------- lib/browser/PayPro.js | 32 ++++++++++++++++++-------------- 2 files changed, 36 insertions(+), 28 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index eb0cd7a..2289491 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -107,7 +107,24 @@ PayPro.prototype.x509Verify = function(returnTrust) { return verified; } - var chainVerified = chain.every(function(cert, i) { + var chainVerified = PayPro.verifyCertChain(chain, type); + + if (returnTrust) { + return { + selfSigned: 0, // no + isChain: true, + verified: verified, + caTrusted: !!caName, + caName: caName || null, + chainVerified: chainVerified + }; + } + + return verified && chainVerified; +}; + +PayPro.verifyCertChain = function(chain, type) { + return chain.every(function(cert, i) { var der = cert.toString('hex'); var pem = PayPro.DERtoPEM(der, 'CERTIFICATE'); var name = RootCerts.getTrusted(pem); @@ -168,19 +185,6 @@ PayPro.prototype.x509Verify = function(returnTrust) { && issuerVerified && sigVerified; }); - - if (returnTrust) { - return { - selfSigned: 0, // no - isChain: true, - verified: verified, - caTrusted: !!caName, - caName: caName || null, - chainVerified: chainVerified - }; - } - - return verified && chainVerified; }; module.exports = PayPro; diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index 780f4ef..44aa424 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -122,7 +122,24 @@ PayPro.prototype.x509Verify = function(returnTrust) { return verified; } - var chainVerified = chain.every(function(cert, i) { + var chainVerified = PayPro.verifyCertChain(chain, type); + + if (returnTrust) { + return { + selfSigned: 0, // no + isChain: true, + verified: verified, + caTrusted: !!caName, + caName: caName || null, + chainVerified: chainVerified + }; + } + + return verified && chainVerified; +}; + +PayPro.verifyCertChain = function(chain, type) { + return chain.every(function(cert, i) { var der = cert.toString('hex'); // var pem = self._DERtoPEM(der, 'CERTIFICATE'); var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); @@ -200,19 +217,6 @@ PayPro.prototype.x509Verify = function(returnTrust) { && issuerVerified && sigVerified; }); - - if (returnTrust) { - return { - selfSigned: 0, // no - isChain: true, - verified: verified, - caTrusted: !!caName, - caName: caName || null, - chainVerified: chainVerified - }; - } - - return verified && chainVerified; }; module.exports = PayPro; From a50b9ed3a31c723dd1b1fdfe3db77fae9dff5780 Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Fri, 29 Aug 2014 20:31:27 -0700 Subject: [PATCH 3/5] paypro: implement "none" pki_type. --- lib/PayPro.js | 40 ++++++++++++------- lib/browser/PayPro.js | 91 +++++++++++++++++++++++++------------------ 2 files changed, 80 insertions(+), 51 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index 2289491..9d3f5d3 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -17,12 +17,19 @@ PayPro.prototype.x509Sign = function(key, returnTrust) { pki_data = PayPro.X509Certificates.decode(pki_data); pki_data = pki_data.certificate; var details = this.get('serialized_payment_details'); - var type = pki_type.split('+')[1].toUpperCase(); + var type = pki_type !== 'none' + ? pki_type.split('+')[1].toUpperCase() + : pki_type; - var signature = crypto.createSign('RSA-' + type); - var buf = this.serializeForSig(); - signature.update(buf); - var sig = signature.sign(key); + if (type !== 'none') { + var signature = crypto.createSign('RSA-' + type); + var buf = this.serializeForSig(); + signature.update(buf); + var sig = signature.sign(key); + } else { + var buf = this.serializeForSig(); + var sig = ''; + } if (returnTrust) { var cert = pki_data[pki_data.length - 1]; @@ -57,15 +64,20 @@ PayPro.prototype.x509Verify = function(returnTrust) { pki_data = pki_data.certificate; var details = this.get('serialized_payment_details'); var buf = this.serializeForSig(); - var type = pki_type.split('+')[1].toUpperCase(); + var type = pki_type !== 'none' + ? pki_type.split('+')[1].toUpperCase() + : pki_type; - var verifier = crypto.createVerify('RSA-' + type); - verifier.update(buf); - - var signedCert = pki_data[0]; - var der = signedCert.toString('hex'); - var pem = PayPro.DERtoPEM(der, 'CERTIFICATE'); - var verified = verifier.verify(pem, sig); + if (type !== 'none') { + var verifier = crypto.createVerify('RSA-' + type); + verifier.update(buf); + var signedCert = pki_data[0]; + var der = signedCert.toString('hex'); + var pem = PayPro.DERtoPEM(der, 'CERTIFICATE'); + var verified = verifier.verify(pem, sig); + } else { + var verified = true; + } var chain = pki_data; @@ -177,7 +189,7 @@ PayPro.verifyCertChain = function(chain, type) { // from the DER Certificate: var tbs = PayPro.getTBSCertificate(data); - var verifier = crypto.createVerify('RSA-' + sigAlg); + var verifier = crypto.createVerify(type ? 'RSA-' + type : 'RSA'); verifier.update(tbs); var sigVerified = verifier.verify(npubKey, sig); diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index 44aa424..f62e125 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -18,23 +18,29 @@ PayPro.prototype.x509Sign = function(key, returnTrust) { var pki_data = this.get('pki_data'); // contains one or more x509 certs pki_data = PayPro.X509Certificates.decode(pki_data); pki_data = pki_data.certificate; - var type = pki_type.split('+')[1].toUpperCase(); + var type = pki_type !== 'none' + ? pki_type.split('+')[1].toUpperCase() + : pki_type; var buf = this.serializeForSig(); var rsa = new KJUR.RSAKey(); rsa.readPrivateKeyFromPEMString(key.toString()); key = rsa; - var jsrsaSig = new KJUR.crypto.Signature({ - alg: type + 'withRSA', - prov: 'cryptojs/jsrsa' - }); + if (type !== 'none') { + var jsrsaSig = new KJUR.crypto.Signature({ + alg: type + 'withRSA', + prov: 'cryptojs/jsrsa' + }); - jsrsaSig.init(key); + jsrsaSig.init(key); - jsrsaSig.updateHex(buf.toString('hex')); + jsrsaSig.updateHex(buf.toString('hex')); - var sig = new Buffer(jsrsaSig.sign(), 'hex'); + var sig = new Buffer(jsrsaSig.sign(), 'hex'); + } else { + var sig = ''; + } if (returnTrust) { var cert = pki_data[pki_data.length - 1]; @@ -66,20 +72,25 @@ PayPro.prototype.x509Verify = function(returnTrust) { pki_data = PayPro.X509Certificates.decode(pki_data); pki_data = pki_data.certificate; var buf = this.serializeForSig(); - var type = pki_type.split('+')[1].toUpperCase(); + var type = pki_type !== 'none' + ? pki_type.split('+')[1].toUpperCase() + : pki_type; - var jsrsaSig = new KJUR.crypto.Signature({ - alg: type + 'withRSA', - prov: 'cryptojs/jsrsa' - }); - - var signedCert = pki_data[0]; - var der = signedCert.toString('hex'); - // var pem = self._DERtoPEM(der, 'CERTIFICATE'); - var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); - jsrsaSig.initVerifyByCertificatePEM(pem); - jsrsaSig.updateHex(buf.toString('hex')); - var verified = jsrsaSig.verify(sig.toString('hex')); + if (type !== 'none') { + var jsrsaSig = new KJUR.crypto.Signature({ + alg: type + 'withRSA', + prov: 'cryptojs/jsrsa' + }); + var signedCert = pki_data[0]; + var der = signedCert.toString('hex'); + // var pem = self._DERtoPEM(der, 'CERTIFICATE'); + var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); + jsrsaSig.initVerifyByCertificatePEM(pem); + jsrsaSig.updateHex(buf.toString('hex')); + var verified = jsrsaSig.verify(sig.toString('hex')); + } else { + var verified = true; + } var chain = pki_data; @@ -169,12 +180,14 @@ PayPro.verifyCertChain = function(chain, type) { // // Get Public Key from next certificate (via KJUR because it's a mess): // - var js = new KJUR.crypto.Signature({ - alg: type + 'withRSA', - prov: 'cryptojs/jsrsa' - }); - js.initVerifyByCertificatePEM(npem); - var npubKey = js.pubKey; + if (type !== 'none') { + var js = new KJUR.crypto.Signature({ + alg: type + 'withRSA', + prov: 'cryptojs/jsrsa' + }); + js.initVerifyByCertificatePEM(npem); + var npubKey = js.pubKey; + } // XXX Somehow change the pubKey format to npubKeyAlg. // @@ -199,19 +212,23 @@ PayPro.verifyCertChain = function(chain, type) { // Verify current Certificate signature // - var jsrsaSig = new KJUR.crypto.Signature({ - alg: type + 'withRSA', - prov: 'cryptojs/jsrsa' - }); - jsrsaSig.initVerifyByPublicKey(npubKey); + if (type !== 'none') { + var jsrsaSig = new KJUR.crypto.Signature({ + alg: type + 'withRSA', + prov: 'cryptojs/jsrsa' + }); + jsrsaSig.initVerifyByPublicKey(npubKey); - // Get the raw DER TBSCertificate - // from the DER Certificate: - var tbs = PayPro.getTBSCertificate(data); + // Get the raw DER TBSCertificate + // from the DER Certificate: + var tbs = PayPro.getTBSCertificate(data); - jsrsaSig.updateHex(tbs.toString('hex')); + jsrsaSig.updateHex(tbs.toString('hex')); - var sigVerified = jsrsaSig.verify(sig.toString('hex')); + var sigVerified = jsrsaSig.verify(sig.toString('hex')); + } else { + var sigVerified = true; + } return validityVerified && issuerVerified From b53e285a7cf61b6167f5e11b2695baf81db9218b Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Tue, 2 Sep 2014 19:31:44 -0700 Subject: [PATCH 4/5] paypro: rename type to sigHashAlg. --- lib/PayPro.js | 7 +++++-- lib/browser/PayPro.js | 13 ++++++++----- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index 9d3f5d3..c1e6d7b 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -135,7 +135,10 @@ PayPro.prototype.x509Verify = function(returnTrust) { return verified && chainVerified; }; -PayPro.verifyCertChain = function(chain, type) { +PayPro.verifyCertChain = function(chain, sigHashAlg) { + if (sigHashAlg === 'none') { + return true; + } return chain.every(function(cert, i) { var der = cert.toString('hex'); var pem = PayPro.DERtoPEM(der, 'CERTIFICATE'); @@ -189,7 +192,7 @@ PayPro.verifyCertChain = function(chain, type) { // from the DER Certificate: var tbs = PayPro.getTBSCertificate(data); - var verifier = crypto.createVerify(type ? 'RSA-' + type : 'RSA'); + var verifier = crypto.createVerify('RSA-' + sigHashAlg); verifier.update(tbs); var sigVerified = verifier.verify(npubKey, sig); diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index f62e125..011950d 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -149,7 +149,10 @@ PayPro.prototype.x509Verify = function(returnTrust) { return verified && chainVerified; }; -PayPro.verifyCertChain = function(chain, type) { +PayPro.verifyCertChain = function(chain, sigHashAlg) { + if (sigHashAlg === 'none') { + return true; + } return chain.every(function(cert, i) { var der = cert.toString('hex'); // var pem = self._DERtoPEM(der, 'CERTIFICATE'); @@ -180,9 +183,9 @@ PayPro.verifyCertChain = function(chain, type) { // // Get Public Key from next certificate (via KJUR because it's a mess): // - if (type !== 'none') { + if (sigHashAlg !== 'none') { var js = new KJUR.crypto.Signature({ - alg: type + 'withRSA', + alg: sigHashAlg + 'withRSA', prov: 'cryptojs/jsrsa' }); js.initVerifyByCertificatePEM(npem); @@ -212,9 +215,9 @@ PayPro.verifyCertChain = function(chain, type) { // Verify current Certificate signature // - if (type !== 'none') { + if (sigHashAlg !== 'none') { var jsrsaSig = new KJUR.crypto.Signature({ - alg: type + 'withRSA', + alg: sigHashAlg + 'withRSA', prov: 'cryptojs/jsrsa' }); jsrsaSig.initVerifyByPublicKey(npubKey); From b0f680ccdaf5dc78cbd024c2df240d64a575f80f Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Thu, 4 Sep 2014 15:31:43 -0700 Subject: [PATCH 5/5] payro: fix crypto module require. --- lib/PayPro.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index c1e6d7b..ff1027a 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -1,5 +1,7 @@ 'use strict'; +var crypto = require('crypto'); + var Message = Message || require('./Message'); var RootCerts = require('./common/RootCerts'); @@ -11,7 +13,6 @@ var rfc3280 = require('asn1.js/rfc/3280'); PayPro.prototype.x509Sign = function(key, returnTrust) { var self = this; - var crypto = require('crypto'); var pki_type = this.get('pki_type'); var pki_data = this.get('pki_data'); pki_data = PayPro.X509Certificates.decode(pki_data); @@ -56,7 +57,6 @@ PayPro.prototype.x509Sign = function(key, returnTrust) { PayPro.prototype.x509Verify = function(returnTrust) { var self = this; - var crypto = require('crypto'); var pki_type = this.get('pki_type'); var sig = this.get('signature'); var pki_data = this.get('pki_data');