paypro: check issuer. ignore fixed asn1.js bug.

2014-08-24 13:01:01 -07:00 · 2014-08-24 13:01:01 -07:00 · 18d72309eb
parent 203b605ebf
commit 18d72309eb
1 changed files with 22 additions and 17 deletions
--- a/lib/PayPro.js
+++ b/lib/PayPro.js
@ -107,33 +107,38 @@ PayPro.prototype.x509Verify = function() {
    var sigAlg = PayPro.getAlgorithm(c.signatureAlgorithm.algorithm, 1);
    var sig = c.signature.data;

-    // NOTE - check this in the future:
-    // c.tbsCertificate.issuer === nc.tbsCertificate.subject;
+    //
+    // Check the Issuer matches the Subject of the next certificate:
+    //
+    var issuer = c.tbsCertificate.issuer;
+    var subject = nc.tbsCertificate.subject;
+    var issuerVerified = issuer.type === subject.type && issuer.value.every(function(issuerArray, i) {
+      var subjectArray = subject.value[i];
+      return issuerArray.every(function(issuerObject, i) {
+        var subjectObject = subjectArray[i];
+
+        var issuerObjectType = issuerObject.type.join('.');
+        var subjectObjectType = subjectObject.type.join('.');
+
+        var issuerObjectValue = issuerObject.value.toString('hex');
+        var subjectObjectValue = subjectObject.value.toString('hex');
+
+        return issuerObjectType === subjectObjectType
+          && issuerObjectValue === subjectObjectValue;
+      });
+    });

    //
    // Create a To-Be-Signed Certificate to verify using asn1.js:
-    // XXX The signature algorithm seems to get mangled here.
    //
-    // var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
-    var tbs = rfc3280.TBSCertificate.encode({
-      version: c.tbsCertificate.version,
-      serialNumber: c.tbsCertificate.serialNumber,
-      // XXX signature algorithm is different for some reason.
-      signature: { algorithm: [ 1, 2, 840, 113549, 1, 1, 11 ] },
-      //signature: c.tbsCertificate.signature,
-      issuer: c.tbsCertificate.issuer,
-      validity: c.tbsCertificate.validity,
-      subject: c.tbsCertificate.subject,
-      subjectPublicKeyInfo: c.tbsCertificate.subjectPublicKeyInfo,
-      extensions: c.tbsCertificate.extensions
-    }, 'der');
+    var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');

    //
    // Verify current certificate signature:
    //
    var verifier = crypto.createVerify('RSA-' + sigAlg);
    verifier.update(tbs);
-    return verifier.verify(npubKey, sig);
+    return verifier.verify(npubKey, sig) && issuerVerified;
  });

  return verified && chainVerified;