bitcore-lib-zcash/lib/PayPro.js

'use strict';

var Message = Message || require('./Message');

var RootCerts = require('./common/RootCerts');

var PayPro = require('./common/PayPro');

var KJUR = require('jsrsasign');

var asn1 = require('asn1.js');
var rfc3280 = require('asn1.js/rfc/3280');

PayPro.prototype.x509Sign = function(key) {
  var self = this;
  var crypto = require('crypto');
  var pki_type = this.get('pki_type');
  var pki_data = this.get('pki_data'); // contains one or more x509 certs
  pki_data = PayPro.X509Certificates.decode(pki_data);
  pki_data = pki_data.certificate;
  var details = this.get('serialized_payment_details');
  var type = pki_type.split('+')[1].toUpperCase();

  var trusted = pki_data.map(function(cert) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    return RootCerts.getTrusted(pem);
  });

  // XXX Figure out what to do here
  if (!trusted.length) {
    // throw new Error('Unstrusted certificate.');
  } else {
    trusted.forEach(function(name) {
      // console.log('Certificate: %s', name);
    });
  }

  var signature = crypto.createSign('RSA-' + type);
  var buf = this.serializeForSig();
  signature.update(buf);
  var sig = signature.sign(key);
  return sig;
};

PayPro.prototype.x509Verify = function() {
  var self = this;
  var crypto = require('crypto');
  var pki_type = this.get('pki_type');
  var sig = this.get('signature');
  var pki_data = this.get('pki_data');
  pki_data = PayPro.X509Certificates.decode(pki_data);
  pki_data = pki_data.certificate;
  var details = this.get('serialized_payment_details');
  var buf = this.serializeForSig();
  var type = pki_type.split('+')[1].toUpperCase();

  var verifier = crypto.createVerify('RSA-' + type);
  verifier.update(buf);

  var signedCert = pki_data[0];
  var der = signedCert.toString('hex');
  var pem = this._DERtoPEM(der, 'CERTIFICATE');
  var verified = verifier.verify(pem, sig);

  var chain = pki_data;

  // Verifying the cert chain:
  // 1. Extract public key from next certificate.
  // 2. Extract signature from current certificate.
  // 3. If current cert is not trusted, verify that the current cert is signed
  //    by NEXT by the certificate.
  // NOTE: XXX What to do when the certificate is revoked?

  var chainVerified = chain.every(function(cert, i) {
    var der = cert.toString('hex');
    var pem = self._DERtoPEM(der, 'CERTIFICATE');
    var name = RootCerts.getTrusted(pem);

    var ncert = chain[i + 1];
    // The root cert, check if it's trusted:
    if (!ncert || name) {
      if (!ncert && !name) {
        return false;
      }
      chain.length = 0;
      return true;
    }
    var nder = ncert.toString('hex');
    var npem = self._DERtoPEM(nder, 'CERTIFICATE');

    //
    // Get Public Key from next certificate:
    //
    var ndata = new Buffer(nder, 'hex');
    var nc = rfc3280.Certificate.decode(ndata, 'der');
    var npubKeyAlg = PayPro.getAlgorithm(
      nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);
    var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
    npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY');

    //
    // Get Signature Value from current certificate:
    //
    var data = new Buffer(der, 'hex');
    var c = rfc3280.Certificate.decode(data, 'der');
    var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);
    var sig = c.signature.data;

    //
    // Check Validity of Certificates
    //
    var validityVerified = true;
    var now = Date.now();
    var cBefore = c.tbsCertificate.validity.notBefore.value;
    var cAfter = c.tbsCertificate.validity.notAfter.value;
    var nBefore = nc.tbsCertificate.validity.notBefore.value;
    var nAfter = nc.tbsCertificate.validity.notAfter.value;
    if (cBefore > now || cAfter < now || nBefore > now || nAfter < now) {
      validityVerified = false;
    }

    //
    // Check the Issuer matches the Subject of the next certificate:
    //
    var issuer = c.tbsCertificate.issuer;
    var subject = nc.tbsCertificate.subject;
    var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) {
      var subjectArray = subject.value[i];
      return issuerArray.every(function(issuerObject, i) {
        var subjectObject = subjectArray[i];

        var issuerObjectType = issuerObject.type.join('.');
        var subjectObjectType = subjectObject.type.join('.');

        var issuerObjectValue = issuerObject.value.toString('hex');
        var subjectObjectValue = subjectObject.value.toString('hex');

        return issuerObjectType === subjectObjectType
          && issuerObjectValue === subjectObjectValue;
      });
    });

    //
    // Handle Cert Extensions
    // http://tools.ietf.org/html/rfc5280#section-4.2
    //
    var ext;
    var eid;
    var extensions = {
      basicConstraints: null,
      keyUsage: null,
      subjectKeyIdentifier: null,
      authKeyIdentifier: null,
      CRLDistributionPoints: null,
      certificatePolicies: null,
      standardUnknown: [],
      unknown: [],
    };

    for (var i = 0; i < nc.tbsCertificate.extensions.length; i++) {
      ext = nc.tbsCertificate.extensions[i];
      eid = ext.extnID;
      if (eid.length === 4 && eid[0] === 2 && eid[1] === 5 && eid[2] === 29) {
        switch (eid[3]) {
          // Basic Constraints
          case 19:
            extensions.basicConstraints = ext.extnValue;
            break;
          // Key Usage
          case 15:
            extensions.keyUsage = ext.extnValue;
            break;
          // Subject Key Identifier
          case 14:
            extensions.subjectKeyIdentifier = ext.extnValue;
            break;
          // Authority Key Identifier
          case 35:
            extensions.authKeyIdentifier = ext.extnValue;
            break;
          // CRL Distribution Points
          case 31:
            extensions.CRLDistributionPoints = ext.extnValue;
            break;
          // Certificate Policies
          case 32:
            extensions.certificatePolicies = ext.extnValue;
            break;
          // Unknown Extension (not documented anywhere, probably non-standard)
          default:
            extensions.unknown.push(ext);
            extensions.standardUnknown.push(ext);
            break;
        }
      } else {
        extensions.unknown.push(ext);
      }
    }

    var extensionsVerified = !extensions.unknown.filter(function(ext) {
      return ext.critical;
    }).length;

    //
    // Verify current certificate signature:
    //

    // Create a To-Be-Signed Certificate to verify using asn1.js:
    var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
    var verifier = crypto.createVerify('RSA-' + sigAlg);
    verifier.update(tbs);
    var sigVerified = verifier.verify(npubKey, sig);

    print(c);
    print(nc);
    print(extensions);
    print('validityVerified: %s', validityVerified);
    print('issuerVerified: %s', issuerVerified);
    print('extensionsVerified: %s', extensionsVerified);
    print('sigVerified: %s', validityVerified);

    return validityVerified
      && issuerVerified
      && extensionsVerified
      && sigVerified;
  });

  return verified && chainVerified;
};

var util = require('util');
function inspect(obj) {
  return typeof obj !== 'string'
    ? util.inspect(obj, false, 20, true)
    : obj;
}
function print(obj) {
  return typeof obj === 'object'
    ? process.stdout.write(inspect(obj) + '\n')
    : console.log.apply(console, arguments);
}

module.exports = PayPro;
add BIP70 protobuf features in new PayPro lib file ...and add to the "main" bundle, but not the "all" bundle, since it adds hundreds of kilobytes to the bundle. 2014-07-02 11:39:21 -07:00			`'use strict';`
paypro: split up paypro into node/browser/common. 2014-07-21 14:34:56 -07:00
add sign/verify with pki_type SIN ...which is much easier to implement than X.509 certificates. 2014-07-02 22:08:06 -07:00			`var Message = Message \|\| require('./Message');`
add BIP70 protobuf features in new PayPro lib file ...and add to the "main" bundle, but not the "all" bundle, since it adds hundreds of kilobytes to the bundle. 2014-07-02 11:39:21 -07:00
paypro: move root certs to common. 2014-07-21 13:52:09 -07:00			`var RootCerts = require('./common/RootCerts');`
paypro: stat using jsrsasign to convert DER to PEM and derive public keys for sig verification. 2014-07-16 17:58:47 -07:00
paypro: split up paypro into node/browser/common. 2014-07-21 14:34:56 -07:00			`var PayPro = require('./common/PayPro');`
add sign/verify with pki_type SIN ...which is much easier to implement than X.509 certificates. 2014-07-02 22:08:06 -07:00
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00			`var KJUR = require('jsrsasign');`

paypro: use fedor's asn1.js to deal with DER certificates. 2014-08-22 00:31:20 -07:00			`var asn1 = require('asn1.js');`
			`var rfc3280 = require('asn1.js/rfc/3280');`

paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`PayPro.prototype.x509Sign = function(key) {`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 2014-07-21 13:02:22 -07:00			`var self = this;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var crypto = require('crypto');`
paypro: temporarily fix tests. 2014-07-21 11:30:32 -07:00			`var pki_type = this.get('pki_type');`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var pki_data = this.get('pki_data'); // contains one or more x509 certs`
paypro: fix handling of pki_data - cert arrays. 2014-07-23 14:22:56 -07:00			`pki_data = PayPro.X509Certificates.decode(pki_data);`
			`pki_data = pki_data.certificate;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var details = this.get('serialized_payment_details');`
			`var type = pki_type.split('+')[1].toUpperCase();`

paypro: get root cert names. 2014-07-24 17:40:56 -07:00			`var trusted = pki_data.map(function(cert) {`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var der = cert.toString('hex');`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 2014-07-21 13:02:22 -07:00			`var pem = self._DERtoPEM(der, 'CERTIFICATE');`
paypro: get root cert names. 2014-07-24 17:40:56 -07:00			`return RootCerts.getTrusted(pem);`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`});`

paypro: get root cert names. 2014-07-24 17:40:56 -07:00			`// XXX Figure out what to do here`
			`if (!trusted.length) {`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`// throw new Error('Unstrusted certificate.');`
paypro: get root cert names. 2014-07-24 17:40:56 -07:00			`} else {`
			`trusted.forEach(function(name) {`
			`// console.log('Certificate: %s', name);`
			`});`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`}`

			`var signature = crypto.createSign('RSA-' + type);`
			`var buf = this.serializeForSig();`
			`signature.update(buf);`
			`var sig = signature.sign(key);`
			`return sig;`
			`};`

			`PayPro.prototype.x509Verify = function() {`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 2014-07-21 13:02:22 -07:00			`var self = this;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var crypto = require('crypto');`
paypro: temporarily fix tests. 2014-07-21 11:30:32 -07:00			`var pki_type = this.get('pki_type');`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var sig = this.get('signature');`
			`var pki_data = this.get('pki_data');`
paypro: fix handling of pki_data - cert arrays. 2014-07-23 14:22:56 -07:00			`pki_data = PayPro.X509Certificates.decode(pki_data);`
			`pki_data = pki_data.certificate;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var details = this.get('serialized_payment_details');`
			`var buf = this.serializeForSig();`
			`var type = pki_type.split('+')[1].toUpperCase();`

			`var verifier = crypto.createVerify('RSA-' + type);`
			`verifier.update(buf);`

paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00			`var signedCert = pki_data[0];`
			`var der = signedCert.toString('hex');`
			`var pem = this._DERtoPEM(der, 'CERTIFICATE');`
			`var verified = verifier.verify(pem, sig);`

			`var chain = pki_data;`

			`// Verifying the cert chain:`
			`// 1. Extract public key from next certificate.`
			`// 2. Extract signature from current certificate.`
			`// 3. If current cert is not trusted, verify that the current cert is signed`
			`// by NEXT by the certificate.`
paypro: verify chain refactor. 2014-08-22 08:38:19 -07:00			`// NOTE: XXX What to do when the certificate is revoked?`
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00
paypro: verify chain refactor. 2014-08-22 08:38:19 -07:00			`var chainVerified = chain.every(function(cert, i) {`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`var der = cert.toString('hex');`
paypro: start using our own DERtoPEM functions so we don't have to require jsrsasign. 2014-07-21 13:02:22 -07:00			`var pem = self._DERtoPEM(der, 'CERTIFICATE');`
paypro: get root cert names. 2014-07-24 17:40:56 -07:00			`var name = RootCerts.getTrusted(pem);`
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00
			`var ncert = chain[i + 1];`
			`// The root cert, check if it's trusted:`
			`if (!ncert \|\| name) {`
paypro: fix root cert check. 2014-08-22 09:05:05 -07:00			`if (!ncert && !name) {`
			`return false;`
			`}`
paypro: verify chain refactor. 2014-08-22 08:38:19 -07:00			`chain.length = 0;`
			`return true;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`}`
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00			`var nder = ncert.toString('hex');`
			`var npem = self._DERtoPEM(nder, 'CERTIFICATE');`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00
paypro: debugging and sigAlg/pubKey formats. 2014-08-22 17:10:41 -07:00			`//`
			`// Get Public Key from next certificate:`
			`//`
			`var ndata = new Buffer(nder, 'hex');`
			`var nc = rfc3280.Certificate.decode(ndata, 'der');`
			`var npubKeyAlg = PayPro.getAlgorithm(`
			`nc.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm);`
paypro: remove debug code. 2014-08-22 17:33:58 -07:00			`var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;`
			`npubKey = self._DERtoPEM(npubKey, npubKeyAlg + ' PUBLIC KEY');`
paypro: debugging and sigAlg/pubKey formats. 2014-08-22 17:10:41 -07:00
			`//`
			`// Get Signature Value from current certificate:`
			`//`
paypro: use fedor's asn1.js to deal with DER certificates. 2014-08-22 00:31:20 -07:00			`var data = new Buffer(der, 'hex');`
paypro: use asn1.js in browser paypro. 2014-08-22 08:56:08 -07:00			`var c = rfc3280.Certificate.decode(data, 'der');`
paypro: debugging and sigAlg/pubKey formats. 2014-08-22 17:10:41 -07:00			`var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);`
paypro: use fedor's asn1.js to deal with DER certificates. 2014-08-22 00:31:20 -07:00			`var sig = c.signature.data;`
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`//`
			`// Check Validity of Certificates`
			`//`
			`var validityVerified = true;`
			`var now = Date.now();`
			`var cBefore = c.tbsCertificate.validity.notBefore.value;`
			`var cAfter = c.tbsCertificate.validity.notAfter.value;`
			`var nBefore = nc.tbsCertificate.validity.notBefore.value;`
			`var nAfter = nc.tbsCertificate.validity.notAfter.value;`
			`if (cBefore > now \|\| cAfter < now \|\| nBefore > now \|\| nAfter < now) {`
			`validityVerified = false;`
			`}`

paypro: check issuer. ignore fixed asn1.js bug. 2014-08-24 13:01:01 -07:00			`//`
			`// Check the Issuer matches the Subject of the next certificate:`
			`//`
			`var issuer = c.tbsCertificate.issuer;`
			`var subject = nc.tbsCertificate.subject;`
			`var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) {`
			`var subjectArray = subject.value[i];`
			`return issuerArray.every(function(issuerObject, i) {`
			`var subjectObject = subjectArray[i];`

			`var issuerObjectType = issuerObject.type.join('.');`
			`var subjectObjectType = subjectObject.type.join('.');`

			`var issuerObjectValue = issuerObject.value.toString('hex');`
			`var subjectObjectValue = subjectObject.value.toString('hex');`

			`return issuerObjectType === subjectObjectType`
			`&& issuerObjectValue === subjectObjectValue;`
			`});`
			`});`
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00
paypro: start handling certificate extensions. 2014-08-24 13:02:07 -07:00			`//`
			`// Handle Cert Extensions`
			`// http://tools.ietf.org/html/rfc5280#section-4.2`
			`//`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`var ext;`
			`var eid;`
			`var extensions = {`
			`basicConstraints: null,`
			`keyUsage: null,`
			`subjectKeyIdentifier: null,`
			`authKeyIdentifier: null,`
			`CRLDistributionPoints: null,`
			`certificatePolicies: null,`
			`standardUnknown: [],`
			`unknown: [],`
			`};`

			`for (var i = 0; i < nc.tbsCertificate.extensions.length; i++) {`
			`ext = nc.tbsCertificate.extensions[i];`
			`eid = ext.extnID;`
			`if (eid.length === 4 && eid[0] === 2 && eid[1] === 5 && eid[2] === 29) {`
			`switch (eid[3]) {`
			`// Basic Constraints`
			`case 19:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.basicConstraints = ext.extnValue;`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`break;`
			`// Key Usage`
			`case 15:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.keyUsage = ext.extnValue;`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`break;`
			`// Subject Key Identifier`
			`case 14:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.subjectKeyIdentifier = ext.extnValue;`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`break;`
			`// Authority Key Identifier`
			`case 35:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.authKeyIdentifier = ext.extnValue;`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`break;`
			`// CRL Distribution Points`
			`case 31:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.CRLDistributionPoints = ext.extnValue;`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`break;`
			`// Certificate Policies`
			`case 32:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.certificatePolicies = ext.extnValue;`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`break;`
			`// Unknown Extension (not documented anywhere, probably non-standard)`
			`default:`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`extensions.unknown.push(ext);`
paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`extensions.standardUnknown.push(ext);`
			`break;`
			`}`
			`} else {`
			`extensions.unknown.push(ext);`
			`}`
			`}`

paypro: refactor verification. 2014-08-25 11:31:58 -07:00			`var extensionsVerified = !extensions.unknown.filter(function(ext) {`
paypro: check validity time - cert expiration. 2014-08-25 11:27:16 -07:00			`return ext.critical;`
			`}).length;`

paypro: debugging and sigAlg/pubKey formats. 2014-08-22 17:10:41 -07:00			`//`
			`// Verify current certificate signature:`
			`//`
paypro: refactor verification. 2014-08-25 11:31:58 -07:00
			`// Create a To-Be-Signed Certificate to verify using asn1.js:`
			`var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');`
paypro: debugging and sigAlg/pubKey formats. 2014-08-22 17:10:41 -07:00			`var verifier = crypto.createVerify('RSA-' + sigAlg);`
			`verifier.update(tbs);`
paypro: refactor verification. 2014-08-25 11:31:58 -07:00			`var sigVerified = verifier.verify(npubKey, sig);`

			`print(c);`
			`print(nc);`
			`print(extensions);`
			`print('validityVerified: %s', validityVerified);`
			`print('issuerVerified: %s', issuerVerified);`
			`print('extensionsVerified: %s', extensionsVerified);`
			`print('sigVerified: %s', validityVerified);`

			`return validityVerified`
			`&& issuerVerified`
			`&& extensionsVerified`
			`&& sigVerified;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`});`
paypro: verify the certificate chain. 2014-08-21 16:13:34 -07:00
paypro: verify chain refactor. 2014-08-22 08:38:19 -07:00			`return verified && chainVerified;`
paypro: move x509 sign and verify to their own methods. 2014-07-21 11:17:38 -07:00			`};`

paypro: better extension parsing with more debugging. 2014-08-25 11:18:24 -07:00			`var util = require('util');`
			`function inspect(obj) {`
			`return typeof obj !== 'string'`
			`? util.inspect(obj, false, 20, true)`
			`: obj;`
			`}`
			`function print(obj) {`
			`return typeof obj === 'object'`
			`? process.stdout.write(inspect(obj) + '\n')`
			`: console.log.apply(console, arguments);`
			`}`

cleanup after removal of soop Removed some unnecessary parenthesise that hung around after the merge of #417 2014-07-12 03:14:56 -07:00			`module.exports = PayPro;`