SelfSigned Certificate Validation Fail on Apple Root G3 #109

Closed
fuson opened this issue May 30, 2017 · 15 comments

Comments

fuson commented May 30, 2017

1. Download the Apple Root CA G3 certificate:
   https://www.apple.com/certificateauthority/AppleRootCA-G3.cer

2. Run

```javascript
import * as fs from 'fs';
import * as pkijs from 'pkijs';
import * as asn1js from 'asn1js';
import * as WebCrypto from 'node-webcrypto-ossl';

// Use node-webcrypto-ossl as the WebCrypto engine for PKI.js under Node.js
const webcrypto = new WebCrypto();
pkijs.setEngine('ossl', webcrypto, webcrypto.subtle);

// Read the DER-encoded certificate, decode the ASN.1 and build a PKI.js Certificate from it
const rootG3CertificateBuffer = fs.readFileSync('AppleRootCA-G3.cer');
const rootG3CertificateASN1 = asn1js.fromBER(new Uint8Array(rootG3CertificateBuffer).buffer);
const rootG3Certificate = new pkijs.Certificate({ schema: rootG3CertificateASN1.result });

async function main() {
  // Self-signed root: verify() without an issuer checks the signature against the certificate's own key
  console.log(await rootG3Certificate.verify());
}

main().catch((error) => console.error(error));
```

3. Receive as a result - FALSE!
   How?!? But with https://www.apple.com/appleca/AppleIncRootCertificate.cer from https://www.apple.com/certificateauthority/ it works OK.
@YuryStrozhevsky (Collaborator)

@fuson You know, PKI.js has existed for about 4 years. As I can see from NPM statistics, the package is downloaded about 30K times per month. The lib is used inside real-life commercial projects. Do you really think that no one else except you has tried to validate certificates?

So, I do recommend you find your error by yourself. It would be better to start by removing the "third-party soft" - node-webcrypto-ossl. BTW, in your code I do not see a "setEngine" call.

fuson (Author) commented May 30, 2017

@YuryStrozhevsky, I made the setEngine call in the real test, I just did not copy-paste it when publishing the example; the example is edited now. Sorry for this. And I did not write that all cert validation functionality is not working, I wrote that a proper certificate can't be validated while another certificate is validated successfully.

So what engine do you recommend as the WebCrypto engine in a Node.js environment? I just hoped that if node-webcrypto-ossl is under your user it is not "third-party".

rmhrisk (Contributor) commented May 30, 2017

Yes, node-webcrypto-ossl is not third-party.

@microshine (Contributor)

I found the problem.

PKI.js gets the wrong signature algorithm.

[screenshot]

[screenshot]

@YuryStrozhevsky (Collaborator)

@microshine And what is wrong?

@microshine (Contributor)

It must be ECDSA-SHA-384, but there it is ECDSA-SHA-1.

@YuryStrozhevsky (Collaborator)

@microshine If you continued debugging, then on the next line you would have all the appropriate parameters for the algorithm.

@microshine (Contributor)

@YuryStrozhevsky I'm sorry. I've got it

@microshine (Contributor)

@YuryStrozhevsky I found one difference from Chrome crypto.

The certificate from the example uses ECDSA-P384-SHA-384 for the signature. The verify function has signatureValue; it has a size of 97 bytes. But if I generate the same kind of key in Chrome and sign some data, I get a signature of 96 bytes.

YuryStrozhevsky (Collaborator) commented May 30, 2017

@fuson So, in fact I do recommend you test all certificate-related problems via the existing live examples. In particular via this example.

Unfortunately, for this certificate you have it seems PKI.js handles it wrong - this is a very rare problem, and we could not find it before. I will make a fix soon.

@YuryStrozhevsky (Collaborator)

@microshine Stepan, sometimes ASN.1 integer values are pretty complex. In order to be "positive integers" they can sometimes be 96 bytes in length, sometimes 97 bytes in length; it is normal.

fuson (Author) commented May 30, 2017

@YuryStrozhevsky @microshine Thanks for the help, guys! I think that this issue is related to my previous issue about certificate chain validation; one shot - 2 issues solved :)

YuryStrozhevsky added a commit to PeculiarVentures/ASN1.js that referenced this issue May 30, 2017
@YuryStrozhevsky (Collaborator)

@fuson I made a fix for ASN1.js and checked both your issues: yes, both are solved now. Thanks for such a rare case of certificate!

BTW, I will re-create the PKI.js live examples soon - at the moment they have old code and cannot be used for testing the latest fix.

fuson (Author) commented May 30, 2017

@YuryStrozhevsky I confirm, your ASN1 fix solves both issues (this & certificate chain validation); now it works perfectly!

P.S. npm is still not updated

@YuryStrozhevsky (Collaborator)

@fuson Oh, yes, thanks for this note - now NPM is updated.
