2014-07-02 11:39:21 -07:00
|
|
|
'use strict';
|
2014-07-21 14:34:56 -07:00
|
|
|
|
2014-07-02 22:08:06 -07:00
|
|
|
var Message = Message || require('./Message');
|
2014-07-02 11:39:21 -07:00
|
|
|
|
2014-07-21 13:52:09 -07:00
|
|
|
var RootCerts = require('./common/RootCerts');
|
2014-07-16 17:58:47 -07:00
|
|
|
|
2014-07-21 14:34:56 -07:00
|
|
|
var PayPro = require('./common/PayPro');
|
2014-07-02 22:08:06 -07:00
|
|
|
|
2014-08-21 16:13:34 -07:00
|
|
|
var KJUR = require('jsrsasign');
|
|
|
|
|
|
2014-08-22 00:31:20 -07:00
|
|
|
var asn1 = require('asn1.js');
|
|
|
|
|
var rfc3280 = require('asn1.js/rfc/3280');
|
|
|
|
|
var Certificate = rfc3280.Certificate;
|
|
|
|
|
|
2014-07-21 11:17:38 -07:00
|
|
|
PayPro.prototype.x509Sign = function(key) {
|
2014-07-21 13:02:22 -07:00
|
|
|
var self = this;
|
2014-07-21 11:17:38 -07:00
|
|
|
var crypto = require('crypto');
|
2014-07-21 11:30:32 -07:00
|
|
|
var pki_type = this.get('pki_type');
|
2014-07-21 11:17:38 -07:00
|
|
|
var pki_data = this.get('pki_data'); // contains one or more x509 certs
|
2014-07-23 14:22:56 -07:00
|
|
|
pki_data = PayPro.X509Certificates.decode(pki_data);
|
|
|
|
|
pki_data = pki_data.certificate;
|
2014-07-21 11:17:38 -07:00
|
|
|
var details = this.get('serialized_payment_details');
|
|
|
|
|
var type = pki_type.split('+')[1].toUpperCase();
|
|
|
|
|
|
2014-07-24 17:40:56 -07:00
|
|
|
var trusted = pki_data.map(function(cert) {
|
2014-07-21 11:17:38 -07:00
|
|
|
var der = cert.toString('hex');
|
2014-07-21 13:02:22 -07:00
|
|
|
var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
2014-07-24 17:40:56 -07:00
|
|
|
return RootCerts.getTrusted(pem);
|
2014-07-21 11:17:38 -07:00
|
|
|
});
|
|
|
|
|
|
2014-07-24 17:40:56 -07:00
|
|
|
// XXX Figure out what to do here
|
|
|
|
|
if (!trusted.length) {
|
2014-07-21 11:17:38 -07:00
|
|
|
// throw new Error('Unstrusted certificate.');
|
2014-07-24 17:40:56 -07:00
|
|
|
} else {
|
|
|
|
|
trusted.forEach(function(name) {
|
|
|
|
|
// console.log('Certificate: %s', name);
|
|
|
|
|
});
|
2014-07-21 11:17:38 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var signature = crypto.createSign('RSA-' + type);
|
|
|
|
|
var buf = this.serializeForSig();
|
|
|
|
|
signature.update(buf);
|
|
|
|
|
var sig = signature.sign(key);
|
|
|
|
|
return sig;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
PayPro.prototype.x509Verify = function() {
|
2014-07-21 13:02:22 -07:00
|
|
|
var self = this;
|
2014-07-21 11:17:38 -07:00
|
|
|
var crypto = require('crypto');
|
2014-07-21 11:30:32 -07:00
|
|
|
var pki_type = this.get('pki_type');
|
2014-07-21 11:17:38 -07:00
|
|
|
var sig = this.get('signature');
|
|
|
|
|
var pki_data = this.get('pki_data');
|
2014-07-23 14:22:56 -07:00
|
|
|
pki_data = PayPro.X509Certificates.decode(pki_data);
|
|
|
|
|
pki_data = pki_data.certificate;
|
2014-07-21 11:17:38 -07:00
|
|
|
var details = this.get('serialized_payment_details');
|
|
|
|
|
var buf = this.serializeForSig();
|
|
|
|
|
var type = pki_type.split('+')[1].toUpperCase();
|
|
|
|
|
|
|
|
|
|
var verifier = crypto.createVerify('RSA-' + type);
|
|
|
|
|
verifier.update(buf);
|
|
|
|
|
|
2014-08-21 16:13:34 -07:00
|
|
|
var signedCert = pki_data[0];
|
|
|
|
|
var der = signedCert.toString('hex');
|
|
|
|
|
var pem = this._DERtoPEM(der, 'CERTIFICATE');
|
|
|
|
|
var verified = verifier.verify(pem, sig);
|
|
|
|
|
|
|
|
|
|
var chain = pki_data;
|
|
|
|
|
|
|
|
|
|
// Verifying the cert chain:
|
|
|
|
|
// 1. Extract public key from next certificate.
|
|
|
|
|
// 2. Extract signature from current certificate.
|
|
|
|
|
// 3. If current cert is not trusted, verify that the current cert is signed
|
|
|
|
|
// by NEXT by the certificate.
|
2014-08-22 08:38:19 -07:00
|
|
|
// NOTE: XXX What to do when the certificate is revoked?
|
2014-08-21 16:13:34 -07:00
|
|
|
|
2014-08-22 08:38:19 -07:00
|
|
|
var chainVerified = chain.every(function(cert, i) {
|
2014-07-21 11:17:38 -07:00
|
|
|
var der = cert.toString('hex');
|
2014-07-21 13:02:22 -07:00
|
|
|
var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
2014-07-24 17:40:56 -07:00
|
|
|
var name = RootCerts.getTrusted(pem);
|
2014-08-21 16:13:34 -07:00
|
|
|
|
|
|
|
|
var ncert = chain[i + 1];
|
|
|
|
|
// The root cert, check if it's trusted:
|
|
|
|
|
if (!ncert || name) {
|
2014-08-22 08:38:19 -07:00
|
|
|
chain.length = 0;
|
|
|
|
|
return true;
|
2014-07-21 11:17:38 -07:00
|
|
|
}
|
2014-08-21 16:13:34 -07:00
|
|
|
var nder = ncert.toString('hex');
|
|
|
|
|
var npem = self._DERtoPEM(nder, 'CERTIFICATE');
|
2014-07-21 11:17:38 -07:00
|
|
|
|
2014-08-22 08:38:19 -07:00
|
|
|
// Get public key from next certificate:
|
2014-08-22 00:31:20 -07:00
|
|
|
var data = new Buffer(nder, 'hex');
|
|
|
|
|
var nc = Certificate.decode(data, 'der');
|
|
|
|
|
var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
|
|
|
|
|
npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY');
|
|
|
|
|
|
2014-08-22 08:38:19 -07:00
|
|
|
// Get signature from current certificate:
|
2014-08-22 00:31:20 -07:00
|
|
|
var data = new Buffer(der, 'hex');
|
|
|
|
|
var c = Certificate.decode(data, 'der');
|
|
|
|
|
var sig = c.signature.data;
|
2014-08-21 16:13:34 -07:00
|
|
|
|
|
|
|
|
var verifier = crypto.createVerify('RSA-' + type);
|
|
|
|
|
|
2014-08-22 08:38:19 -07:00
|
|
|
// Create a To-Be-Signed Certificate to verify using asn1.js:
|
2014-08-22 00:34:41 -07:00
|
|
|
// Fails at Issuer:
|
|
|
|
|
var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
|
|
|
|
|
verifier.update(tbs);
|
2014-08-21 16:13:34 -07:00
|
|
|
|
2014-08-22 08:38:19 -07:00
|
|
|
return verifier.verify(npubKey, sig);
|
2014-07-21 11:17:38 -07:00
|
|
|
});
|
2014-08-21 16:13:34 -07:00
|
|
|
|
2014-08-22 08:38:19 -07:00
|
|
|
return verified && chainVerified;
|
2014-07-21 11:17:38 -07:00
|
|
|
};
|
|
|
|
|
|
2014-07-12 03:14:56 -07:00
|
|
|
module.exports = PayPro;
|
