SelfSigned Certificate Validation Fail on Apple Root G3 #109
Comments
@fuson You know, PKI.js has existed for about 4 years. As I can see from NPM statistics, the package is downloaded about 30K times per month. The lib is used inside real-life commercial projects. Do you really think that no one else except you was trying to validate certificates? So, I do recommend you to find your error by yourself. Better would be to start from removing "third-party software" - node-webcrypto-ossl. BTW, in your code I do not see a "setEngine" call.
@YuryStrozhevsky, I made the setEngine call in the real test, I just didn't copy-paste it when publishing the example; the example is edited. Sorry for this. And I did not write that all cert validation functionality is not working; I wrote that a proper certificate can't be validated but another certificate is validated successfully. So what engine do you recommend as the WebCrypto engine in a node.js env? I just hoped that if node-webcrypto-ossl is under your user, it is not "third-party".
Yes, node-webcrypto-ossl is not third-party.
@microshine And what is wrong?
must be ECDSA-SHA-384 but there is ECDSA-SHA-1
@microshine If you continue debugging, then on the next line you will have all appropriate parameters for the algorithm.
@YuryStrozhevsky I'm sorry. I've got it
@YuryStrozhevsky I found one difference from Chrome crypto. The certificate from the example uses ECDSA-P384-SHA-384 for its signature. The verify function has signatureValue. It has a size of 97 bytes. But if I generate the same key in Chrome and sign some data, I get a 96-byte signature.
@fuson So, in fact I do recommend you to test all certificate-related problems via existing live examples. In particular via this example. Unfortunately, for this certificate you have, it seems PKI.js handles it wrong - this is a very rare problem, and we could not find it before. I will make a fix soon.
@microshine Stepan, sometimes ASN.1 integer values are pretty complex. In order to be "positive integers" they could sometimes be 96 bytes in length, sometimes 97 bytes in length; it is normal.
@YuryStrozhevsky @microshine Thanks for help, guys! I think that this issue is related to my previous issue about certificate chain validation: one shot, 2 issues solved :)
@fuson I made a fix for ASN1.js and checked both your issues: yes, both are solved now. Thanks for such a rare case of certificate! BTW I will re-create the PKI.js live examples soon - at the moment they have old code and cannot be used for testing the latest fix.
@YuryStrozhevsky Confirmed, your ASN1 fix solves both issues (this & certificate chain validation); now it works perfectly! P.S. npm is still not updated
@fuson Oh, yes, thanks for this note - now NPM is updated.
Download Apple CA G3 certificate:
https://www.apple.com/certificateauthority/AppleRootCA-G3.cer
Run

```js
import * as fs from 'fs';
import * as pkijs from 'pkijs';
import * as asn1js from 'asn1js';
import * as WebCrypto from "node-webcrypto-ossl";

// Use node-webcrypto-ossl as the WebCrypto engine for PKI.js
const webcrypto = new WebCrypto();
pkijs.setEngine('ossl', webcrypto, webcrypto.subtle);

// Parse the DER-encoded certificate (asn1js expects an ArrayBuffer)
const rootG3CertificateBuffer = fs.readFileSync('AppleRootCA-G3.cer');
const rootG3CertificateASN1 = asn1js.fromBER(new Uint8Array(rootG3CertificateBuffer).buffer);
if (rootG3CertificateASN1.offset === -1) throw new Error('Cannot parse certificate DER');
const rootG3Certificate = new pkijs.Certificate({ schema: rootG3CertificateASN1.result });

async function main() {
  // Self-signed root: verify() checks the signature against the certificate's own public key
  console.log(await rootG3Certificate.verify());
}

main().catch((error) => console.error(error));
```
How?!? But on https://www.apple.com/appleca/AppleIncRootCertificate.cer from https://www.apple.com/certificateauthority/ it works ok.
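The 96-vs-97-byte discussion in the comments comes down to two encodings of the same ECDSA signature: the certificate carries a DER `ECDSA-Sig-Value` (`SEQUENCE { r INTEGER, s INTEGER }`), where each INTEGER may gain a leading `0x00` byte to stay positive or lose leading zero bytes to stay minimal, while WebCrypto's `verify()` wants a fixed-size raw `r||s` (96 bytes for P-384). The converter below is an added example written for this page; it is not PKI.js, ASN1.js or node-webcrypto-ossl code, and the sample signature it parses is a constructed byte pattern, not a real Apple signature. It handles both the padded and the shortened INTEGER cases that the comments describe.

```javascript
// Added example (not PKI.js or node-webcrypto-ossl code): convert an ECDSA
// signature between the DER ECDSA-Sig-Value encoding found in certificates,
//   SEQUENCE { r INTEGER, s INTEGER }
// and the fixed-size raw r||s encoding WebCrypto verify() expects. For P-384
// each value occupies exactly 48 bytes raw (96 total), while a DER INTEGER
// for the same value may be 49 bytes (leading 0x00 keeps a high-bit value
// positive) or fewer than 48 (leading zero bytes are not encoded).

const FIELD_BYTES = { 'P-256': 32, 'P-384': 48, 'P-521': 66 };

// Decode a DER length at offset (short form, or long form up to 4 bytes).
function readLength(buf, offset) {
  const first = buf[offset];
  if (first === undefined) throw new Error('truncated DER length');
  if (first < 0x80) return { length: first, next: offset + 1 };
  const numBytes = first & 0x7f;
  if (numBytes === 0 || numBytes > 4) throw new Error('unsupported DER length form');
  let length = 0;
  for (let i = 0; i < numBytes; i++) length = length * 256 + buf[offset + 1 + i];
  return { length, next: offset + 1 + numBytes };
}

// Decode a DER INTEGER at offset and return its unsigned magnitude with any
// leading zero bytes (including the sign-padding byte) removed.
function readInteger(buf, offset) {
  if (buf[offset] !== 0x02) throw new Error('expected INTEGER tag');
  const { length, next } = readLength(buf, offset + 1);
  if (length === 0 || next + length > buf.length) throw new Error('bad INTEGER length');
  let value = buf.subarray(next, next + length);
  if (value[0] & 0x80) throw new Error('negative INTEGER is not a valid ECDSA value');
  while (value.length > 1 && value[0] === 0x00) value = value.subarray(1);
  return { value, next: next + length };
}

// DER ECDSA-Sig-Value -> raw r||s, each value left-padded to the curve's field size.
function derToRaw(der, curve) {
  const size = FIELD_BYTES[curve];
  if (!size) throw new Error(`unsupported curve ${curve}`);
  const buf = Buffer.from(der);
  if (buf[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seq = readLength(buf, 1);
  if (seq.next + seq.length !== buf.length) throw new Error('SEQUENCE length does not match input');
  const r = readInteger(buf, seq.next);
  const s = readInteger(buf, r.next);
  if (s.next !== buf.length) throw new Error('unexpected content after s');
  if (r.value.length > size || s.value.length > size) throw new Error('value does not fit the field');
  const raw = Buffer.alloc(2 * size); // zero-filled, so short values are left-padded
  r.value.copy(raw, size - r.value.length);
  s.value.copy(raw, 2 * size - s.value.length);
  return raw;
}

// Encode an unsigned magnitude as a minimal DER INTEGER (adds 0x00 when the high bit is set).
function encodeInteger(magnitude) {
  let v = magnitude;
  while (v.length > 1 && v[0] === 0x00) v = v.subarray(1);
  if (v[0] & 0x80) v = Buffer.concat([Buffer.from([0x00]), v]);
  return Buffer.concat([Buffer.from([0x02, v.length]), v]); // field values here are < 128 bytes
}

// Encode a DER length (short form, or long form for up to two length bytes).
function encodeLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  if (n < 0x100) return Buffer.from([0x81, n]);
  return Buffer.from([0x82, n >> 8, n & 0xff]);
}

// Raw r||s -> DER ECDSA-Sig-Value.
function rawToDer(raw, curve) {
  const size = FIELD_BYTES[curve];
  if (!size) throw new Error(`unsupported curve ${curve}`);
  const buf = Buffer.from(raw);
  if (buf.length !== 2 * size) throw new Error(`raw signature must be ${2 * size} bytes`);
  const body = Buffer.concat([encodeInteger(buf.subarray(0, size)), encodeInteger(buf.subarray(size))]);
  return Buffer.concat([Buffer.from([0x30]), encodeLength(body.length), body]);
}

// Constructed P-384 sample (not a real signature): r has its high bit set, so
// its DER INTEGER is 49 bytes; s has two leading zero bytes, so its DER
// INTEGER is only 46 bytes. The DER blob is 101 bytes, the raw form is 96.
const R_MAGNITUDE = Buffer.concat([Buffer.from([0x80]), Buffer.alloc(47, 0x01)]);
const S_MAGNITUDE = Buffer.alloc(46, 0x02);
const SAMPLE_DER = Buffer.concat([
  Buffer.from([0x30, 0x63]),
  Buffer.from([0x02, 0x31, 0x00]), R_MAGNITUDE,
  Buffer.from([0x02, 0x2e]), S_MAGNITUDE,
]);

const SAMPLE_RAW = derToRaw(SAMPLE_DER, 'P-384');
console.log(SAMPLE_DER.length, SAMPLE_RAW.length); // 101 96
console.log(rawToDer(SAMPLE_RAW, 'P-384').equals(SAMPLE_DER)); // true
```

The point for a verifier is that the raw length is a property of the curve, not of the signature: a 97-byte `signatureValue` and a 96-byte one can both be valid P-384 signatures, and a converter that assumes a fixed DER INTEGER length of 48 bytes will reject or mis-split the padded case. Both directions also reject trailing bytes and values wider than the field, which is the behaviour you want before handing bytes to a crypto engine.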