RanchiMall/flocore
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

paypro: get chain validation working in the browser.

Browse Source
This commit is contained in:
Christopher Jeffrey 2014-08-28 17:32:13 -07:00
parent a39aeeb446
commit eba2825f5a
2 changed files with 66 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/PayPro.js
View File

@ -8,7 +8,6 @@ var PayPro = require('./common/PayPro');
var asn1 = require('asn1.js');
var rfc3280 = require('asn1.js/rfc/3280');
var rfc5280 = require('asn1.js/rfc/5280');
PayPro.prototype.x509Sign = function(key) {
var self = this;

83
lib/browser/PayPro.js
View File

@ -5,6 +5,7 @@ var KJUR = require('jsrsasign');
var assert = require('assert');
var PayPro = require('../common/PayPro');
var RootCerts = require('../common/RootCerts');
var asn1 = require('asn1.js');
var rfc3280 = require('asn1.js/rfc/3280');
@ -68,6 +69,7 @@ PayPro.prototype.x509Verify = function(key) {
var signedCert = pki_data[0];
var der = signedCert.toString('hex');
// var pem = self._DERtoPEM(der, 'CERTIFICATE');
var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
jsrsaSig.initVerifyByCertificatePEM(pem);
jsrsaSig.updateHex(buf.toString('hex'));
@ -75,15 +77,9 @@ PayPro.prototype.x509Verify = function(key) {
var chain = pki_data;
// Verifying the cert chain:
// 1. Extract public key from next certificate.
// 2. Extract signature from current certificate.
// 3. If current cert is not trusted, verify that the current cert is signed
// by NEXT by the certificate.
// NOTE: XXX What to do when the certificate is revoked?
var chainVerified = chain.every(function(cert, i) {
var der = cert.toString('hex');
// var pem = self._DERtoPEM(der, 'CERTIFICATE');
var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
var name = RootCerts.getTrusted(pem);
@ -97,15 +93,22 @@ PayPro.prototype.x509Verify = function(key) {
return true;
}
var nder = ncert.toString('hex');
// var npem = self._DERtoPEM(nder, 'CERTIFICATE');
var npem = KJUR.asn1.ASN1Util.getPEMStringFromHex(nder, 'CERTIFICATE');
// Get public key from next certificate:
// var data = new Buffer(nder, 'hex');
// var nc = rfc3280.Certificate.decode(data, 'der');
//
// Get Public Key from next certificate:
//
// var ndata = new Buffer(nder, 'hex');
// var nc = rfc3280.Certificate.decode(ndata, 'der');
// var npubKeyAlg = PayPro.getAlgorithm(
// nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
// var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
// npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey, 'RSA PUBLIC KEY');
// // npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY');
// // npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey.toString('hex'), 'PUBLIC KEY');
// npubKey = KJUR.asn1.ASN1Util.getPEMStringFromHex(npubKey.toString('hex'), npubKeyAlg + ' PUBLIC KEY');
// Get public key from next certificate via KJUR:
// Get public key from next certificate via KJUR since sane methods don't work:
var js = new KJUR.crypto.Signature({
alg: type + 'withRSA',
prov: 'cryptojs/jsrsa'
@ -113,23 +116,69 @@ PayPro.prototype.x509Verify = function(key) {
js.initVerifyByCertificatePEM(npem);
var npubKey = js.pubKey;
// Get signature from current certificate:
//
// Get Signature Value from current certificate:
//
var data = new Buffer(der, 'hex');
var c = rfc3280.Certificate.decode(data, 'der');
var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);
var sig = c.signature.data;
//
// Check Validity of Certificates
//
var validityVerified = true;
var now = Date.now();
var cBefore = c.tbsCertificate.validity.notBefore.value;
var cAfter = c.tbsCertificate.validity.notAfter.value;
var nBefore = nc.tbsCertificate.validity.notBefore.value;
var nAfter = nc.tbsCertificate.validity.notAfter.value;
if (cBefore > now || cAfter < now || nBefore > now || nAfter < now) {
validityVerified = false;
}
//
// Check the Issuer matches the Subject of the next certificate:
//
var issuer = c.tbsCertificate.issuer;
var subject = nc.tbsCertificate.subject;
var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) {
var subjectArray = subject.value[i];
return issuerArray.every(function(issuerObject, i) {
var subjectObject = subjectArray[i];
var issuerObjectType = issuerObject.type.join('.');
var subjectObjectType = subjectObject.type.join('.');
var issuerObjectValue = issuerObject.value.toString('hex');
var subjectObjectValue = subjectObject.value.toString('hex');
return issuerObjectType === subjectObjectType
&& issuerObjectValue === subjectObjectValue;
});
});
//
// Verify current Certificate signature
//
var jsrsaSig = new KJUR.crypto.Signature({
alg: type + 'withRSA',
prov: 'cryptojs/jsrsa'
});
jsrsaSig.initVerifyByPublicKey(npubKey);
// Create a To-Be-Signed Certificate to verify using asn1.js:
// Fails at Issuer:
var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
// Get the raw DER TBSCertificate
// from the DER Certificate:
var tbs = PayPro.getTBSCertificate(data);
jsrsaSig.updateHex(tbs.toString('hex'));
return jsrsaSig.verify(sig.toString('hex'));
var sigVerified = jsrsaSig.verify(sig.toString('hex'));
return validityVerified
&& issuerVerified
&& sigVerified;
});
return verified && chainVerified;