zcash-hackworks
/
bitcore-lib-zcash
mirror of https://github.com/zcash-hackworks/bitcore-lib-zcash.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

paypro: verify the certificate chain.

This commit is contained in:
Christopher Jeffrey 2014-08-21 16:13:34 -07:00
parent 6828f560da
commit 569e60065a
2 changed files with 129 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
lib/PayPro.js
View File

@ -6,6 +6,8 @@ var RootCerts = require('./common/RootCerts');
var PayPro = require('./common/PayPro');
var KJUR = require('jsrsasign');
PayPro.prototype.x509Sign = function(key) {
var self = this;
var crypto = require('crypto');
@ -53,20 +55,74 @@ PayPro.prototype.x509Verify = function() {
var verifier = crypto.createVerify('RSA-' + type);
verifier.update(buf);
return pki_data.every(function(cert) {
var signedCert = pki_data[0];
var der = signedCert.toString('hex');
var pem = this._DERtoPEM(der, 'CERTIFICATE');
var verified = verifier.verify(pem, sig);
var chain = pki_data;
// Verifying the cert chain:
// 1. Extract public key from next certificate.
// 2. Extract signature from current certificate.
// 3. If current cert is not trusted, verify that the current cert is signed
// by NEXT by the certificate.
// 4. XXX What to do when the certificate is revoked?
var blen = +type.replace(/[^\d]+/g, '');
if (blen === 1) blen = 20;
if (blen === 256) blen = 32;
chain.forEach(function(cert, i) {
var der = cert.toString('hex');
var pem = self._DERtoPEM(der, 'CERTIFICATE');
var name = RootCerts.getTrusted(pem);
// XXX Figure out what to do here
if (!name) {
// throw new Error('Unstrusted certificate.');
} else {
// console.log('Certificate: %s', name);
}
return verifier.verify(pem, sig);
var ncert = chain[i + 1];
// The root cert, check if it's trusted:
if (!ncert || name) {
if (!name) {
// console.log('Untrusted certificate.');
} else {
// console.log('Certificate: %s', name);
}
return;
}
var nder = ncert.toString('hex');
var npem = self._DERtoPEM(nder, 'CERTIFICATE');
// get sig from current cert - BAD
var sig = new Buffer(der.slice(-(blen * 2)), 'hex');
// Should work but doesn't:
// get sig from current cert
// var o = new KJUR.asn1.cms.SignerInfo();
// o.setSignerIdentifier(pem);
// var sig = o.getEncodedHex();
// get public key from next cert
var js = new KJUR.crypto.Signature({
alg: type + 'withRSA',
prov: 'cryptojs/jsrsa'
});
js.initVerifyByCertificatePEM(npem);
var npubKey = KJUR.KEYUTIL.getPEM(js.pubKey);
var verifier = crypto.createVerify('RSA-' + type);
// NOTE: We need to slice off the signatureAlgorithm and signatureValue.
// consult the x509 spec:
// https://www.ietf.org/rfc/rfc2459
verifier.update(new Buffer(der, 'hex'));
var v = verifier.verify(npubKey, sig);
if (!v) {
// console.log(i + ' not verified.');
verified = false;
}
});
return verified;
};
module.exports = PayPro;

74
lib/browser/PayPro.js
View File

@ -64,24 +64,78 @@ PayPro.prototype.x509Verify = function(key) {
prov: 'cryptojs/jsrsa'
});
return pki_data.every(function(cert) {
var signedCert = pki_data[0];
var der = signedCert.toString('hex');
var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
jsrsaSig.initVerifyByCertificatePEM(pem);
jsrsaSig.updateHex(buf.toString('hex'));
var verified = jsrsaSig.verify(sig.toString('hex'));
var chain = pki_data;
// Verifying the cert chain:
// 1. Extract public key from next certificate.
// 2. Extract signature from current certificate.
// 3. If current cert is not trusted, verify that the current cert is signed
// by NEXT by the certificate.
// 4. XXX What to do when the certificate is revoked?
var blen = +type.replace(/[^\d]+/g, '');
if (blen === 1) blen = 20;
if (blen === 256) blen = 32;
chain.forEach(function(cert, i) {
var der = cert.toString('hex');
var pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE');
// XXX Figure out what to do here
var name = RootCerts.getTrusted(pem);
if (!name) {
// throw new Error('Unstrusted certificate.');
} else {
// console.log('Certificate: %s', name);
var ncert = chain[i + 1];
// The root cert, check if it's trusted:
if (!ncert || name) {
if (!name) {
// console.log('Untrusted certificate.');
} else {
// console.log('Certificate: %s', name);
}
return;
}
var nder = ncert.toString('hex');
var npem = KJUR.asn1.ASN1Util.getPEMStringFromHex(nder, 'CERTIFICATE');
jsrsaSig.initVerifyByCertificatePEM(pem);
// get sig from current cert - BAD
var sig = der.slice(-(blen * 2));
jsrsaSig.updateHex(buf.toString('hex'));
// Should work but doesn't:
// get sig from current cert
// var o = new KJUR.asn1.cms.SignerInfo();
// o.setSignerIdentifier(pem);
// var sig = new Buffer(o.getEncodedHex(), 'hex');
return jsrsaSig.verify(sig.toString('hex'));
// get public key from next cert
var js = new KJUR.crypto.Signature({
alg: type + 'withRSA',
prov: 'cryptojs/jsrsa'
});
js.initVerifyByCertificatePEM(npem);
var npubKey = KJUR.KEYUTIL.getPEM(js.pubKey);
var jsrsaSig = new KJUR.crypto.Signature({
alg: type + 'withRSA',
prov: 'cryptojs/jsrsa'
});
jsrsaSig.initVerifyByPublicKey(npubKey);
// NOTE: We need to slice off the signatureAlgorithm and signatureValue -
// consult the x509 spec:
// https://www.ietf.org/rfc/rfc2459
jsrsaSig.updateHex(der);
var v = jsrsaSig.verify(sig);
if (!v) {
// console.log(i + ' not verified.');
verified = false;
}
});
return verified;
};
module.exports = PayPro;