From dea39d1c7280f02df03bd2a3de0b3957300bf98d Mon Sep 17 00:00:00 2001 From: Christopher Jeffrey Date: Thu, 28 Aug 2014 18:13:56 -0700 Subject: [PATCH] paypro: immediately detect self signed certs and untrusted CAs. --- lib/PayPro.js | 44 +++++++++++++++++++++++++++++++++++++++++- lib/browser/PayPro.js | 45 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 87 insertions(+), 2 deletions(-) diff --git a/lib/PayPro.js b/lib/PayPro.js index d5f3f9f..4645485 100644 --- a/lib/PayPro.js +++ b/lib/PayPro.js @@ -63,6 +63,44 @@ PayPro.prototype.x509Verify = function(returnTrust) { var chain = pki_data; + // + // Get the CA cert's name + // + var issuer = chain[chain.length - 1]; + der = issuer.toString('hex'); + pem = this._DERtoPEM(der, 'CERTIFICATE'); + var caName = RootCerts.getTrusted(pem); + + if (chain.length === 1 && !caName) { + if (returnTrust) { + return { + selfSigned: 1, // yes + isChain: false, + verified: verified, + caTrusted: false, + caName: null, + chainVerified: false + }; + } + return verified; + } + + // If there's no trusted root cert, don't + // bother validating the cert chain. + if (!caName) { + if (returnTrust) { + return { + selfSigned: -1, // unknown + isChain: chain.length > 1, + verified: verified, + caTrusted: false, + caName: null, + chainVerified: false + }; + } + return verified; + } + var chainVerified = chain.every(function(cert, i) { var der = cert.toString('hex'); var pem = self._DERtoPEM(der, 'CERTIFICATE'); @@ -71,7 +109,7 @@ PayPro.prototype.x509Verify = function(returnTrust) { var ncert = chain[i + 1]; // The root cert, check if it's trusted: if (!ncert || name) { - if (!ncert && !name) { + if (!name) { return false; } chain.length = 0; @@ -127,7 +165,11 @@ PayPro.prototype.x509Verify = function(returnTrust) { if (returnTrust) { return { + selfSigned: 0, // no + isChain: true, verified: verified, + caTrusted: !!caName, + caName: caName || null, chainVerified: chainVerified }; } diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js index 0d47462..2245109 100644 --- a/lib/browser/PayPro.js +++ b/lib/browser/PayPro.js @@ -77,6 +77,45 @@ PayPro.prototype.x509Verify = function(returnTrust) { var chain = pki_data; + // + // Get the CA cert's name + // + var issuer = chain[chain.length - 1]; + der = issuer.toString('hex'); + // pem = this._DERtoPEM(der, 'CERTIFICATE'); + pem = KJUR.asn1.ASN1Util.getPEMStringFromHex(der, 'CERTIFICATE'); + var caName = RootCerts.getTrusted(pem); + + if (chain.length === 1 && !caName) { + if (returnTrust) { + return { + selfSigned: 1, // yes + isChain: false, + verified: verified, + caTrusted: false, + caName: null, + chainVerified: false + }; + } + return verified; + } + + // If there's no trusted root cert, don't + // bother validating the cert chain. + if (!caName) { + if (returnTrust) { + return { + selfSigned: -1, // unknown + isChain: chain.length > 1, + verified: verified, + caTrusted: false, + caName: null, + chainVerified: false + }; + } + return verified; + } + var chainVerified = chain.every(function(cert, i) { var der = cert.toString('hex'); // var pem = self._DERtoPEM(der, 'CERTIFICATE'); @@ -86,7 +125,7 @@ PayPro.prototype.x509Verify = function(returnTrust) { var ncert = chain[i + 1]; // The root cert, check if it's trusted: if (!ncert || name) { - if (!ncert && !name) { + if (!name) { return false; } chain.length = 0; @@ -149,7 +188,11 @@ PayPro.prototype.x509Verify = function(returnTrust) { if (returnTrust) { return { + selfSigned: 0, // no + isChain: true, verified: verified, + caTrusted: !!caName, + caName: caName || null, chainVerified: chainVerified }; }