paypro: verify chain refactor.
This commit is contained in:
parent
16b646d0e7
commit
4a12d5a491
|
@ -71,13 +71,9 @@ PayPro.prototype.x509Verify = function() {
|
||||||
// 2. Extract signature from current certificate.
|
// 2. Extract signature from current certificate.
|
||||||
// 3. If current cert is not trusted, verify that the current cert is signed
|
// 3. If current cert is not trusted, verify that the current cert is signed
|
||||||
// by NEXT by the certificate.
|
// by NEXT by the certificate.
|
||||||
// 4. XXX What to do when the certificate is revoked?
|
// NOTE: XXX What to do when the certificate is revoked?
|
||||||
|
|
||||||
var blen = +type.replace(/[^\d]+/g, '');
|
var chainVerified = chain.every(function(cert, i) {
|
||||||
if (blen === 1) blen = 20;
|
|
||||||
if (blen === 256) blen = 32;
|
|
||||||
|
|
||||||
chain.forEach(function(cert, i) {
|
|
||||||
var der = cert.toString('hex');
|
var der = cert.toString('hex');
|
||||||
var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
var pem = self._DERtoPEM(der, 'CERTIFICATE');
|
||||||
var name = RootCerts.getTrusted(pem);
|
var name = RootCerts.getTrusted(pem);
|
||||||
|
@ -85,36 +81,34 @@ PayPro.prototype.x509Verify = function() {
|
||||||
var ncert = chain[i + 1];
|
var ncert = chain[i + 1];
|
||||||
// The root cert, check if it's trusted:
|
// The root cert, check if it's trusted:
|
||||||
if (!ncert || name) {
|
if (!ncert || name) {
|
||||||
return;
|
chain.length = 0;
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
var nder = ncert.toString('hex');
|
var nder = ncert.toString('hex');
|
||||||
var npem = self._DERtoPEM(nder, 'CERTIFICATE');
|
var npem = self._DERtoPEM(nder, 'CERTIFICATE');
|
||||||
|
|
||||||
// Get public key from next certificate.
|
// Get public key from next certificate:
|
||||||
var data = new Buffer(nder, 'hex');
|
var data = new Buffer(nder, 'hex');
|
||||||
var nc = Certificate.decode(data, 'der');
|
var nc = Certificate.decode(data, 'der');
|
||||||
var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
|
var npubKey = nc.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
|
||||||
npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY');
|
npubKey = self._DERtoPEM(npubKey, 'RSA PUBLIC KEY');
|
||||||
|
|
||||||
// Get signature from current certificate.
|
// Get signature from current certificate:
|
||||||
var data = new Buffer(der, 'hex');
|
var data = new Buffer(der, 'hex');
|
||||||
var c = Certificate.decode(data, 'der');
|
var c = Certificate.decode(data, 'der');
|
||||||
var sig = c.signature.data;
|
var sig = c.signature.data;
|
||||||
|
|
||||||
var verifier = crypto.createVerify('RSA-' + type);
|
var verifier = crypto.createVerify('RSA-' + type);
|
||||||
|
|
||||||
// Create a To-Be-Signed Certificate using asn1.js:
|
// Create a To-Be-Signed Certificate to verify using asn1.js:
|
||||||
// Fails at Issuer:
|
// Fails at Issuer:
|
||||||
var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
|
var tbs = rfc3280.TBSCertificate.encode(c.tbsCertificate, 'der');
|
||||||
verifier.update(tbs);
|
verifier.update(tbs);
|
||||||
|
|
||||||
var v = verifier.verify(npubKey, sig);
|
return verifier.verify(npubKey, sig);
|
||||||
if (!v) {
|
|
||||||
verified = false;
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return verified;
|
return verified && chainVerified;
|
||||||
};
|
};
|
||||||
|
|
||||||
module.exports = PayPro;
|
module.exports = PayPro;
|
||||||
|
|
Loading…
Reference in New Issue