/
cert.js
186 lines (143 loc) · 5.4 KB
/
cert.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
var jwcrypto = require("./jwcrypto"),
assertion = require("./assertion"),
utils = require("./utils"),
delay = utils.delay,
version = require("./version"),
und = require("./underscore.js");
var SERIALIZER = {};
SERIALIZER._LEGACY_serializeCertParamsInto = function(certParams, params) {
params['public-key'] = certParams.publicKey.toSimpleObject();
params.principal = certParams.principal;
};
SERIALIZER._20120815_serializeCertParamsInto = function(certParams, params) {
params['publicKey'] = certParams.publicKey.toSimpleObject();
params.principal = certParams.principal;
params.version = "2012.08.15";
}
var serializeCertParamsInto = function(certParams, params) {
version.dispatchOnDataFormatVersion(SERIALIZER, 'serializeCertParamsInto', version.getDataFormatVersion(), certParams, params);
};
SERIALIZER._LEGACY_extractCertParamsFrom = function(params) {
var certParams = {};
certParams.publicKey = jwcrypto.loadPublicKey(JSON.stringify(params['public-key']));
delete params['public-key'];
certParams.principal = params.principal;
delete params.principal;
return certParams;
};
SERIALIZER._20120815_extractCertParamsFrom = function(params) {
delete params.version;
var certParams = {};
certParams.publicKey = jwcrypto.loadPublicKey(JSON.stringify(params.publicKey));
delete params.publicKey;
certParams.principal = params.principal;
delete params.principal;
return certParams;
};
function extractCertParamsFrom(params, originalComponents) {
return version.dispatchOnDataFormatVersion(SERIALIZER, 'extractCertParamsFrom', originalComponents.payload.version, params);
};
exports.sign = function(certParams, assertionParams, additionalPayload,
secretKey, cb) {
var payload = {};
utils.copyInto(additionalPayload || {}, payload);
serializeCertParamsInto(certParams, payload);
assertion.sign(payload, assertionParams, secretKey, cb);
};
var verify = function(signedObject, publicKey, now, cb) {
assertion.verify(signedObject, publicKey, now, function(err, payload, assertionParams) {
if (err)
return cb(err);
// compatible with old format
var originalComponents = jwcrypto.extractComponents(signedObject);
var certParams = extractCertParamsFrom(payload, originalComponents);
// make the key appear under both public-key and publicKey
cb(err, payload, assertionParams, certParams);
});
};
exports.verify = verify;
exports.bundle = function(certs, signedAssertion) {
if (!certs || certs.length == 0)
throw "certificates must be a non-empty array";
return [].concat(certs, signedAssertion).join('~');
};
exports.unbundle = function(b) {
var arr = b.split('~');
var obj = {};
obj.signedAssertion = arr.pop();
obj.certs = arr;
return obj;
};
// verify just a chain of certs
var verifyChain = function(certs, now, getRoot, cb) {
if (!certs.length)
return delay(cb)("certs must be an array of at least one cert");
var rootIssuer;
try {
// the root
rootIssuer = jwcrypto.extractComponents(certs[0]).payload.iss;
} catch (x) {
// can't extract components
return delay(cb)("malformed signature");
}
// iterate through the certs
function verifyCert(i, pk, certParamsArray, cb) {
// do a normal verify on that cert
verify(certs[i], pk, now, function(err, payload, assertionParams, certParams) {
if (err) return cb(err);
i += 1;
certParamsArray.push({payload: payload,
assertionParams: assertionParams,
certParams: certParams});
if (i >= certs.length)
cb(null, certParamsArray, certParams.publicKey);
else
delay(verifyCert)(i, certParams.publicKey, certParamsArray, cb);
});
}
// get the root public key
getRoot(rootIssuer, function(err, rootPK) {
if (err) return delay(cb)(err);
verifyCert(0, rootPK, [], function(err, certParamsArray, lastPK) {
if (err) return cb(err);
// we're done
cb(null, certParamsArray);
});
});
};
exports.verifyChain = verifyChain;
exports.verifyBundle = function(bundle, now, getRoot, cb) {
// unbundle
if (typeof(bundle) != 'string')
return delay(cb)("malformed backed assertion");
var parsedBundle = exports.unbundle(bundle);
var signedAssertion = parsedBundle.signedAssertion;
var certs = parsedBundle.certs;
// no certs? not okay
if (certs.length == 0)
return delay(cb)("no certificates provided");
// verify the chain
verifyChain(certs, now, getRoot, function(err, certParamsArray) {
// simplify error message
if (err) {
// allow through the malformed signature
if (err == 'malformed signature' ||
err == "assertion issued later than verification date" ||
err == "assertion has expired")
return cb(err);
else
return cb("bad signature in chain");
}
// what was the last PK in the successful chain?
var lastPK = certParamsArray[certParamsArray.length - 1].certParams.publicKey;
// now verify the assertion
assertion.verify(signedAssertion, lastPK, now, function(err, payload, assertionParams) {
if (err) return cb(err);
// we're good!
cb(null, certParamsArray, payload, assertionParams);
});
});
};